- January 10, 2019
- Posted by:
- Categories: Archer News, Cyberattack, Hacking, Mobile Devices, Posts with image, Security Management
You can expect more false alarm messages on your phone.
And some may come from people out to scare you, hurt you or take your money.
One year after Hawaii’s false missile alert, the wave of non-emergency emergency messages continues.
Watch here:
False Alerts
Hawaii’s false alert in January last year was just the beginning of a year flush with false warnings.
On Saturday, hackers broke into Australia’s early warning alert system, sending out their own alerts saying, “EWN [Early Warning Network] has been hacked.”
In December, a late-night 911 alert went to people in Oregon, though it was intended for Washington state.
“It woke me from a dead sleep and straight fight-or-flight set in,” wrote Ashlie on Facebook. “A lot of unnecessary panic.”
“I appreciate that there are notifications like this, but how many times has it been accidental in some sort of way #hawaii,” she added. “The next time it happens how am I to know it’s for real for real?”
Officials apologized for the error, but the question remains — and with growing significance.
One of the most dramatic moments coming out of #Hawaii today, parents sheltering their children in a storm drain. pic.twitter.com/6kRwBZa2ch
— We The People (@WTPMagazine) January 14, 2018
A Series of Errors
On January 13, 2018, a false missile alert threw Hawaii into a state of panic and confusion.
Video showed people running for shelter, putting their children into storm drains and huddling in houses.
Just a few days later, Japanese broadcaster NHK sent out a different fake missile alert telling people to take cover.
In February, Accuweather sent a false warning for a tsunami supposedly on its way to cities around the U.S.
Just got a Tsunami Warning for New York, but apparently it’s just a test. Thank you for the morning panic attack, @accuweather! 🤦🏻♀️ pic.twitter.com/0Be0helrbw
— Katia Del Negro (@KatiaDelNegro) February 6, 2018
In May, a South Florida city warned people of a power outage and zombie alert.
The outage was real. The alert? So far, no zombies.
The power went out at this Florida city. The 'zombie alert' came next. https://t.co/AqJecM94Zk pic.twitter.com/4kwh6zd8n0
— Miami Herald (@MiamiHerald) May 22, 2018
Manipulation
The technology we use to bring quick emergency info can also bring us panic or doubt.
Some say attackers can use it to manipulate us.
Archer News asked security expert Ernie Hayden of 443 Consulting if emergency communications officials should be protecting their systems from hackers.
“Absolutely!” he responded.
He underscored the fear many people felt during the Hawaii false missile alert.
“Just from the standpoint of people trying to escape, or worrying about where their children are and can they get to the school and are they ever going to see their family again. These are thoughts that nobody deserves to go through. Ever. Ever,” he said in an interview in Waikiki.
Motivation
Who would do this on purpose and why?
“The motivations for that sort of thing will really run the gamut,” said security expert Dave Lewis, global advisory CISO for Duo Security/Cisco, to Archer News in Honolulu.
Lewis said some people are simply trolls, trying to cause pain or get some laughs.
For example, someone hacked a TV emergency alert system in 2013, broadcasting a zombie warning in five states from Montana to New Mexico.
“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living,” the warning said.
Some would do it for money, like the attackers the same year who demanded $5,000 ransom or they would shut down emergency call systems in Illinois.
Act of War
Some would do it for war.
“If the U.S. government had identified that as an attack, and if these folks had been sophisticated enough to simulate such an attack and direct it towards another nuclear nation or some rogue entity anywhere in the world, we could have had on our hand, this last Saturday, a bona fide nuclear war,” Habibi said to Archer News.
“Do you think there is someone out there who would trigger a nuclear war?” we asked Lewis.
“I’m sure there are people out there that would be more than happy to do that sort of thing,” he responded.
False Ballistic Missile Attack Alert Causes Panic In Hawaii https://t.co/AMXpLoF1ct https://t.co/UqxFZRtGkl pic.twitter.com/MC3J8YGZ7D
— Honolulu Civil Beat (@CivilBeat) January 13, 2018
Mistakes
Lewis says the Hawaii scenario is much more likely — a human making a mistake, believing that a drill was the real thing.
Still, he said, officials in charge of emergency communications must prepare.
“There is always that possibility,” Lewis said. “There is always a chance something might happen.”
Flaws
The Hawaii alert exposed flaws in the system.
An FCC report in April concluded there was inadequate emergency alert software, poor training for staff on how to use the software, and no system to take back a missile alert.
The alert stayed live for 38 minutes.
Images of the confusing alert system interface and of emergency staff showing their password on a sticky note made some Hawaiians lose confidence.
The Agency That Messed Up Hawaii's Nuclear Alert Keeps Passwords on Post-Its https://t.co/MQc2ASW8vo pic.twitter.com/0wSTG6pkSK
— VICE UK (@VICEUK) January 17, 2018
Fixes
One year later, Hawaii’s Emergency Management Agency told Archer News it has reviewed and made changes, not just fixing problems from the reports, but also adding more cyber security protections.
The protections include encryption, multi-layered firewall security, cybersecurity awareness training, and two-factor authentication.
Now two people need to approve the emergency alerts before they go out, instead of just one, who could — and did — make a large-scale mistake.
“Every emergency manager in the U.S. needs to learn from what happened in Hawaii,” said Hayden.
More Holes
As emergency managers step up their game, so do researchers — showing that holes still exist.
Bastille Researcher Balint Seeber showed in April how attackers could easily take over siren systems in San Francisco and across the country with a rickroll.
But his message is serious — that other governments could set off simultaneous false alarms near power plants and military bases.
“State actors seeking to cause chaos and deepen the distrust in the government’s capability to handle emergency situations could exploit the SirenJack vulnerability,” he said in a video.
Also in April, the Department of Homeland Security warned about research showing that smart city sensors and systems can be hacked, allowing attackers to trigger false alarms and alerts.
More False Alerts
One year later, it is clear that you will get more alerts, some of them false or off target.
“Rather get it and not need it,” wrote Tracy on Facebook about the misguided Oregon 911 message.
“I would rather not have a crappy alert system that doesn’t function correctly and can potentially cause mass panic,” responded Ashlie.
Possible consequences?
Nuclear war, chaos. A heart attack. Spam and scams.
Maryland is working on laws to ward off people who would use the emergency system info for sales and other nuisance messages.
And another danger?
Disregard or mistrust, if people view the emergency alert system as the boy who cried wolf.
Your role now — to view alerts with a critical eye, aware they could be fake, but always taking care to protect yourself.
“Fear serves no purpose for anyone,” said Habibi.
“The consequence of cyber attacks, especially malicious ones,” he said, “is to cause havoc and create fear and cause harm eventually. As citizens we need to be aware and proactive but not fearful.”