The US emergency broadcast system set up to enable the president to talk to the country within 10 minutes of a disaster can be hacked, researchers have warned.
IOActive discovered that the root privileged authentication key for the alert-issuing appliances is distributed as part of the firmware.
This key would allow an attacker to log in as root over the internet to an alert appliance and then manipulate any system function, according to IOActive.
Lead researcher Mike Davis said the system needs to be re-engineered, because an attacker who gains control of the appliances that deliver emergency messages could disrupt broadcasters’ ability to transmit and could disseminate false emergency information over a large area.
In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other emergency message delivery systems.
Read more about protecting critical infrastructure
- UK takes cyber threats to infrastructure seriously
- Is UK critical national infrastructure properly protected?
- Government to monitor companies supporting critical national infrastructure
- Critical infrastructure security: Electric industry shows the path
- GRC Management and Critical Infrastructure Protection
- NetWars CyberCity missions to improve critical infrastructure protection
- Steve Lipner on the Microsoft SDL, critical infrastructure protection
However, a security notice on the website of the firm that supplies the alert appliances urges customers to ensure they have installed the latest software update.
This indicates that the device makers may have heeded IOActive’s advice to update the firmware to resolve the security issues.
The notice also advises customers to change the factory default password and make sure all network connections are behind secure firewalls.
No similar emergency broadcast system exists in the UK, but the government is set to begin trials later in the year of a new public emergency alert system, according to the BBC.
The plans include alert systems that span multiple platforms, including the internet and mobile phone networks, with social media being a key component, according to a consultation document.
"The popularity of social media makes it an ideal platform for communication with people and for disseminating additional information in the aftermath of an emergency," the document says.
However, the document also notes that security must be a high priority to prevent false alarms.