
Going Nuclear: Exploiting Mass Emergency Notification Systems

BSides Charleston · 2015 · 42:38 · 108 views · Published 2015-12
About this talk
BSides Charleston, SC 2015 Track 1 - Session 7 "Going Nuclear: Exploiting Mass Emergency Notification Systems" Speaker: Evan Davison @pentestfail
Transcript

there's going to be some interesting rambling because I'm on like cumulative eight hours of sleep for the past three days so uh if I like freeze for a moment or something like Jared will just he knows to throw something at me so got you cover uh real quick about me uh enough of that I'm I'm going to throw the the typical stuff in here that uh and the only reason I do this is because uh as we're talking about exploiting systems that are designed to keep us safe and provide information that for the the reality is that these systems are are incredibly awesome things you know when it comes to tornado warnings and uh weather alerts and all

these types of things sometimes we get a little bit annoyed with them but they save lives and ultimately they're designed to keep us safe and so um I kind of throw this in here and and and throw that out because in reality wow amazingly uh now I'm getting trolled so uh fun but uh the the issues with these systems are are very egregious and so some of these systems were initially conceived I mean 50 60 years ago and just like iot and you know internet of things and some of the other talks we've heard the what's the value in exploiting them what's the point of sitting here on stage and just blowing them out of the

water and and all that type of stuff it's not an issue of showing like o look at me I you know I've got some awesome exploit I found all these bad vulnerabilities in this really the the motivation to do this after and I'll I'll throw this out there like for the past two years that I've spoken here have been about blue team and defensive Technologies and things like that and how do we improve it and so this is this particular talk and the talk that preceded it uh that I gave at Hacker Halted and a few other conferences that focused on exploiting the emergency notification system emergency notification systems from the context of RF and

uh radio frequencies and and that type of stuff these these particular sets of vulnerabilities are really about um and I'm already having one of those moments like where I'm like what was I even going to say um yep throw something at me woohoo um but uh the point in this was is not to just like you know do a little root dance or something like that it's really to try to motivate the people that are designing these systems that are implementing these systems to understand that there is long- lasting impact and there is a there's a lot at stake in this and when I've spoken with them the earliest disclosures that I did with uh

on vulnerabilities that I had found uh over five years ago were pretty much the the authorities were like so what um nobody would do that or whatever and we'll talk about here in a little bit that obviously anybody familiar with some of the exploits of this system you know some of the news that's happened about this we'll talk about it in a little bit so here's a little bit of the background um and and I'll provide some there's some articles and other things and this is a link back to the talk that I gave it's called zombies on the airwaves um and uh and if you hit that I know that's kind of a long thing but if

you go to my my blog pentestfail.com you can kind of see some of the links and the other stuff that precedes this and mainly because the the brevity or the the short amount of time that I have I don't have I have to really condense this talk and so that's part of the reason why it's hard for me to like keep my thoughts together because it's been many years in the making and and all that type of stuff but that'll talk a little bit more about it so in preparation for this I wanted to do something a little bit interactive and since we've only got like you know 10 people in the room uh go do this real quick I'll leave this

up here for a second um I wanted to make something interactive and kind of create our own little Mass notification system and so this took a a lot of effort I will I'll say it got a little bit more complicated than uh than I initially had thought it might be but uh the intent in this was how can I create something that would that would simulate how we would inject into the system because obviously I can't just go off and uh you know like crack into these systems and and do stupid stuff and you get uh alerts on your phone that you didn't subscribe to and that type of thing I'm not saying that's not possible I'm just saying that

we're not going to do that today but for those that aren't interested in uh texting and subscribing to something I promise I'm not going to spam you and that type of deal because I'm paying like per text message to do this so uh um yeah somebody wants to like see how many thousands of those they can get you know like subscribed or something before the end of this talk and run up my credit card or something my wife is in the back and she'll thank you a lot for that um for those that don't like nobody's no laughs there we go we don't care about your M um I did put up some uh if this then that anybody

