- House passes VA reform compromise
- Obama admin to blame for HealthCare.gov woes, $840M cost: GAO
- Al Gore’s climate-changers at EPA hearings foiled by cool temperatures
- Army’s 3-D printed bombs will create ‘a whole new universe’ of deadly capabilities
- Hamas calls on Hezbollah to join in fight against Israel
- Senators to FIFA, others: Don’t reward Putin with the World Cup in 2018
- U.S. condemns Israeli shelling of shelter in Gaza
- Obamacare shoots premiums up by 88 percent in California
- Chicken pox outbreak puts illegal immigrant facility on lockdown
- Obama to Republicans: ‘Stop just hatin’ all the time’
Over-the-air alerts for emergencies are vulnerable to hacking
Question of the Day
The Emergency Alert System designed to warn the public about severe weather and potential disasters can be hacked easily by terrorists, criminals and even pranksters.
“The vulnerabilities we found allow a hacker to get full control,” said Gunter Ollmann, chief technology officer of IOActive, a computer security firm. “With that control, you could send out your own emergency alerts, or even pre-empt the signal from the station with your own broadcast.”
In February, computer intrusions at TV stations in California, Michigan, Montana and New Mexico enabled hackers to broadcast fake warnings of a zombie apocalypse. “The bodies of the dead are rising from their graves and attacking the living,” ran one message.
“I’m surprised it hasn’t happened more often,” said Mr. Ollmann.
IOActive security engineers found the vulnerabilities late last year in devices that broadcasters recently had begun installing to receive Internet alerts from state emergency management agencies and other authorized users.
“These are basic vulnerabilities, easily found and exploited using popular automated tools,” Mr. Ollmann said. “Any developer with any training in writing secure software should know that you don’t leave equipment with default passwords or include encryption keys” in publicly available software updates.
Officials said the flaws have been fixed, but Mr. Ollmann noted that there are more devices with the vulnerabilities now than when his company first found the flaw.
The new devices are part of an update to the Emergency Alert System, which dates back to the days of the U.S.-Soviet nuclear standoff and is designed to allow the president to address the nation by pre-empting broadcasters’ programming with as little as 10 minutes notice.
The new Integrated Public Alert and Warning Systems (IPAWS) joins the Emergency Alert System to several newer systems, such as the National Oceanic and Atmospheric Administration’s Weather Radio All Hazards warning system and the Commercial Mobile Alert System, which delivers messages via text.
When fully deployed, IPAWS will take advantage of cellular, satellite and Internet technology to deliver video and audio messages via mobile devices and social media in addition to existing broadcast and text messages — all activated by an Internet-based communication system.
IPAWS is one of the reforms adopted in the wake of the botched federal response to Hurricane Katrina in 2005.
As part of the IPAWS rollout, the alert-routing and broadcast devices have been connected for the first time to the public Internet, making them vulnerable to hacking.
The Emergency Alert System and IPAWS are managed jointly by the Federal Emergency Management Agency, part of the Department of Homeland Security, and by the Federal Communications Commission.
FEMA declined to make anyone available for comment.
In a brief statement, a spokesman said the vulnerability identified by IOActive were “fixed about two months ago as part of a software update provided by the manufacturer.” He did not respond to additional questions.
The manufacturer says it is urging customers to take action to secure their devices by installing the software update and ensuring that the devices are shielded from the Internet behind firewalls.
“Broadcasters should check in periodically with the manufacturer to see if there have been any additional software updates,” said Ed Czarnecki of Monroe Electronics/Digital Alert Systems in Lyndonville, NY.
Of the “thousands of units” that had been installed, “fewer than 2.8 percent of our customer base have not yet taken action” to remediate the vulnerability, Mr. Czarnecki said.
He also rejected charges that the company had moved too slowly, saying the firm is “in lockstep” with the federal agencies that manage the system.
“This is a national security system, you don’t just act unilaterally,” he said.
© Copyright 2014 The Washington Times, LLC. Click here for reprint permission.
About the Author
Shaun Waterman is an award-winning reporter for The Washington Times, covering foreign affairs, defense and cybersecurity. He was a senior editor and correspondent for United Press International for nearly a decade, and has covered the Department of Homeland Security since 2003. His reporting on the Sept. 11 Commission and the tortuous process by which some of its recommendations finally became ...
- Senator's memo shows Iran links in Homeland Security's troubled immigration program
- Help wanted: Homeland Security plagued by vacancies at the top
- Dems back bill to fix problems in investor visa program
- Democrats proceed with Mayorkas vote despite pending investigation
- NSA monitored 'World of Warcraft' players
Latest Blog Entries
TWT Video Picks
- Geraldo Rivera: Matt Drudge 'doing his best to stir up a civil war'
- Al Gore's climate-changers at EPA hearings foiled by cool temperatures
- Catholic League slams Obama: 'Do Christian lives mean so little to you?'
- Lois Lerner hated conservatives, new emails show
- HURT: Impeaching Obama is a losing strategy for the GOP
- House unveils bill to speed deportations of illegal immigrant children
- Obama thanks Muslims for 'building the very fabric of our nation'
- CARSON: Rudderless U.S. foreign policy
- Federal judge grants 90-day stay in D.C. gun case
- 'Big Bang' star Mayim Bialik helps send bulletproof vests to IDF
Obama's biggest White House 'fails'
Celebrities turned politicians
Athletes turned actors
20 gadgets that changed the world