How attackers can use false alerts to hurt you
You can expect more false alarm messages on your phone.
And some may come from people out to scare you, hurt you or take your money.
One year after Hawaii’s false missile alert, the wave of non-emergency emergency messages continues.
Hawaii’s false alert in January last year was just the beginning of a year flush with false warnings.
On Saturday, hackers broke into Australia’s early warning alert system and sent out their own alert messages saying that “EWN [Early Warning Network] has been hacked.”
“It woke me from a dead sleep and straight fight-or-flight set in,” wrote Ashlie on Facebook. “A lot of unnecessary panic.”
“I appreciate that there are notifications like this, but how many times has it been accidental in some sort of way #hawaii,” she added. “The next time it happens how am I to know it’s for real for real?”
Officials apologized for the error, but the question remains — and with growing significance.
A Series of Errors
On January 13, 2018, a false missile alert threw Hawaii into a state of panic and confusion.
Just a few days later, Japanese broadcaster NHK sent out a different fake missile alert telling people to take cover.
In February, Accuweather sent a false warning for a tsunami supposedly on its way to cities around the U.S.
In May, a South Florida city warned people of a power outage and zombie alert.
The outage was real. The alert? So far, no zombies.
The technology we use to bring quick emergency info can also bring us panic or doubt.
Some say attackers can use it to manipulate us.
Archer News asked security expert Ernie Hayden of 443 Consulting if people in charge of emergency communications should be protecting their systems from hackers.
“Absolutely!” he responded.
He underscored the fear many people felt during the Hawaii false missile alert.
“Just from the stand point of people trying to escape or worrying about where their children are and can they get to the school and are they ever going to see their family again, these are thoughts that nobody deserves to go through. Ever. Ever,” he said in an interview in Waikiki.
Who would do this on purpose and why?
“The motivations for that sort of thing will really run the gamut,” said security expert Dave Lewis, global advisory CISO for Duo Security/Cisco, in an interview with Archer News in Honolulu.
Lewis said some people are simply trolls, trying to cause pain or get some laughs, perhaps like the person who hacked an emergency alert system in 2013 and broadcast a zombie warning on TV’s in five states from Montana to New Mexico.
“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living,” the warning said.
Some would do it for money, like the attackers the same year who demanded $5,000 ransom or they would shut down emergency call systems in Illino
“If the U.S. government had identified that as an attack, and if these folks had been sophisticated enough to simulate such an attack and direct it towards another nuclear nation or some rogue entity anywhere in the world, we could have had on our hand, this last Saturday, a bona fide nuclear war,” Habibi said to Archer News.
“Do you think there is someone out there who would trigger a nuclear war?” we asked Lewis.
“I’m sure there are people out there that would be more than happy to do that sort of thing,” he responded.
Lewis says the Hawaii scenario is much more likely — a human making a mistake, in this case, believing that a missile alert drill was the real thing.
Still, he said, officials in charge of emergency communications must prepare.
“There is always that possibility,” Lewis said. “There is always a chance something might happen.”
The Hawaii alert exposed flaws in the system.
An FCC report in April concluded there was inadequate emergency alert software, poor training for staff on how to use the software, and no system to take back a missile alert.
There was no system set up to take back a false alert, and the missile warning stayed live for 38 minutes.
One year later, Hawaii’s Emergency Management Agency told Archer News it has reviewed and made changes, not just fixing problems from the reports, but also adding cyber security protections like encryption, multi-layered firewall security, cybersecurity awareness training, and two-factor authentication.
Now two people need to approve the emergency alerts before they go out, instead of just one, who could — and did — make a large-scale mistake.
“Every emergency manager in the U.S. needs to learn from what happened in Hawaii,” said Hayden.
As emergency managers step up their game, so do researchers — showing that holes still exist.
But his message is serious — that other governments could set off simultaneous false alarms near power plants and military bases.
“State actors seeking to cause chaos and deepen the distrust in the government’s capability to handle emergency situations could exploit the SirenJack vulnerability,” he said in a video.
More False Alerts
One year later, it is clear that you will get more alerts, some of them false or off target.
“Rather get it and not need it,” wrote Tracy on Facebook about the misguided Oregon 911 message.
“I would rather not have a crappy alert system that doesn’t function correctly and can potentially cause mass panic,” responded Ashlie.
Nuclear war, chaos. A heart attack. Spam and scams.
Maryland is working on laws to ward off people who would use the emergency system info for sales and other nuisance messages.
And another danger?
Disregard or mistrust, if people view the emergency alert system as the boy who cried wolf.
Your role now — to view alerts with a critical eye, aware they could be fake, but always taking care to protect yourself.
“Fear serves no purpose for anyone,” said Habibi.
“The consequence of cyber attacks, especially malicious ones,” he said, “is to cause havoc and create fear and cause harm eventually. As citizens we need to be aware and proactive but not fearful.”