US Emergency Alert System open to hack attack
Security and encryption 'not primary design criteria'
The US Emergency Alert System (EAS) that lets officials instantly interrupt radio and TV broadcasts to provide emergency information in a crisis suffers from security holes that leave it vulnerable to denial of service attacks, and could even permit hackers to issue their own false regional alerts, federal regulators acknowledged Thursday.
"Security and encryption were not the primary design criteria when EAS was developed and initially implemented," the Federal Communications Commission (FCC) wrote in a public notice launching a review of the system. "Now, however, emergency managers are becoming more aware of potential vulnerabilities within the system. For example, the complete EAS protocol is a matter of public record and potentially subject to malicious activations or interference."
The EAS was launched in 1997 to replace the cold-war era Emergency Broadcast System known best for making the phrase "this is only a test" a cultural touchstone. Like that earlier system, the EAS is designed to allow the President to interrupt television and radio programming and speak directly to the American people in the event of an impending nuclear war, or a similarly extreme national emergency. The system has never been activated for that purpose, but state and local officials have found it a valuable channel for warning the public of regional emergencies, including the "Amber Alerts" credited with the recovery of 150 abducted children.
Despite its regional successes, the EAS is increasingly under fire by critics who charge that its national mission is obsolete in an era of instant 24-hour news coverage, and who deride its quaint reliance on analog radio and broadcast and cable television. On Thursday, the FCC responded by opening a formal review of the EAS, beginning a public comment period on how the network might be improved. One of the issues the FCC is probing is the security of the system.
As first reported by SecurityFocus nearly two years ago, the EAS was built without basic authentication mechanisms, and is activated locally by unencrypted low-speed modem transmissions over public airwaves. That places radio and television broadcasters and cable TV companies at risk of being fooled by spoofers with a little technical know-how and some off-the-shelf electronic components. Under FCC regulations, unattended stations must automatically interrupt their broadcasts to forward alerts, making it possible for even blatantly false information to be forwarded without first passing human inspection.
The FCC's review follows a detailed report on the EAS produced by the non-profit Partnership for Public Warning (PPW) in February, which noted that "EAS security is now very much an issue."
"Since attacks involving chemical or biological weapons are likely to require use of the EAS system to provide official alert information to the public, it is possible that an attacker could decide to cripple the EAS or use it to spread damaging disinformation," reads the PPW report.
With Thursday's Notice of Proposed Rulemaking, the FCC acknowledged the vulnerabilities "could be exploited during times of heightened public anxiety and uncertainty" to distribute false information to the public, or that alternatively the "EAS signal could be subject to jamming."
Among the questions the FCC is pondering: how best to protect broadcasters from legal liability if they inadvertently rebroadcast a false EAS message; who should be responsible for system security; how can the authenticity of EAS messages be verified; and "what security standards, if any, should be implemented?"
"The Commission must now buckle down and do what it is we are asking state and local officials to do - assess vulnerabilities, create a plan for better service, and review and update that plan as communications technologies evolve," said commissioner Jonathan Adelstein in a statement.
There are no reported cases of the EAS vulnerabilities being exploited, and the PPW report concludes that the potential consequences of spoofing attacks are limited. "Research into the behavior of warning recipients suggests that a single false alarm, without corroboration from other credible sources, generally elicits only limited reaction from the public."
Sponsored: DevOps and continuous delivery