like if this then that that type of thing uh obviously if you don't use those then you're not probably not going to go sign up for an account real quick or something like that but really cool Service uh if you like to automate things uh so this is also part of the reason why I didn't get a whole lot of sleep and why I'm a little bit frazzled was because even up until a moment a few this happened actually a couple hours ago the system that you're using that you just hopefully some of you subscribe cribe to uh when I started firing some test alerts uh trying to synchronize all this stuff together because this is there's a

lot of jiggery pokery behind the scenes to make this this little thing work uh the the wonderful people at this group texting deal decided to uh that that I might not be a legitimate person sending like nuclear explosion warnings and things like that so I got my account Frozen and uh I may have come up with a workaround but anybody you getting the Subscribe stuff anything all cool that didn't send anything back all right well oh well we'll see this may be a massive failure I am kind of anticipating that it will be but uh so real quick I'm not going to go through this but just for some background and for posterity and for the purposes of of

having the slides up so that somebody can go back and look at them later the emergency alert system kind of has gone through a bunch of iterations and it's in the process of going through another one right now and I covered this in lot more detail in the previous talks but so if you're interested in kind of the history of it there's a lot of stuff and a lot of resources are posted at the end of the SL of of the talk uh in the slides that I'll that I have today but um initially it was radio and AM radio and things like that and so um the system was initially conceived as CONELRAD and the idea was to how do I as the

president in the risk of uh you know nuclear types of situations if you think back to the uh you know the Cold War and that type of stuff the intent was to um notify the public you know that things were going to happen but more importantly what this system was about was that AM radio stations were like huge beacons for bombers and missiles and other things to like hone in on in major metropolitan areas so when you think about 100,000 watt AM station broadcasting they would just kind of say like hone in on that broadcasting thing so I didn't have they didn't have GPS location at the time or you know laser sites and stuff like that so this system

was really intended to uh while on the surface was about protecting people it was more about like allowing the presidential you know staff to take over radio stations to scramble signals for purposes of confusing bombers and things like that so there's some history on that you can go back and read it but it's going through an iteration now where we see things like the integrated public uh warning and alert system or IPAWS I'll talk you'll hear me say IPAWS because that's a mouthful uh and then WEA uh as the their videos on this the videos from FEMA are absolutely hilarious uh but WEA and the Commercial Mobile Alert System those are those things that how you get the Amber Alerts

and such on your cell phone so uh we won't go into that too much but obviously we know the uh emergency broadcast system followed this is when they started to say how do we use this for something other than nuclear Holocaust because that's not really as likely anymore and now we start getting weather alerts and such on television and radio and the last iteration of this was the uh what we call the emergency alert system and that's getting ready to change again uh some real quick some acronyms the uh ENDEC is an encoder decoder device and we'll talk about those a little bit um the big other thing Common Alerting Protocol and actually that's probably the most

important for now but so the way that this this system worked or works now is that a message is seeded into a system and stations listen to other stations and so forth and it propagates out into the United States so uh anybody play that old game as a kid telephone you know where you like whisper a secret and you you know you go around like if we were to do that what what happens right the message on the other end anybody you know somebody in the middle likes to you know play a game and do things yeah and there are perfect examples of this where like Maury Povich is interrupted by all sorts of crazy

stuff there's some funny hilarious videos on YouTube um well why did this system ultimately like this is kind of what it looks like uh these are slides or or pictures from FEMA um it's it's a fraking mess uh is really what it is and so as this system has kind of grown in in size and scale and that type of thing I you know I don't even know what this means it's the craziest thing so uh this is actually not for the EAS this is kind of a a a discussion for uh the has collect system and stuff like that but they use the same series of AR architectures where people listen to other people

and we'll we'll see what happens here in a bit there's some some uh anecdotal evidence of of how successful this stuff is but we can have some conspiracy theories and stuff like that but the intent of IPAWS and some of these newer Technologies is to actually put the alerts very close and very targeted to you so down to a particular geographic area for example like if there's a flooding notification or something like that they want to send to just those people that are in that particular area and so uh one of the things that I found kind of funny and kind of preparing for this talk was that Folly Beach has a notification system and you can go and

