- January 10, 2019
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyberattack, Hacking, Mobile Devices, Posts with image, Security Management
You can expect more false alarm messages on your phone.
And some may come from people out to scare you, hurt you or take your money.
One year after Hawaii’s false missile alert, the wave of non-emergency emergency messages continues.
Hawaii’s false alert in January last year was just the beginning of a year flush with false warnings.
On Saturday, hackers broke into Australia’s early warning alert system, sending out their own alerts saying, “EWN [Early Warning Network] has been hacked.”
“It woke me from a dead sleep and straight fight-or-flight set in,” wrote Ashlie on Facebook. “A lot of unnecessary panic.”
“I appreciate that there are notifications like this, but how many times has it been accidental in some sort of way #hawaii,” she added. “The next time it happens how am I to know it’s for real for real?”
Officials apologized for the error, but the question remains — and with growing significance.
A Series of Errors
On January 13, 2018, a false missile alert threw Hawaii into a state of panic and confusion.
Just a few days later, Japanese broadcaster NHK sent out a different fake missile alert telling people to take cover.
In February, Accuweather sent a false warning for a tsunami supposedly on its way to cities around the U.S.
In May, a South Florida city warned people of a power outage and zombie alert.
The outage was real. The alert? So far, no zombies.
The technology we use to bring quick emergency info can also bring us panic or doubt.
Some say attackers can use it to manipulate us.
Archer News asked security expert Ernie Hayden of 443 Consulting if emergency communications officials should be protecting their systems from hackers.
“Absolutely!” he responded.
He underscored the fear many people felt during the Hawaii false missile alert.
“Just from the standpoint of people trying to escape, or worrying about where their children are and can they get to the school and are they ever going to see their family again. These are thoughts that nobody deserves to go through. Ever. Ever,” he said in an interview in Waikiki.
Who would do this on purpose and why?
“The motivations for that sort of thing will really run the gamut,” said security expert Dave Lewis, global advisory CISO for Duo Security/Cisco, to Archer News in Honolulu.
Lewis said some people are simply trolls, trying to cause pain or get some laughs.
For example, someone hacked a TV emergency alert system in 2013, broadcasting a zombie warning in five states from Montana to New Mexico.
“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living,” the warning said.
Some would do it for money, like the attackers the same year who demanded $5,000 ransom or they would shut down emergency call systems in Illinois.
Act of War
Some would do it for war.
“If the U.S. government had identified that as an attack, and if these folks had been sophisticated enough to simulate such an attack and direct it towards another nuclear nation or some rogue entity anywhere in the world, we could have had on our hand, this last Saturday, a bona fide nuclear war,” Habibi said to Archer News.
“Do you think there is someone out there who would trigger a nuclear war?” we asked Lewis.
“I’m sure there are people out there that would be more than happy to do that sort of thing,” he responded.
Lewis says the Hawaii scenario is much more likely — a human making a mistake, believing that a drill was the real thing.
Still, he said, officials in charge of emergency communications must prepare.
“There is always that possibility,” Lewis said. “There is always a chance something might happen.”
The Hawaii alert exposed flaws in the system.
An FCC report in April concluded there was inadequate emergency alert software, poor training for staff on how to use the software, and no system to take back a missile alert.
The alert stayed live for 38 minutes.
One year later, Hawaii’s Emergency Management Agency told Archer News it has reviewed and made changes, not just fixing problems from the reports, but also adding more cyber security protections.
Now two people need to approve the emergency alerts before they go out, instead of just one, who could — and did — make a large-scale mistake.
“Every emergency manager in the U.S. needs to learn from what happened in Hawaii,” said Hayden.
As emergency managers step up their game, so do researchers — showing that holes still exist.
But his message is serious — that other governments could set off simultaneous false alarms near power plants and military bases.
“State actors seeking to cause chaos and deepen the distrust in the government’s capability to handle emergency situations could exploit the SirenJack vulnerability,” he said in a video.
More False Alerts
One year later, it is clear that you will get more alerts, some of them false or off target.
“Rather get it and not need it,” wrote Tracy on Facebook about the misguided Oregon 911 message.
“I would rather not have a crappy alert system that doesn’t function correctly and can potentially cause mass panic,” responded Ashlie.
Nuclear war, chaos. A heart attack. Spam and scams.
Maryland is working on laws to ward off people who would use the emergency system info for sales and other nuisance messages.
And another danger?
Disregard or mistrust, if people view the emergency alert system as the boy who cried wolf.
Your role now — to view alerts with a critical eye, aware they could be fake, but always taking care to protect yourself.
“Fear serves no purpose for anyone,” said Habibi.
“The consequence of cyber attacks, especially malicious ones,” he said, “is to cause havoc and create fear and cause harm eventually. As citizens we need to be aware and proactive but not fearful.”