Zombie Alert! Are You Ready For The Next Attack?
July 16, 2013
Recent stories regarding the false EAS Zombie Alert should be of continuing concern to radio and television broadcasters. The perpetrator(s) of the Zombie Alert have still not been identified and the potential for a reoccurrence of that Emergency Alert System abuse, or for even a more malicious or even terrorist misuse, exists and can be exploited if broadcasters are not careful to comply with all manufacturers' instructions and updates.
Rumor is that the Zombie Alert occurred because a broadcaster failed to change the default password for access to its EAS equipment. While many participants have been sensitized to this issue and are now regularly updating their EAS equipment password, other serious issues also require attention.
As with all computer software, would-be hackers are constantly searching for vulnerabilities. Every broadcaster should know that responsible purveyors of EAS equipment issue periodic updates to that software and they must be on the alert to install the updates as quickly as possible. The FEMA Community Emergency Response Team (CERT) program has just issued an alert that such issues have been identified, mitigated, but to broadcasters, "Just Install the Software."
Here's an example: Monroe Electronics, a major manufacturer of EAS equipment, maker of the DASDEC™ and One-Net™ emergency alert messaging systems, recently released a notice that its new version 2.0-2 software is available to better protect the security of its devices and to improve operational features in its EAS products. Importantly, this upgrade removes the default SSH key -- the code that authenticates national alerts -- requiring each individual broadcaster to implement unique security measures for each device.
It also changed the password handling feature, made other security enhancements and improved polling of the IPAWS CAP code system. One would think that every broadcaster would update this software immediately. Unfortunately, experience demonstrates that many do not update EAS software for nine or 10 months after such a notice, if ever.
Broadcasters should be aware that section 11.35 of the FCC's rules and the FCC EAS Operating Handbooks make clear that EAS participants have specific maintenance obligations, including assuring that their equipment is installed properly and that the encoding and decoding functions work properly and so that monitoring and transmitting functions are available during operation. EAS Participants must also determine the cause of any failure to receive the required tests or activations. If EAS equipment becomes defective, the participant must repair or replace it within 60 days or request additional time from the FCC Field Office District Director.
It is critical that broadcasters periodically poll the manufacturer of their EAS equipment to determine if there is any update in the software or security fixes that need to be installed and that they be installed as quickly as possible. Monroe has provided a white paper on best practice security measures which is available for broadcasters at: http://www.digitalalertsystems.com/pdf/wpdas-122.pdf
This column is provided for general information purposes only and should not be relied upon as legal advice pertaining to any specific factual situation. Legal decisions should be made only after proper consultation with a legal professional of your choosing.