subscribe to it most of these systems are facilitated by government approved third-party commercial companies so like code red that's down there on the bottom there are just dozens and dozens and dozens of them and if for anything else what I hope this talk shows you is this of how hilarious this is that I pretty much stood up in a notification system similar to those I won't say that it's the same scale or quality or anything else by any means but in a couple of days was able to stand this up and and provide a similar function so what does this look like well it looks like this so we've got approved emergency managers and I say

approved because we're not going to talk about social engineering in the context of this because that would be one way that you might might I don't know compromise the system is by you know attacking the people at that end but then you got these IPAWS message aggregators and then those feed uh all of the stuff that's Downstream so your traditional emergency alert systems cellular broadcast uh digital EAS which is very key to this this uh this conversation and then uh I'm this is my reminder to send something so did everybody register if you don't do it now I'm going to take a break for here just for

second I know you can't see anything but I'm going to we'll go into this in in a bit so

yay success all right so uh where Where Do We Begin so the first place that I kind of started with this was what is the EAS and what are the what comprises it and things like that so I I show this slide just to show like there's a bunch of vendors and providers and so I started by trying to gather some information about what exactly comprises this system and who was on it and and what I found was a lot of this type of stuff it's Hardware right when I talk talk about internet of things while all this kind of collides to create a big mish mash of insanity we're going to talk about some crazy

stupid protocols that in bad decisions probably in my and again caveat emptor right this is my opinion solely but uh rack mounted devices and things like that that many of these things have been around forever and so I I started out with this next thing and I was like well clearly these are very important devices and they would never be on the internet right um holy crap it's the USA with chickenpox this was uh so I'm going to give you some practical stuff here so this is uh I I kind of had to walk the boundary of what do I give you that you can go do if you really want to find this stuff um and what's just being dumb

that is going to obviously enable somebody to really go and do something stupid with this uh with this information but obviously if it's on the Internet it's not exactly private so I I I'm going to put out some things that I use to find them so uh a little bit of Shodan and a little bit of Google Dorking and a crapload of Google for uh purposes of uh finding documentation and reading and all that stuff and we're going to talk about this uh actually the the next slide here but um so around this time last year before that presentation I gave last year uh doing the RF stuff there were about 1,900 systems almost 2,000 that I found online

that that that's not to say that all of those are online anybody that's ever used Shodan anybody audience participation if you haven't go use it it's awesome it's a lot of fun um so using some different things that you know that you can go out there and find but it's definitely down but that doesn't mean that that many systems were really online or really available anyways but uh one of the things that uh that I was thinking about providing to you guys and I had uh anybody have those people in their lives that are like Evan or you know internally you know that's a bad idea don't do that that no um which was going to be to release a uh a an Nmap

script that would actually like show you I may or may not have created that would actually go and test like all the default credentials and things like that on these because uh anyways uh I don't know why you'd want to do that but uh as it turns out we don't really need to so OSINT OSINT OSINT uh every time that I would sit here and start trying to bang on something technically I would find stuff and then and we're going to go through a little bit of a a sidebar here or you know through through this stuff so the uh advance so I I start going around and I'm like all right we'll see where I can

find some of these devices and sure enough wow there's they've got them on eBay and some of the things like uh and it's not going to let me do it but like serial number and Mac address and all the that type of stuff that that may be like useful uh in certain scenarios and and and I'm not going to draw too much into that but but obviously this might not be a great a great thing for these critical devices that you know are allowed to retrieve messages and other things from uh the United States government or whoever it may be to uh alert us of of what's been going on or or emergencies that are in our area that are pertinent

to us but uh and so then I start to do some additional stuff and I find these articles like IPAWS potentially hasn't been exploited well obviously it's too small for you to read but here I thinking oo yeah somebody's a security article somebody's talking about something no what this guy's talking about is he's they're with this Emergency Management Group and they're like man the potential of this thing is yet to be exploited I'm like oh okay but then he starts to talk about like digital sign systems Highway departments with big signs could pick up IPAWS alerts for their area and put them on campuses and other things and uh so obviously this is this is interesting me

