[ISN] US Emergency Alert System open to hack attack

InfoSec News isn at c4i.org
Fri Aug 13 13:03:09 EDT 2004


By Kevin Poulsen
13th August 2004 

The US Emergency Alert System (EAS) that lets officials instantly 
interrupt radio and TV broadcasts to provide emergency information in 
a crisis suffers from security holes that leave it vulnerable to 
denial of service attacks, and could even permit hackers to issue 
their own false regional alerts, federal regulators acknowledged 

"Security and encryption were not the primary design criteria when EAS 
was developed and initially implemented," the Federal Communications 
Commission (FCC) wrote in a public notice launching a review of the 
system. "Now, however, emergency managers are becoming more aware of 
potential vulnerabilities within the system. For example, the complete 
EAS protocol is a matter of public record and potentially subject to 
malicious activations or interference."

The EAS was launched in 1997 to replace the cold-war era Emergency 
Broadcast System known best for making the phrase "this is only a 
test" a cultural touchstone. Like that earlier system, the EAS is 
designed to allow the President to interrupt television and radio 
programming and speak directly to the American people in the event of 
an impending nuclear war, or a similarly extreme national emergency. 
The system has never been activated for that purpose, but state and 
local officials have found it a valuable channel for warning the 
public of regional emergencies, including the "Amber Alerts" credited 
with the recovery of 150 abducted children.

Despite its regional successes, the EAS is increasingly under fire by 
critics who charge that its national mission is obsolete in an era of 
instant 24-hour news coverage, and who deride its quaint reliance on 
analog radio and broadcast and cable television. On Thursday, the FCC 
responded by opening a formal review of the EAS, beginning a public 
comment period on how the network might be improved. One of the issues 
the FCC is probing is the security of the system.

As first reported by SecurityFocus nearly two years ago, the EAS was 
built without basic authentication mechanisms, and is activated 
locally by unencrypted low-speed modem transmissions over public 
airwaves. That places radio and television broadcasters and cable TV 
companies at risk of being fooled by spoofers with a little technical 
know-how and some off-the-shelf electronic components. Under FCC 
regulations, unattended stations must automatically interrupt their 
broadcasts to forward alerts, making it possible for even blatantly 
false information to be forwarded without first passing human 

The FCC's review follows a detailed report on the EAS produced by the 
non-profit Partnership for Public Warning (PPW) in February, which 
noted that "EAS security is now very much an issue."

"Since attacks involving chemical or biological weapons are likely to 
require use of the EAS system to provide official alert information to 
the public, it is possible that an attacker could decide to cripple 
the EAS or use it to spread damaging disinformation," reads the PPW 

With Thursday's Notice of Proposed Rulemaking, the FCC acknowledged 
the vulnerabilities "could be exploited during times of heightened 
public anxiety and uncertainty" to distribute false information to the 
public, or that alternatively the "EAS signal could be subject to 

Among the questions the FCC is pondering: how best to protect 
broadcasters from legal liability if they inadvertently rebroadcast a 
false EAS message; who should be responsible for system security; how 
can the authenticity of EAS messages be verified; and "what security 
standards, if any, should be implemented?"

"The Commission must now buckle down and do what it is we are asking 
state and local officials to do - assess vulnerabilities, create a 
plan for better service, and review and update that plan as 
communications technologies evolve," said commissioner Jonathan 
Adelstein in a statement.

There are no reported cases of the EAS vulnerabilities being 
exploited, and the PPW report concludes that the potential 
consequences of spoofing attacks are limited. "Research into the 
behavior of warning recipients suggests that a single false alarm, 
without corroboration from other credible sources, generally elicits 
only limited reaction from the public."

More information about the ISN mailing list