EAS LESSON: Protect Your Station from Hackers

February 14, 2013

By Thomas R. Ray, III CPBE, AMD, DRB
Tom Ray Consulting
President
TALKERS
Technical Editor

NEW YORK — By now, you have heard that there was an EAS hack at a TV station the other day.  An alert went out about a zombie attack.  Now, before anyone goes off about EAS, it should be noted that the CAP feed was not affected.  This appears to be strictly a case of computer network security.

And before we go deeper, it should be stated that when something like this happens, it is only natural that it becomes a news story.  And news stories require actualities.  If something goes awry with EAS, please keep in mind that it is OK to play the actual audio message that went out – but it CANNOT contain the EAS data bursts or the two-tone alert signal.  It is illegal to transmit those outside of an actual EAS activation or test, per FCC regulation 47 CFR 11.45.

Back to the hack.  It appears that someone hacked into the computer network of the TV station where the zombie alert originated.  More disturbing, the hacker logged into the EAS encoder/decoder, planted an audio file, and sent the test.  Consider the implications of this if the hacker had originated a National Emergency code.  Any station monitoring the TV station would have had their air seized because of the nature of the alert – and, besides disconnecting the equipment, could not do anything about it.  You do not have the option to abort a National Emergency.

Face it.  Many installed their new CAP compliant EAS equipment and simply left all the factory defaults in place – and that included the user name and password.  It’s not difficult to figure out Admin/Admin.  The FCC has issued a statement that all stations should immediately change the password and/or user name on their EAS equipment, especially if it is the default factory user name and password.  They also recommend that the EAS equipment be placed behind a NAT router/firewall.

A NAT (Network Address Translation) firewall or router separates the public, outside-world Internet IP address from the IP addresses used on your internal computer network.  This should be standard practice at any broadcast station.  Consider that not only is EAS equipment vulnerable to a hack, so are our digital playback systems.  You may come in some morning to find a hacker playing his greatest hits on your station or, worse, drive in to silence because a hacker has eliminated all the files in your automation system.

If you need to log into your systems from outside the building, it would also be a good idea to establish a VPN (Virtual Private Network) tunnel into the station.  This creates a highly encrypted channel that lets you into your network just as if you were at the station, but securely.  VPN routers can be had at any computer store or big box retailer for around $150.  That is a wise investment compared with having your entire music and spot library eliminated by someone who hacks into your network.  And they are not really difficult to install and configure.
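The three recommendations above (no factory-default login, equipment on internal addresses behind the NAT router, remote access over the VPN rather than through open ports) can be checked against a station's own device list. The Python script below is an added example, not part of the original article; the device names, addresses, passwords and port-forward rules are constructed sample data.

```python
import ipaddress

# RFC 1918 ranges: the internal addresses a NAT router keeps off the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The article's Admin/Admin case, compared case-insensitively.
DEFAULT_CREDENTIALS = {("admin", "admin")}

# Constructed inventory (hypothetical names, addresses and passwords).
DEVICES = [
    {"name": "eas-encoder", "ip": "203.0.113.20", "user": "Admin", "password": "Admin"},
    {"name": "automation", "ip": "192.168.10.30", "user": "Admin", "password": "Admin"},
    {"name": "eas-backup", "ip": "192.168.10.21", "user": "eas-ops", "password": "constructed-Unique-Phrase"},
]
# Constructed router rules: (external port, internal IP, internal port).
PORT_FORWARDS = [
    (8080, "192.168.10.30", 80),    # device web UI published to the Internet
    (1194, "192.168.10.2", 1194),   # the VPN endpoint itself
]
VPN_ENDPOINTS = {"192.168.10.2"}

def behind_nat(ip):
    """True if the address is in a private range that NAT hides."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def audit(devices, port_forwards, vpn_endpoints):
    """Return {device name: [issues]} for devices that break the advice."""
    published = {}
    for ext_port, ip, _int_port in port_forwards:
        if ip not in vpn_endpoints:          # a forward to the VPN box is expected
            published.setdefault(ip, []).append(ext_port)
    findings = {}
    for dev in devices:
        issues = []
        if (dev["user"].lower(), dev["password"].lower()) in DEFAULT_CREDENTIALS:
            issues.append("factory-default login")
        if not behind_nat(dev["ip"]):
            issues.append("not behind NAT")
        for port in published.get(dev["ip"], []):
            issues.append(f"port {port} forwarded from Internet; use VPN instead")
        if issues:
            findings[dev["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(DEVICES, PORT_FORWARDS, VPN_ENDPOINTS).items():
        print(f"{name}: " + "; ".join(issues))
```

The second sample device shows why a NAT router alone is not enough: it sits on an internal address, yet a port forward still publishes its login page to the outside.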

One final thing to consider is that your station is liable for anything that it transmits.  I know of one network program that broadcast the bogus EAS test in its entirety – EAS codes and all.  The result of this in one state was to trip multiple EAS decoders because the station carrying this show was an LP-1.  I find it utterly flabbergasting that anyone would even consider doing this, but many network program providers do not have broadcast stations they are responsible for and do not know the rules.  They are not liable to the FCC for this inadvertent broadcast – your station is because you aired it.  If this were to happen at your station, I would bring it to the attention of the station’s FCC attorneys, log the incident, and hope there is not a complaint against your station such that the FCC would issue a fine.  I’m not an attorney and wonder what the network’s liability would be in this instance.  I would think it would be to the station.

Ultimately, it would be in your station’s best interest to make sure your computer network is secure – even if that means hiring a local computer consultant.  No system is 100% foolproof; as they say, if you build a better mousetrap, the mice just get smarter.  But I think making sure your data and your EAS gear are secure should be a top priority.


Thomas R. Ray, III CPBE, AMD, DRB is president of Tom Ray Consulting and Technical Editor of TALKERS. He can be phoned at 845-418-5065 or emailed at tomray@tomrayconsulting.com.  His website is www.tomrayconsulting.com.  Meet Tom Ray at TALKERS New York 2013 on Thursday June 6. 

 


Category: Technical