and then I start to find stuff about how fragile the EAS system and some of these devices are with stuff like this where the FCC fined a company $2 million because they put an EAS message inside of this movie trailer and it triggered equipment all over the United States let me think about this for a second so spoiler alert if you go see the other talk on RF that may be exactly what this is about um which is like taking pre-recorded messages or maybe uh and Android apps that help you make joke you know prank your friends with this you know funny app that you can buy on the Android app store for like $3 uh that

will actually trigger these devices and Trigger these systems um and I'm not saying that I bought that thing on on eBay but I may have a couple of these devices which are not illegal to own okay you can buy them yourself if you want to spend like $5,000 um so oh there we go that all right so fail so then I start trying to go out there and I I go out to vendors and things like that and I've got all these lists of vendors I go to their website so I'm like I'm going to download some of the software I'm going to download documents and manuals obviously OSINT right everybody following my progression of what I'm doing I'm

just trying to get information what do these how these things work and so then I start to find stuff where obviously now that they've been there have been some incidents and some accidents and that type of thing I start to find information on how they're no longer just putting this out on the internet that you can't just go and download stuff they want you to be a legitimate person that you have to have some type of free approval to get firmware updates or whatever kind of typical things right not that they would do a whole lot of good if you had them anyways other than for maybe some of the stuff that we're going to do in a little bit um that that

make it a little easier but then they're not exactly the brightest bulbs in the lamp or I don't know insert terrible euphemism but uh just by Google searching I'm finding based on these vendors this these are the passwords to the encrypted or whatever zip files that they're using and so forth so these are out on uh who who knew that uh listservs were still like such valuable sources of information right um so obviously this is awesome well then I find fun stuff like this um this is one of those and I allude to this alluded to this a moment ago um maybe just attacking the people that are the responsible people that can release the

alerts in the first place who maybe uh and what what's hard to see down there like temporary uh please use the temporary password down below here's your ID and login you know incident one password capital I incident one that's difficult uh oops this was for con only I hit the wrong reply button ouch and now it's archived on the internet for posterity uh or we can go into the forums where we find these Engineers who are trying to understand they understand radio and other things really well but trying to understand how computers and networking work is very hard and so they're trying to get these new IPAWS devices that once were not internet accessible you know

because they received it over the air from other radio stations now they're getting it over the internet and they're trying to figure out how to put pin holes in their routers and they may or may not have been nice enough to uh you know post that and help each other out so maybe you can drop in there and have fun with those guys if you like to troll them uh and then I ran into to this this deal so I'm starting to find like okay here's here's the links to get information out I started was like well how do I get or how do I connect to FEMA if I wanted to see like to interact with

this these message services and things like that how do I interact with them and so I start to find that you can't just it's even though it's a a very complicated technology uh it's Cutting Edge uh RSS RSS right um yeah so this brand new IPAWS system uh state-of-the-art Cutting Edge RSS I'm going let that sink in for a second but um so we're gonna we're going to stop here for a second and we we'll do a quick little hopefully a demo

whoop letting you see something all right so we saw so I'm I'm sitting here and I'm like all right well I want to connect to uh oh just going to do

that so I want to connect up to stuff and this is uh you know hard but I want to connect up but I want to see like what these feeds are and what these alerts are coming out of FEMA so I and that's kind of tiny and so I I find the URLs finding the URLs to this stuff is no problem right um but every time I try to connect to it I get this invalid pin stuff and so the previous search that I showed you that was a fail obviously I know it's RSS I know it's you know the basic stuff and and I'm I'm skipping over a lot of research here but are you still

following me okay so I I find the feed and that type of thing and I want to connect up and and get a s and see how these things you how what what are they releasing what all kinds of goodies does uh does FEMA not want me to see clearly because when I try to go to it I get uh I get this you know invalid pin so I start googling for pin right and lo and behold uh you know I find these magical numbers that apparently belong to each vendor that are apparently also embedded in the firmware we'll just keep moving

on so then I start looking at this I'm like obviously this is not a very well-designed type of thing here but um you know I start reading the I'm like s somebody had to do somebody somewhere had to think about this so I mentioned there was a guy in here earlier was talking about Carnegie Mellon and uh this whole thing that came to light this week obviously the you know where they got paid by the who was FBI or somebody million dollars or whatever I don't know I'm not anybody know what I'm talking about all right uh Google it I guess I don't know I'm not I don't know much about it I just have seen the headlines

