Thursday, November 17, 2011

EAS and Anonymous

The timing is undoubtedly due to the publicity given the National EAS Test earlier this month, but now the hacker group Anonymous is claiming that they plan to "take over" radio stations via EAS, by exploiting the lack of security inherent to the system.   The attitude seems to be half showing solidarity with the Occupy Wall Street movements, half trying to call attention to a glaring security hole.

FEMA is responding that the system is secure enough, thank you very much.

Who's correct?  Read on...

FEMA is correct that it would be exceedingly difficult for a hacker to take over the entire EAS system.  The exact procedure for EAS at the national level is not public knowledge, and would probably require physical intrusion into secure federal facilities.  Not to mention knowledge of certain code-words to authenticate with the network of over thirty National Primary / Primary Entry Point broadcast radio, TV, satellite and cable participants.

Similarly, it'd probably be tough to spoof sometime statewide, too.  You'd need to know certain protocols that - for the most part - aren't public knowledge.  And you'd still need to physically get into the right location at the top of a statewide EAS network.   Some of those "tops" are broadcast stations, which are private businesses but nevertheless are far more accessible to the public than a federal building usually is.  Even so, it'd be hard to initiate a spoofed EAS event without station personnel realizing it so quickly that the perpetrator would be stopped before getting very far.

The real rub is the Local Primary radio stations.   These stations depend on receiving EAS alerts from the Primary Entry Point stations via over-the-air reception of the PEP broadcasters, especially in radio.  While the protocols are relatively unknown, which stations are the PEP's is public knowledge.

So a hacker armed with a reasonably cheap low-power FM transmitter, software to generate the right EAS tones, and a microphone could drive close to a Local Primary's studios (again, these aren't hard to find) and start transmitting a pirate broadcast on the same frequency as the PEP station's.  Since they'd be physically close to the LP station's studio, the pirate broadcast would override the PEP's signal and allow clean reception of the pirate EAS broadcast.   The hacker then simply transmits EAS data tones for an Emergency Action Notification (EAN) which tends the LP's station to immediately override all programming and put the PEP station on the LP station's airwaves.   Now the hacker has control of the LP station and plays his message.

Not only does the hacker's message go out on the LP station's airwaves; every other station in the area that's monitoring the LP station will similarly be affected.  And depending on the state, there could be dozens of stations "down the line" that are monitoring that LP station.   So the effect, while inherently local, could still be very widespread within that locality.

Plus it doesn't take much funding or coordination to have several hackers set up at several different LP stations and coordinate their efforts.  A dozen people could effectively take over most of an entire state's broadcasting infrastructure.

Granted, the takeover would be limited in time, as it won't take long for a hijacked LP station to recognize what's happened, go to their EAS encoder/decoder, and manually override it.   But that'd still leave a window of two to five minutes for the hackers to work in.   Significant mischief can be done even in that narrow a time window; think Orson Welles' infamous War of the Worlds broadcast.  The hacked programming wouldn't have to sound like an EAS alert; once the data tones are passed, it could sound just like normal programming; and thus be subtle enough to fool a lot of listeners.   Or it could sound just like a real emergency alert and thus be convincing enough to scare the heck out of a lot of listeners.

And given how many stations rely heavily on unattended operation for much of the day, the right (or wrong) conditions could mean an LP station could be hijacked for several minutes, or even hours, before the hijacking was overriden.

And the greater concern is how relatively cheap and easy this would be.  The pirate transmitters can be obtained for a few hundred dollars a piece.  Most of these hackers would already have laptop computers and cars.  The EAS encoding software is $800 or likely could be hacked for free with a little time and ingenuity.  Or simply purchase an EAS encoder/decoder box for less than $2500.  Worst of all, a clever hacker could initiate this from the safety of a car a block or two distant from the station.  In anything but very rural environments, this means the hacker could initiate the attack, monitor simply by listening to a car radio, know exactly when the attack was overriden, and then safely shut off and drive away long before any authorities could find them.

Equally problematic is that there is no defense against these hacks currently available within the operational framework.  The whole point of EAS is quick dissemination of information that can occur even without the help of a human operator.  That's important in the modern age; stations are required to be staffed during business hours by a minimum of two people: one manager and one staff member.  But there's no rule about having multiple stations simultaneously using those same two people.   What if they both go out to lunch (which is allowed) or it's a weekend or holiday?   Unattended operation is key.   But it also leaves the system painfully vulnerable to outside assault as described above.

The incoming Common Alert Protocol (CAP) systems may be able to provide some layer of authentication to an incoming over-the-air alert.  But any internet-based system is still vulnerable to a determined hacker, and thus is not much of a deterrent.   And the deadline for CAP isn't until June 2012; "Anonymous" is indicating they'll attack sooner than that anyways.

What's the solution?  There isn't a good one that's quick or cheap.  Probably the best is one that requires a less-easily-overriden path of sending EAS alerts...satellite downlinks or other digital/data links that can't be as easily spoofed as simple AM/FM broadcasts can.   This is not without its own problems, as certain environmental conditions can easily render various alternative audio delivery methods...satellite, telephones, internet...inoperable in times of real crisis.

Or requiring stations to man their studios 24/7/365 to provide a human to receive the alert and seek authentication (perhaps a code word over the phone, as CONELRAD used to do) in the event of an alert.  While this might make for better-sounded radio overall, it would certainly put substantial fiscal strain on the broadcast industry to hire all those people.

Other than that.  All that can be asked is that the FCC takes an understanding view of enforcement against a radio station when and if a hacker causes an illegal EAS activation.

No comments: