Top Stories, Compelling Insights, Accomplished Experts

InCyberDefensePresidential Alert System Is Potentially Vulnerable to Hackers Wes O'Donnell October 15, 2018
Get started on your cybersecurity degree at American Military University.

By Wes O’Donnell
U.S. Army & U.S. Air Force Veteran. Managing Editor, InMilitary.com and InCyberDefense.com. Speaker, filmmaker and veteran advocate.

Last Wednesday, the Federal Emergency Management Agency (FEMA) carried out the first successful test of the “Presidential Alert,” a text message sent simultaneously to all cell phones nationwide. Unlike regional AMBER and weather alert messages, citizens cannot opt out of the Presidential Alert.

According to The Atlantic, the infrastructure to send presidential messages to smartphones has been around since 2012. Immediately following the successful test on October 3, cybersecurity firms began looking into the idea that the Integrated Public Alert and Warning System (IPAWS) could be hacked and compromised by a third party.

As far back as 2013, the security research firm IOActive published a report, stating that a hacker could log into the Emergency Alert System (EAS) server and either disrupt an emergency alert or send out a false one. Furthermore, research by the Huffington Post found that a hacker with only “a moderate skill level” could hack the EAS and gain access to a great deal of information on the server.

Presidential Alert System Could Fall Victim to Man-in-the-Middle or Another Type of Attack

Dr. Kenneth Williams, Executive Director of the Center for Cyber Defense and Program Director for the cybersecurity program at American Military University, says the EAS system is absolutely vulnerable to attack. “Like any modern system, the EAS system is managed by software, making it susceptible to a number of known attacks including a man-in-the-middle attack,” Dr. Williams explained.

In a man-in-the-middle attack (MITM), the perpetrator secretly relays and possibly alters the communication between two parties who believe they are communicating directly with each other.

The ultimate question for cybersecurity researchers is: If an emergency alert system is able to reach all Americans anywhere at any time, is it really safe?

Unlike Radio and TV Alerts, Digital Media Systems Are Easy to Hack

Unlike broadcast radio and television alert messages, digital media systems are notoriously easy to hack. For example, on November 27, 2010, Iowa’s Amber Alert system was hacked and an email with a link to find a missing girl was sent out to recipients. But the alert was old; the teenager in question had already been found and was safe.

In 2012, another hacker managed to broadcast warnings of a zombie attack on television stations in Montana, Michigan, and New Mexico. The hacker used the Emergency Alert System for the broadcasts.

Despite these benign examples, the potential for severe damage is ever-present.

According to Cesar Cerrudo, the chief technology officer of IOActive, “Imagine if you could reach one million people saying there was a tsunami coming, ‘Please, run to the hills.’ People trust the emergency alert system. They don’t think it could be someone with bad intentions making the alert.”

FEMA Taking Steps to Ensure the Security of Its Presidential Alert System

So what precautions is FEMA taking to ensure its system is secure? FEMA spokeswoman Alexa C. Lopez says, “FEMA recognizes the growing sophistication of threats against IT systems.”

According to Peter Moskowitz of Wired, “The first protection against outside agents is stylistic: The alerts are written in a system called the Common Alert Protocol. The style helps keep alerts consistent throughout the country and allows FEMA to weed out the most basic fakes: If they’re written in an unusual format, it might signal a hacker.

“To ward off more refined hacks, FEMA has assigned each of the country’s designated Alert Originators an authentication key. If an alert hits FEMA’s authentication system and doesn’t contain that key, it can’t be sent onward to cell phone carriers.”

“A hacker would have to unearth the key to be successful,” . Graves, who helped build the system, is now chief scientist for cybersecurity policy at the Department of State.

Ultimately, Americans want to trust that their government is performing the most fundamental duty: to protect its people. Nearly 90% of Americans own cell phones, making an alert system that reaches into your pocket perhaps the most powerful communication tool in history. But with such power comes the responsibility to ensure that the technology is hardened from users with ill intent.

View on InCyberDefense