Why 'zombie' cyberattack is a real concern for Emergency Alert System (+video)
The Emergency Alert System was hacked this week by someone who inserted a warning that zombies were attacking the US. Funny, yes, but the vulnerabilities to cyberattack are real.
(Page 2 of 2)
That fact was highlighted as researchers at IOActive, a Seattle cybersecurity company, reported Thursday on several vulnerabilities in EAS system equipment, which they had documented weeks earlier and reported to the US-Cyber Emergency Readiness Team, an arm of the Department of Homeland Security. IOActive experts said they expected to report those findings at a cybersecurity conference conference later this month.Skip to next paragraph
Subscribe Today to the Monitor
But to other experts, the fact that EAS is vulnerable to being hacked is nothing new.
Matt Krick, chief engineer of New West Broadcasting Systems, Inc. an Arizona radio broadcaster, who also goes by the hacker handle "DCFluX," demonstrated a list of cyber-vulnerabilities in EAS equipment at a 2008 hacker conference. He is concerned, despite newer EAS equipment deployed since.
“The new EAS boxes have all of the same vulnerabilities I outlined 5 years ago, and more,” Mr. Krick writes in an e-mail interview. “It's like a giant electronic Swiss cheese with holes big enough to drive a truck through,” he writes. “My talk outlined the vulnerabilities of the old system in the hopes that someone would take notice and try to improve the current ‘Next generation.’ I even had people from state level EAS committees and FEMA shaking my hand and giving me their cards after the talk.”
Experts on the EAS system also agree that, despite modernized equipment, it is still vulnerable to an unknown degree. As long ago as 2004, the Federal Communications Commission pointed out the system suffers from security holes that leave it vulnerable to Internet-based attacks and could even permit hackers to issue false regional alerts.
“Security and encryption were not the primary design criteria when EAS was developed and initially implemented,” the FCC wrote in a public notice launching a review of the system at that time.
While some improvements have been made in the hardware – and new hardware required to be adopted by broadcasters – potential new vulnerabilities have been created as well, most notably, a requirement that the equipment be connected to the Internet as of June 30, 2012.
“It was absolutely true that the EAS system had vulnerabilities back then – and vulnerabilities still exist at various levels,” says Richard A. Rudman, vice chairman of the California EAS State Emergency Communications Committee. “We’ve got new equipment that has brought in a new level of concern because these EAS devices are now required to be connected to the Internet so they’re capable of receiving messages from the national level of EAS, including tests.”
Poorly configured firewalls to wall off the Internet, and default passwords, are not the end of the problem. Anything connected to the Internet is potentially vulnerable to be hacked and manipulated, Mr. Rudman and other cybersecurity experts note. But the core of the system is still safe, he maintains: the president’s ability to communicate directly to the American people.
“This zombie incident has clearly reminded people to do what should be done in the first place to properly configure firewalls and routers,” he says. “But the likelihood of someone getting into the EAS and causing a major problem throughout the country is remarkably low, almost to the point of being non-existent. Even so, the broadcast community and government are constantly looking at these concerns and trying to improve the security of the system.”