Slashdot Mirror
Emergency Alert System Insecure
glebe writes "The U.S. Emergency Alert System used to issue disaster warnings and other alerts over T.V. and radio is vulnerable to spoofing and denial-of-service attacks, SecurityFocus is reporting. Apparently, 'the EAS was built without basic authentication mechanisms, and is activated locally by unencrypted low-speed modem transmissions over public airwaves.' The FCC acknowledged the security issues yesterday in a public notice seeking comment on the future of the system."
Dear FCC,
Since you asked, I thought I would weigh in with my comments about The U.S. Emergency Alert System (EAS). I think it's appalling that anyone with a 14.4 could tap into this system and alter it for their own aims. The whole system could be crashed by terrorists during an attack, compounding the devastation of any terrorist attack by cutting off access to the system, or providing false and possibly deadly information. For example, during the 9/11 attacks the EAS could have directed people to return to their desks in the WTC, magnifying the losses suffered that day.
I suggest you rebuild the EAS and take it offline until such a time that it can be secure.
>... the EAS is designed to allow the President to interrupt television and radio programming and speak directly to the American people in the event of an impending nuclear war, or a similarly extreme national emergency.
With the audio capabilities available today, it would be quite possible to dupe the public into thinking they were listening to George Bush, when in fact they were listening to the words of Osama bin Laden. And with the stuff Bush has been saying lately, the public might actually believe it was Bush no matter how insane the babble was!
Somehow you would want to have a method for ensuring the audio was legit, encrypted and unaltered. I'm sure there are many ways to do this today, so I'm not really sure why you're asking me! Throw up a bunch of secure pipes and give the president access to them. Come up with a way to keep his message secure. Yeah, it's going to be expensive, but not as costly as 80,000 employees of the WTC returning to their offices because the EAS said it was "just a test".
Kind Regards,
Scott
The dangers of knowledge trigger emotional distress in human beings.
I've always thought things like this were insecure. When I was in
:)
high school, I wanted to make a device to activate the tornado siren.
I figured I could just implement a simple replay attack. I never got
around to researching what frequency the signal was broadcast on, and
I didn't know how to record the signal once I knew where to get it
from. But it seems simple:
record when they do the monthly test, replay whenever. Panic everyone. Good
fun.
Apparently if you modify various bits you can make them play different
sounds and even broadcast voice. Plenty of fun to be had there.
If anyone has done anything like this, I'd be interested in knowing,
just so I don't have to get myself hauled off to jail trying to do it
myself
fp?
My other car is first.
10 bucks for whoever can get all of Nevada to evacuate due to imminent flooding.
after a mysterious color purple alert was issued. Officials believe it was the work of slashdot user outraged at the horrible color schemes on the popular news for nerds website.
to give you this emergency message: ``Are your mortgage rates skyrocketing? Are your sexual organs too small? Do you have more money than brains? You can solve all of these problems by purchasing SUPER-VIAGRA! . . . and something about a tornado.''
MOUNT TAPE U1439 ON B3, NO RING
Conan + EAS + Bush picture + manlips = endless possibilities...
If you have to ask, you'll never know.
...how long until primetime television is interrupted so that we may be informed that 'all your base are belong to us'?
This is yet another example why keeping infrastructure details secret is a bad idea. It's security through obscurity in the real world, and removes any incentive to actually fix these things. Now that there is a public report about it, there's at least a chance that pressure can be brought to bear, and get it fixed.
Well the above letter was kind of a joke. I mean, there were flames shooting out of the buildings!
But the seriousness of the insecure EAS could have been much more deadly. Like if a nuke was detonated and people were told that some city was safe to return to, even when in reality a bunch of nuclear fallout was starting to cling to everything within miles of the blast.
I'm not sure how effective hacking the EAS would be, but I am damn sure I wouldn't want to find out. I say, take it offline until they can secure it (and I don't mean by getting Diebold involved).
