Over-the-air alerts for emergencies are vulnerable to hacking
The Emergency Alert System designed to warn the public about severe weather and potential disasters can be hacked easily by terrorists, criminals and even pranksters.
“The vulnerabilities we found allow a hacker to get full control,” said Gunter Ollmann, chief technology officer of IOActive, a computer security firm. “With that control, you could send out your own emergency alerts, or even pre-empt the signal from the station with your own broadcast.”
In February, computer intrusions at TV stations in California, Michigan, Montana and New Mexico enabled hackers to broadcast fake warnings of a zombie apocalypse. “The bodies of the dead are rising from their graves and attacking the living,” ran one message.
“I’m surprised it hasn’t happened more often,” said Mr. Ollmann.
IOActive security engineers found the vulnerabilities late last year in devices that broadcasters recently had begun installing to receive Internet alerts from state emergency management agencies and other authorized users.
“These are basic vulnerabilities, easily found and exploited using popular automated tools,” Mr. Ollmann said. “Any developer with any training in writing secure software should know that you don’t leave equipment with default passwords or include encryption keys” in publicly available software updates.
Officials said the flaws have been fixed, but Mr. Ollmann noted that there are more devices with the vulnerabilities now than when his company first found the flaw.
The new devices are part of an update to the Emergency Alert System, which dates back to the days of the U.S.-Soviet nuclear standoff and is designed to allow the president to address the nation by pre-empting broadcasters’ programming with as little as 10 minutes’ notice.
The new Integrated Public Alert and Warning System (IPAWS) joins the Emergency Alert System to several newer systems, such as the National Oceanic and Atmospheric Administration’s Weather Radio All Hazards warning system and the Commercial Mobile Alert System, which delivers messages via text.
When fully deployed, IPAWS will take advantage of cellular, satellite and Internet technology to deliver video and audio messages via mobile devices and social media in addition to existing broadcast and text messages — all activated by an Internet-based communication system.
IPAWS is one of the reforms adopted in the wake of the botched federal response to Hurricane Katrina in 2005.
As part of the IPAWS rollout, the alert-routing and broadcast devices have been connected for the first time to the public Internet, making them vulnerable to hacking.
The Emergency Alert System and IPAWS are managed jointly by the Federal Emergency Management Agency, part of the Department of Homeland Security, and by the Federal Communications Commission.
FEMA declined to make anyone available for comment.
In a brief statement, a spokesman said the vulnerabilities identified by IOActive were “fixed about two months ago as part of a software update provided by the manufacturer.” He did not respond to additional questions.
The manufacturer says it is urging customers to take action to secure their devices by installing the software update and ensuring that the devices are shielded from the Internet behind firewalls.
“Broadcasters should check in periodically with the manufacturer to see if there have been any additional software updates,” said Ed Czarnecki of Monroe Electronics/Digital Alert Systems in Lyndonville, NY.
Of the “thousands of units” that had been installed, “fewer than 2.8 percent of our customer base have not yet taken action” to remediate the vulnerability, Mr. Czarnecki said.
He also rejected charges that the company had moved too slowly, saying the firm is “in lockstep” with the federal agencies that manage the system.
“This is a national security system, you don’t just act unilaterally,” he said.
© Copyright 2014 The Washington Times, LLC.
About the Author
Shaun Waterman is an award-winning reporter for The Washington Times, covering foreign affairs, defense and cybersecurity. He was a senior editor and correspondent for United Press International for nearly a decade, and has covered the Department of Homeland Security since 2003. His reporting on the Sept. 11 Commission and the tortuous process by which some of its recommendations finally became ...