February 15, 2019
Can the Presidential Alarm System be Hacked?
February 15, 2019
The autumn of 2018 brought something new to the general alert system of the United States. While the country’s old Emergency Alert System (EAS) that’s been in place for decades is still in use, a process for using text message alerts was added. The first test of what has been dubbed the Presidential Alert System appeared to be a success.Alerts by text are nothing new. Early 21st century legislation made it possible for states and other jurisdictions to set up emergency warning systems for their areas. The National Weather Service already has an opt-in system of this nature that sometimes interlines with these regional and state systems. What is different now is the idea of a system that operates on the federal level. Specific carriers participated in the October 2018 test, with plans to roll out the program across all wireless providers. Even as the test results continue to be examined, concerns about this approach have arisen. It is possible for this new initiative to be hacked and used without proper authorization? Unfortunately, the answer is yes. Who’s Overseeing the System?
What’s more properly known as the Wireless Emergency Alert (WEA) system operates under the auspices of the Federal Emergency Management Agency. Specifically, WEA is a new component in FEMA’s Integrated Public Alert and Warning System. The existing system made use of radio and television to alert the public to impending emergencies. In many areas, it coordinates with localized emergency warning measures such as emergency sirens.FEMA’s objective is simple: tap into what has become a major communication source. With such a high percentage of the population carrying smartphones with them everywhere, the WEA has the potential to make contact with and share quick information about the nature of the emergency. As with the older components, the goal is for this new addition to increase the odds of citizens to seek shelter, evacuate, or otherwise take actions to protect themselves and their loved ones. What Sort of Attacks Do Experts Think Could Happen?Hacking can result from a number of actions taken on the part of the hacker. One of the most common is to break or emulate the encryption of the message. This is because the encryption is what preserves the integrity of the message itself. Essentially, the hacker breaks the encryption and either uses it to manipulate the wording of a text, or creates an entirely new one. This creates the potential for two types of threats: 1. Altering an Outgoing Message
In this scenario, the hacker changes the wording so that the intended meaning is skewed. If done quickly, there will be several seconds before the changes are detected. In the meantime, it’s possible for tens of millions of citizens to see and react to the falsified message.2. Creating a Completely Bogus Message
The hacker breaks into the system and creates a message from scratch. It could take the form of announcing a phony emergency, or it could be worded as if it’s coming directly from a high-ranking government official. Given that part of the public backlash about the WEA has to do with detractors’ claims that the Trump Administration is invading their privacy with text messages, it’s safe to say a substantial number of people would accept the message as real and react in a less than constructive manner.Reservations about the WEA don’t rest solely on potential hacks. There’s also concern that the channel of communication would be abused for personal or political gain by a member of the current or future administrations. Are There Any Historical Precedents?TV and radio alerts to have the advantage of more vetting before being released on the air, but sometimes fall victim to hacking also. Email and text messaging currently are more vulnerable than their counterparts. Here are some examples of how both approaches have been abused.
The Zombie Attack of 2012 is a classic example. The hacker accessed the Emergency Alert System to broadcast a message to television stations in Michigan, Montana, and New Mexico. The gist of the message was that bodies were rising from graves, citizens were to take shelter and not attempt to subdue or otherwise stop the zombies.
In 2010, email hacking made it possible to send out an alert about a missing teenager throughout the state of Iowa. Many people shared the email on social media before authorities could confirm the information was old and the teenager had been found in good health long before the alert was sent.
2018 has also seen the rise of scam text messages that seem to be sent from banking institutions. While most people understand that banks don’t send emails urging clients to click on links in order to clear up some issue with their accounts, not everyone understands that banks also don’t send out texts with links. Since the protocols used by financial institutions are similar to those used by the federal government, some see the potential for a nationwide system to be similarly abused.
In the best case scenario, this type of attack would involve an outrageous message – like the zombie attack – that the majority of the public would either be annoyed, amused, or disgusted rather than react with fear. Indeed, the 2012 zombie incident was better at generating monologues on late-night television that in creating alarm. Even so, this scenario would tend to weaken the credibility of the system and motivate people to treat even legitimate messages with less urgency.At the other end of the spectrum, a fake message could result in public panic. A great deal of harm to people as well as property could occur as everyone attempts to protect themselves from the impending threat. This creates a real threat to the basic thread of society, since many might suspend any sense of social responsibility in order to get out of harm’s way. Does the fact that the system can be hacked mean it’s worthless? The answer is no. Like older warning systems, it should be considered a work in progress. When and as vulnerabilities are identified, they must be corrected. Only time will tell if the federal government is capable of ensuring the WEA is stable, focused on its stated purpose, and is not allowed to be misused by hackers or by anyone in authority.