Hawaii false missile alert reveals shocking vulnerabilities to state's EMA

The false alert yesterday that informed Hawaiians a missile was inbound and told for residents to seek shelter was caused by an employee of the Emergency Management Agency pushing "the wrong button" during a shift change.

How would you feel if you received this text message on your phone?

"BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL."

It took EMA about 30 minutes to send out the correction to phones, although the tweet confirming the false alarm went out within a couple of minutes.

But it hardly mattered. That was no doubt the longest 30 minutes in the lives of thousands of people. The warning was sent to radio and TV stations as well.

Here's a timeline of events released by EMA:

Approx. 8:05 a.m. – A routine internal test during a shift change was initiated. This was a test that involved the Emergency Alert System, the Wireless Emergency Alert, but no warning sirens.
8:07 a.m. – A warning test was triggered statewide by the State Warning Point, HI-EMA.
8:10 a.m. – State Adjutant Maj. Gen. Joe Logan, validated with the U.S. Pacific Command that there was no missile launch. Honolulu Police Department notified of the false alarm by HI-EMA.
8:13 a.m. – State Warning Point issues a cancellation of the Civil Danger Warning Message. This would have prevented the initial alert from being rebroadcast to phones that may not have received it yet. For instance, if a phone was not on at 8:07 a.m., if someone was out of range and has since came into cell coverage (Hikers, Mariners, etc.) and/or people getting off a plane.
8:20 a.m. – HI-EMA issues public notification of cancellation via their Facebook and Twitter accounts.
8:24 a.m. – Governor Ige retweets HI-EMA’s cancellation notice.
8:30 a.m. – Governor posts cancellation notification to his Facebook page.
8:45 a.m. – After getting authorization from FEMA Integral Public Alert and Warning System, HIEMA issued a “Civil Emergency Message” remotely.
The following action was executed by the Emergency Alert System (EAS):
1. EAS message over Local TV/Radio Audio Broadcast & Television Crawler Banner.
“False Alarm. There is no missile threat to Hawaii.”
“False Alarm. There is no missile threat or danger to the State of Hawaii. Repeat. There is no
missile threat or danger to the State of Hawaii. False Alarm.”
2. Wireless Emergency Alert (WEA)
“False Alarm. There is no missile threat or danger to the State of Hawaii.”

The weakness of Hawaii's emergency system is terrifying. The fact that a single employee could trigger a warning by making a stupid mistake is beyond belief.

How many billions of dollars have we spent on these systems? Are all state emergency management systems as vulnerable to human error?

Today, I have no doubt that the other 49 states in the nation are looking at their notification systems under a microscope. But what should they look for? What happened in Hawaii?

This is how the system is supposed to work.

CNN:

The first part of that system is that outdoor warning sirens sound a one-minute Attention Alert Signal, or a steady tone, that informs residents to turn on a radio or television for information. That is followed by a one-minute Attack Warning Signal, or a wailing tone, that directs residents to seek immediate shelter, according to the agency.

At the same time, the Emergency Alert System would use Hawaii's broadcast industry -- such as cable TV and wireless cable -- to send an emergency message. This type of system is used with AMBER alerts or in weather emergencies, according to the Hawaii Emergency Management Agency.

In December, Hawaii began monthly testing of a nuclear warning siren system that would be used in case of an impending nuclear missile strike. The tests use both of the above systems. The most recent test was January 2.

In the case of a real emergency, those two pieces would be joined by alerts from the Wireless Emergency Alert system. That system delivers sound and text warnings to mobile phones, according to the agency.

Saturday, the Wireless Emergency Alert system and the Emergency Alert System were used to warn of the false missile threat.

However, there were no reports of sirens going off in the state.

It should be noted that some empty headed leftists are blaming Trump for the SNAFU, but that's just ignorant. The EMA is wholly a state agency and the responsibility for issuing alerts rests completely with the state government.

Someone should tell actress Jamie Lee Curtis that:

"Unstable idiocy"? Check the mirror for that one, Jamie.

In 2013, several TV stations in Montana mistakenly sent out an alert message about a "Zombie apocalypse." A study that looked at what happened found some vulnerabilities:

According to the Cyber Emergency Response Team (CERT), which is sponsored by the Department of Homeland Security, several security issues affecting devices that allowed TV and radio broadcasts to be broken into with emergency information were identified by the the firm IOActive.

“Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network’s regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,” Mike Davis, principal research scientist for IOActive, said in a statement. “These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”

CERT in its notice said that the vulnerabilities were found in Digital Alert Systems DASDEC and Monroe Electronics One-Net E189 emergency alert devices. IOActive in its technical report listed the severity of the vulnerability as “critical.”

Hawaii says the alert was sent out because of a mistake made by an employee. Currently, we have no reason to doubt that explanation. But would Hawaii - or any state - announce to the public that the system had been hacked and the entire EMA system was vulnerable to intrusion?

This isn't over - not by a long shot. The FCC is opening their own investigation into the incident and you can bet Congress will also be looking into the false alert as well.

If that happens, the screw up may be a blessing in disguise. Exposing vulnerabilities and dangerous procedures that might lead to the same thing happening elsewhere would be a positive development coming out of this terrifying incident. 

