Can the national Emergency Alert System survive the great Zombie Apocalypse?
On a Sunday evening back in the fall of 1933, millions of radio listeners across the United States were thrown into a state of panic when they heard news alerts announcing the arrival of Martians on planet Earth. Many packed their cars with family members and possessions, fleeing into the countryside.
In fact what the radio audience heard was a portion of Orson Welles' adaptation of the well-known book, War of the Worlds by H. G. Wells. Many of the listeners believed what they heard on the radio was real because it was coming from a trusted source.
Eighty years later, residents of Great Falls, Montana, and Salt Lake City, Utah, experienced a variation on the Martian invasion theme, as the Emergency Alert System broadcast warnings of zombie attacks on Feb. 11 following what FEMA reported as hacks to the computer network through which these alerts flow. Other media stations in Michigan, California and New Mexico also broadcast warnings of the impending Zombie Apocalypse.
Standard EAS messages arrive pre-recorded and go directly into a station’s computer network system that controls emergency announcements. Unfortunately, for the stations that allowed the unfiltered news of attacking zombies to reach their respective listeners, it was a perfect storm of botched security practices. Normally, station personnel don’t or can’t interrupt EAS messages. Couple this with a lack of simple firewalls on station servers and failure to change factory default passwords on these same servers, hackers had an open door to chaos.
In 1997, the United States Emergency Alert System (EAS) replaced the older and better known Emergency Broadcast System (EBS) used to deliver local or national emergency information. The EAS is designed to "enable the President of the United States to speak to the United States within 10 minutes" after a disaster occurs. In the past, these alerts were passed from station-to-station using the Associated Press (AP) or United Press International (UPI) wire services, which connected to television and radio stations around the U.S. Whenever the station received an authenticated Emergency Action Notification (EAN), the station would manually disrupt its current broadcast to deliver the message to the public.
Today’s EAS process is simple for broadcasters. Application servers such as the DASDEC-I and DASDEC-II manufactured by Monroe Electronics/Digital Alert Systems in Lyndonville, N.Y., automatically interrupt regular programming broadcast by TV and radio stations and relay an emergency message, which is preceded and followed by alert tones. In addition to tampering with the delivery of legitimate emergency messages, attackers who use the SSH key (Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices) to log into vulnerable systems could make unauthorized changes to the server and glean potentially sensitive configure information that could lead to additional hacks.
For Ed Czarnecki Ph.D. the senior director for strategy, development & regulatory affairs for Monroe Electronics/Digital Alert Systems, makers of the compromised servers, addressing issues of zombie attacks was the last thing he thought he’d be doing in 2013.
"I never thought at my age I’d being chasing zombies," he quipped. "I hate to call the zombie incident a hack. It was a front door walk-through using a default password to compose and send out bogus alerts. Out of the thousands of devices that are out on the broadcast market there have been no reports of intrusions by customers who have the proper firewall protections in place."
Czarnecki said his company was notified in January by FEMA’s CERT officials of some potential vulnerability and began looking into it. He said they were extremely proactive, issuing a soft release of a software mitigation solution in March and a full solution in April.
"During that time we notified all of our customers of the potential vulnerabilities and the software mitigation now available from us, with the goal of initiating this software update and making sure they had all critical data behind appropriate firewalls and had replaced the default password. This was all basic network security best practices," he said. "The FCC and FEMA both released advisories in early spring to change passwords, use firewalls and make sure you installed the updated software from us."
Czarnecki is passionate about continuing the security conversation. He sees a market sector almost void of IT policies for software, access and control of networks.
"We would recommend that a community of interest around cyber security and the media industry be built. One successful outcome from all of this has been an open dialogue between the agencies and the broadcast industry and closer scrutiny on getting the industry to mandate stricter security policies," he continued. "If you can install basic firewalls on your home computers there is no reason you can’t do them same for these critical EAS systems in your facilities. You don’t have to be an IT expert. The question for the FCC is whether or not good security practices among broadcasters shall be a regulatory issue and fall under their purview.
"There is a growing public/private partnership discussion at play here as well regarding the issue of security in this niche industry sector. A huge challenge is dealing with the nature of disclosure and how it is perceived by the general public. The sensationalism of a disclosure could certainly be seen as damaging to the very nature of the EAS function and the trust the public has with broadcasters charged with delivery of the message."