The national Emergency Alert System was tested yesterday to see if it would work properly (it wasn’t a great success).  I did a bit of reading on how the system works, and it seems like the system is open for attack.  Imagine if terrorists were to use the system against us to spread false information/create panic right before/right as they’re executing a traditional attack.

This article over at The Register points out that the system is vulnerable to jamming or message falsification since the specifications for the system are public knowledge.  Here’s a bit of how some of the system works (from Wikipedia):

More than thirty radio stations are designated as National Primary Stations in the Primary Entry Point (PEP) System to distribute Presidential messages to other broadcast stations and cable systems.

The FCC requires all broadcast stations and multichannel video programming distributors (MVPD) to install and maintain FCC-certified EAS decoders and encoders at their control points or headends unless they have been designated a non-participating station by the FCC. These decoders continuously monitor the signals from other nearby broadcast stations for EAS messages. For reliability, at least two source stations must be monitored, one of which must be a designated local primary.

Participating stations are required by federal law to relay EAN (Emergency Action Notification) and EAT (Emergency Action Termination) messages immediately (47 CFR Part 11.54).

Here in Utah, KSL radio is a primary station for the Utah Emergency Alert System.  I haven’t looked, but I wouldn’t be surprised if it was a primary station for the national system, too.  Here’s how I could see the system being hacked: a malfeasor calls into the radio station and, while on the air, plays over the phone line the three tones that you hear at the beginning of the message, which cause the automated systems at the stations listening to the primary station to cut programming and repeat the broadcast from the primary station.  This would effectively hijack the Emergency Alert System for a single market (or, in this case, the entire State of Utah).  Do this across the country and you can cause some massive chaos.

Where could you get the tones?  Well, there are quite a few recordings out there that have the tones.  They do actually differ (while sounding mostly the same to mere mortals), but some incidents with the system have had the system trigger even with some codes that shouldn’t have set it off.  Yesterday’s test just broadcast the nationwide, presidential alert tone to as many people in America as possible (so, yeah, it’s out there).  Even without all that, the standard is public knowledge, too.

If calling in is too hard, what if a terrorist were to drive to the transmitting point of one of these stations and somehow manage to swap the signal arriving at the tower from the broadcast origin with their own signal (making the tower broadcast their own content instead of the station’s content)?

Could this really work?  Perhaps the radio station could cut the caller off after the three tones were issued, but that could still cause the other stations listening in to go off the air.  See this:

On October 19, 2008 KWVE-FM of San Clemente, California was scheduled to conduct a Required Weekly Test; however, it conducted a Required Monthly Test by mistake, causing all stations and cable systems in the immediate area to relay the test. In addition, the operator aborted the test midway through, leading the station to fail to broadcast the SAME EOM burst to end the test, causing all area outlets to broadcast KWVE-FM’s programming until those stations took their equipment offline. On September 15, 2009, the Federal Communications Commission fined its licensee, Calvary Chapel of Costa Mesa, $5000 for the botched EAS test. After the fine was levied, various state broadcast associations in the United States submitted joint letters to the FCC, protesting against the fine, saying that the FCC could have handled the matter better. On November 13, 2009, the FCC rescinded its fine against KWVE-FM, but had still admonished the station for broadcasting an unauthorized RMT, as well as omitting the code to end the test.

So the terrorist might be able to get the other stations off the air, but probably not get an audio message out (at least through the call-in method).  Those first three tones, however, contain encoded within them the message that scrolls across the screens of television stations.  Even with the call-in method, the operators at the radio station might not identify the source of the sounds as being from the caller and allow the entire fake transmission to take place (and be automatically repeated on the other stations listening in).

Certainly scary.  Seems like a system that operated over the Internet (designed to last through a nuclear attack) and contained proper authentication and authorization mechanisms would be more reliable and capable (video streams, perhaps).  Imagine if the most popular websites were required to deliver a special webpage upon receipt of proper messages from the authorized issuer.  That would make the message even more accessible.  Perhaps the message could be sent out over the cellular networks as well, prompting a text message (or similar) alert to appear on cell phones all across the country.
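
To make "proper authentication" concrete, here is an added sketch (not part of the original post and not any real alerting system's code) of a receiver that relays an alert only if it is tagged by a known issuer, is fresh, and has not been seen before, so that a recording of an old alert fails the checks. The issuer name, key, field names and the five-minute window are all assumptions, and HMAC stands in for a digital signature.

```python
import hashlib
import hmac
import json

# Constructed demo values: issuer name, key and timestamps are hypothetical.
ISSUER_KEYS = {"national-authority": b"demo-key-not-for-real-use"}
MAX_AGE_SECONDS = 300  # assumed freshness window


def _canonical(alert):
    # Stable byte encoding of every field covered by the tag.
    return json.dumps(alert, sort_keys=True, separators=(",", ":")).encode()


def sign_alert(alert, key):
    return hmac.new(key, _canonical(alert), hashlib.sha256).hexdigest()


class AlertVerifier:
    def __init__(self, issuer_keys, max_age=MAX_AGE_SECONDS):
        self.issuer_keys = issuer_keys
        self.max_age = max_age
        self.seen = set()  # (issuer, alert_id) pairs already relayed

    def verify(self, alert, tag, now):
        """Return 'relay', or the reason the alert is rejected."""
        key = self.issuer_keys.get(alert.get("issuer"))
        if key is None:
            return "reject: unknown issuer"
        expected = sign_alert(alert, key).encode()
        if not hmac.compare_digest(expected, tag.encode()):
            return "reject: bad tag"
        if abs(now - alert["issued_at"]) > self.max_age:
            return "reject: stale"
        ident = (alert["issuer"], alert["alert_id"])
        if ident in self.seen:
            return "reject: replay"
        self.seen.add(ident)
        return "relay"


def demo():
    v = AlertVerifier(ISSUER_KEYS)
    alert = {"issuer": "national-authority", "alert_id": "A-0001",
             "event": "TEST", "issued_at": 1000}
    tag = sign_alert(alert, ISSUER_KEYS["national-authority"])
    forged = dict(alert, event="EVACUATE")
    return [v.verify(alert, tag, now=1010),   # genuine alert
            v.verify(alert, tag, now=1020),   # same alert played again
            v.verify(forged, tag, now=1030),  # altered content, old tag
            AlertVerifier(ISSUER_KEYS).verify(alert, tag, now=90000)]  # old recording
```

With a shared HMAC key every receiver could also forge alerts, so a broadcast system would use public-key signatures and give receivers only the verification key.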

Not convinced the system is fragile?  Check out these other stories of incidents with the system on Wikipedia.  One story there describes an ARCO commercial that triggered the system to activate in some areas.  The commercial contained a sped up version of the audio headers (with the pitch also changed) for the alert system that still triggered the systems.  You can read more about that (and listen to the original, pretty funny recording) here.