- Gentlemen, start your drones: Judge’s ruling opens door for commercial use
- Soldier who hid, bragged about not saluting flag to be punished — in secret
- ‘Maverick’ of the seas: ‘Top Gun’ school for U.S. ship officers to launch
- Putin declares Sochi Paralympics open amid Ukrainian protest
- ‘In Jesus name, we pray’ sparks ire at Ohio council meeting
- Navy’s first laser weapon ready for prime time; drone killer to deploy this summer
- Billionaire backer: Rick Santorum ‘needs to be heard’ in 2016
- Obamacare fallout: 49 percent pessimistic; 45 percent ‘scared’
- DHS accused of holding U.S. citizen at airport, using emails to pry into her sex life
- Seattle socialist: Minimum-wage discussion skewed by ‘right-wing’ GAO analysis
Over-the-air alerts for emergencies are vulnerable to hacking
The Emergency Alert System designed to warn the public about severe weather and potential disasters can be hacked easily by terrorists, criminals and even pranksters.
"The vulnerabilities we found allow a hacker to get full control," said Gunter Ollmann, chief technology officer of IOActive, a computer security firm. "With that control, you could send out your own emergency alerts, or even pre-empt the signal from the station with your own broadcast."
In February, computer intrusions at TV stations in California, Michigan, Montana and New Mexico enabled hackers to broadcast fake warnings of a zombie apocalypse. "The bodies of the dead are rising from their graves and attacking the living," ran one message.
"I'm surprised it hasn't happened more often," said Mr. Ollmann.
IOActive security engineers found the vulnerabilities late last year in devices that broadcasters recently had begun installing to receive Internet alerts from state emergency management agencies and other authorized users.
"These are basic vulnerabilities, easily found and exploited using popular automated tools," Mr. Ollmann said. "Any developer with any training in writing secure software should know that you don't leave equipment with default passwords or include encryption keys" in publicly available software updates.
Officials said the flaws have been fixed, but Mr. Ollmann noted that there are more devices with the vulnerabilities now than when his company first found the flaw.
The new devices are part of an update to the Emergency Alert System, which dates back to the days of the U.S.-Soviet nuclear standoff and is designed to allow the president to address the nation by pre-empting broadcasters' programming with as little as 10 minutes notice.
The new Integrated Public Alert and Warning Systems (IPAWS) joins the Emergency Alert System to several newer systems, such as the National Oceanic and Atmospheric Administration's Weather Radio All Hazards warning system and the Commercial Mobile Alert System, which delivers messages via text.
When fully deployed, IPAWS will take advantage of cellular, satellite and Internet technology to deliver video and audio messages via mobile devices and social media in addition to existing broadcast and text messages — all activated by an Internet-based communication system.
IPAWS is one of the reforms adopted in the wake of the botched federal response to Hurricane Katrina in 2005.
As part of the IPAWS rollout, the alert-routing and broadcast devices have been connected for the first time to the public Internet, making them vulnerable to hacking.
The Emergency Alert System and IPAWS are managed jointly by the Federal Emergency Management Agency, part of the Department of Homeland Security, and by the Federal Communications Commission.
FEMA declined to make anyone available for comment.
In a brief statement, a spokesman said the vulnerability identified by IOActive were "fixed about two months ago as part of a software update provided by the manufacturer." He did not respond to additional questions.
The manufacturer says it is urging customers to take action to secure their devices by installing the software update and ensuring that the devices are shielded from the Internet behind firewalls.
"Broadcasters should check in periodically with the manufacturer to see if there have been any additional software updates," said Ed Czarnecki of Monroe Electronics/Digital Alert Systems in Lyndonville, NY.
Of the "thousands of units" that had been installed, "fewer than 2.8 percent of our customer base have not yet taken action" to remediate the vulnerability, Mr. Czarnecki said.
He also rejected charges that the company had moved too slowly, saying the firm is "in lockstep" with the federal agencies that manage the system.
"This is a national security system, you don't just act unilaterally," he said.
© Copyright 2014 The Washington Times, LLC. Click here for reprint permission.
About the Author
Shaun Waterman is an award-winning reporter for The Washington Times, covering foreign affairs, defense and cybersecurity. He was a senior editor and correspondent for United Press International for nearly a decade, and has covered the Department of Homeland Security since 2003. His reporting on the Sept. 11 Commission and the tortuous process by which some of its recommendations finally became ...
- Senator's memo shows Iran links in Homeland Security's troubled immigration program
- Help wanted: Homeland Security plagued by vacancies at the top
- Dems back bill to fix problems in investor visa program
- Democrats proceed with Mayorkas vote despite pending investigation
- Game players don't think peace has a chance in Syria
Latest Blog Entries
TWT Video Picks
Taxpayers must pay the freight for over-budget train projects
- Kim Jong-un calls for execution of 33 Christians
- Rand Paul wins 2014 CPAC straw poll, Ted Cruz finishes a distant second
- Bill Clinton cashes in on struggling nonprofit hospital
- Vietnam says it may have found door of missing Malaysian jet as intel look into stolen passports
- CPAC 2014 straw poll results
- Bill Clinton poses for photo with Bunny Ranch prostitutes
- PIPES: Islam's inadvertent adverse effects on adherents
- CARSON: Why did the founders give us the Second Amendment?
- Italy outraged over U.S. gun dealer's 'David' ad
- WEBER: Obamacare cuts home healthcare for millions of seniors
Pope Francis meets his 'mini-me'
Celebrity deaths in 2014
Winter storm hits states — again