Emergency Alert System Vulnerabilities Could Allow Terrorists To Manipulate A Disaster

civil unrestThe United States Emergency Alert Systems (EAS) is as vulnerable to cyber hackers as the power grid itself. A security review of the EAS revealed that terrorists could hack into the system and send false orders to first responders during and emergency and send inaccurate information to Americans who have suddenly found themselves in the middle of a disaster zone.

The recent Baltimore riots, Ferguson riots and Boston Marathon bombing clearly illustrated how quickly a typical American neighborhood can be turned into a war zone. Maneuvering home safely during a period of civil unrest would be a dangerous enough endeavor without those who caused the chaos garnering control of the radio waves and internet to further their violent goals.

The United States Emergency Alert System (EAS) has “critical vulnerabilities” according to a recent review by IOActive, a security firm. The ability of the federal government to warn citizens about man-made and natural disasters is key to the survival of the populace. The IOActive Emergency Alert System report stated what would likely unfold if cyber hackers could broke into the system and broadcast fake warning messages to American citizens.

Emergency Broadcast System alerts were shared via wire services. Radio and television stations around the nation received the information from an official government source, and then the details were shared with the general public. The current EAS system is designed to function in the same manner, with the addition of direct presidential sharing ability. Unfortunately, not a single Oval Office holder has attempted to use the modern system since it was put into place nearly 20 years ago. Whether or not the system will function as planned on a national scale remains unknown. The EAS is primarily used to share local alerts and information about tornado and hurricane movements.

An excerpt from the report reads:

“A hacker who gains control over one or more of the system’s servers could disrupt these stations’ ability to transmit and could disseminate false emergency information over a large geographic area.”

The EAS vulnerability report was concerning enough on its own, but since perhaps the least organized federal agency in America controls the system, more red flags are raised. Yes, you guessed it, FEMA is in charge. To date, the Federal Emergency Management Agency has yet to respond to media requests for comments about the ability of cyber hackers to issue fake alerts over television and radio waves.

Civil unrest will happen quickly after a terrorism attack, power grid down scenario, or even a natural disaster. The panic and scramble for food and water in metropolitan areas will likely turn violent quickly. If the man-made or natural disaster was larger than a regional incident, tractor-trailers would not be able to deliver food to grocery stores or gas to convenience stores.

A fully-functional and secure emergency alert system would be integral to disaster relief, law enforcement, firefighter, and EMS functions during a terrorism attack or other equally devastating doomsday scenario.

Despite the importance of a secure and fully functional Emergency Alert System, it is really not surprising that the warning measures have become severely vulnerable. One just has to look at the state of the power grid to grasp the lack of attention the federal government has paid to life-saving infrastructure.

Although it would take a very twisted mind, a cyber hacker could quickly impact the movements and actions of Americans during a true disaster by sending out false instructions over the EAS system. A coordinated effort by terrorists to first enact a man-made disaster and then send out a fake alert which actually sends citizens running and first responders towards danger, would achieve a higher death toll.

Imagine, for a moment, a scenario similar to the tragic Boston Marathon bombing. After pressure cooker bombs go off, emergency responders and heroic citizens rush in to help, while a massive crowd attempts to quickly exit the area. A fake EAS alert authored by cyber hacking terrorists instructs residents to assemble in a specific area for shelter. Before local officials have time to digest the misinformation during the emergency, additional bombs go off in the supposed shelter areas. The carnage which would occur would not only kill innocent people, but police officers, firefighters, and medics attempting to redirect the marauding crowds and correct the misinformation.

Hacking into the EAS system would take advanced computer skills right? Wrong. According to a ZDnet report, the SSH key allows any person with limited knowledge to gain access to the system at the root server level and manipulate operating functions.

The panic and civil unrest which could easily result from a fake emergency alert could cost an untold number of lives. Image the reaction in a major metropolitan area if an Emergency Alert System warning stated a terror attack with a dirty bomb had occurred.

Before local law enforcement could confirm the terror alert was fake and attempt to share such information with citizens, thousands would have clogged the streets attempting to escape the city. Hospitals, schools, and assisted living centers would likely enact emergency protocols within seconds of an emergency alert, creating further chaos and the unnecessary movement of severely ill individuals.

IOActive discovered the critical vulnerabilities in the Emergency Alert System in multiple programs which include the DASDEC-II, DASDEC-I, and other Linux-based DAS computer platforms. A Mashable report stated that when a firmware update occurred recently a Private Secure Shell (SSH) that allows remote access to a server in order to garner root access.

The IOActive report also revealed this about the vulnerable state of the United States Emergency Alert System:

“DASDEC is one of a small number of application servers that now fill the role of delivering emergency messages to television and radio stations. DASDEC encoder/decoders receive and authenticate EAS messages delivered over the National Oceanic and Atmospheric Administration radio or relayed by a Common Alerting Protocol (CAP) messaging peer. After a station authenticates an EAS message, the DASDEC server interrupts the regular broadcast and relays the message onto the broadcast preceded and followed by alert tones that include some information about the event.”

All the computer jargon may be difficult for many of us non-techies to grasp, but it surely does not sound good. The bottom line of the issue surrounds the ability for hackers to manipulate alert system functions remotely. The Emergency Broadcast System (EBS) was replaced with the existing EAS system in 1997. The original alert system was designed to share both local and nationwide emergency and disaster information. The current alert system was created to allow the president to address the entire country as quickly as 10 minutes after an emergency occurs.

IOActive advised the administration to correct the EAS vulnerabilties by re-evaluating existing firmware and by pushing all updates to all the system “appliances” to fix the critical vulnerability issue. The IOActive Emergency Alert System report was issued just after a successful hacking attempt at the KRTV News station in Montana. Cyber hackers were able to transmit a false EAS release about zombies. The fake alert quickly went viral, prompting chuckles from many—but the grins would surely disappear quickly if hackers tried again with a more realistic alert.

Cyber warfare was ranked above an economic collapse or banking crisis in an insurance industry survey. A global pandemic was the top worry for the industry. According to the Towers Watson survey results, the “extreme risk” most on the minds of the industry involved a worldwide pandemic that would spread a fatal disease around the world and significantly impact crops, people, and animals.

More than 30,000 surveys were completed for the Towers Watson report.  Many preppers consider their self-reliance and off grid living purchases and training a part of an overall insurance plan, just like paying monthly premiums to protect homes from fires, floods, and to cover the costs of health emergencies, and car accidents. Most of the man-made and natural disasters those who issue the policies worry about, are the same topics on the minds of the more than three million preppers in the United States. Apparently, insurance industry executives and the self-reliance community have a lot in common.

Do you think a failed or hacked Emergency Alert System could make a disaster scenario worse and allow terrorists to manipulate the situation?

1 comment

    • messenger on May 7, 2015 at 7:53 pm

    Good read and thanks, but it the end, does it really matter if false signals or commands are sent to First Responders, the Police, EMS, and Fire Departments? When teotwawki hits, and it will, then these professionals are going to be so overwhelmed with or without false signals that it will meaningless to call 911 anyway. The big one is on its way and when it zaps us, we are on our own, starting from scratch. It is not, and now, never can be a matter of living through the collapse, it is simply a matter of how one can live into it…a minute…hour…day…month…year…longer. Panic, chaos, despair, injury, hunger, thirst, and loneliness will be our new best/worst friends. Again, good article, thanks for the effort, and make it as far as you can. God bless, always.

Comments have been disabled.