Exclusive: The U.S. Emergency Alert system has been hacked

Emergency communications could cause chaos or start a war — and the vulnerability has yet to be patched.


An American hacker claims to have gained access to the U.S. and Canada’s Emergency Alert Systems, and could have sent out messages through the system to millions of people.

The Emergency Alert System is a nationwide alert system designed to allow the U.S. president (and the government of Canada) to send messages to the population within minutes of a major incident happening. Messages sent through the system would interrupt and take over TV and radio broadcasts, as well as sending SMS-like messages to users’ cell phones.

In 2018, an error meant that citizens in Hawaii were sent a test message about an incoming ballistic missile. The message was retracted 38 minutes after it was sent; it sent the population into a panic and prompted a significant investigation after the fact.

Despite this cautionary tale, sloppy security appears to have left U.S. and Canadian federal emergency infrastructure available for hackers to access online.

A hacker, formerly known as j3ws3r, who now goes by the pseudonym virtrux, and who asked not to be named because accessing the system is theoretically a federal crime, believes he would be able to send a message nationwide using a system he spotted open on the internet.

Virtrux, who has previously been part of a white hat hacking campaign to raise awareness of vulnerabilities in printers by making thousands of them worldwide print out pages in support of YouTuber PewDiePie, claims there are thousands of open access methods to both the U.S. and Canadian Emergency Alert Systems.


By scanning for ports utilized by two systems commonly used in emergency alerts, the hacktivist says he found millions of IP addresses. He then scanned through them for a list of keywords likely to be used in such alert systems, and narrowed that down to thousands.

“I social engineered some manufacturers of these to give me either the service password or the default password, and after trying a few IPs, I was in,” he says. “I was disgusted. This is federal infrastructure, this isn’t a printer left open.”

He posted evidence on Twitter in late November showing a screen enabling him to generate EAS (Emergency Alert System) messages, including Child Abduction Emergencies, Civil Emergency Messages, or Evacuation Immediate [sic] alerts.

The hacktivist believes the system access points are available on the open internet for use by properly authorized personnel, but are easily accessible by people able to socially engineer the manufacturers of the systems.

“You can get whatever you need to gain full access – not to all, as most are updated – but a scary majority,” he says. “This reminds me of the banking systems, they run COBOL because they are too lazy and cheap to upgrade to something more secure and we get left with very old people who know how to program COBOL working on the banking and insurance infrastructure. I think the federal government needs to set up proper training for set up and usage of these devices, and make it illegal to operate if you have not been trained.”


Virtrux believes he could have used his access to the system to send out messages to millions of people. “Theoretically I can send anything from a volcano warning to the entire U.S. to an AMBER alert. If I really wanted, I can send out custom messages too,” he says. “As for Canada, I’m sure the same is possible: custom messages to country-wide levels of emergency.”

That could have huge implications. “In the wrong hands, this can and will only incite panic,” he says. “I wouldn’t go as far as to say the wrong message sent out can theoretically start a war but I don’t think it’s all that impossible.”


The hacktivist has not reported the breach to the U.S. or Canadian governments, though Input approached both for comment before publication of this story. He justified not alerting both governments by saying they wouldn’t act as quickly as they would if alerted by the media. “With my previous experience on state and federal infrastructure, nothing usually gets done,” he says. “You have to jump through a million hoops for someone to take you seriously, or it takes months and months for the government to contact manufacturers, force the manufacturers to issue a warning to change all passwords immediately, and actually somehow get the owners of these machines to change the passwords.”