This is a spoof, this is only a spoof...

A recent analysis of the Emergency Alert System, which replaced the Emergency Broadcast System (itself heir to CONELRAD), shows the hackability of emergency alerts.

The EAS was launched in 1997 to replace the Cold War-era Emergency Broadcast System known best for making the phrase "this is only a test" a cultural touchstone. Like that earlier system, the EAS is designed to allow the President to interrupt television and radio programming and speak directly to the American people in the event of an impending nuclear war, or a similarly extreme national emergency. The system has never been activated for that purpose, but state and local officials have found it a valuable channel for warning the public of regional emergencies, including the "Amber Alerts" credited with the recovery of 150 abducted children.

As first reported by SecurityFocus nearly two years ago, the EAS was built without basic authentication mechanisms, and is activated locally by unencrypted low-speed modem transmissions over public airwaves. That places radio and television broadcasters and cable TV companies at risk of being fooled by spoofers with a little technical know-how and some off-the-shelf electronic components. Under FCC regulations, unattended stations must automatically interrupt their broadcasts to forward alerts, making it possible for even blatantly false information to be forwarded without first passing human inspection.

The FCC's review follows a detailed report on the EAS produced by the non-profit Partnership for Public Warning (PPW) in February, which noted that "EAS security is now very much an issue."

"Since attacks involving chemical or biological weapons are likely to require use of the EAS system to provide official alert information to the public, it is possible that an attacker could decide to cripple the EAS or use it to spread damaging disinformation," reads the PPW report.

So, some reasonable alternative to EAS is needed; if the system can be hacked, then a DoS attack or a series of 'cry wolf' false-alarm spoofs would render the system useless, as it's been predicted that false alarms would lead people to ignore it. That would be a nice complement to a terrorist action, now, wouldn't it?

An SMS-based system, to address the 2/3 of Portland-area folks with cellphones, would be a nifty idea, and cheap (since it uses existing infrastructure). I've proposed it to the Director of Portland's Emergency Management office. Here's a Washington Post article (free, registration required) describing their system.