Slashdot Mirror

← Back to Stories (view on slashdot.org)

Emergency Alert System Insecure

Posted by ryuzaki0 on from the ahoooooga-ahooooooga dept.

glebe writes "The U.S. Emergency Alert System used to issue disaster warnings and other alerts over T.V. and radio is vulnerable to spoofing and denial-of-service attacks, SecurityFocus is reporting. Apparently, 'the EAS was built without basic authentication mechanisms, and is activated locally by unencrypted low-speed modem transmissions over public airwaves.' The FCC acknowledged the security issues yesterday in a public notice seeking comment on the future of the system."

9 of 210 comments (clear)

  1. Old news... by ktakki · · Score: 4, Informative

    Almost two years old, in fact:

    http://www.securityfocus.com/news/613

    I'm sure one could find even earlier discussions of this vulnerability.

    k.

    --
    "In spite of everything, I still believe that people are really good at heart." - Anne Frank
  2. not only unencrypted but a public spec by js7a · · Score: 4, Informative
    the EAS digital signal is the same signal that the National Weather Service (NWS) uses on the National Oceanic and Atmospheric Administration's Weather Radio (NWR).
    -- www.fcc.gov/cgb/consumerfacts/eas.html

    NWR Specific Area Message Encoding (SAME)

    Full spec (pdf)

  3. Emergency Broadcast System problems by Animats · · Score: 4, Informative
    The previous system, the Emergency Broadcast System, was based on two components - teletype messages to broadcast stations, and secondary broadcast stations monitoring "primary" broadcast stations for an alert tone.

    On February 21, 1971, an alert message announcing a nuclear war was sent over the teletype network by accident. Somebody at NORAD loaded the wrong paper tape. Almost no stations broadcast the message. One station in Florida actually did. After that, NORAD lost their authority to send emergency action messages on their own.

    The current system has more input sources than the old one did. There are weather alerts, and now even child abduction alerts. If there's ever a phony message, it will probably come from some "authorized" input source.

    A detailed history is here.

  4. Re:A good reason *not* to keep these things secret by RadioTV · · Score: 3, Informative

    This system is not now and never was a secret. You can go to any TV or radio station and talk to any broadcast engineer, announcer, master control operator or station manager. They all can explain the basics of how the system works.

    --
    I have great faith in fools - self confidence my friends call it. - Edgar Allan Poe
  5. Re:A good reason *not* to keep these things secret by Digital+Avatar · · Score: 5, Informative

    Not only that, but you can find the format for EAS messages on Wikipedia, along with an overview of SAME headers and messages.

    EAS has never been a secret. Neither was EBS, nor CONELRAD. HAND.

  6. It isn't as bad as it sounds. by Kiryat+Malachi · · Score: 5, Informative

    Yes, its based on low-speed modem transmissions over public airwaves. What wasn't mentioned is:

    The low-speed transmissions are done by 'primary' stations, who have big transmitters. 'Secondary' stations choose primary stations to monitor, and retransmit the alerts the primary stations transmit.

    The low-speed transmissions are done on their broadcast frequency.

    So, you know what you need to exploit this? Locally, you need to know which local station(s) is/are primary, and a transmitter big enough to override the monitored signal, or a group of transmitters big enough to override the monitored signal at each of the monitoring antennas.

    Nationally, you would need to do this for EVERY primary station.

    It isn't perfect, but its actually pretty reasonable security. A far bigger threat would be someone who could inject a believable warning into the primary systems, and even there, I'm not so certain its really a worry (see: 1970s NORAD mistake that no one broadcast).

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
  7. Been following EAS/EBS for a while... by Etcetera · · Score: 4, Informative


    It truly was designed for a different era, but has its uses even today. Virtually all weather emergency bulletins are sent out via the EAS protocols today, which doesn't normally affect people in, say, Silicon Valley, but makes a big difference in Tornado Alley and in Florida right now.

    A few miles from here there was a fire at a chemical factory in La Mesa, CA... I was sitting there watching something on a high-cable channel when I hear a tone and see scrolling text at the top of the screen advising me to evacuate the area. Thank you EAS, and thank you Cox Cable.

    When San Diego had its Cedar Fire in 2003 (largest fire in the history of CA, which altered everyone here's life) the EAS was used by the NWS, FD, and PD to provide information on evacuation across all channels on the cable systems (not sure about the radio, they might have been covering that themselves).

    The California Office of Emergency Services has a Emerg. Digital Info Service that uses some of the same technology and protocols as well (includes the much-reknowned AMBER alerts).

    Don't think that this is some relic, this is used and tested on at least a weekly basis nationwide (SD Info).

    That being said, efforts to modernize and update things are great. I'd like to see some sort of emergency protocol for data packets, similar to the emergency phone service that allows infrastructure workers' phone calls to have priority in the midst of an emergency. There should be a EAS sitatuion website that is update out-of-bounds and is replicated (through some fancy AS routing) to servers all across the country, so it's always accessible. Think of a FEMA-run Akamai.

    The company I work for was even considering some way to allow people to have EDIS/EAS alerts pop up (via Messenger service or some other client) whenever they were released for the area they're in (won't work because of all the RFC1918 space they use :\).

    Emergency Alert Systems, and Civil Defense systems in general ARE still around, and ARE working within their original intent, but more public attention needs to be brought to them, so that all know about them. It's not so much security, but having more eyes on them will undoubtedly help suggest further improvements.

    And I agree with the earlier poster... ANYONE who hacks a system like this deserves the 20 years of time they'll get. That's just dumb. It's on a par with DOSing a 911 call center. Don't do it. You WILL cause loss of life and NO ONE will have any sympathy when you go to prison for a very, very long time. In fact, I'd love to help catch you.

    --
    Hire a Linux system administrator, systems engineer,
  8. Tell us something new? by t_allardyce · · Score: 3, Informative

    Nice to know terrorism is really being taken care of seriously, so between this, voting and letting anything onto a plane that the tabaco companies deem ok, what else isnt working? the next terrorism incident will strike terror into everyone not because of fire and death but because they will suddenly realise their worst fear - that the people incharge are all idiots!

    --
    This comment does not represent the views or opinions of the user.
  9. Re:Dear FCC by MasterSLATE · · Score: 3, Informative

    In regards to your mention of Sept. 11....

    As a NYC area citizen who was affected by that tragedy, I would like to point out that at no time during the day did the EAS even get used, at least in my view. I never saw it go off on any of the many channels we were flipping through.

    --

    [sig]www.masterslate.org[/sig]