The dangers of knowledge trigger emotional distress in human beings.
Use this to replay a nation wide brown note. Also good fun. Buy stock in American Standard.
Oh my god! The russians are attacking!!!!!
Free Software: Like love, it grows best when given away.
During the 9-11 attacks, did that beep come on the TV and radio? Some commedians have joked that it didn't so I don't know. I got my news from the web -- bbc.co.uk was fairly, and the local radio announcers gave the info as they saw it. Did the gov't even try to use the Emergency Alert System? Seriously, I thought the alert was just for a nuclear attack by the USSR, never ment to be anything more than that -- a useless anachronism since the 1970's. Sounds like another group of buearucrats who want some of the Patriot Act resources to pad a sagging budget.
Almost two years old, in fact:
http://www.securityfocus.com/news/613
I'm sure one could find even earlier discussions of this vulnerability.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
It was reported two years ago. We'll probably hear about it in 2006 too, unless someone takes advantage of it.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
NWR Specific Area Message Encoding (SAME)
Full spec (pdf)
I'm sure it's nothing Halliburton or Diebold can't fix for $400 Million via a no-bid contract.
If they went public with this, I'd bet good money it's a precursor to an already set up proposal from a well-connected contractor who wants to ride the wave of public fear all the way to ten times the cost of fixing it.
...don't fix it.
Seriously. We don't have to coat everything in 50 feet of kevlar, spaced 100 feet apart and communicating with 1GB encryption keys.
Unencrypted broadcasting modem: scales well and very cost-effective.
When it was made, that wouldn't have been a problem. It was put in to repeat a message sent in the event of soviet nuclear attack. Each node would relay to all the other nodes. Of course, modem technology was rather scarce at the time, so security wasn't the top concern. This thing was never designed for security.
This is one of the few times where I can see hacking as terrorism. If you hack this, you are, in my eyes and in those of the law, a terrorist. Leave this one be.
Since when has this country used intellectual elite as a pejorative term?
That said - don't y'all sprain yer hamstrings to jump up and point fingers at the "government" or twist this into an open-source vs. closed source issue.
Every system is designed in relation to its operating environment. The EBS was originally designed for a far more benign environment than exists today. I bet the primary goal of the designers was to come up with a system that was simple and effective and would work even if large parts of the power grid and the telephone network collapsed. It is inconceivable that they did not ask themselves if they needed bullet-proof authentication mechanisms - it is equally probable that they discarded that requirement as being potentially failure-prone. Given the fairly benign security environment that they designed for, and given the technology available and the overarching goal of simplicity - they cam up with what is really quite functional.
And then the world changed (surprise, surprise). the environment that surrounded the EMS changed, rapidly and unpredictably. Where previously it was safe to assume that natural disasters would bring people in the community together to work in co-operation to face the threat, we now wonder which sleeper cells activate in these situations. The comfortable security blanket of yore that RipVanVinkle aka RVV dozed is suddenly yanked off - exposing us to the elements.
Its like waking up one day in the shadow of a dam and suddenly seeing a thousand leaks in it. The small leaks have always been there - all dams leak and sweat a little. But now we know that there are people out there that seek to widen the cracks and stuff them with C4 and stick some fulminate in them (amazing how much chemistry you can pick up from the newspapers isnt it?). So RVV franctically tries to seal the leaks in the dam. Paranoia? Perhaps.
The real tragedy is that the time that should be spent tending to his crops, playing with his children, making hot, sweaty love to his wife and dreaming big dreams in his afternoon nap is now spent in searching and classifying and closing the leaks in the dam.
Will RipVanVinkle make his dam perfect? Can any dam be made perfectly leak free? Go figure.
See that long UID - that's what you get for lurking too long
On February 21, 1971, an alert message announcing a nuclear war was sent over the teletype network by accident. Somebody at NORAD loaded the wrong paper tape. Almost no stations broadcast the message. One station in Florida actually did. After that, NORAD lost their authority to send emergency action messages on their own.