and made me laugh because uh in the context of this so guess who did the assessment risk you know the assessment of risk and strategy and security architecture for this entire thing the wonderful people of Carnegie Mellon University I've read it and other than putting me to sleep a couple of times the amazing lack of substance in the context that the entire idea was that somebody attacking the FEMA system itself so attacking IPAWS as an RSS server so they put it behind Akamai and they put it behind all these things they've got this great architecture of how you can't take it down and blah blah blah blah blah but yet nobody really thought about uh you know and

we'll see this here in a moment there there's some major missing things in that you know like wait a minute all I'm going to do is attack FEMA okay well we just saw a moment ago like obviously the US with chickenpox anybody I'm going to like throw that link back you know us with chickenpox well maybe there's some devices out there that are trying to talk to that so maybe we can talk to those but uh so then I find also from our friends at Carnegie Mellon this awesome uh GitHub repo full of what is it it's a web client for simple CAP authoring the uh then I see CAP collector server to authenticate sign aggregate and forward CAP

alerts that could be fun um so I'm going to take us back to this this diagram so we've got the people up there that we've seen obviously probably aren't necessarily the greatest with uh I don't know you know security operations or uh are keeping their their pth passwords even off of email lists and so forth that go out to the world and then the next piece of this is this security around this IPAWS system that you know that Carnegie Mellon did and it's obviously very secure so I probably ought to leave that alone but I also saw that wait a minute I have this so maybe and then I I know where all those devices are that

they're out there on the internet and I have this so maybe I can make this myself and uh and so then we let's let's just keep going so I kind of keep some research and so we we talked about it earlier previous exploits on the system anybody hear about the zombies on the you know in Montana or whatever that took over a morning radio show this is back in 2013 anybody hear about that one nobody so pretty much what happened was is that early one morning a television show or a TV station in Montana gets a somebody apparently breaks in using these keys and so forth and then later it came out that it wasn't really

these SSH Keys it was the uh they had not changed the default credentials on the on the appliance and so somebody got in there and released a funny message that then propagated a bit and went out on television stations and so forth and so shortly after I mean this got articles and Wired Magazine and all this other type of stuff and I'm just going to call bull crap because that really yes I have validated that that vulnerability exists in that version of the firmware release and things like that but there are so many more awful things that uh would have been way easier to do so I kind of take this and I'm like obviously this would

be a fun one to get into right this DASDEC appliance or whatever that's part of this particular set of vulnerabilities that IOActive found and so I start going out there and and I like I said earlier you know they they started locking the stuff up right you had to have passwords to get to the firmwares and other things and so then I find a pdf online from the company that just released this that maybe has the password that I blurred out there that you can download all of the firmware and yes this does still work so that's why I blurred it out um not that you can't go and find it but obviously this is my opinion that this is failing

and then I also had some firmware from and some configuration utilities from some of the other vendors that made it possible to like wait a minute what is this accept bad signature why would you put that in there right we're only going to talk to FEMA right um maybe verify signature oh I can uncheck that not never mind it wasn't checked by default anyways uh require a signature even I can turn all this stuff off these are features right uh no SSL check and then I can configure my own so let's do that has anybody uh received any notifications yet no wow this is g to suck all right so uh let's do this real

quick so I'm going to show you what what I went over here and did a moment

ago so that that wonderful software that we talked about a little bit ago that uh the people from Carnegie Mellon were so nice to uh to provide to us uh I may have stood that up and uh that may be something that you can uh go and interact with and as I mentioned before the people at Carnegie Mellon are really great about telling us that we made this and uh you know that this is open source and so forth so uh yeah you can go and play with this if you want to uh Django server I absolutely learned to hate it using this because it sucks but um just again my opinion and then I can create things

like this uh you know RSS feeds that are CAP-compliant and so forth so let's look at what it what how difficult it is with this software Now to create a message I want to issue a new alert and uh you know of all the things I can say is this actual is it a test see should I make that a little bigger you guys see it okay now is this an actual alert what is this um I'm going to I'm going to say that this is actual um you know who do I want to release it to private public restricted so all this is part of the standard that was created around these emergency not

