An American hacker claims to have gained access to the Emergency Alert Systems of both the U.S. and Canada and could potentially have sent out alert messages to millions of people.
According to Input, a hacker with the pseudonym ‘virtrux’ (previously ‘j3ws3r’) said he gained access by scanning for ports utilized by two systems commonly used in emergency alerts. In doing so, virtrux found millions of IP addresses, which he scanned through for keywords likely used in such alert systems. That further narrowed down the list to thousands.
From there, virtrux says he “social engineered some manufacturers of these [systems] to give me either the service password or the default password.” Social engineering is a tactic used by hackers to manipulate users into divulging credentials or other secure data. After trying a few IPs, virtrux said he gained access.
“I was disgusted. This is federal infrastructure, this isn’t a printer left open,” the hacktivist told Input.
Virtrux previously worked on a white hat hacking campaign that hoped to raise awareness of vulnerabilities in printers. The campaign made thousands of printers around the world print out pages in support of YouTuber PewDiePie.
The hacktivist shared evidence of access to the Emergency Alert System on Twitter in late November. The evidence included pictures of screens that allowed him to generate messages for Child Abduction Emergencies, Civil Emergency Messages or Evacuation Immediate alerts.
[Embedded tweet from virtrux (j3ws3r) (@virtrux), November 23, 2020]
The hacker says he’s ‘sure the same is possible’ in Canada
Virtrux told Input that he believes the system access points were available on the open internet for use by properly authorized personnel, but they’re also easily accessible to people who socially engineer the manufacturers of these systems.
“Theoretically, I can send anything from a volcano warning to the entire U.S. to an AMBER alert. If I really wanted, I can send out custom messages too,” virtrux told Input. “As for Canada, I’m sure the same is possible: custom messages to country-wide levels of emergency.”
The hacktivist said that access to these systems, in the wrong hands, could incite panic. That should come as no surprise to Canadians and Americans who have already received accidental emergency messages. Earlier this year, an accidental alert about the nuclear plant in Pickering, Ontario, alarmed residents. The provincial government later announced updates to its emergency alert system to prevent a similar incident. In 2018, Hawaii mistakenly sent out a test message about an incoming ballistic missile.
Virtrux told Input that he did not report the breach to either the U.S. or Canadian governments as it “takes months and months” for the government to do anything. Instead, he felt going to the media would get a faster reaction. Input says it reached out to both governments for comment.