The current system has more input sources than the old one did. There are weather alerts, and now even child abduction alerts. If there's ever a phony message, it will probably come from some "authorized" input source.
A detailed history is here.
Yes, its based on low-speed modem transmissions over public airwaves. What wasn't mentioned is:
The low-speed transmissions are done by 'primary' stations, who have big transmitters. 'Secondary' stations choose primary stations to monitor, and retransmit the alerts the primary stations transmit.
The low-speed transmissions are done on their broadcast frequency.
So, you know what you need to exploit this? Locally, you need to know which local station(s) is/are primary, and a transmitter big enough to override the monitored signal, or a group of transmitters big enough to override the monitored signal at each of the monitoring antennas.
Nationally, you would need to do this for EVERY primary station.
It isn't perfect, but its actually pretty reasonable security. A far bigger threat would be someone who could inject a believable warning into the primary systems, and even there, I'm not so certain its really a worry (see: 1970s NORAD mistake that no one broadcast).
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)
Its just a phase. I was insecure too when I was tht young.
________________________
Huh?
I don't think that the people you need to be concerned about gaining access to the system are really going to care about prison sentences.
It truly was designed for a different era, but has its uses even today. Virtually all weather emergency bulletins are sent out via the EAS protocols today, which doesn't normally affect people in, say, Silicon Valley, but makes a big difference in Tornado Alley and in Florida right now.
A few miles from here there was a fire at a chemical factory in La Mesa, CA... I was sitting there watching something on a high-cable channel when I hear a tone and see scrolling text at the top of the screen advising me to evacuate the area. Thank you EAS, and thank you Cox Cable.
When San Diego had its Cedar Fire in 2003 (largest fire in the history of CA, which altered everyone here's life) the EAS was used by the NWS, FD, and PD to provide information on evacuation across all channels on the cable systems (not sure about the radio, they might have been covering that themselves).
The California Office of Emergency Services has a Emerg. Digital Info Service that uses some of the same technology and protocols as well (includes the much-reknowned AMBER alerts).
Don't think that this is some relic, this is used and tested on at least a weekly basis nationwide (SD Info).
That being said, efforts to modernize and update things are great. I'd like to see some sort of emergency protocol for data packets, similar to the emergency phone service that allows infrastructure workers' phone calls to have priority in the midst of an emergency. There should be a EAS sitatuion website that is update out-of-bounds and is replicated (through some fancy AS routing) to servers all across the country, so it's always accessible. Think of a FEMA-run Akamai.
The company I work for was even considering some way to allow people to have EDIS/EAS alerts pop up (via Messenger service or some other client) whenever they were released for the area they're in (won't work because of all the RFC1918 space they use
Emergency Alert Systems, and Civil Defense systems in general ARE still around, and ARE working within their original intent, but more public attention needs to be brought to them, so that all know about them. It's not so much security, but having more eyes on them will undoubtedly help suggest further improvements.
And I agree with the earlier poster... ANYONE who hacks a system like this deserves the 20 years of time they'll get. That's just dumb. It's on a par with DOSing a 911 call center. Don't do it. You WILL cause loss of life and NO ONE will have any sympathy when you go to prison for a very, very long time. In fact, I'd love to help catch you.
Hire a Linux system administrator, systems engineer,
Nice to know terrorism is really being taken care of seriously, so between this, voting and letting anything onto a plane that the tabaco companies deem ok, what else isnt working? the next terrorism incident will strike terror into everyone not because of fire and death but because they will suddenly realise their worst fear - that the people incharge are all idiots!
This comment does not represent the views or opinions of the user.
They could have already set up monitors that could very quickly traingulate the source of an interference, while in parallel secretly laying down a secure system. Then by encouraging press coverage of the security holes, they would raise the possibility of a terrorist trying to use said security holes, and in doing so, give up their location.
Puting on my meta-tin-foil-hat.
