Thanks to a new notification service launched by the United States government in 2018, the President now has the power to issue alerts to every citizen with a working cell phone. The technology for this service, known as the Wireless Emergency Alerts (WEA) system, has been around for a number of years and has been implemented for events like Amber Alerts, where a child has been declared missing or kidnapped. To date, the new presidential alert system has only been used for an initial test. The expectation is that it will only be used during national emergencies or to warn of an impending crisis similar to how emergency broadcast alerts are distributed to all televisions and radios. But like with any computer-based system, the threat of hacking is always present. Attackers are likely already plotting ways to infiltrate the new addition to the WEA system and use it to their advantage. Read on to learn more of what's at stake and how critical it is to prevent such hacks.
Previous Hacking Incidents
Although the concept of a presidential alert system is new at the national level, individual states, counties and cities in America have set up similar notification services in the past. For the most part, these have been successful implementations, but there have been a few instances of cyberattacks that should provide warning to the national government. For example, residents of Montana received a spooky alert on their cellphones back in 2013 claiming that a zombie apocalypse was about to hit the state. After a thorough investigation, authorities found that a local television station's IT systems had been hacked and had failed to detect the rogue outgoing message. A TV station in Michigan experienced a similar incident of cybercrime that same year when a zombie-related warning was issued to residents in several counties. Investigators later determined that the attack originated from outside the United States.
Vulnerabilities in Alert Systems
The Federal Emergency Management Agency (FEMA) is the government arm responsible for the rollout and oversight of the new presidential alert system. The IT infrastructure involved in such a system is surely complex. Therefore, so is the task of protecting it from attacks. Malicious actors are normally pictured as seedy individuals working for nefarious organizations or international spy agencies, but the truth is that a lot of cybercrime can originate from within the host organization. This means that FEMA must start by looking inward when it comes to network security, as any rogue employee could pose a risk to the alert system. Meanwhile, external hackers will be looking for any sign of vulnerability within the WEA system, both from a hardware and software perspective. Like many modern corporations, the U.S. government has begun to shift many of its IT systems of resources onto cloud hosted environments. The cloud offers a range of benefits for government agencies, including high network performance and global data reliability, but it also can introduce more risk. For example, if the presidential alert system were to have interfaces with a cloud platform, it would bring outside hackers one step closer to being able to carry out successful attacks. Many experts speculate that such a cloud-based system could be infiltrated by a single individual with relatively basic hacking knowledge.
Steps to Protect
With a service like wireless alerting that has to span an entire country, the amount of hardware, software and networking involved is staggering. The government must take a firm approach when building its industrial control system (ICS) security approach. First, all individual devices need to be locked down within a secure environment. If a hacker were to gain physical access to a server or router, they could potentially intercept traffic on the alert system and either delay or modify the contents. Web software is another major key when it comes to protecting these types of alerting systems. In the cases where Montana and Michigan residents received a rogue warning about zombies, the root cause was that hackers had managed to log in through administrative consoles online with a default administrative password. Software applications will typically come installed with a single local administrator account and a password that is easy to guess. Changing that password to something unique and complex is a good start towards better security, but it's still not enough to fully protect against outside attacks. Any web portal where passwords are entered should be configured with a secure sockets layer (SSL) certificate. This will encrypt all communications sent between a user's web browser and the server hosting the application. It means that even if a hacker manages to infiltrate the local network and spy on web traffic, they will not be able to decode the messages or steal the password.
Impact and Fallout
In the cases of the Montana and Michigan zombie alert messages, the incidents amounted to little more than a prank. No devices were compromised or held for a ransom payment. The groups behind the hackings were simply looking to expose a gap in the alert system's security setup and make a joke out of it. But the next cyberattack that occurs, especially if it targets the nationwide presidential alert system, could have much more damaging ramifications. An easy example is the warning message that went out to residents of Hawaii in January of 2018 stating that a missile was about to hit the island area. This proved to be an accidental test, but it still shows the kind of panic that such a message can cause. Perhaps the biggest danger in regards to wireless alert hacking is the trust factor. If the presidential notification system gets hacked just once, it will ruin the service's reputation, and FEMA will have a challenge to repair its image. Without that level of trust, future alerts during a real emergency could be ignored and put lives in actual danger.
About the Author: Gary Stevens is an IT specialist who is a part-time Ethereum dev working on open source projects for both QTUM and Loopring. He’s also a part-time blogger at Privacy Australia, where he discusses online safety and privacy. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
