(Credit: Aaron Parecki / CC by 2.0)
Last week, after a bomb exploded in Chelsea, millions of cell phones around New York City sprang to life. In an unprecedented move, the city had used the Wireless Emergency Alert system, best known for pushing out weather alerts, as a virtual wanted poster. https://twitter.com/KarstenAichholz/status/777841352499400704
The alert didn’t directly lead to the suspect’s capture, but already it has heralded a new frontier in policing. At a press conference, NYC’s top cop hailed it as “the future” of how governments communicate with citizens. Then this week, New York Senator Chuck Schumer demanded that the Federal Communications Commission, which oversees the wireless alert system, update its currently retro technology. “The bottom line is that in the era of Instagram, Facebook, and Snapchat, our Wireless Emergency Alert System needs to get as smart as our phones and be updated so it can deliver photos and other media that has information that can save lives,” Schumer wrote.
Wireless Emergency Alerts allow officials to push a message out to millions of people at once. That’s a great boon to police and emergency workers trying to keep people safe — already WEAs have been credited with saving lives. But they also create the potential for something terrifying: If the government can reach us at any time, who else can? For example, a disgruntled phone company employee playing a practical joke. Or spammers directing recipients to websites loaded with malware. Or a terrorist intent on causing mass panic (i.e., “Tsunami imminent, evacuate immediately”). Is a system that can reach us anywhere, at any time, really safe?
In some ways, the alert systems of today are more secure than the TV and radio warnings of the past. The federal government has spent years building an authentication system to ensure that someone can’t intercept or change an alert, or create an alert of their own.
But any system is hackable—and today that system sits on our bedside tables, is plugged into our ears, and is with us nearly all the time.
For as long as emergency alert systems have existed, they’ve been misused. In 1971, an employee at the National Warning Facility fed the wrong tape into the federal warning system. Thousands of radio and TV stations broadcasted a message that seemed to hint at a looming nuclear attack. Fortunately, the second part of the warning never went out, and the whole thing was redacted less than an hour later.
Digital systems, however, make it easier for outsiders to cause trouble. On the morning of November 27, 2010, Iowa’s Amber Alert system sent an email with a link to a missing girl. But this alert was old, and the teenager in question had already been found safe. The state blamed an outside contractor whose sloppy work reinforcing Iowa’s intranet left entry for a hacker.
Two years later, another hacker managed to broadcast warnings of a zombie attack on stations in Montana, Michigan, and New Mexico. This time, the cause was stupidity: the affiliates who blasted the attack hadn’t changed the default settings for their alert systems, leaving the network vulnerable to anyone who could find the standard password.
Both these breaches were minor. Iowa’s old alert was canceled in minutes and only went out to a group that had voluntarily signed up to receive Amber Alerts; Montana viewers weren’t really worried about zombies. But as alerts move from a scrolling message superimposed over a TV show to one sent directly to a device most of us keep on our body at all times, the potential for fake alarms to have serious consequences increases. “A lot has changed,” says Gerard Meyers, who oversees information technology at the Iowa Department of Public Safety. “To tell anybody that an agency is immune to these attacks would be a grave injustice.”
The U.S.’s emergency alert system is half a century old, a product of the Cold War. It’s the technological successor to earlier methods, tracing as far back as men yelling dispatches on horseback, bells tolling in town squares, and tornado warning sirens. Today’s emergency alert technology has remained remarkably consistent over the last several decades: agencies designated by FEMA as “Alert Originators”—for example the National Weather Service—send a message to FEMA. FEMA, in turn, authenticates the missive and relays it to broadcasters in the affected area. The U.S. is divided into about 550 alert areas, each with at least two broadcasters set up to receive emergency alerts targeted to the local community.
But Wireless Emergency Alerts — the messages that shoot straight to your cell phone, turning a subway car or classroom into a cacophony of bleeps — are relatively new, having launched in a partnership between New York City and FEMA in 2011. Nowadays, they’re available nationwide. And now that the 92 percent of Americans who own cell phones also carry little warning devices in their pockets, security experts say they worry more about a potential hack and are working harder than ever to ensure that one doesn’t happen.