and you can go in and create all sorts of nifty stuff I'm going to save us some time and uh I'll just create another one here that uh you know that I you can make templates and so forth and and do all sorts of fun things um Hazard threat make preparations do whatever how long you want it to last uh then you've got to do things like who's issuing this alert obviously this is very difficult to to put text in a box right um anybody that lose you already I know that it's the afternoon and I'm not really making a whole lot of sense at this point anyways um it's fine it's fine all right all right I'm dragging this out

this is okay uh we hate you Evan uh so anyways I'm gonna trying to put it in my phone you got on the screen oh yeah yeah yeah um yeah alert.pentestfail.com you are more than welcome to go there and so then this is kind of a fun thing I'm going to zoom this out just a little bit so it's easier to kind of interact with um is they provide this mechanism so I mentioned before that the idea behind the system is to create geolocation you know very specific targeted alerts that that can be released by local authorities and so forth and so the idea with this system is is that they can you know a county or

a city or even that level can issue alerts that just go to their their particular area of authorization so you know in that context geoinformation becomes kind of important to some of these alerts and so their utility had to create you know this is very complicated uh you know who receives this alert everybody let's just send it to the whole freaking world uh if I wanted to because what ends up happening is is that as systems receive this the idea behind the system is that pretty much everybody receives the alerts okay so every system receives it and based on codes and other things that are in it that are either you know what type of

message it is and other things they're programmed what to do with it you know if it's an alert for Alabama and I'm an EAS system sitting in Georgia I don't care about it so I'm not going to replay it um but it's in the configuration and it's in those goys and other things that I showed you you know very briefly earlier and I talk about that this a little bit more in the previous talk I really don't have the time to dig into it and talk and show some of the rest of this but uh because I'm running short on time already but the idea is that everybody would receive this they would filter it

out based on their policy and so because of that it's rampant for misconfiguration and so what I forget oh so I'm going to create a uh oh I can even do multiple areas and so forth I didn't even realize that learn something new every time so then it gives me the output of this that that'll be helpful maybe I'll stop stuttering or something clearly I have a problem so this is what it it looks like and so like I said this is uh I didn't talk about this much uh just because I don't really think it's that important but uh is anybody familiar with OASIS they're a one of kind of like IETF in a manner of speaking but

OASIS they manage a lot of different standards and things like that uh so they're responsible for for this protocol and and the fields and the format and other things so this is a regulated type of thing so that's why we know that it will work everywhere and the idea behind this is that you have to digitally sign these messages and so forth that whoever's releasing them is approved and I know that this is a little small so I'm going to release an alert and so we see this you know valid I don't know what I just did but sorry guys it uh more or less what it said was that yes your credentials are correct

it's signed it's authenticated so on and so forth and so that's where that stuff in the system came back from like trust the you know digitally and that's where the FEMA and Carnegie Mellon they have in in the base context and the and of how they built the system that the idea is that it's going to do a validation on these signatures like who signed that message who created it and do I trust that and so forth well clearly in this instance I don't really have to worry about that because I'm standing up my own I'm not pretending to be FEMA at this point I'm alerts.pentestfail.com and it may or may not be trivial to go

and find some of those devices and just add those configurations to them I know I'm kind of skipping around here a little bit but there's not really a good flow of like exactly it didn't come in one solid stream of stuff right um this was a lot of research over a lot of time but uh but now I've I've released another alert and I see that this feed gets updated well the way that those systems and all the other devices work is they pull this RSS feed at an interval and once they get it they pull the information in they decide what to do with it based on their configuration and they release the alert or not well like

I said now I've got my own IPAWS server that Carnegie Mellon was so nice to provide to me for free even uh under a BSD license and now I may or may not be able to find and fingerprint those devices which you now have some of the stuff that shows how you might go and find them and if you're creative you may try some of the default credentials for some of these and probably get into a lot of them um not going to say exactly how many not going to say that that even happened um what am I talking about clearly I'm delirious but uh so let's go back

