Feeds

US Emergency Alert System open to hack attack

Security and encryption 'not primary design criteria'

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

The US Emergency Alert System (EAS) that lets officials instantly interrupt radio and TV broadcasts to provide emergency information in a crisis suffers from security holes that leave it vulnerable to denial of service attacks, and could even permit hackers to issue their own false regional alerts, federal regulators acknowledged Thursday.

"Security and encryption were not the primary design criteria when EAS was developed and initially implemented," the Federal Communications Commission (FCC) wrote in a public notice launching a review of the system. "Now, however, emergency managers are becoming more aware of potential vulnerabilities within the system. For example, the complete EAS protocol is a matter of public record and potentially subject to malicious activations or interference."

The EAS was launched in 1997 to replace the cold-war era Emergency Broadcast System known best for making the phrase "this is only a test" a cultural touchstone. Like that earlier system, the EAS is designed to allow the President to interrupt television and radio programming and speak directly to the American people in the event of an impending nuclear war, or a similarly extreme national emergency. The system has never been activated for that purpose, but state and local officials have found it a valuable channel for warning the public of regional emergencies, including the "Amber Alerts" credited with the recovery of 150 abducted children.

Despite its regional successes, the EAS is increasingly under fire by critics who charge that its national mission is obsolete in an era of instant 24-hour news coverage, and who deride its quaint reliance on analog radio and broadcast and cable television. On Thursday, the FCC responded by opening a formal review of the EAS, beginning a public comment period on how the network might be improved. One of the issues the FCC is probing is the security of the system.

As first reported by SecurityFocus nearly two years ago, the EAS was built without basic authentication mechanisms, and is activated locally by unencrypted low-speed modem transmissions over public airwaves. That places radio and television broadcasters and cable TV companies at risk of being fooled by spoofers with a little technical know-how and some off-the-shelf electronic components. Under FCC regulations, unattended stations must automatically interrupt their broadcasts to forward alerts, making it possible for even blatantly false information to be forwarded without first passing human inspection.

The FCC's review follows a detailed report on the EAS produced by the non-profit Partnership for Public Warning (PPW) in February, which noted that "EAS security is now very much an issue."

"Since attacks involving chemical or biological weapons are likely to require use of the EAS system to provide official alert information to the public, it is possible that an attacker could decide to cripple the EAS or use it to spread damaging disinformation," reads the PPW report.

With Thursday's Notice of Proposed Rulemaking, the FCC acknowledged the vulnerabilities "could be exploited during times of heightened public anxiety and uncertainty" to distribute false information to the public, or that alternatively the "EAS signal could be subject to jamming."

Among the questions the FCC is pondering: how best to protect broadcasters from legal liability if they inadvertently rebroadcast a false EAS message; who should be responsible for system security; how can the authenticity of EAS messages be verified; and "what security standards, if any, should be implemented?"

"The Commission must now buckle down and do what it is we are asking state and local officials to do - assess vulnerabilities, create a plan for better service, and review and update that plan as communications technologies evolve," said commissioner Jonathan Adelstein in a statement.

There are no reported cases of the EAS vulnerabilities being exploited, and the PPW report concludes that the potential consequences of spoofing attacks are limited. "Research into the behavior of warning recipients suggests that a single false alarm, without corroboration from other credible sources, generally elicits only limited reaction from the public."

Copyright © 2004, 0

Related stories

Los Alamos and the missing discs that never were
Al-Qaeda computer geek nearly overthrew US
FBI publishes computer crime and security stats

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.