“Wireless emergency alerts are a very powerful tool that can reach a really large amount of people, even millions,” says Cesar Cerrudo, the chief technology officer of IOActive, a security company that’s studied emergency alert systems. “Imagine if you could reach one million people saying there was a tsunami coming, ‘please run to the hills.’ People trust the emergency alert system. They don’t think it could be someone with bad intentions making the alert.”
Here’s how the Wireless Alert Systemworks: Someone—say, the New York City Department of Emergency Management—creates an alert. That alert is transmitted via messaging software, built by a group of security contractors to FEMA. FEMA receives roughly 40,000 messages per month, but only a small number—approximately 500—are routed through the WEA system and sent to our cell phones.
According to FEMA, making sure that only accurate alerts get sent is top priority. “FEMA recognizes the growing sophistication of threats against IT systems,” Alexa C. Lopez, a FEMA spokeswoman, wrote in an email, adding that they are “evaluating additional measures” to keep the systems secure. The first protection against outside agents is stylistic: The alerts are written in a system called the Common Alert Protocol The style helps keep alerts consistent throughout the country and allows FEMA to weed out the most basic fakes: If they’re written in an unusual format, it might signal a hacker.
To ward off more refined hacks, FEMA has assigned each of the country’s designated Alert Originators an authentication key. If an alert hits FEMA’s authentication system and doesn’t contain that key, it can’t be sent onward to cell phone carriers. A hacker would have to unearth the key to be successful, says Neil Graves, who helped build out the system and is now chief scientist for cybersecurity policy at the Department of State.
If the message does contain the code, FEMA determines where it should go — either by marking an area around designated cell phone towers, or plugging in a county. It then sends the message to all the cell carriers in that area that are in FEMA’s database. Those carriers then relay the message to customers’ phones.
What Graves worries about is someone on the inside—either a contractor working on the platform, or an employee at a local agency — phishing for the authentication code and skirting past FEMA’s security measures. The system grows weaker as you move to the carriers, he says, as employees there could send out a message on their own with relative ease.
Carol Woody, a professor at Carnegie Mellon who has studied wireless emergency alerts for the Department of Homeland Security, agrees that humans are the weakest link. As more government agencies gain access to the technology, Woody says, there’s a higher chance that an employee will leave an authentication system open to a breach. Someone with malicious intent — a hacker, a terrorist, or just a practical joker—might even get a job at one of these agencies. From there, it’s not hard to send out a false alert, or prevent a potentially life-saving message from going out.
The closest we’ve come to a false WEA dispatch was in 2011, when Verizon, in an attempt to test its system, instead pushed out an alert telling people to “take shelter now” across part of New Jersey. 911 calls in one county doubled in an hour. Yet people remained calm; they searched for more information. “It was more concern than panic,” a spokesperson from the sheriff’s department told CBS at the time.
That reaction is right in line with what research has found, according to Jeannette Sutton, a disaster sociologist at the University of Kentucky. When people feel anxious based on a small piece of information, their first reaction is to panic or to seek out more information, or both. Which reaction we embrace—panic or research—could spell the difference between a potential hack causing either disaster, or nothing. That’s especially true now that alerts can reach millions of people at once
Part of the problem with the WEA system, Sutton believes, is that it offers just a hint of information, leaving its recipients to question what to do next. Sutton suggests that FEMA, the FCC, and local affiliates develop a system capable of distributing more than a few lines of text. The more information people have, she says, the better they can interpret it and act rationally. That’s something the Department of Homeland Security is currently considering.
Whatever future alerts look like — a line of text, an image, a link—their biggest challenge will be in courting our convictions. As government agencies rely more heavily on wireless alerts, the risk of a false alarm multiplies. Sure, a false alarm might send a community into panic. But there’s the very real risk of a false alarm undermining our faith in the system. If WEAs become the boy who cried wolf, eventually it becomes hard to know when to stay calm, and when to act.