 

 

 

 

 

 

 

The false alert yesterday that informed Hawaiians a missile was inbound and told for residents to seek shelter was caused by an employee of the Emergency Management Agency pushing "the wrong button" during a shift change.

How would you feel if you received this text message on your phone?

"BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL."

It took EMA about 30 minutes to send out the correction to phones, although the tweet confirming the false alarm went out within a couple of minutes.

But it hardly mattered. That was no doubt the longest 30 minutes in the lives of thousands of people. The warning was sent to radio and TV stations as well.

Here's a timeline of events released by EMA:

Approx. 8:05 a.m. – A routine internal test during a shift change was initiated. This was a test that involved the Emergency Alert System, the Wireless Emergency Alert, but no warning sirens.
8:07 a.m. – A warning test was triggered statewide by the State Warning Point, HI-EMA.
8:10 a.m. – State Adjutant Maj. Gen. Joe Logan, validated with the U.S. Pacific Command that there was no missile launch. Honolulu Police Department notified of the false alarm by HI-EMA.
8:13 a.m. – State Warning Point issues a cancellation of the Civil Danger Warning Message. This would have prevented the initial alert from being rebroadcast to phones that may not have received it yet. For instance, if a phone was not on at 8:07 a.m., if someone was out of range and has since came into cell coverage (Hikers, Mariners, etc.) and/or people getting off a plane.
8:20 a.m. – HI-EMA issues public notification of cancellation via their Facebook and Twitter accounts.
8:24 a.m. – Governor Ige retweets HI-EMA’s cancellation notice.
8:30 a.m. – Governor posts cancellation notification to his Facebook page.
8:45 a.m. – After getting authorization from FEMA Integral Public Alert and Warning System, HIEMA issued a “Civil Emergency Message” remotely.
The following action was executed by the Emergency Alert System (EAS):
1. EAS message over Local TV/Radio Audio Broadcast & Television Crawler Banner.
“False Alarm. There is no missile threat to Hawaii.”
“False Alarm. There is no missile threat or danger to the State of Hawaii. Repeat. There is no
missile threat or danger to the State of Hawaii. False Alarm.”
2. Wireless Emergency Alert (WEA)
“False Alarm. There is no missile threat or danger to the State of Hawaii.”

The weakness of Hawaii's emergency system is terrifying. The fact that a single employee could trigger a warning by making a stupid mistake is beyond belief.

How many billions of dollars have we spent on these systems? Are all state emergency management systems as vulnerable to human error?

Today, I have no doubt that the other 49 states in the nation are looking at their notification systems under a microscope. But what should they look for? What happened in Hawaii?

This is how the system is supposed to work.

CNN:

The first part of that system is that outdoor warning sirens sound a one-minute Attention Alert Signal, or a steady tone, that informs residents to turn on a radio or television for information. That is followed by a one-minute Attack Warning Signal, or a wailing tone, that directs residents to seek immediate shelter, according to the agency.

At the same time, the Emergency Alert System would use Hawaii's broadcast industry -- such as cable TV and wireless cable -- to send an emergency message. This type of system is used with AMBER alerts or in weather emergencies, according to the Hawaii Emergency Management Agency.

In December, Hawaii began monthly testing of a nuclear warning siren system that would be used in case of an impending nuclear missile strike. The tests use both of the above systems. The most recent test was January 2.

In the case of a real emergency, those two pieces would be joined by alerts from the Wireless Emergency Alert system. That system delivers sound and text warnings to mobile phones, according to the agency.

Saturday, the Wireless Emergency Alert system and the Emergency Alert System were used to warn of the false missile threat.

However, there were no reports of sirens going off in the state.

It should be noted that some empty headed leftists are blaming Trump for the SNAFU, but that's just ignorant. The EMA is wholly a state agency and the responsibility for issuing alerts rests completely with the state government.

Someone should tell actress Jamie Lee Curtis that:

"Unstable idiocy"? Check the mirror for that one, Jamie.

In 2013, several TV stations in Montana mistakenly sent out an alert message about a "Zombie apocalypse." A study that looked at what happened found some vulnerabilities:

According to the Cyber Emergency Response Team (CERT), which is sponsored by the Department of Homeland Security, several security issues affecting devices that allowed TV and radio broadcasts to be broken into with emergency information were identified by the the firm IOActive.

“Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network’s regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,” Mike Davis, principal research scientist for IOActive, said in a statement. “These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”

CERT in its notice said that the vulnerabilities were found in Digital Alert Systems DASDEC and Monroe Electronics One-Net E189 emergency alert devices. IOActive in its technical report listed the severity of the vulnerability as “critical.”

Hawaii says the alert was sent out because of a mistake made by an employee. Currently, we have no reason to doubt that explanation. But would Hawaii - or any state - announce to the public that the system had been hacked and the entire EMA system was vulnerable to intrusion?

This isn't over - not by a long shot. The FCC is opening their own investigation into the incident and you can bet Congress will also be looking into the false alert as well.

If that happens, the screw up may be a blessing in disguise. Exposing vulnerabilities and dangerous procedures that might lead to the same thing happening elsewhere would be a positive development coming out of this terrifying incident.