Broadcasters Get Wake-Up Call on Cybersecurity

On Monday, viewers of two television stations in Montana were treated to an Emergency Alert System prank. During a daytime schlock talk show, the EAS system went off at the stations and a message was heard that "the bodies of the dead are rising from their graves and attacking the living." The zombie apocalypse warning prompted a handful of quizzical calls to public safety officials, but no mass panic.
Today, we learned that this EAS hack was not a localized event. Public and commercial television stations in Michigan apparently broadcast the same warning; Radio World reported that other television and radio stations around the country also discovered the message in their EAS systems and some were able to prevent it from airing.
The National Association of Broadcasters, in passing along an advisory from the FCC about the EAS hack, suggests the event played out in "several states." The FCC and FBI are reportedly investigating.
The Emergency Alert System is a complicated network with many parts. Originally just a daisy-chain of broadcast stations throughout the country, the system now interfaces with internet servers, which makes station-level EAS systems accessible outside the station. The system is designed to promulgate such messages far beyond radio and television, to smartphones, tablets, road signs, and other info-outlets.
From what we know presently, hackers penetrated the EAS systems at the individual station level and inserted the bogus zombie alert there. The fact that stations across the country were affected suggests that they were systematically probed. The vulnerable stations hadn’t changed the passwords on their EAS interfaces from the factory default. Thus, as far as hacks go, this one was pretty simple and straightforward.
Even so, it demonstrates that information-security vulnerabilities exist within the U.S. broadcasting system. A zombie warning is infinitely less disruptive than, say, an Emergency Action Notification message, which would be carried by every single broadcast, cable, and phone provider nationwide. (It would also require hackers to penetrate much further up the EAS network chain.) While the potential of this might be disturbing, it’d be transitory – EAS messages give a hacker mere seconds of control over a radio or television station.
But radio and television stations are automated and networked in many different ways. Those who now operate and program broadcast outlets can be hundreds of miles away from the actual station. Regular maintenance of our broadcast infrastructure occurs almost wholly via remote control. Engineers have been using such systems to monitor and regulate transmitter operation for decades (first via touch-tone phone, now via internet connection).
On the programming front in radio alone, Clear Channel employs regional and format-specific program directors who each maintain the playlists of several stations from wherever they may be based, including the corporate HQ in San Antonio, Texas. For more than a decade now, program hosts have used voicetracking – uploading pre-recorded breaks into station computers, which makes the station sound live and local when it’s not. And some stations have outsourced their advertising traffic management responsibilities to freelancers.
Long gone are the days when the folks you hear and see on your local broadcast outlets actually have to be there. These remote arrangements also present many other possible remote access vulnerabilities, and they suggest a variety of potential outcomes: fake commercials, news/weather reports, and public service announcements; the replacement or deletion of programming on a wholesale scale; and, yes, even the possible hijacking of a station’s actual transmitter.
The scale of these potential vulnerabilities is wholly unknown. Broadcasters admittedly are not keen to talk about it, and there’s been no formal audit of network security in the industry as a whole. The chance of a nationwide broadcast hijacking is infinitesimal, but nothing’s impossible.
That said, there’s also been a growing dilemma within broadcasting over the aging of its engineering workforce, many of whom are better qualified to mess with RF than IT. Some broadcast engineers predict that the broadcast engineer of the future will more resemble a network manager than a transmitter caretaker. Today, the job already calls for maintaining multiple station facilities. Do the personnel and expertise exist to promote best practices of network security in broadcasting?
The FCC itself is not exactly a poster child for this: in 2011 it discovered that its own computer systems had been heavily breached…and a $10 million project to harden them didn’t fix all the problems.
The EAS hacks should be a wake-up call not only about the fundamental security of our system of broadcasting, but also about the deleterious structural changes in the industry which have exacerbated the likelihood of these problems actually manifesting themselves.