In the last two days, several radio and television stations across the country had their station’s EAS systems hacked – and ended up broadcasting alerts dealing with zombie attacks that went out using the standard EAS systems and appeared or sounded to the viewer or listener to be real alerts. The FCC and others involved in the EAS program fear that other fake alerts have already been inserted into stations’ systems and may be broadcast soon – perhaps during events like the State of the Union address or other widely-viewed programs. To combat these issues, the FCC has issued the following advice to all stations:
All EAS Participants are required to take immediate action to secure their CAP EAS equipment, including resetting passwords, and ensuring CAP EAS equipment is secured behind properly configured firewalls and other defensive measures. All CAP EAS equipment manufacturer models are included in this advisory.
All Broadcast and Cable EAS Participants are urged to take the following actions immediately
1. EAS Participants must change all passwords on their CAP EAS equipment from default factory settings, including administrator and user accounts.
2. EAS Participants are also urged to ensure that their firewalls and other solutions are properly configured and up-to-date.
3. EAS Participants are further advised to examine their CAP EAS equipment to ensure that no unauthorized alerts or messages have been set (queued) for future transmission.
4. If you are unable to reset the default passwords on your equipment, you may consider disconnecting your device’s Ethernet connection until those settings have been updated.
5. EAS Participants that have questions about securing their equipment should consult their equipment manufacturer.
Stations should follow these guidelines immediately and take other actions to secure their EAS systems. Obviously, the FCC and other agencies involved with the EAS system, which only recently became at least partially Internet-based with the introduction of the new internet-based Common Alert Protocol (CAP), will need to look at this issue in more detail in coming months, as a system like this could become a target of future attacks. Until any further mandates are issued, stations should take the steps outlined above immediately.
Update – 2/12/2013 – 10:25 PM EST - I heard from an engineer who has been very involved in EAS issues the following:
There was some speculation earlier that this event had something to do with the Common Alerting Protocol that is built in to all of the new EAS devices. Not true. According to all information that the Broadcast Warning Working Group has been able to sift through this is simply a case of making sure that all entities subject to Part 11 EAS compliance immediately change factory default passwords to strong new passwords (if not already done), and that all EAS devices are behind routers with good built-in firewalls. Operations that have installed internet connectivity just for EAS compliance should make sure that they also have installed a router with a good built-in firewall. Such routers are available in the $50 range.
This is not to say that the connection to the Internet required as part of the adoption of CAP did not provide the pathway to get into the station’s systems, only that the CAP system itself was not the way that that fake messages were distributed. Many in the public safety community view CAP as providing great benefits for being able to convey much more detailed and robust information about emergency issues. Thus, it is important to recognize that the system itself did not cause the issues here, just the connection to the Internet. This just reminds broadcasters that any of their systems connected to the Internet need to be secured to make sure that these kinds of issues do not arise in the future – through some other avenue into a broadcaster’s programming systems.