Slashdot Mirror


Emergency Alert System Insecure

glebe writes "The U.S. Emergency Alert System used to issue disaster warnings and other alerts over T.V. and radio is vulnerable to spoofing and denial-of-service attacks, SecurityFocus is reporting. Apparently, 'the EAS was built without basic authentication mechanisms, and is activated locally by unencrypted low-speed modem transmissions over public airwaves.' The FCC acknowledged the security issues yesterday in a public notice seeking comment on the future of the system."

8 of 210 comments

  1. Dear FCC by mfh · Score: 5, Funny

    Dear FCC,
    Since you asked, I thought I would weigh in with my comments about The U.S. Emergency Alert System (EAS). I think it's appalling that anyone with a 14.4 could tap into this system and alter it for their own aims. The whole system could be crashed by terrorists during an attack, compounding the devastation of any terrorist attack by cutting off access to the system, or providing false and possibly deadly information. For example, during the 9/11 attacks the EAS could have directed people to return to their desks in the WTC, magnifying the losses suffered that day.

    I suggest you rebuild the EAS and take it offline until such a time that it can be secure.

    >... the EAS is designed to allow the President to interrupt television and radio programming and speak directly to the American people in the event of an impending nuclear war, or a similarly extreme national emergency.

    With the audio capabilities available today, it would be quite possible to dupe the public into thinking they were listening to George Bush, when in fact they were listening to the words of Osama bin Laden. And with the stuff Bush has been saying lately, the public might actually believe it was Bush no matter how insane the babble was!

    Somehow you would want to have a method for ensuring the audio was legit, encrypted and unaltered. I'm sure there are many ways to do this today, so I'm not really sure why you're asking me! Throw up a bunch of secure pipes and give the president access to them. Come up with a way to keep his message secure. Yeah, it's going to be expensive, but not as costly as 80,000 employees of the WTC returning to their offices because the EAS said it was "just a test".

    Kind Regards,
    Scott

    --
    The dangers of knowledge trigger emotional distress in human beings.
  2. tornado sirens too? by jrockway · Score: 5, Interesting

    I've always thought things like this were insecure. When I was in high school, I wanted to make a device to activate the tornado siren. I figured I could just implement a simple replay attack. I never got around to researching what frequency the signal was broadcast on, and I didn't know how to record the signal once I knew where to get it from. But it seems simple: record when they do the monthly test, replay whenever. Panic everyone. Good fun.

    Apparently if you modify various bits you can make them play different sounds and even broadcast voice. Plenty of fun to be had there.

    If anyone has done anything like this, I'd be interested in knowing, just so I don't have to get myself hauled off to jail trying to do it myself :)

    fp?

    --
    My other car is first.
    1. Re:tornado sirens too? by JAD lifter · Score: 5, Funny

      Somewhat maybe related... In high school we had those fire alarms that have the handle that you pull down to trigger the alarm. Well, as one of my unlucky (and stupid) friends found out, when you pulled the alarm a big blast of marking dye shot out covering your hand, arm, torso, face and everything else with a blue/black stain that was almost impossible to wash off. Needless to say he was found and busted within minutes of pulling the alarm.

  3. Okay... by Anonymous Coward · Score: 5, Funny

    10 bucks for whoever can get all of Nevada to evacuate due to imminent flooding.

  4. US Officials realized this... by bdigit · Score: 5, Funny

    after a mysterious color purple alert was issued. Officials believe it was the work of a Slashdot user outraged at the horrible color schemes on the popular news for nerds website.

  5. We interrupt this program . . . by homeobocks · Score: 5, Funny

    to give you this emergency message: ``Are your mortgage rates skyrocketing? Are your sexual organs too small? Do you have more money than brains? You can solve all of these problems by purchasing SUPER-VIAGRA! . . . and something about a tornado.''

    --
    MOUNT TAPE U1439 ON B3, NO RING
  6. Re:A good reason *not* to keep these things secret by Digital Avatar · Score: 5, Informative

    Not only that, but you can find the format for EAS messages on Wikipedia, along with an overview of SAME headers and messages.

    EAS has never been a secret. Neither was EBS, nor CONELRAD. HAND.

  7. It isn't as bad as it sounds. by Kiryat Malachi · Score: 5, Informative

    Yes, it's based on low-speed modem transmissions over public airwaves. What wasn't mentioned is:

    The low-speed transmissions are done by 'primary' stations, who have big transmitters. 'Secondary' stations choose primary stations to monitor, and retransmit the alerts the primary stations transmit.

    The low-speed transmissions are done on their broadcast frequency.

    So, you know what you need to exploit this? Locally, you need to know which local station(s) is/are primary, and a transmitter big enough to override the monitored signal, or a group of transmitters big enough to override the monitored signal at each of the monitoring antennas.

    Nationally, you would need to do this for EVERY primary station.

    It isn't perfect, but it's actually pretty reasonable security. A far bigger threat would be someone who could inject a believable warning into the primary systems, and even there, I'm not so certain it's really a worry (see: 1970s NORAD mistake that no one broadcast).

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
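
Added example (editorial, not part of the thread or of any EAS product): a receiver-side plausibility check on the SAME header mentioned in comment 6, covering the replay idea in comment 2 and the monitored-source model in comment 7. The header carries no signature, so these checks are not authentication; the sample header, station ID, `MONITORED` set and 15-minute skew are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# SAME header: ZCZC-ORG-EEE-PSSCCC(-PSSCCC...)+TTTT-JJJHHMM-LLLLLLLL-
SAME_RE = re.compile(
    r"^ZCZC-(?P<org>[A-Z]{3})-(?P<event>[A-Z]{3})"
    r"-(?P<locs>\d{6}(?:-\d{6}){0,30})"
    r"\+(?P<purge>\d{4})-(?P<issued>\d{7})-(?P<station>[^-]{8})-$"
)
ORIGINATORS = {"PEP", "CIV", "WXR", "EAS"}
# Constructed sample header (not a real alert) and monitored-source list.
SAMPLE = "ZCZC-WXR-TOR-029037+0030-1051425-KXXX/NWS-"
MONITORED = {"KXXX/NWS"}

def parse_same(header):
    """Split a SAME header into fields; raise ValueError if malformed."""
    m = SAME_RE.match(header)
    if not m:
        raise ValueError("not a well-formed SAME header")
    f = m.groupdict()
    f["locs"] = f["locs"].split("-")
    # TTTT is the valid period, written as HHMM.
    f["valid_for"] = timedelta(hours=int(f["purge"][:2]), minutes=int(f["purge"][2:]))
    return f

def issue_time(fields, now):
    """JJJHHMM carries no year; pick the year that puts it closest to `now`."""
    s = fields["issued"]
    jjj, hh, mm = int(s[:3]), int(s[3:5]), int(s[5:])
    if not (1 <= jjj <= 366 and hh < 24 and mm < 60):
        raise ValueError("impossible issue time")
    offset = timedelta(days=jjj - 1, hours=hh, minutes=mm)
    years = (now.year - 1, now.year, now.year + 1)
    stamps = [datetime(y, 1, 1, tzinfo=timezone.utc) + offset for y in years]
    return min(stamps, key=lambda t: abs(t - now))

def check_header(header, now, monitored, skew=timedelta(minutes=15)):
    """Return reasons to distrust the header (empty list = plausible)."""
    try:
        f = parse_same(header)
        issued = issue_time(f, now)
    except ValueError as e:
        return [str(e)]
    checks = [
        (f["org"] not in ORIGINATORS, "unknown originator code"),
        (f["station"].strip() not in monitored, "station ID not a monitored source"),
        (issued > now + skew, "issue time is in the future"),
        (now > issued + f["valid_for"] + skew, "expired: possible replay of an old alert"),
    ]
    return [msg for failed, msg in checks if failed]
```

Every field checked here is plaintext chosen by the sender, so a passing header is only consistent with a legitimate alert, not proof of one.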