Information Security News mailing list archives

Re: Insecurity plagues US emergency alert system


From: InfoSec News <isn () c4i org>
Date: Fri, 13 Sep 2002 05:59:47 -0500 (CDT)

Forwarded from: The entropy Technician <delchi () dorsai org>

There are a few things I'd like to add to this .....

I was in the hot seat of a broadcast station for many moons, and EBS (the
system prior to EAS) was one of my duties.

One of the biggest problems with EBS, one that EAS was supposed to solve,
was that quite a few operators responded improperly to EBS activations.
Despite training and retraining, things still failed to happen. These
breakdowns made the system rather ineffective.

The EBS system worked out of a special EBS receiver. This was tuned to
the regional lead (I forget the term, I believe it was PCPS or some
such) and listened for the magical two-tone sound. When that happened
it opened up and you could hear the broadcast of the PCPS. You would
then hear the script 'this is an activation' and so on. At this
point in a real activation there would be authentication. This
consisted of a code that was spoken, and the operator (hopefully)
pulled out the little red package and opened it to find the codes
needed. If they matched, the operator would manually switch in the
broadcast.

The breakdowns here were many and quite preventable. Lost
authentication packs, EBS receivers that were turned down or had
their antennas disconnected .... and so on. The funny part was that
the weekly mandated tests that were designed to test the gear were
often not performed WITH the gear! Special tapes with the two-tone
signal, or audio carts, were used to transmit the tests!

One time in my experience, an operator accidentally transmitted an EBS
tone, and I, being the boy scout I was, followed procedures to the
letter. When I did not hear an authentication or an emergency message,
I called the PCPS and asked WTF was up? They had no idea what I was
talking about. I could hear a guy saying "OH SHIT" over and over in
the background. I ended up calling the head of that station, asking
about a stray EBS activation tone, and got my head handed to me for
it. No fun. In the end, however, it was an accidental transmission
and I was patted on the head for following the lines.

One of the most overlooked bits about this whole EAS/EBS thing is
that the whole system is voluntary! The words themselves: "The
broadcasters of your area in voluntary cooperation with the Federal,
State and local authorities have developed this system to keep you
informed in the event of an emergency.... "

Now while it is voluntary, the fines and actions that the FCC can
take against your station if you foul up or misuse the EBS can be
extreme. If you were an operator, and Uncle Charlie came a-knocking
and asked you to perform an EBS test and you did not know the
procedure ... your station could be fined or worse.....

Now the next bit of fun: the hardware was quite expensive. Still is.
It needs to be made to exacting specs, which means charge 'em as much
as possible.

So what you end up with is a voluntary system that you have to spend
money on to use, and if you don't do it right you can get fined ($10k
was a nice starting point), all in the name of local/national
emergency notification. What happens if you choose not to volunteer?
In the event of a national activation, you must cease broadcast
right then and there. Shut down.

Thus says the FCC:

11.19 EAS Non-participating National Authorization Letter. This
authorization letter is issued by the FCC to broadcast station
licensees and cable systems and wireless cable systems.  It states
that the licensee, cable operator or wireless cable operator has
agreed to go off the air or in the case of cable discontinue
programming on all channels during a national level EAS message.  For
broadcast licensees this authorization will remain in effect through
the period of the initial license and subsequent renewals from the
time of issuance unless returned by the holder or suspended, modified
or withdrawn by the Commission.


EAS may not be the bee's knees, but it is a far cry better than the old
EBS system. While EAS automatically switches the broadcast, any savvy
operator can manually override it if it turns out to be a false
activation. I believe (IMHO) that the lack of secure communication
design in the EAS is not due to poor science, but to economics. A more
secure network, a more hack-proof network, would cost money. Money to
design, to get through the legal system, to build, to get station
managers to buy into, and to retrain people. Instead of this, an
automated system that requires little human intervention (Wargames,
anyone?) and that runs automatically was cheaper to build and
implement.

There are the usual arguments about keeping people in the loop, which
is why there are manual operators for EAS on a large scale. And
despite the ease of building, I seriously doubt there will be much EAS
hacking going on. Not for the lack of inspiration or people who would
do it, but because in the current state of the country such an offence
could only result in extreme penalty.

I recall a story from a few years ago about a similar system (I
believe it was in Europe) whereby a signal was sent out that forced
all car radios to tune to a specific frequency for emergency
information. It was hacked to pieces and played with for a while
(again, I have to dig in my place to find the articles on this ... it
was a while ago).

IMHO the 'deep flaws' in EAS are no different from the flaws in
airport screeners.

As for the concerns... here is my take:

The problem, experts say, is that the EAS data headers include no
authentication whatsoever. That means anyone capable of following
the specifications and with the skill to build a low-power radio
transmitter akin to a "Mr. Microphone" toy can get their own
messages into the system -- commandeering a radio or television
station with a custom broadcast of their own,

I think that the Mr. Microphone reference is a bit too much here. In
order to trick the EAS rcvr into tripping you would have to:

1. Be on the same frequency as the PEP (Primary Entry Point)
2. Be strong enough so that the target station EAS rcvr would reject
   the true PEP signal
3. Transmit the correct data burst, and
4. Continue to transmit, to insert the rogue audio stream

This may seem simple on paper, and even in the smoky, beer-sodden rooms
of the Alexis Park this has been discussed. However, in reality it
would not be a simple feat to build, construct, and keep stealthy such
a thing.

(Now by saying this, I can already hear people telling me I'm full of
it, or that I underestimate the hacker spirit and so on. My experience
shows that it's rare that things on this scale ever happen. I'm not
saying that it is impossible, but it's not likely. The motivation,
money and skill needed are not in as ready a supply as one might think.)

Now aside from this, let's say a rogue signal does get out there. Oh,
so now we are listening to a false EAS transmission. Let's say we are
listening to MC Hawking or some such .... the rogue signal is going to
stick out like a sore body part, and any operator on duty will have
the switch in hand rather quickly.


non-standard 500 baud modems. That's not much protection: the modem
specs are published in the FCC regulations, and the technology is
simple and slow enough to be easily emulated by any off-the-shelf PC
with a sound card. A transmit-only modem could even be built from
scratch with a few dollars in components, according to Burgan.

This strikes me as more of the 'scary hacker' bugaboo that is
normally used to bilk ignorant C*Os into buying things. How many
people do you think are capable of walking into a store with 'a few
dollars' and building this? From that, how many people would do it?
From that, how many people are motivated to do that instead of sitting
in front of a stadium all night to get Britney tickets? The numbers
just don't justify the scare tactic. In perspective, you could go into
a store with a few dollars and build a device to insert a rogue signal
into a cable TV head end, or to transmit your old Beastie Boys vinyl
24/7 on 101.5 FM. You could build a garage door opener and open every
one on your block (well OK, in the old days you could ....) and
so on.


it entirely because it's too complicated to do." The FCC adapted the
EAS from an older National Weather Service system used to issue
severe weather warnings.

Again, I think the answer was money. Moolah.


Though it's not known to have ever been exploited, the spoofing risk
is one of the factors quietly driving calls to reform the EAS. In a
paper published earlier this year, Columbia University researchers
Henning Schulzrinne and Knarig Arabshian proposed enhancing the
system with an Internet-based emergency notification system, noting
that under the current design "it would not be hard to drive by an
EAS receiver with a small transmitter and make it distribute a false
alarm."


OK, time for some more IMHO. Good idea, bad method. If we are to get
paranoid about the EAS, yes, by all means let us sit down and make a
better one. Let us NOT, however, rely on the internet at all. Any
security admin can tell you that the net is ugly enough without a
method of waking up every device in the nation.

By the way, kids, National Network Override is already part of the IP
header. I spoke about this a bit ago; no one seemed to think much of
it as it's not normally looked at, but some people looked at me like
their hair was on fire when I talked about exploiting it.

Peter Ward, chairman of the Partnership for Public Warning, a
nonprofit group formed this year to explore advanced warning
systems, would phase out the EAS, and replace it with an all-digital
network tied to cell phones, digital televisions and pagers, turning
any networkable device into a "smart receiver that would know the
wishes of the owner

And that is going to cause SO MUCH screaming; I can already hear it
now. If we don't allow V-chips in our TVs, and so on ... how do you
expect THAT to wash over? I'm sure that if such a system were to come
into existence there would be more commercial exploiting than
spoofing of such a system. (PS: I'm not comparing a notification
system to the censorship of the V-chip, but many people will see it
as a form of big Big Brother.)

All in all, the EBS/EAS have served well in their time, and if we do
need a new system, then one should be designed with efficiency, ease
of use, and sound technical design in mind, not economics and scare
tactics.

Sic Transit, 
                                - D
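Editor's note on the "correct data burst" of step 3 and the "no authentication whatsoever" claim quoted from the article: the burst is the SAME header laid out in 47 CFR 11.31, ZCZC-ORG-EEE-PSSCCC+TTTT-JJJHHMM-LLLLLLLL- after a 16-byte 0xAB preamble. The Python below is an added example written for this archive page, not code from the original post, from the article, or from any EAS decoder product. It parses a constructed header into its fields and models the only gates a station's decoder applies before auto-forwarding (is the event code in its programmed table, does a location code cover its county), which shows that every gate tests attacker-chosen plaintext and that the eight-character sender ID is self-asserted. The sample bursts, the sender ID 'TEST/EAS', the FIPS codes and the programmed-event table are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# ASCII part of a SAME header after the 16-byte 0xAB preamble (47 CFR 11.31(c)):
#   ZCZC-ORG-EEE-PSSCCC[-PSSCCC ...]+TTTT-JJJHHMM-LLLLLLLL-
# ORG  originator (PEP, CIV, WXR, EAS)      EEE  event code (RWT, EAN, TOR, ...)
# PSSCCC  location: P = county portion (0 = whole), SS = state FIPS, CCC = county FIPS
# TTTT  valid period HHMM   JJJHHMM  day of year + UTC time   LLLLLLLL  sender ID
HEADER_RE = re.compile(
    r"^ZCZC-(?P<org>[A-Z]{3})-(?P<event>[A-Z0-9]{3})"
    r"-(?P<locations>\d{6}(?:-\d{6})*)"
    r"\+(?P<valid>\d{4})-(?P<issued>\d{7})-(?P<sender>.{8})-$"
)
PREAMBLE = b"\xab" * 16


@dataclass
class SameHeader:
    originator: str
    event: str
    locations: List[str]   # PSSCCC codes exactly as transmitted
    valid_minutes: int     # TTTT converted to minutes
    issued_day: int        # JJJ, day of year
    issued_hhmm: str       # HHMM, UTC
    sender: str            # LLLLLLLL, a self-asserted identifier


def parse_same_header(raw: bytes) -> SameHeader:
    """Parse one header burst. Every field is plaintext; no field
    cryptographically binds the burst to an authorized originator."""
    if not raw.startswith(PREAMBLE):
        raise ValueError("missing 0xAB preamble")
    m = HEADER_RE.match(raw[len(PREAMBLE):].decode("ascii"))
    if not m:
        raise ValueError("not a well-formed SAME header")
    return SameHeader(
        originator=m["org"],
        event=m["event"],
        locations=m["locations"].split("-"),
        valid_minutes=int(m["valid"][:2]) * 60 + int(m["valid"][2:]),
        issued_day=int(m["issued"][:3]),
        issued_hhmm=m["issued"][3:],
        sender=m["sender"],
    )


def location_matches(code: str, my_state: str, my_county: str) -> bool:
    """A PSSCCC code covers the receiver if SS is its state and CCC is its
    county or 000 (the whole-state code)."""
    state, county = code[1:3], code[3:6]
    return state == my_state and county in (my_county, "000")


def receiver_would_forward(hdr: SameHeader, programmed_events: Set[str],
                           my_state: str, my_county: str) -> bool:
    """Model of the gates an EAS decoder applies before auto-forwarding a
    header: event filter, then location filter. Both fields are chosen by
    whoever transmitted the burst, so a well-formed spoof passes them."""
    if hdr.event not in programmed_events:
        return False
    return any(location_matches(c, my_state, my_county) for c in hdr.locations)


# Constructed sample bursts (not captured traffic). 036001 is the FIPS code for
# Albany County, NY; day 256 is 13 September; 'TEST/EAS' is a hypothetical sender.
WEEKLY_TEST = PREAMBLE + b"ZCZC-EAS-RWT-036001+0030-2561100-TEST/EAS-"
SPOOFED_EVAC = PREAMBLE + b"ZCZC-CIV-EVI-036001-036000+0100-2561105-TEST/EAS-"
PROGRAMMED = {"RWT", "RMT", "EAN", "EVI", "TOR"}   # constructed decoder program table

if __name__ == "__main__":
    for burst in (WEEKLY_TEST, SPOOFED_EVAC):
        hdr = parse_same_header(burst)
        print(hdr.originator, hdr.event, hdr.locations, "sender:", hdr.sender,
              "forward:", receiver_would_forward(hdr, PROGRAMMED, "36", "001"))
```

The point of the model is what is absent: a receiver in the right county with EVI in its table forwards the constructed evacuation header exactly as it forwards the legitimate weekly test, because the decoder has nothing but the event and location fields to decide on. Defending against a rogue burst therefore comes down to the RF conditions in steps 1 and 2 and to the operator at the switch, which is the argument the post makes.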



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