As a broadcast engineer, this system was IMO, broken from the gitgo.
However, let me also point out that the huge majority of the system, if it all worked, which is rare, is secure in that the average stations gear can only accept input from the designated primary station in the area, and the NWS services which are also a part of the "network".
The rest of the secondary sites in a given area are proscribed from the generation of any spurious information by the FCC, with the penalties being both uncontestable, and damned expensive for the offender who originated the false message.
The rest of the problem is its dependability. The local system here has to jump the NRAO Quiet Zone, and is I believe now a satellite link, itself a huge problem in the event of an emp from an atomic device on the same side of the planet, or solar flares also can potentially render the link useless.
Once you get the alert up here from star city, then you have the problem of poorly designed gear foisted off on us broadcasters by the relatively short timetable mandated by the last methodology change about 15 years ago. That gear is now failing, and the maker, who was probably incorporated just to peddle the things, has since found it impossible to survive on the expendables the system requires, like its printers unique thermal paper etc. No schematics were furnished without a lot of yelling and screaming on our part, and sending it back for expert service? Fugetaboudit. Expert service does not exist in many cases.
And then the commission wants to fine us 27,000 per malfunction to boot. Most of the failures are beyond our control as the testing frequency is not sufficient to locate a malfunction before its a real malfunction.
Yes, its broken, hopelessly so. It needs to be replaced with something that actually works AND is secure from outside attacks.
And it needs to be stated up front that anyone with an idea of sueing the users for using an unknown submarine patent they ran to the patent office and got a patent on after the system was developed, will do jail time until such time as the system is declared unusable as this one s/b now. We went thru that already with this system, some jerk, smelling an easy dollar, ran and got a patent on it from our slumbering USTPO and sent all of us letters demanding $1500 a year for a license to use the system that was developed and mandated by the government. I think all of us were in close harmony during the chorus that told the commission and the equipment makers to pay it, we weren't about to pay annually for something that was mandated by them once we had purchased the original gear and installed it.
They faded away into the slime from whence they came eventually, and the patent was eventually set aside, or so we are being told.
Yah, we need a new system, one considerably more well thought out than this one ever was.
--
Cheers, Gene
Let us remember there is no such thing as "secure" there is only more secure. Don't rate this "100% funny" its not funny at all.
411 Y0UR 8453 4R3 8310NG 70 U5!! -NSA
The whole point of public key cryptography is you DON'T need to have a shared secret. It doesn't matter who gets hold of the public key so long as everyone keeps their private keys secure. Broadcasting public keys is fine.
Oolite: Elite-like game. For Mac, Linux and Windows
EAS is trigged by unencrypted slow-modem-like broadcasts over the broadcast airwaves. That is, station A has a machine that listens to station B, and when station B broadcasts an alert that needs to be heard on station A, a magic box interrupts programming to broadcast the alert.
Sure, there's no tech security in the EAS system itself, but there is plenty of physical security at any TV or radio station under the jurisdiction of the FCC. To put it bluntly, if their broadcast signal is overtaken by a hacker by any means, that station is at risk of having its ability to do business taking away from them forever by losing their license.
To create a false EAS message, an attacker would need to know what stations monitors what other stations in the EAS network, and also be able to overtake on of those statioons to get their own broadcast on the air. This just plain isn't likely... not to mention whatever public panic might be created would be mitigated by the real EAS system quickly publishing a "Ignore last message, we've lost control of our system!" message.
Why?
All you need is a central signing authority a la SSL websites. Everyone has a copy of the CA's key hardcoded into their emergency receiver equipment. You just have to make bloody sure the CA is never compromised (and there are ways to do that - the current SSL CAs seem to be remaining secure).
The bit that you distribute - the CA root cert in your box - can be sent out publically. It doesn't need a secure distribution channel.
This would be an entirely appropriate level of security for an emergency broadcast system.
Oolite: Elite-like game. For Mac, Linux and Windows