I guess I so uh make sure I didn't skip over something here ah I didn't I did I didn't whatever see yeah I'm I'm gonna have a couple extra minutes so I'm gonna I kind of skipped over something because I don't know I didn't know how much time I was going to have if I could dig into this or not but uh some of the research I we're about to dig into in a moment was not Poss would not be possible if not for Tom who had to leave a bit ago he was he was here and and wasn't able to stay but also my buddy James uh both of them are kind of my couple of mentors

that helped me a lot so things like uh anybody know what a lexicographical or a Lex analyzer is or like Lex code and things like that so some of these yeah go ask your elders because I had to do the same thing um and I don't mean that in a insulting way that's it's there are just things that we don't the concept of taking machine-based code and that you know anyways go go Google it it'll uh you'll see it and it'll blow your mind the idea of like multi-stage compiling anybody okay so that's really what Lex is it's a stage in compiling code and and anyways that's about where my level of knowledge stops so to

reverse engineer some of the firmware and some of the utilities and other things that I found I then had to rely on some of my uh mentors to be able to help me reverse engineer it so that we could um show you some of the stuff that we're going to show you here in a second so with that being said I I put I've got more links and references in here than I've ever had in any other talk because there is just tons and tons and tons of resources and tons and tons and tons of information that's available to this and I'm going to throw this this last slide up here and then what I'll do

is I'll I'm going to stop the the recording once uh unless we have any questions or anything real quick but I'm going to show you uh so all of that effort to and I'll you can keep it going for just a second but all of that effort that I'm not went into now that we've stood up the system and now that we've fingerprinted them and we know where they are and that type of thing what are some other mechanisms that we could use to potentially control them so we know that there are vulnerabilities that there have been patches for them there's user releases and things like that from the DASDEC uh from the IOActive uh vulnerabilities

that that they found but uh there may or may not be like a few hundred others that uh could potentially be exploited which I'm not going to video or talk about uh in that context but any questions I know that this hasn't made a whole lot of sense and uh this is probably one of the crappiest talks I've ever given but uh I'm not I'm not exactly impressive by any means so my fault I should have given you theer earlier yeah that would plus you're editing this be like new yeah I'm going to be like that kid you know with the golf ball retriever you know um a lot of people um so the thing is like because

of how you retrieve it there's not really a way to know um I would say that the majority of people are not most of it's commercial so most of the stuff that's out there um and the question was I guess for video purposes was uh are a lot of people using the Carnegie Mellon software and I think the reason was that that Carnegie Mellon kind of was tasked or asterid it or something like that was that most of those systems are really expensive because I looked at just you know subscribing to one of them and uh and you know making my own campus area alert system or something like that and push things out to televisions and all

this other type of stuff and the reality was is that but a I couldn't do it in the time frame uh because they have all sorts of approval processes that and like that and the setup fees for them are insanely expensive these are not inexpensive things so like the CodeRED deal that Folly Beach has and stuff like that they're trying to do so most of the system is just like it's based on the idea that they're going to do all of the vetting up front that you have to be a vetted person that you can't just release these alerts or that the people that are important aren't going to do it again what I was hoping to demonstrate

was that so what most of those people are idiots anyways they don't know a whole lot about security I'm sorry that I'm definitely going to have to edit the video now cuz I'm going to get trolled on this like just called those people stupid but yeah when you I mean any it's not even about being stupid it's about any number of mistakes that get made that I accidentally reply to all with a password or something like that that then goes out and get shared and and can be found and used and so we just know from reality that that's not very good but some of the additional ENT from like research or like where they

were doing working groups to determine how they were going to do and organize you know these the agendas to deploy the system to the United States they list every single person from every single state that's part of their Emergency Management divisions and who's in charge of it and who's this you got their emails and their phone numbers and their addresses and all this stuff because these are all government documents so it may or may not be fairly trivial to you know I now have the entire list of people that I'm going to start sending phishing emails to for example so um the reality is is that that's just not a very sound strategy and so never mind the fact that the

system itself isn't particularly well architected to while it may be very resilient for emergency purposes it's definitely not very secure from a uh uh from a technology standpoint and so on that not any other questions death threats General insults

I just woke up what do you want no um all right so with that thank you stop the video and I'm going to show something real quick