Devices used by many radio and TV stations to broadcast emergency messages as part of the U.S. Emergency Alert System (EAS) have critical vulnerabilities that expose them to remote hacker attacks, according to researchers from security consultancy firm IOActive.
The EAS is a national public warning system that can be used by the president or local and state authorities to deliver emergency information to the general public. This information is transmitted by broadcasters, cable television systems, wireless cable systems, satellite digital audio radio service (SDARS) providers, and direct broadcast satellite (DBS) providers.
EAS participants are required to install and maintain special decoding and encoding devices on their infrastructure that allow the transmission and relay of EAS messages.
IOActive Labs researcher Mike Davis found several critical vulnerabilities in EAS devices that are widely used by radio and TV stations nationwide, said Cesar Cerrudo, chief technology officer of IOActive.
The vulnerabilities allow attackers to remotely compromise the devices and broadcast fake EAS messages, he said. “We contacted CERT [U.S. Computer Emergency Readiness Team] almost a month ago and CERT is coordinating with the vendor to get the issues fixed.”
At least two products from one of the main vendors of EAS devices are affected, so many radio and TV stations could be vulnerable, he said.
Cerrudo declined to name the vulnerable products or the affected vendor before the vulnerabilities get fixed. He hopes that this will happen soon so that IOActive researchers can discuss their findings at the RSA 2013 security conference in San Francisco later this month.
“We found some devices directly connected to the Internet and we think that it’s possible that hackers are currently exploiting some of these vulnerabilities or some other flaws,” Cerrudo said.
Concerns regarding cyberterrorism was front and center this week among security experts at the RSA security conference in San Francisco, who find that some people with extremist views have the technical knowledge that could be used to breach computer networks.
Cyberterrorism does not exist currently in a serious form, but some individuals with extremist views have displayed a significant level of knowledge of hacking, so the threat shouldn’t be underestimated, said F-Secure’s chief research officer Mikko Hypponen on Thursday at the RSA security conference in San Francisco .
Other security experts agree. “I think it’s something that we should be concerned about. I wouldn’t be surprised if 2012 is the year when we start seeing more cyberterrorism,” said Mike Geide, a senior security analyst at security vendor Zscaler.
Extremists commonly use the Internet to communicate, spread their message, recruit new members and even launder money in some cases, Hypponen said during a presentation about cyberterrorism at the conference.
Based on the data Hypponen analyzed, most groups of radical Islamists, Chechen terrorists or white supremacists seem at this stage more concerned about protecting their communications and hiding incriminating evidence on their computers.
They’ve even built their own file and email encryption tools to serve this goal and they use strong algorithms that cannot be cracked, Hypponen said. However, there are some extremists out there that possess advanced knowledge of hacking, and they are trying to share it with others, he added.
The researcher has seen members of extremist forums publish guides on how to use penetration testing and computer forensics tools like Metasploit, BackTrack Linux or Maltego. “I don’t think they’re using these for penetration testing though,” Hypponen said.
Others have posted guides on website vulnerability scanning, SQL injection techniques, and on using Google search hacks to find leaked data and more, he said.
Although such extremists have mainly succeeded in unsophisticated Web defacements so far, Hypponen believes that cyberterrorists could become the fourth group of Internet attackers after financially-motivated hackers, hacktivists and nation states engaging in cyberespionage.
The closest we’ve come to a real cyberterrorist attack was the DigiNotar breach which resulted in rogue digital certificates being issued for high-profile domain names, said Richard Moulds, vice president of strategy and product marketing at French defense contractor Thales.
Other countries — and many companies — are using social-networking tools to their advantage, while the U.S. government has taken tiny steps forward, said Rand Waltzman, a program manager focused on cybersecurity at the U.S.Defense Advanced Research Projects Agency (DARPA).
The Chinese government pays citizens to patrol social-networking sites and dispute negative talk about all levels of government or any aspect of Chinese life, and companies such as Dell and Best Buy are training workers to respond to complaints on Facebook and other social-networking services, Waltzman said at the Suits and Spooks security conference in Arlington, Virginia.
U.S. regulations prevent the government from undertaking similar campaigns, he said. “Any time you want to go to the bathroom, you need presidential approval,” he said.
The U.S. will not be able to protect its residents if it cannot engage in its own covert social-media operations, Waltzman said.
Waltzman told about a U.S. special forces unit in Iraq in 2009 that attacked an insurgent paramilitary group, killed 16 of the members of the group and seized a “huge” weapons cache. As soon as the U.S. unit left the scene, the Iraqi group returned, put the bodies on prayer mats, and uploaded a photograph from a cheap mobile phone, he said. The group put out a press release in English and Arabic.
The insurgent group “made it look like someone had come in and murdered these guys in the middle of prayer, unarmed,” Waltzman said.
Meanwhile, it took the U.S. soldiers three days to get approval to post their video of the fighting, he added. “In social media time, three days is forever,” he said. “The damage has already been done, and there’s no way to take it back.”
U.S. politicians seem to be conflicted about using social media covertly, Waltzman said. Some denounce China for its social-media propaganda efforts, yet there are several examples in the 2010 congressional election campaigns of astroturfing, of using fake grassroots campaigns to support candidates, he said.