A Blog from QualiTest

Are You Sure?!?!?

Death and destruction is imminent!  … or maybe not.  At least that was the false message in Hawaii and Japan earlier this month regarding incoming...

Death and destruction is imminent!  … or maybe not.  At least that was the false message in Hawaii and Japan earlier this month regarding incoming nuclear missiles.  All it takes is making the wrong menu pick, or believing that you’re in a simulation instead of reality.  But how red and flashing and glaring does an “Are you sure?” have to be?  It needs to be annoying enough to be noticed, but not annoying enough to be, well, annoying because it ruins the user experience.  I am assuming that user experience is behind EMV chip readers beeping a little less loud with their “remove your card already; don’t leave it by accident!”  Of course, there is a different level of emergency between “Please remove your card that a moment ago you needed to keep in for scanning purposes” and “Do you really want to tell the population that they’re all about to die without any further explanation of how they should proceed?”

The U.S. currently uses the Emergency Alert System (EAS), which replaced the Emergency Broadcast System in 1997, and is jointly coordinated by FEMA, the FCC and the National Weather Service.  In 2008, work began on including smartphone notifications, with individual state rollouts beginning early 2013.  On November 9, 2011, a federal test of the system was performed.  While it mostly worked, there were various bugs reported:

  • 18% of stations failed to either receive or retransmit the alert which included some hard-coding preventions in EAS systems to prevent playing the 30-second Emergency Action Notification (EAN) due to expecting a 75-second message or longer
  • Due to a feedback loop, the test played several times in the background, and the EOM code was sent twice, violating EAS rules
  • The alert code that would have allowed the President to speak was missing
  • DirecTV users heard Lady Gaga’s “Paparazzi” in the background due to an off-air channel mix-up (my vote would be for her “The Edge of Glory” which dropped 6 months to the day before the test)
  • A large-delay reverb effect and noisy background levels.

In addition to these fixable bugs and the false alarms above (and other false alarms), incidents have included:

  • EAS tones being broadcast that were embedded in recorded ads (which can result in FCC fines and/or license renewal declination) or in movies/movie trailers (which were broadcast on TV) or video games
  • Hacking (EAS hardware which was still using the default passwords; each event has included the same “zombies rising from their graves” audio track) — not coincidentally, anything hacked to no longer be the brain in charge can be referred to as being a zombie
  • Testing errors (where testing was not expected to be broadcast live)

But what can we learn from all of this?  EAS, like IoT and medical devices, can have their default passwords hacked.  It is important to know the difference between live and test environments.  Following proper procedures and heeding Are-you-sure’s is critical.  And most importantly, testing helps improve your System Under Test.

Note: Had this been an actual emergency, QualiTest does not specifically endorse or reject the idea of playing Lady Gaga music as nuclear missiles head your way.