- NYT’s David Brooks: Obama has ‘manhood problem’ in Middle East
- Ted Cruz thanks Obama for denying visas to terrorists
- Survivors recall chaos, fear in Everest avalanche
- General Mills apologizes for ‘right to sue’ confusion, reverses policy
- Dealer wanted in U.S. for art fraud nabbed in Spain
- Easter morning delivery for space station
- Boxer Rubin ‘Hurricane’ Carter dies at 76
- Probe could complicate Rick Perry’s prospects
- Ukraine, Russia trade blame for eastern shootout
- Obamas head to church on Easter morning
Over-the-air alerts for emergencies are vulnerable to hacking
The Emergency Alert System designed to warn the public about severe weather and potential disasters can be hacked easily by terrorists, criminals and even pranksters.
"The vulnerabilities we found allow a hacker to get full control," said Gunter Ollmann, chief technology officer of IOActive, a computer security firm. "With that control, you could send out your own emergency alerts, or even pre-empt the signal from the station with your own broadcast."
In February, computer intrusions at TV stations in California, Michigan, Montana and New Mexico enabled hackers to broadcast fake warnings of a zombie apocalypse. "The bodies of the dead are rising from their graves and attacking the living," ran one message.
"I'm surprised it hasn't happened more often," said Mr. Ollmann.
IOActive security engineers found the vulnerabilities late last year in devices that broadcasters recently had begun installing to receive Internet alerts from state emergency management agencies and other authorized users.
"These are basic vulnerabilities, easily found and exploited using popular automated tools," Mr. Ollmann said. "Any developer with any training in writing secure software should know that you don't leave equipment with default passwords or include encryption keys" in publicly available software updates.
Officials said the flaws have been fixed, but Mr. Ollmann noted that there are more devices with the vulnerabilities now than when his company first found the flaw.
The new devices are part of an update to the Emergency Alert System, which dates back to the days of the U.S.-Soviet nuclear standoff and is designed to allow the president to address the nation by pre-empting broadcasters' programming with as little as 10 minutes notice.
The new Integrated Public Alert and Warning Systems (IPAWS) joins the Emergency Alert System to several newer systems, such as the National Oceanic and Atmospheric Administration's Weather Radio All Hazards warning system and the Commercial Mobile Alert System, which delivers messages via text.
When fully deployed, IPAWS will take advantage of cellular, satellite and Internet technology to deliver video and audio messages via mobile devices and social media in addition to existing broadcast and text messages — all activated by an Internet-based communication system.
IPAWS is one of the reforms adopted in the wake of the botched federal response to Hurricane Katrina in 2005.
As part of the IPAWS rollout, the alert-routing and broadcast devices have been connected for the first time to the public Internet, making them vulnerable to hacking.
The Emergency Alert System and IPAWS are managed jointly by the Federal Emergency Management Agency, part of the Department of Homeland Security, and by the Federal Communications Commission.
FEMA declined to make anyone available for comment.
In a brief statement, a spokesman said the vulnerability identified by IOActive were "fixed about two months ago as part of a software update provided by the manufacturer." He did not respond to additional questions.
The manufacturer says it is urging customers to take action to secure their devices by installing the software update and ensuring that the devices are shielded from the Internet behind firewalls.
"Broadcasters should check in periodically with the manufacturer to see if there have been any additional software updates," said Ed Czarnecki of Monroe Electronics/Digital Alert Systems in Lyndonville, NY.
Of the "thousands of units" that had been installed, "fewer than 2.8 percent of our customer base have not yet taken action" to remediate the vulnerability, Mr. Czarnecki said.
He also rejected charges that the company had moved too slowly, saying the firm is "in lockstep" with the federal agencies that manage the system.
"This is a national security system, you don't just act unilaterally," he said.
© Copyright 2014 The Washington Times, LLC. Click here for reprint permission.
About the Author
Shaun Waterman is an award-winning reporter for The Washington Times, covering foreign affairs, defense and cybersecurity. He was a senior editor and correspondent for United Press International for nearly a decade, and has covered the Department of Homeland Security since 2003. His reporting on the Sept. 11 Commission and the tortuous process by which some of its recommendations finally became ...
- Senator's memo shows Iran links in Homeland Security's troubled immigration program
- Help wanted: Homeland Security plagued by vacancies at the top
- Dems back bill to fix problems in investor visa program
- Democrats proceed with Mayorkas vote despite pending investigation
- Game players don't think peace has a chance in Syria
Latest Blog Entries
TWT Video Picks
Women losing coverage under Obamacare, too
- Scalia to students on high taxes: At a certain point, 'perhaps you should revolt'
- Former Ranger breaks silence on Pat Tillman death: I may have killed him
- Special Forces' suicide rates hit record levels casualties of 'hard combat'
- Army goes to war with National Guard, seizes Apache attack helicopters
- Feds approve powdered alcohol; 'Palcohol' available later this year
- NYT's David Brooks: Obama has 'manhood problem' in Middle East
- Rep. Debbie Wasserman Schultz: Vulnerable Democrats must 'run their own race'
- WILLIAMS: Bill Maher, comedian or bigot?
- U.S. Navy to turn seawater into jet fuel
- Supreme Court weighs appeal to concealed-carry gun laws
Top 10 handguns in the U.S.