Export Compliance Daily is a service of Warren Communications News.
Best Practices Not Followed

FCC Requires EAS Participants to Secure CAP Systems to Prevent Unauthorized Use

The FCC required emergency alert system (EAS) participants to immediately bar unauthorized use of common alerting protocol (CAP)-triggered EAS alerts to radio and TV stations and subscription-video providers via the Internet, broadcast industry officials said. They said Tuesday’s FCC advisory came after some stations in Michigan and maybe Montana, too, aired a bogus alert about zombies when the security of their CAP systems was breached from what appear to be non-U.S. Internet Protocol addresses. CAP isn’t yet being relied on by federal or state agencies to distribute warnings about bad weather and other hazards, since they also transmit those announcements by broadcasts. All EAS participants are required to be able to get the alerts in that format from a Federal Emergency Management Agency website (CD Sept 17 p6), and industry officials said the unauthorized access is a reminder to take security precautions that the affected stations apparently didn’t.

The commission’s unofficial “urgent advisory” on CAP device security said “all EAS Participants are required to take immediate action to secure their CAP EAS equipment, including resetting passwords, and ensuring CAP EAS equipment is secured behind properly configured firewalls and other defensive measures,” according to copies industry lawyers circulated in emails and posted publicly online. “All CAP EAS equipment manufacturer models are included in this advisory,” it said. All broadcast and cable EAS participants “must change all passwords on their CAP EAS equipment from default factory settings, including administrator and user accounts,” said a copy of the alert posted on the websites of law firms including Pillsbury Winthrop, which represents radio and TV stations (http://bit.ly/VapNXj). Every pay-TV provider and all radio and TV stations take part in EAS.

IP addresses from a country outside the U.S. were used to access three Michigan TV stations’ encoder/decoders that weren’t adequately protected, said an executive at two of the stations and the Michigan Association of Broadcasters (MAB) official who notified the FCC of the incidents Tuesday. The source was in “a benign country, certainly not one associated with terrorism,” said Station Manager Cynthia Thompson of Lake Superior Community Broadcasting’s WBKP(CW) Calumet and WBUP (ABC) Ishpeming, declining to identify the country. Noncommercial station WNMU Marquette also appeared to have been accessed from a foreign IP address, but the nation wasn’t known, said the MAB official, Director of Technology Larry Estlack. A representative of the station had no comment.

The participants are “urged to ensure that their firewalls and other solutions are properly configured and up-to-date,” said the FCC advisory. It asked them to see if unauthorized alerts were “set (queued) for future transmission.” If a participant can’t “reset the default passwords on your equipment, you may consider disconnecting your device’s Ethernet connection until those settings have been updated,” the alert said. “Federal and state authorities are investigating the source of those hoax alerts, which appear to have come from outside the U.S.,” broadcast lawyer Scott Flick wrote on Pillsbury’s blog (http://bit.ly/VgfK0v). The hoax itself was amusing, though it points up security risks and that a fake message could have bigger consequences if it portrayed a more realistic scenario, said broadcast lawyers including those at Fletcher Heald (http://bit.ly/VSLTNS).

FCC and FEMA systems were unaffected by the security breaches, which appeared to have only affected individual EAS participants, government and industry officials told us. The incidents appeared to have been a “breach of security of a product used by some local broadcasters,” a FEMA spokesman said by email. “FEMA’s integrated public alert and warning system was not breached or compromised and this had no impact on FEMA’s ability to activate the Emergency Alert System to notify the American public. FEMA will continue to support the FCC and other federal agencies looking into the matter.” It was Monroe Electronics’ equipment that was affected, a company executive and broadcast officials said.

National and state associations told members about the FCC advisory after receiving it from the Public Safety Bureau, industry officials said. The bureau worked with EAS stakeholders on an equipment-related issue, a commission spokeswoman said. NAB President Gordon Smith emailed the FCC advisory to all of the association’s members Tuesday night, a spokesman said. NCTA got the alert from the bureau and passed it on to the association’s members, a spokesman said. The American Cable Association, which also distributed the alert to members, is “ready to work with the FCC, FEMA, and equipment manufacturers to educate” the group’s membership “on recommended best practices that would avoid what occurred in Montana and Michigan,” said Vice President of Government Affairs Ross Lieberman.

The breach was “a great teaching tool, a teaching moment, for anyone else who may use that tool,” Thompson said of CAP. “Everyone has been told what fixes to make,” she added, crediting MAB. Estlack told the Enforcement Bureau agent in the FCC’s Detroit office on Tuesday morning of the three TV stations that were affected, and by evening the agency had issued its advisory, he said. “But it took a long time to get there,” he said of the span from when he first heard WNMU aired the hoax, to realizing Tuesday that there was another similar incident in Michigan, to alerting the agent and the advisory’s issuance. “We were very concerned it might happen while the president[’s] address was on,” Estlack said of the State of the Union.

“The haste” of the commission’s instructions is shown because they’re “not even on FCC letterhead, nor formatted for such a release,” Flick wrote. Rather than self-described recommendations, the advisory requires EAS participants to take action, he said. We couldn’t find the advisory on the bureau’s website, and its spokeswoman had no comment on the alert.

To prevent a future hack, EAS participants could change the passwords on equipment at the time it was shipped to them from the manufacturer, and use a firewall to secure the device, said industry officials including an executive at Monroe, which sold the affected encoder/decoder devices to at least some of the Michigan stations that were subject to the zombie hoax. The affected stations appeared not to have a firewall separating their encoder/decoders, which get CAP messages and pass them along as alerts to viewers and listeners, and also didn’t change the factory-set password, said Ed Czarnecki, Monroe senior director of strategy, development and regulatory affairs. “This is a good learning opportunity,” he said. The company and other EAS equipment makers recommend frequently changing passwords and keeping them secret, ensuring the equipment can’t be accessed through an insecure IP address and using a firewall in equipment such as routers. He cited a 2011 white paper from Monroe (http://bit.ly/VaTsQ8) which is now posted on the company’s homepage.

The security breach also points up that EAS participants face cyberthreats just as other industries do, said Czarnecki. “Like it or not, broadcasters and cable operators have been inserted into the front ranks of this new cyber environment.” A “good built-in firewall” costs about $50, said Wilkinson Barker’s David Oxenford on his blog (http://bit.ly/VSMeQU). “This is not to say that the connection to the Internet required as part of the adoption of CAP did not provide the pathway to get into the station’s systems, only that the CAP system itself was not the way that fake messages were distributed.”