Re: [ISN] Insecurity plagues US emergency alert system

From: InfoSec News (isnat_private)
Date: Fri Sep 13 2002 - 03:59:47 PDT


    Forwarded from: The entropy Technician <delchiat_private>
    
    There are a few things I'd like to add to this .....
    
    I was in the hot seat of a broadcast station for many moons, and EBS (
    the system prior to EAS ) was one of my duties.
    
    One of the biggest problems with EBS, that EAS was supposed to solve -
    was that quite a few operators responded improperly to EBS
    activations. Despite training and retraining things still failed to
    happen. These breakdowns made the system rather ineffective.
    
    The EBS system worked out of a special EBS receiver. This was tuned to
    the regional lead ( I forget the term, I believe it was PCPS or some
    such ) and listened for the magical two tone sound. When that happened
    it opened up and you could hear the broadcast of the PCPS. You would
    then hear the script ' this is an activation ' and so on. At this
    point in a real activation there would be authentication. This
    consisted of a code that was spoken, and the operator ( hopefully )
    pulled out the little red package and opened it - to find the codes
    needed. If they matched, the operator would manually switch in the
    broadcast.
    
    The breakdowns here were many and quite preventable. Lost
    authentication packs, EBS receivers that were turned down, or had
    their antennas disconnected .... and so on. The funny part was that
    the weekly mandated tests that were designed to test the gear were
    often not performed WITH the gear! Special tapes with the two tone
    signal, or audio carts were used to transmit the tests!
    
    One time in my experience, an operator accidentally transmitted an EBS
    tone, and me being the boy scout I was, followed procedures to the
    letter. When I did not hear an authentication or an emergency message,
    I called the PCPS and asked WTF was up? They had no idea what I was
    talking about. I could hear a guy saying " OH SHIT " over and over in
    the background. I ended up calling the head of that station, asking
    about a stray EBS activation tone, and got my head handed to me for
    it. No fun. In the end, however - it was an accidental transmission
    and I was patted on the head for following the lines.
    
    One of the most overlooked bits about this whole EAS/EBS thing - is
    that the whole system is voluntary! The words themselves : "The
    broadcasters of your area in voluntary cooperation with the Federal,
    State and local authorities have developed this system to keep you
    informed in the event of an emergency.... "
    
    Now while it is voluntary - the fines and actions that the FCC can
    take against your station if you foul up or misuse the EBS can be
    extreme. If you were an operator, and Uncle Charlie came a knocking -
    and asked you to perform an EBS test and you did not know the
    procedure ... your station could be fined or worse.....
    
    Now the next bit of fun - the hardware was quite expensive. Still is.
    It needs to be made to exacting specs, which means charge em as much
    as possible.
    
    So what you end up with is a voluntary system that you have to spend
    money on to use, and if you don't do it right you can get fined ( $10k
    was a nice starting point ) all in the name of local / national
    emergency notification. What happens if you choose not to volunteer ?
    In the event of a national activation, you must cease broadcast
    right then and there. Shut down.
    
    Thus says the FCC :
    
    11.19 EAS Non-participating National Authorization Letter. This
    authorization letter is issued by the FCC to broadcast station
    licensees and cable systems and wireless cable systems.  It states
    that the licensee, cable operator or wireless cable operator has
    agreed to go off the air or in the case of cable discontinue
    programming on all channels during a national level EAS message.  For
    broadcast licensees this authorization will remain in effect through
    the period of the initial license and subsequent renewals from the
    time of issuance unless returned by the holder or suspended, modified
    or withdrawn by the Commission.
    
    
    EAS may not be the bee's knees, but it is a far cry better than the old
    EBS system. While EAS automatically switches the broadcast, any savvy
    operator can manually override it if it turns out to be a false
    activation. I believe (IMHO) that the lack of secure communication
    design in the EAS is not due to poor science, but to economics. A more
    secure network, a more hack proof network would cost money. Money to
    design, to get through the legal system, to build, to get station
    managers to buy into, and to retrain people. Instead of this, an
    automated system that requires little human intervention ( Wargames,
    anyone ? ) and that runs automatically was cheaper to build and
    implement.
    
    There are the usual arguments about keeping people in the loop, which
    is why there are manual operators for EAS on a large scale - and
    despite the ease of building I seriously doubt there will be much EAS
    hacking going on. Not for the lack of inspiration or people who would
    do it - but that in the current state of the country - such an offence
    could only result in extreme penalty.
    
    I recall a story from a few years ago about a similar system ( I
    believe it was in Europe ) whereby a signal was sent out that forced
    all car radios to tune to a specific frequency for emergency
    information - it was hacked to pieces and played with for a while (
    again, I have to dig in my place to find the articles on this ... it
    was a while ago )
    
    IMHO the ' deep flaws ' in EAS are no different from the flaws in
    airport screeners.
    
