- Seattle socialist: Minimum-wage discussion skewed by ‘right-wing’ GAO analysis
- U.N. warns of Muslim ‘cleansing’ in Central African Republic
- Senate blocks change to military sex assault cases
- Drug mix may have cured child born with HIV, doctors say
- De Blasio’s wife irks former mansion chef with ‘servant’ remark
- Russia’s neighbors shiver amid Putin’s Cold War moves in Ukraine
- New SAT: The essay portion is to become optional
- Military group can’t march to honor the fallen at Boston Marathon due to security changes
- Senate passes bills deleting ‘retarded’ from laws
- China announces biggest military hike in 3 years: We are not ‘boy scouts with spears’
Over-the-air alerts for emergencies are vulnerable to hacking
The Emergency Alert System designed to warn the public about severe weather and potential disasters can be hacked easily by terrorists, criminals and even pranksters.
"The vulnerabilities we found allow a hacker to get full control," said Gunter Ollmann, chief technology officer of IOActive, a computer security firm. "With that control, you could send out your own emergency alerts, or even pre-empt the signal from the station with your own broadcast."
In February, computer intrusions at TV stations in California, Michigan, Montana and New Mexico enabled hackers to broadcast fake warnings of a zombie apocalypse. "The bodies of the dead are rising from their graves and attacking the living," ran one message.
"I'm surprised it hasn't happened more often," said Mr. Ollmann.
IOActive security engineers found the vulnerabilities late last year in devices that broadcasters recently had begun installing to receive Internet alerts from state emergency management agencies and other authorized users.
"These are basic vulnerabilities, easily found and exploited using popular automated tools," Mr. Ollmann said. "Any developer with any training in writing secure software should know that you don't leave equipment with default passwords or include encryption keys" in publicly available software updates.
Officials said the flaws have been fixed, but Mr. Ollmann noted that there are more devices with the vulnerabilities now than when his company first found the flaw.
The new devices are part of an update to the Emergency Alert System, which dates back to the days of the U.S.-Soviet nuclear standoff and is designed to allow the president to address the nation by pre-empting broadcasters' programming with as little as 10 minutes notice.
The new Integrated Public Alert and Warning Systems (IPAWS) joins the Emergency Alert System to several newer systems, such as the National Oceanic and Atmospheric Administration's Weather Radio All Hazards warning system and the Commercial Mobile Alert System, which delivers messages via text.
When fully deployed, IPAWS will take advantage of cellular, satellite and Internet technology to deliver video and audio messages via mobile devices and social media in addition to existing broadcast and text messages — all activated by an Internet-based communication system.
IPAWS is one of the reforms adopted in the wake of the botched federal response to Hurricane Katrina in 2005.
As part of the IPAWS rollout, the alert-routing and broadcast devices have been connected for the first time to the public Internet, making them vulnerable to hacking.
The Emergency Alert System and IPAWS are managed jointly by the Federal Emergency Management Agency, part of the Department of Homeland Security, and by the Federal Communications Commission.
FEMA declined to make anyone available for comment.
In a brief statement, a spokesman said the vulnerability identified by IOActive were "fixed about two months ago as part of a software update provided by the manufacturer." He did not respond to additional questions.
The manufacturer says it is urging customers to take action to secure their devices by installing the software update and ensuring that the devices are shielded from the Internet behind firewalls.
"Broadcasters should check in periodically with the manufacturer to see if there have been any additional software updates," said Ed Czarnecki of Monroe Electronics/Digital Alert Systems in Lyndonville, NY.
Of the "thousands of units" that had been installed, "fewer than 2.8 percent of our customer base have not yet taken action" to remediate the vulnerability, Mr. Czarnecki said.
He also rejected charges that the company had moved too slowly, saying the firm is "in lockstep" with the federal agencies that manage the system.
"This is a national security system, you don't just act unilaterally," he said.
© Copyright 2014 The Washington Times, LLC. Click here for reprint permission.
About the Author
Shaun Waterman is an award-winning reporter for The Washington Times, covering foreign affairs, defense and cybersecurity. He was a senior editor and correspondent for United Press International for nearly a decade, and has covered the Department of Homeland Security since 2003. His reporting on the Sept. 11 Commission and the tortuous process by which some of its recommendations finally became ...
- Senator's memo shows Iran links in Homeland Security's troubled immigration program
- Help wanted: Homeland Security plagued by vacancies at the top
- Dems back bill to fix problems in investor visa program
- Democrats proceed with Mayorkas vote despite pending investigation
- Game players don't think peace has a chance in Syria
Latest Blog Entries
TWT Video Picks
By Tammy Bruce
- Aronofsky's 'Noah' banned in Qatar, Bahrain, United Arab Emirates
- AP Exclusive: Man said to create bitcoin denies it
- Back to the Future: HUVr Tech marketing video goes viral with hoverboard release tease
- Russias Putin nominated for Nobel Peace Prize
- Putin has transformed Russian army into a lean, mean fighting machine
- Unemployment insurance vote could happen next week
- First pot business license issued in Washington
- 1M kids stop school lunch due to Michelle Obamas food standards
- Bill Clinton poses for photo with Bunny Ranch prostitutes
- U.S. tasks Navy destroyer to Black Sea amid Ukraine tensions
Pope Francis meets his 'mini-me'
Celebrity deaths in 2014
Winter storm hits states — again