Part 1: Exploiting the Emergency Alert System

Introduction…

The context...

This is the writeup of a presentation I created but never gave publicly over 2 years ago.  My initial research and interest go back at least 4 years and the exploit is DECADES old.  I'm just now discussing it because recent EVENTS highlighted the fact, though they used more complicated methods.

My father is in radio broadcasting and has been nearly all my life.  I grew up around 100,000 watt FM transmitters, large sound systems, COM/SAT gear, and all the junk that you'd expect from that.  I got my start in computers in a recording studio...

The background…

2 years ago I was speaking with the South Carolina Law Enforcement Division (SLED), some SC congresspeople, SC Emergency Management Division (SCEMD), and others about attacks on state/local resources.  They were preparing to conduct emergency management exercises and I was given the opportunity to speak with them about "cyber" and/or technical attacks that could create or exacerbate emergency management, law enforcement, or state/local operations.

Having experienced and supported emergency management gear from the context of a broadcaster, I knew about the age and antiquated state of most broadcast systems for audio, video, and communications.  I worked in the stations, I built custom gear (my favorite being a 15-pin game controller port wired to multiple broadcast relays that triggered multiple digital audio recording feeds…software wanted clicks…I gave it a gamepad!), and I knew how the physics of terrestrial communication worked.  I dealt with Fresnel zones, heat inversions, surface-of-the-earth calculations, and most importantly signal overlap, shadowing, and amplitude…we'll get into this soon.

The inspiration…

While on a holiday visit back to my parents' home, my father asked me to install a Sage Digital ENDEC Emergency Alert System (EAS) device as a favor.  They were replacing an old one to comply with new federal regulations which created a new EAS distribution protocol (CAP) and new devices to support delivery of EAS alerts via digital delivery (otherwise known as the "inter-thingy").

Needless to say, when I saw an ethernet jack, install instructions including IP configuration, and an HTML setup screen it was ON!  Having set up tons of "professional" networked audio equipment, I knew I'd be lucky if this thing even supported password authentication (it did, but not over 6 characters with NO specials).

The research…

The EAS system, implemented in 1997, is only the second iteration of a nationwide broadcast system intended to broadcast “Presidential messages” and national emergency messages, though it has never been used for this purpose.  For the sake of brevity, you can google CONELRAD, which was implemented in 1951 and replaced in 1963 by the Emergency Broadcast System (EBS).


You can read an FCC writeup which includes the history and some lead-in to our exploit HERE (posted it because the FCC website is down due to the gov't shutdown!).  It also details the CAP standard and its requirements (notice the LACK of ANY security ANYTHING!!).

EAS uses a relay distribution method which is very unreliable and not very secure.  It is referred to as "over-the-air relay" and relies on seed stations that authenticate the messages and then forward them to listening stations, which rebroadcast them until distribution is complete.  Though messages are specially formatted, the formatting (the crazy sounds you hear) is public knowledge.  A guy named Flux presented back at DEFCON several years ago on how to create your own EAS messages.  His presentation was the reason I never submitted this exploit as a talk at any conferences though he doesn't specifically discuss it.

The problem…

Over-the-air relay uses the premise that only authorized broadcasters can transmit loudly enough (amplitude) on FCC regulated frequencies (FM/AM/VHF/UHF, etc.) and therefore the messages are "trusted" when received.  The listener stations monitor FCC assigned seed stations (usually 2 if available) and when a message is received the equipment immediately buffers the message, interrupts the current programming, and replays the message.


The rub comes in that frequencies (FM/AM/VHF/UHF, etc.) change owners more often now than was anticipated when the system was first conceived.  Think how often radio stations change format, etc.  The other issue is that broadcasters are licensed to broadcast UP to certain amplitudes but are not prevented from broadcasting BELOW a certain amplitude (there is a lot more to it than that, but this is a generalization).  Things like transmitter equipment failures, power bills (100,000 watts is a LOT of power), maintenance, equipment relocations, buildings, seasonal changes, and other things can significantly impact the quality of reception in relay.
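To make the trust model above concrete, here is an added example (not code from this post, and not the ENDEC's or any vendor's code) that models a listener station's relay decision in Python.  It assumes the publicly documented SAME header layout that precedes every EAS message (ZCZC-ORG-EEE-PSSCCC+TTTT-JJJHHMM-LLLLLLLL-); the station configuration, frequencies, location codes and the "KXYZ/FM" call sign are constructed for the example.  What it shows is that the decision turns only on which monitored frequency the header was decoded from and whether the carrier was above squelch; the originator and sender fields are plain text the receiver has no way to verify, so the only controls left to a defender are event/location filtering, holding non-routine events for an operator, and logging every decoded header with its source channel for review.

```python
import re
from dataclasses import dataclass

# Public SAME header layout that precedes every EAS message (FCC Part 11 / NWS spec):
#   ZCZC-ORG-EEE-PSSCCC(-PSSCCC...)+TTTT-JJJHHMM-LLLLLLLL-
# ORG = originator, EEE = event code, PSSCCC = location codes, TTTT = valid time (HHMM),
# JJJHHMM = Julian day + UTC time of issue, LLLLLLLL = 8-character sender identifier.
HEADER_RE = re.compile(
    r"^ZCZC-(?P<org>[A-Z]{3})-(?P<event>[A-Z]{3})"
    r"-(?P<locations>\d{6}(?:-\d{6})*)"
    r"\+(?P<purge>\d{4})-(?P<issued>\d{7})-(?P<sender>[A-Z0-9/ ]{8})-$"
)


@dataclass
class SameHeader:
    originator: str
    event: str
    locations: list
    valid_minutes: int
    issued_day: int      # Julian day of year
    issued_hhmm: str     # UTC
    sender: str          # free text: nothing in the protocol proves who sent it


def parse_same_header(text: str) -> SameHeader:
    """Parse a decoded SAME header string; raises ValueError on malformed input."""
    m = HEADER_RE.match(text)
    if m is None:
        raise ValueError("not a well-formed SAME header")
    purge = m.group("purge")
    issued = m.group("issued")
    return SameHeader(
        originator=m.group("org"),
        event=m.group("event"),
        locations=m.group("locations").split("-"),
        valid_minutes=int(purge[:2]) * 60 + int(purge[2:]),
        issued_day=int(issued[:3]),
        issued_hhmm=issued[3:],
        sender=m.group("sender"),
    )


@dataclass
class ListenerConfig:
    """Hypothetical listener-station settings (constructed for this example)."""
    monitored_mhz: set          # frequencies of the assigned seed stations
    served_locations: set       # PSSCCC codes this station serves
    auto_forward_events: set    # event codes relayed without operator review
    squelch_dbuv: float         # minimum carrier level the monitor receiver decodes at


def decide_relay(header: SameHeader, heard_on_mhz: float, level_dbuv: float,
                 cfg: ListenerConfig) -> str:
    """Model of the over-the-air relay decision described in the post.

    The only "authentication" is the channel: a decodable header heard on an
    assigned frequency above squelch is accepted.  header.sender and
    header.originator are never checked against anything, because the
    protocol gives the receiver nothing to check them against.
    """
    if heard_on_mhz not in cfg.monitored_mhz:
        return "ignore:unmonitored-source"
    if level_dbuv < cfg.squelch_dbuv:
        return "ignore:below-squelch"
    # Geographic filter: the message must name at least one area we serve.
    if not set(header.locations) & cfg.served_locations:
        return "ignore:not-our-area"
    # Event filter: tests and routine events relay immediately; anything else
    # is held for an operator, which is the one place a human can catch a fake.
    if header.event in cfg.auto_forward_events:
        return "relay:auto"
    return "hold:operator-review"


def audit_record(raw: str, heard_on_mhz: float, level_dbuv: float, decision: str) -> dict:
    """What a defender should keep for every decoded header: the raw text,
    the channel it came from, its level, and what the box did with it."""
    return {"raw": raw, "source_mhz": heard_on_mhz, "level_dbuv": level_dbuv,
            "decision": decision}


if __name__ == "__main__":
    # Constructed sample: a Required Weekly Test for one county from station "KXYZ/FM".
    raw = "ZCZC-EAS-RWT-045079+0030-2761200-KXYZ/FM -"
    cfg = ListenerConfig(monitored_mhz={95.7, 101.3}, served_locations={"045079", "045063"},
                         auto_forward_events={"RWT", "RMT"}, squelch_dbuv=20.0)
    hdr = parse_same_header(raw)
    for mhz, level in ((95.7, 45.0), (104.9, 45.0), (95.7, 5.0)):
        d = decide_relay(hdr, mhz, level, cfg)
        print(audit_record(raw, mhz, level, d))
```

The same header fed in on 95.7 MHz at a healthy level is relayed automatically, on an unassigned frequency it is ignored, and on the assigned frequency below squelch it is ignored; in none of the three cases does the sender field matter.  That is the whole trust model the post describes, and the audit record is the minimum a station should retain to reconstruct what was heard and where after an incident.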

Any of you Amateur Radio operators out there know the rules on broadcasting on certain frequencies, amplitudes, etc.  But the reality is that catching people is next to impossible!  Unless someone repeatedly breaks the rules, causes interference regularly, or does something so egregious it can't be ignored, the FCC doesn't have the bandwidth to enforce the rules.  In some instances, equipment can be deployed to triangulate the offender, but that requires a lot of work and I'm not aware of it happening anytime recently.

To be continued…

Delta jacked up my flight schedule and I now have to drive 5 hours home instead of flying and finishing this post…coming soon!