The Emergency Alert System, intended as a last-ditch measure to enable the president to communicate to Americans in national emergencies, was hacked Monday by someone who inserted messages reporting that the nation was being attacked by zombies.
While the episode is not without humor, the hoax highlights that the EAS system is vulnerable to far more serious cyberattacks, cybersecurity experts say.
An EAS alert began unexpectedly at 8:36 p.m. on Feb 11, interrupting programming on two Michigan television stations with a message scrolling across the bottom of the screen, that read: “dead bodies are rising from their graves.” The alert also said the bodies were “attacking the living.”
In all, three Michigan TV stations were affected by the so-called “zombie” cyberattack, and another in Great Falls, Mont., was reported to have issued similar alerts. But the real problem is that such vulnerabilities could leave the nation open to fake alerts that look far more real than the “zombie” message and could potentially panic the public, broadcasters and other cybersecurity experts say.
"It isn't what they said. It is the fact that they got into the system. They could have caused some real damage," said Karole White, president of the Michigan Association of Broadcasters told Reuters. Underscoring the seriousness of the hack, federal agencies were reported to be investigating the attack – and no hacking group touted that it was responsible, as is common.
The zombie hack attack was particularly disturbing to broadcast engineers who work on the EAS system because of a series of concerns that preceded them.
The attacks followed an 11-hour outage of a key computer system that runs the Integrated Public Alert and Warning System (IPAWS) being developed by FEMA and the FCC. The system will eventually include not only the EAS, but digital capability to send alerts to cell phones and websites.
They also followed a threat by the hacktivist group “Anonymous” to disrupt President Obama’s State of the Union speech on the Internet.
In an “urgent advisory” this week, the Federal Communication Commission also required TV and radio broadcasters nationwide in the EAS to “take immediate action” including resetting passwords and securing EAS equipment “behind properly configured firewalls and other defensive measures.” The FCC did not respond by press time to requests for comment.
Cybersecurity and EAS experts both agree that at least some elements of the EAS system – which has its roots in the cold war and is intended to be a last ditch measure for the president to communicate with Americans – are vulnerable to intrusion via the Internet.
That fact was highlighted as researchers at IOActive, a Seattle cybersecurity company, reported Thursday on several vulnerabilities in EAS system equipment, which they had documented weeks earlier and reported to the US-Cyber Emergency Readiness Team, an arm of the Department of Homeland Security. IOActive experts said they expected to report those findings at a cybersecurity conference conference later this month.
But to other experts, the fact that EAS is vulnerable to being hacked is nothing new.
Matt Krick, chief engineer of New West Broadcasting Systems, Inc. an Arizona radio broadcaster, who also goes by the hacker handle "DCFluX," demonstrated a list of cyber-vulnerabilities in EAS equipment at a 2008 hacker conference. He is concerned, despite newer EAS equipment deployed since.
“The new EAS boxes have all of the same vulnerabilities I outlined 5 years ago, and more,” Mr. Krick writes in an e-mail interview. “It's like a giant electronic Swiss cheese with holes big enough to drive a truck through,” he writes. “My talk outlined the vulnerabilities of the old system in the hopes that someone would take notice and try to improve the current ‘Next generation.’ I even had people from state level EAS committees and FEMA shaking my hand and giving me their cards after the talk.”
Experts on the EAS system also agree that, despite modernized equipment, it is still vulnerable to an unknown degree. As long ago as 2004, the Federal Communications Commission pointed out the system suffers from security holes that leave it vulnerable to Internet-based attacks and could even permit hackers to issue false regional alerts.
“Security and encryption were not the primary design criteria when EAS was developed and initially implemented,” the FCC wrote in a public notice launching a review of the system at that time.
While some improvements have been made in the hardware – and new hardware required to be adopted by broadcasters – potential new vulnerabilities have been created as well, most notably, a requirement that the equipment be connected to the Internet as of June 30, 2012.
“It was absolutely true that the EAS system had vulnerabilities back then – and vulnerabilities still exist at various levels,” says Richard A. Rudman, vice chairman of the California EAS State Emergency Communications Committee. “We’ve got new equipment that has brought in a new level of concern because these EAS devices are now required to be connected to the Internet so they’re capable of receiving messages from the national level of EAS, including tests.”
Poorly configured firewalls to wall off the Internet, and default passwords, are not the end of the problem. Anything connected to the Internet is potentially vulnerable to be hacked and manipulated, Mr. Rudman and other cybersecurity experts note. But the core of the system is still safe, he maintains: the president’s ability to communicate directly to the American people.
“This zombie incident has clearly reminded people to do what should be done in the first place to properly configure firewalls and routers,” he says. “But the likelihood of someone getting into the EAS and causing a major problem throughout the country is remarkably low, almost to the point of being non-existent. Even so, the broadcast community and government are constantly looking at these concerns and trying to improve the security of the system.”