    As for the concerns... here is my take :
    
    > The problem, experts say, is that the EAS data headers include no
    > authentication whatsoever. That means anyone capable of following
    > the specifications and with the skill to build a low-power radio
    > transmitter akin to a "Mr. Microphone" toy can get their own
    > messages into the system -- commandeering a radio or television
    > station with a custom broadcast of their own,
    
    I think that the Mr Microphone reference is a bit too much here. In
    order to trick the EAS rcvr into tripping you would have to :
    
    1. Be on the same frequency as the PEP ( Primary Entry Point )
    2. Be strong enough so that the target station EAS rcvr would reject
       the true PEP signal
    3. Transmit the correct data burst, and
    4. Continue to transmit, to insert the rogue audio stream
    
    This may seem simple on paper, and even in the smoky beer sodden rooms
    of the Alexis Park this has been discussed - however in reality it
    would not be a simple feat to build, construct, and keep stealthy such
    a thing.
    
    ( Now by saying this, I can already hear people telling me I'm full of
    it, or that I underestimate the hacker spirit and so on. My experience
    shows that it's rare that things on this scale ever happen. I'm not
    saying that it is impossible, but it's not likely. The motivation,
    money and skill needed are not in as ready a supply as one might think)
    
    Now aside from this, let's say a rogue signal does get out there. Oh
    so now we are listening to a false EAS transmission. Let's say we are
    listening to Mc Hawking or some such .... the rogue signal is going to
    stick out like a sore body part - and any operator on duty will have
    the switch in hand rather quickly.
    
    
    > non-standard 500 baud modems. That's not much protection: the modem
    > specs are published in the FCC regulations, and the technology is
    > simple and slow enough to be easily emulated by any off-the-shelf PC
    > with a sound card. A transmit-only modem could even be built from
    > scratch with a few dollars in components, according to Burgan.
    
    This strikes me as more of the 'scary hacker ' bugaboo that is
    normally used to bilk ignorant C*O's into buying things. How many
    people do you think are capable of walking into a store with ' a few
    dollars ' and building this. From that how many people would do it ?
    From that, how many people are motivated to do that instead of sitting
    in front of a stadium all night to get Britney tickets? The numbers
    just don't justify the scare tactic. In perspective, you could go into
    a store with a few dollars and build a device to insert a rogue signal
    into a cable TV head end, or to transmit your old Beastie Boys vinyl
    24/7 on 101.5 FM. You could build a garage door opener and open every
    one on your block ( well ok, in the old days you could .... ) and
    so on.
    
    
    > it entirely because it's too complicated to do." The FCC adapted the
    > EAS from an older National Weather Service system used to issue
    > severe weather warnings.
    
    Again, I think the answer was money. Mooolah.
    
    
    > Though it's not known to have ever been exploited, the spoofing risk
    > is one of the factors quietly driving calls to reform the EAS. In a
    > paper published earlier this year, Columbia University researchers
    > Henning Schulzrinne and Knarig Arabshian proposed enhancing the
    > system with an Internet-based emergency notification system, noting
    > that under the current design "it would not be hard to drive by an
    > EAS receiver with a small transmitter and make it distribute a false
    > alarm."
    
    
    OK, time for some more IMHO. Good idea, bad method. If we are to get
    paranoid about the EAS, yes by all means let us sit down and make a
    better one. Let us NOT however rely on the internet at all. Any
    security admin can tell you that the net is ugly enough without a
    method of waking up every device in the nation.
    
    By the way kids, National Network Override is already part of the IP
    header. I spoke about this a bit ago - no one seemed to think much of
    it as it's not normally looked at - but some people looked at me like
    their hair was on fire when I talked about exploiting it.
    
    > Peter Ward, chairman of the Partnership for Public Warning, a
    > nonprofit group formed this year to explore advanced warning
    > systems, would phase out the EAS, and replace it with an all-digital
    > network tied to cell phones, digital televisions and pagers, turning
    > any networkable device into a "smart receiver that would know the
    > wishes of the owner
    
    And that is going to cause SO MUCH screaming - I can already hear it
    now. If we don't allow V-chips in our TVs, and so on ... how do you
    expect THAT to wash over ? I'm sure that if such a system were to come
    into existence that there would be more commercial exploiting than
    spoofing of such a system. ( PS : I'm not comparing a notification
    system to the censorship of the V chip - but many people will see it
    as a form of big big brother.)
    
    All in all, the EBS/EAS have served well in their time - and if we do
    need a new system, then one should be designed with efficiency, ease
    of use, and sound technical design in mind - not economics and scare
    tactics.
    
    Sic Transit, 
    				- D
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    