[ISN] Insecurity plagues US emergency alert system

From: InfoSec News (isnat_private)
Date: Wed Sep 11 2002 - 02:04:33 PDT


    By Kevin Poulsen, SecurityFocus Online
    Posted: 10/09/2002 at 22:21 GMT

    A national alert system that gives the president the ability to take
    over the U.S. airwaves during a national crisis may inadvertently
    extend hackers the same courtesy, thanks to security holes that put
    radio stations, television broadcasters and cable TV companies at risk
    of being commandeered by anyone with a little technical know-how and
    some off-the-shelf electronic components.
    At issue is the Emergency Alert System (EAS), a nationwide network
    launched in 1997 to replace the cold-war era Emergency Broadcast
    System known best for making the phrase "this is only a test" a
    cultural touchstone. Like that earlier system, the EAS is designed to
    allow the President to interrupt television and radio programming and
    speak directly to the American people in the event of an impending
    nuclear war, or a similarly extreme national emergency. The EAS has
    never been activated for that purpose -- it was not used on September
    11th -- but state and local officials have found it a valuable channel
    for warning the public of regional emergencies, recently including the
    "Amber Alerts" credited with the recovery of several abducted children
    over the summer.
    But even with Amber's successes, the EAS is increasingly under fire by
    critics who charge that its national mission is obsolete in an era of
    instant 24-hour news coverage, and that the technology underlying it
    is deeply flawed. One of the most stinging criticisms: that the EAS is
    wildly vulnerable to spoofing, potentially allowing a malefactor to
    launch their own message that in some scenarios could quickly spread
    from broadcaster to broadcaster like a virus.
    The system works this way: The Federal Emergency Management Agency
    (FEMA) activates the EAS for a national alert through 34 radio
    stations around the country that act as "primary entry points" (PEPs)
    for the system. Those stations, typically all-news AM stations with
    powerful transmitters, immediately interrupt their programming to
    broadcast the alert on the air.
    The alert begins with a burst of data coded by a low-speed modem,
    repeated three times. It's followed by an eight-second alert tone, and
    then spoken emergency information and instructions -- or a
    presidential address -- before another burst of data terminates the

    'No Security'

    The data header is the key to the system -- it's what allows the same
    broadcast to simultaneously warn the public, and other broadcasters.
    To radio listeners, it sounds vaguely like the quacking of a duck, but
    encoded within it is a timestamp, a station identifier, a region code,
    an expiration time, and a three-letter event code identifying the type
    of alert.
    EAS boxes at hundreds of radio and TV stations are tuned in to at
    least one of the PEPs, and to them the burst is a wake-up call. The
    equipment reads the header, determines what kind of alert is being
    sounded, and then the station interrupts its programming to retransmit
    it (with its own identifier) on the air, and starts carrying the audio
    Thousands of other stations are tuned to those broadcasters, and they
    do the same, until the message has filtered all the way down the
    hierarchy, even reaching cable T.V. companies which are required to
    interrupt every channel for a national alert.
    The problem, experts say, is that the EAS data headers include no
    authentication whatsoever. That means anyone capable of following the
    specifications and with the skill to build a low-power radio
    transmitter akin to a "Mr. Microphone" toy can get their own messages
    into the system -- commandeering a radio or television station with a
    custom broadcast of their own, which would in turn be picked up by a
    cascade of other stations. An attacker could even omit the
    end-of-message indicator, leaving some stations off the air until
    engineers figure out the snafu.
    "It's very, very simple to generate those messages, and there's
    literally no security," says Richard Burgan, a Columbus, Ohio radio
    engineer who's studied the problem. "If you were to go to one of the
    stations... and get near their antenna and generate a false
    transmission, you could start an EAS message that would lock up all
    the stations down the line.... You wouldn't be able to get the whole
    state that way, but if you were to do a little research you could pick
    the right point to get the most."

    Alternative Plans Proposed

    So-called "replay attacks," in which a spoofer records and retransmits
    a genuine message, would likely be thwarted by the region code and
    expiration time in the header. But the only thing preventing someone
    from generating their own original message is the system's
    non-standard 500 baud modems. That's not much protection: the modem
    specs are published in the FCC regulations, and the technology is
    simple and slow enough to be easily emulated by any off-the-shelf PC
    with a sound card. A transmit-only modem could even be built from
    scratch with a few dollars in components, according to Burgan.
    "The only thing that's mentioned in any document I have relating to
    security is that you have to transmit the message clearly three
    times," says Burgan. "And that's not security. I think they overlooked
    it entirely because it's too complicated to do." The FCC adapted the
    EAS from an older National Weather Service system used to issue severe
    weather warnings.
    Large broadcasters have personnel assigned to handle EAS alerts
    manually, and the humans in the loop provide a common-sense bulwark
    against obviously false alerts. But many smaller stations and
    automated broadcasters turn their transmitters over to the EAS
    automatically upon receiving an alert. A false alert could trigger
    widespread panic, and undermine public confidence in genuine warnings.
    Though it's not known to have ever been exploited, the spoofing risk
    is one of the factors quietly driving calls to reform the EAS. In a
    paper published earlier this year, Columbia University researchers
    Henning Schulzrinne and Knarig Arabshian proposed enhancing the system
    with an Internet-based emergency notification system, noting that
    under the current design "it would not be hard to drive by an EAS
    receiver with a small transmitter and make it distribute a false
    Peter Ward, chairman of the Partnership for Public Warning, a
    nonprofit group formed this year to explore advanced warning systems,
    would phase out the EAS, and replace it with an all-digital network
    tied to cell phones, digital televisions and pagers, turning any
    networkable device into a "smart receiver that would know the wishes
    of the owner, and could provide them with the information they want to
    receive." He says the potential for spoofing is only one of the EAS's
    problems, and one that's "not likely to be corrected soon."

    FCC Silence

    In fact, with weak security etched into FCC standards, the system
    effectively creates open backdoors into broadcast stations across the
    country that the broadcasters are forbidden by law to secure. Burgan
    says the government should shoehorn security into the existing system,
    possibly by digitally signing EAS headers. "It wouldn't have to be
    very complicated to make it highly secure," he says. So why didn't the
    FCC build in security in the first place? "It's a classic case of
    something that was designed by committee," he says.
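    The article describes a header carrying a timestamp, a station
    identifier, a region code, an expiration time and an event code, with no
    authentication, and Burgan's proposal to digitally sign it. The receiver-
    side acceptance policy below is an added illustration, not code from the
    article or from any EAS vendor: the field names and the text encoding are
    constructed for this example (they are not the FCC's published header
    format), an HMAC under a shared placeholder key stands in for the
    public-key signature Burgan proposes, and the clock-skew allowance and
    sample timestamps are invented values. It shows how a signature check,
    the expiration time and the region code together decide whether a
    station's box relays a header, and how tampered, unsigned, replayed and
    out-of-region headers are handled.

```python
"""Receiver-side acceptance policy for a signed alert header (constructed example)."""
import hmac
import hashlib
from dataclasses import dataclass

# Placeholder key for the example; real deployments would distribute keys out of band.
SIGNING_KEY = b"example-key-not-for-use"


@dataclass(frozen=True)
class AlertHeader:
    originator: str   # station identifier of whoever issued or relayed the alert
    event_code: str   # three-letter event type ("TST" is a constructed value)
    region_code: str  # area the alert applies to (constructed naming)
    issued_at: int    # timestamp, unix seconds
    expires_at: int   # expiration time, unix seconds

    def canonical(self) -> bytes:
        """Fixed field order so sender and receiver sign exactly the same bytes."""
        fields = [self.originator, self.event_code, self.region_code,
                  str(self.issued_at), str(self.expires_at)]
        return "|".join(fields).encode()


def sign_header(hdr: AlertHeader, key: bytes = SIGNING_KEY) -> str:
    """Tag the header; the article's proposal would use a digital signature here."""
    return hmac.new(key, hdr.canonical(), hashlib.sha256).hexdigest()


class Receiver:
    """Models one station's EAS box deciding whether to relay a header."""

    def __init__(self, my_region: str, key: bytes = SIGNING_KEY):
        self.my_region = my_region
        self.key = key
        self.seen: set[tuple[str, int]] = set()  # (originator, issued_at) already relayed

    def check(self, hdr: AlertHeader, sig: str, now: int) -> str:
        """Return 'RELAY' or a short reason for not relaying."""
        # 1. Authentication: the check the current system lacks entirely.
        if not hmac.compare_digest(sign_header(hdr, self.key), sig):
            return "REJECT:bad-signature"
        # 2. Expiration: a recorded message replayed later is stale.
        if now >= hdr.expires_at:
            return "REJECT:expired"
        if hdr.issued_at > now + 60:  # 60 s clock-skew allowance, constructed value
            return "REJECT:future-timestamp"
        # 3. Region: headers for other areas are ignored rather than relayed.
        if hdr.region_code != self.my_region:
            return "IGNORE:other-region"
        # 4. Replay inside the validity window: relay each header only once.
        replay_key = (hdr.originator, hdr.issued_at)
        if replay_key in self.seen:
            return "REJECT:duplicate"
        self.seen.add(replay_key)
        return "RELAY"


def demo() -> dict:
    """Run the policy over constructed headers; returns each case's outcome."""
    now = 1_031_702_400  # constructed epoch time (11 Sep 2002 00:00 UTC)
    genuine = AlertHeader("PEP-01", "TST", "OH-CENTRAL", now, now + 900)
    sig = sign_header(genuine)
    results = {}

    rx = Receiver("OH-CENTRAL")
    results["genuine"] = rx.check(genuine, sig, now)
    results["duplicate"] = rx.check(genuine, sig, now + 5)

    # Header with no valid tag, as a transmitter without the key would send.
    results["unsigned"] = rx.check(genuine, "00" * 32, now)

    # Genuine tag attached to altered content fails the integrity check.
    tampered = AlertHeader("PEP-01", "XYZ", "OH-CENTRAL", now, now + 900)
    results["tampered"] = rx.check(tampered, sig, now)

    # A recording of the genuine burst played an hour later is expired.
    results["replayed_later"] = Receiver("OH-CENTRAL").check(genuine, sig, now + 3600)

    # A box in another region ignores the header even though it is authentic.
    results["other_region"] = Receiver("NY-METRO").check(genuine, sig, now)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} {outcome}")
```

    The order of the checks matters: the tag is verified before any field is
    trusted, so the expiration and region logic never runs on bytes that
    could have been altered in transit. A symmetric tag is used here only to
    keep the example in the standard library; with a shared key every box
    could also produce valid tags, which is why the article's signing
    proposal would give stations only a verification key.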
    Other experts say that's unfair. "I really think that the EAS has
    provided a great service, and it needed to be simple to go into these
    mom and pop radio stations, literally running their own business with
    a transmitter in the back field," says Mark Manuelia, engineering
    manager at WBZ Radio in Boston, one of the primary entry points for
    the system. "These things stand alone in little radio stations that
    have no Internet access... That's something we don't think of where we
    are in big cities."
    Manuelia says the FCC isn't to blame, because information security
    wasn't on anyone's mind when they were working on the plan in
    1995. "They were doing something that was better than was there
    before," he says. "Whether they were thinking ahead to the year 2002
    -- I guess they weren't."
    The FCC is mum on the question -- indeed, on the entire issue. John
    Winston, assistant chief of the enforcement bureau overseeing the
    system, says the commission doesn't comment on EAS security. They're
    more talkative on the system's popular new role in Amber Alerts,
    through which parts of the country not prone to tornados and floods
    are becoming acquainted with EAS for the first time.
    Under Amber, in the minutes or hours immediately following a child
    abduction, state officials use EAS to broadcast critical information
    like a description of a suspect's vehicle to the public. (Highway
    signs also disseminate Amber Alerts, and are not a part of EAS). The
    programs are gaining in popularity: last week, New York became the
    17th state to adopt a statewide Amber Alert plan, and Senators Kay
    Bailey Hutchison and Dianne Feinstein introduced a bill that would set
    up a nationwide Amber program.
    Ward says the successful Amber programs demonstrate that the killer
    app for warning systems is local alerting, not the national
    duck-and-cover message that the EAS, and the Emergency Broadcast
    System it replaced, was built for. "In the cold war days when we were
    talking about missiles coming over the poles there was a much stronger
    fear that all the broadcast authorities might have disappeared, and we
    needed a way for the President to commandeer the surviving
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 04:45:41 PDT