EAS Hack: CAP Not the Issue, Internet Security Is
Federal authorities are looking into several incidents in which an unauthorized person or persons interfaced with EAS encoders/decoders that were connected to the Internet, knew or figured out the default password, broke into the device and were able to insert a false message that was transmitted by several stations.
A FEMA spokesperson told RW that the incidents appeared to be a security breach of a product used by some local broadcasters. “FEMA’s Integrated Public Alert and Warning System was not breached or compromised and this had no impact on FEMA’s ability to activate the Emergency Alert System to notify the American public.” FEMA will continue to support the FCC and other federal agencies looking into the matter, according to the spokesperson.
When reached last night, the FCC had no comment on the investigation.
Broadcast engineer and long-time EAS expert Richard Rudman agrees what happened is not an issue with CAP and has nothing to do with IPAWS OPEN, FEMA’s Web interface for alerts. “It’s because [EAS] boxes are connected to the Internet. Mentioning CAP as part of the problem is inaccurate,” Rudman emphasized, speaking for the Broadcast Warning Working Group. “Anybody that has a Part 11 box that’s compliant is now tied to the Internet.”
If a station’s gear that’s tied to the Internet is behind a router with a firewall and protected with a strong password, that will most likely thwart would-be hackers, he suggested. “Even a $50 router will have firewall. There’s some evidence this was tried elsewhere and the EAS gear of stations that had a strong firewall were not hacked,” he said.
While most of the hacking incidents involved television stations, we reported one incident involved a radio group in Utah. Bonneville DOE John Dehnel was able to head off the fake alert on the main signals for KSL AM/FM, but the fake alert did get transmitted automatically on the station’s HD2 channels.
The hackers, he said on the SBE EAS list serve, knew what they were doing, stating that the unauthorized person was familiar with how EAS works and even the type of device his stations have. The person “hacked in and programmed a header they would assume would be something that would auto-forward. It takes some training and instruction to do all of that. A casual hacker, even if he got into the box, would not have known how to do it.”
The station has taken its encoder/decoder offline to preserve any data it may contain that would be useful to the investigation.
Rudman agrees it appeared the hacker knew what he was doing. He tells RW that for the affected stations, it looks like an MP3 file was uploaded to the EAS encoder/decoder and activated as a message. “The box was probably set to send an alert automatically.” He shared with us suggestions he also passed along to the California Broadcasters Association, namely that stations verify they have strong passwords for their Internet interfaces and all their EAS gear is connected through a firewalled router.
“One engineer thought changing the front panel password is enough,” said Rudman, who adds that’s not enough and recommends a Gibson Research site for checking password strength. It’s also recommended by Leo LaPorte and other IT experts.
It’s important to change all of the Web interface passwords for every single EAS encoder/decoder, Rudman said, who recommends contacting the vendor for specific product documentation. “Only then will the new, strong passwords you set have an effect.”
Rudman’s best advice: “Always practice safe Internet!”