FCC’s proposal to strengthen emergency alert security might not go far enough

The FCC has proposed new rules to bolster the security of the nation’s emergency alerting system (EAS) but some experts think the adoption of next-generation technology could help even more.

Thinkstock

In October, the US Federal Communications Commission (FCC) launched a notice of proposed rulemaking (NPRM) to strengthen the security of the nation's emergency alert system (EAS) and wireless emergency alerts (WEA). These systems warn the public about emergencies through alerts on their televisions, radios, and wireless phones via AM, FM, satellite radio, broadcast, cable, and satellite TV. Although EAS Participants are required to broadcast presidential alerts, they voluntarily participate in broadcasting state and local EAS alerts.

The NPRM proposes to require broadcasters and cable providers to report incidents of unauthorized access to their Emergency Alert System equipment to the commission within 72 hours. It also proposes to require wireless providers that deliver emergency alerts to annually certify that they have a cybersecurity risk management plan and implement sufficient security measures for their alerting systems. Moreover, it proposes requiring wireless providers to transmit sufficient authentication information to ensure that consumer devices display only valid alerts.

NPRM follows newly discovered vulnerability

Concerns about malicious actors exploiting vulnerabilities in the nation's emergency alert services have existed for years and they are not entirely theoretical. In its NPRM, the commission describes incidents that have sparked worry about what could happen if an attacker breached one or many emergency alert providers. The most famous of these was the 2018 "zombie attack" warning broadcast over multiple television stations in the Midwest, a prankster attack that was made possible by the stations’ failure to change the default passwords on their EAS equipment.

The commission was prompted to issue this latest NPRM after Ken Pyle, a security researcher at CYBIR.com, released some alarming research. Pyle discovered a vulnerability in an EAS encoder and decoder device, specifically the Monroe Electronics R189 One-Net DASDEC EAS device widely used by EAS providers. The flaw could allow attackers to access credentials, devices, and servers to send out false messages and lock out legitimate users, disabling any response.

FEMA warned EAS participants

Ahead of a proof of concept presentation by Pyle at DEF CON last August, the Federal Emergency Management Agency (FEMA) issued an alert strongly encouraging EAS participants to ensure that their systems are up to date with the most recent software versions and security patches. FEMA also advised EAS providers to protect their devices using firewalls, monitor devices, and supporting systems, and review audit logs regularly for unauthorized access.

The FCC's Public Safety and Homeland Security Bureau subsequently urged all EAS participants, regardless of the make and model of their EAS equipment, to upgrade their equipment software and firmware to the most recent versions recommended by the manufacturer and secure their equipment behind a properly configured firewall as soon as possible.

The seeming lack of operational readiness on the part of alert providers also underscores the potential for malicious interference in the EAS system. According to data collected by the FCC's Public Safety and Homeland Security Bureau during a nationwide EAS test in August 2021, more than 5,000 EAS participants were using outdated software or equipment that no longer supported regular software updates.

The test also revealed that many EAS participants could not participate in testing due to equipment failure. Compounding concerns about the lack of readiness is the fact that under current FCC rules, EAS participants may continue operations for 60 days despite having defective equipment that precludes their participation in EAS.

The big fear: A national attack

In discussing his research, Pyle said that one of his biggest fears about the vulnerability he found is that an attacker could compromise a single EAS station to send out local alerts that could be relayed over wide swaths of the country. One of the alert systems Pyle studied contained private cryptographic keys and other credentials for sending alerts throughout Comcast, the nation's largest cable operator, and broadband provider. Comcast said it took Pyle's research to heart and made steps to validate his findings and ensure the security of its systems.

The fear that a hacker could create havoc beyond local regions was raised in stark relief in 2018 when a misguided employee at the Hawaii Emergency Management Agency accidentally issued an alert over the EAS and WEA system that a ballistic missile threat was inbound to Hawaii, advising state residents that they should seek shelter because "this is not a drill." Although a mistake in judgment by the employee and not a cybersecurity breach, the false alert nonetheless underscored how vulnerable emergency alerts could be.

When it comes to the prospect of alerts cascading regionally or even nationally, "I would hope that you wouldn't be able to get into the entire system and that it is a little bit more secure than that," Lieutenant General (Ret.) Reynold Hoover, recently retired from the US Army as Deputy Commander of US Northern Command, tells CSO. Hoover, who was instrumental in creating the current emergency alert system and whose long government service includes a stint as FEMA's chief of staff, doesn't rule out such a scenario but says it's unlikely. "I believe there is redundancy, that it would be caught rather quickly and then corrected."

Next-generation alerts and warnings needed

Hoover thinks the FCC's rulemaking is a good thing but isn't sure it will do much to help the readiness of the EAS participants. "I think the reporting [requirement] is good because it raises awareness so that we could identify that there's been a cyber breach of some sort or unauthorized access to the system," he says. "But I don't know that's going to do anything to improve the readiness of the EAS system. I think what's going to improve the readiness of the EAS system is next-generation alerts and warnings. Congress has put $40 million over to FEMA to enhance the capabilities of the alert and warning system, including cyber hardening and active defense in the cyber world."

John Lawson, executive director of the Advanced Warning and Response Network (AWARN) Alliance, composed of broadcasters, companies, and trade associations seeking to incorporate those next-generation technologies into the warning system, applauds the FCC for taking steps to further enhance the integrity of the EAS. "It seems to be part of a whole of government approach" to improving cybersecurity across the board, he tells CSO.

Lawson also thinks the FCC should push the ball further. “I really wish the commission would use its convening power and bring stakeholders together to discuss new and better ways to do emergency learning.”

Interested parties who want to submit comments in the FCC's proceeding must file them on or before December 23, 2002. Reply comments must be filed on or before January 23, 2023.