This Is Not A Test: Vulnerability Found In US Emergency Alert System
July 9, 2013

This Is Not A Test: Vulnerability Found In US Emergency Alert System

Peter Suciu for - Your Universe Online

The United States Emergency Alert System (EAS), which can interrupt TV and radio programming with critical information about national emergencies, could have a critical flaw. The service, which has long been trusted to deliver information during a crisis, reportedly has a major vulnerability that could allow hackers to break into the system and even broadcast fake messages to the United States.

Security firm IOActive announced on Monday that it had discovered vulnerabilities in the EAS.

According to a report from IOActive, this susceptibility exists in the digital alerting systems -- DASDEC -- application servers. These are used to receive and authenticate EAS messages, and once a station receives and then authenticates the message the DASDEC can interrupt programming and overlay the message onto the broadcast, along with an alert tone.

"An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area. In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems," the IOActive Security Advisory noted.

More ominously, the advisory added, "Without access to vulnerable devices, patches, etc. it is difficult to provide recommendations on how to properly protect."

These vulnerabilities in the DASDEC were reportedly uncovered by IOActive's principal research scientist Mike Davis, who found that the affected devices are the DASDEC-I and DASDEC-II appliances.

"Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is," Davis said in a statement. "These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station's ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances."

IOActive has added that it could take a while for companies that are currently using the equipment to apply patches, and that risks of malicious attacks could still occur.

PCWorld noted that in February of this year EAS equipment belonging to broadcasters in Michigan, Montana and New Mexico were hacked, with one message warning, "that the bodies of the dead are rising from their graves and attacking the living."

The current EAS system replaced the iconic Emergency Broadcast System in 1997. That older system, which had been established in the 1960s during President John F. Kennedy's administration, had been designed to "enable the President of the United States to speak to the United States within 10 minutes" following an emergency.

Those alerts under the EBS had been passed among stations using wire services, including UPI and AP, which connected TV and radio stations around the country. As each station received an official notification it would disrupt the current broadcast. The new system does much of the same thing but can also be used locally for tornado, hurricane and other local alerts, and also transmit through analog and digital systems.

Last year the Federal Emergency Management Agency (FEMA) also launched a wireless alert system to deliver text alerts to handsets that are compatible with the alert system. Those wireless alerts were used earlier this year to warn Oklahoma residents during the recent tornadoes and during the Boston Marathon bombing aftermath to tell residents to remain indoors.