Inside the Emergency Alert System

by Tokachu

The Emergency Alert System, commonly called EAS, originates from the FCC-mandated Emergency Broadcast System (formerly known as CONELRAD), which was nothing more than a long multi-frequency tone generator and detector.

Before the Kennedy Administration, such signals were only accessible to major networks, and by the early 1990s the system was showing its age.

Some cable companies resorted to building their own unique alert systems using old phone equipment because the 30-year-old system was, quite literally, falling apart.  In 1994, after three years of research and development, the FCC introduced what is now the modern EAS, and in 1997 the system was made mandatory.

Network Topology

The original EBS worked in a daisy-chain fashion, where the authorities would notify one radio station, that radio station would notify another station, and so forth.

The EAS works in a hierarchical manner, where the notifying party (civil authorities, the National Weather Service, or law enforcement) notifies the largest station in the area.

From there, other smaller radio stations actually have a receiver hooked up to the EAS encoder/decoder (the "endec") that listens for the big radio station, and the endec will cut into the radio station's signal to transmit at least three bursts of data along with the attention signal.

Data Format

I'll be brief about the data format: it's FSK-encoded (one tone is a mark, or "1" in binary, and another tone is a space, or "0"), which limits its transmission speed to about 1200 bps.

However, it operates at a very strange baud: 520.83 bps, or one bit every 1.92 milliseconds.  The space frequency is the bitrate multiplied by three (exactly 1562.5 Hz), and the mark frequency is the bitrate multiplied by four (approximately 2083.3 Hz).

Each byte is a regular 8-bit byte containing ASCII data (the most significant bit is ignored when receiving the data format), so it's very easy to modulate data.

The header consists of 16 bytes with binary value: 10101011

As the bitrate and transmission protocols are constant, there is no need to transmit bitrate calibration signals or mark/space information.
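
An added example (not code from the article or from any endec) of the receive side of this scheme: because the space and mark tones complete three and four cycles per bit period, correlating one bit period of audio against each tone separates them cleanly. The 25 kHz sample rate, the `min_ratio` threshold and the function names are assumptions, as is that the windows are already aligned to bit boundaries.

```python
import math

SPACE_HZ = 1562.5      # binary 0: three cycles per bit period
MARK_HZ = 2083.3       # binary 1: four cycles per bit period
SAMPLE_RATE = 25000    # assumption: 25 kHz * 1.92 ms = exactly 48 samples per bit
SAMPLES_PER_BIT = 48

def tone_power(window, freq_hz):
    """Energy of one window of samples at freq_hz (a single-bin DFT)."""
    step = 2 * math.pi * freq_hz / SAMPLE_RATE
    i = sum(s * math.cos(step * n) for n, s in enumerate(window))
    q = sum(s * math.sin(step * n) for n, s in enumerate(window))
    return i * i + q * q

def classify_bit(window, min_ratio=4.0):
    """Return 1 for mark, 0 for space, None if neither tone clearly wins."""
    mark = tone_power(window, MARK_HZ)
    space = tone_power(window, SPACE_HZ)
    if mark > min_ratio * space:
        return 1
    if space > min_ratio * mark:
        return 0
    return None  # no clear winner, e.g. silence

def demodulate(samples):
    """Classify consecutive bit-length windows (assumes bit alignment)."""
    return [
        classify_bit(samples[k:k + SAMPLES_PER_BIT])
        for k in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT)
    ]

if __name__ == "__main__":
    # Constructed input: one bit period of the mark tone, then one of silence.
    mark_bit = [math.sin(2 * math.pi * MARK_HZ * n / SAMPLE_RATE)
                for n in range(SAMPLES_PER_BIT)]
    print(demodulate(mark_bit + [0.0] * SAMPLES_PER_BIT))
```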

Here is a sample transmission, preserved in 8-bit format:

''''''''''''''''ZCZC-WXR-HUW-037183+0300-0661830-WXYZ/FM -

The sixteen funny symbols at the beginning are the 16-byte header, along with another 4-byte header of ZCZC to indicate ASCII data.

WXR is the notifying party (the National Weather Service, for this example).

HUW is the message code ("Hurricane Warning"), and 037183 is the affected area, noted in undashed FIPS PUB 6-4 format.

The first digit is the region, which is usually set to "Nationwide" (0) and ignored; the second and third digits note the state (North Carolina), and the last three digits are the county number (Wake County).

To store more than one location, the format might look like ######-######+, with each ######- being a six-digit location code and with the last code ending with a plus rather than a minus symbol.  The four digits after the plus symbol represent the length of time the alert is effective for (exactly three hours in this example).

For the next seven digits, the first three are a Julian-formatted date (066 means the 66th day of the year, or May 7th in 2005).

The last four digits are the starting time (1830 = 6:30 pm).

The next eight characters hold the call sign of the radio station sending out the alert.  It is space-padded at the end, and any dashes in the call sign are replaced with slashes.

The message ends with a single dash.
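
The field layout walked through above, as an added parser (not code from the article or from an endec). It strips the 16 header bytes, masks the ignored high bit, and rejects bursts that do not match the layout; the function name, the returned keys and the reading of the four duration digits as hours and minutes are assumptions.

```python
import re

PREAMBLE = b"\xab"  # 10101011, sent 16 times before the ASCII text

# Field layout as walked through in the article.
HEADER_RE = re.compile(
    r"ZCZC-(?P<org>[A-Z]{3})-(?P<event>[A-Z]{3})"
    r"(?P<locs>(?:-\d{6})+)\+(?P<dur>\d{4})"
    r"-(?P<day>\d{3})(?P<time>\d{4})-(?P<call>[^-]{8})-"
)

def parse_header(raw: bytes) -> dict:
    """Split one received burst into its fields; ValueError if malformed."""
    body = raw.lstrip(PREAMBLE)
    # Each byte carries 7-bit ASCII, so the top bit is masked off.
    text = bytes(b & 0x7F for b in body).decode("ascii")
    m = HEADER_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not a well-formed header: {text!r}")
    day = int(m["day"])
    hour, minute = int(m["time"][:2]), int(m["time"][2:])
    # Assumption: the four duration digits are read as HHMM.
    dur_h, dur_m = int(m["dur"][:2]), int(m["dur"][2:])
    if not 1 <= day <= 366 or hour > 23 or minute > 59 or dur_m > 59:
        raise ValueError(f"date/time field out of range: {text!r}")
    locations = [
        {"region": code[0], "state": code[1:3], "county": code[3:]}
        for code in m["locs"].split("-")[1:]
    ]
    return {
        "originator": m["org"],
        "event": m["event"],
        "locations": locations,
        "duration_minutes": dur_h * 60 + dur_m,
        "day_of_year": day,
        "start_time": (hour, minute),
        # Undo the slash substitution and strip the space padding.
        "call_sign": m["call"].rstrip().replace("/", "-"),
    }

# Constructed input: the article's sample with the 16 header bytes restored.
SAMPLE = PREAMBLE * 16 + b"ZCZC-WXR-HUW-037183+0300-0661830-WXYZ/FM -"

if __name__ == "__main__":
    print(parse_header(SAMPLE))
```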

What is not shown here is the two-tone signal of 853 Hz and 960 Hz, which must be emitted for at least eight seconds after the data is sent at least three times.

From there, data with ''''''''''''''''NNNN transmitted exactly three times acts as the signal for the end of the transmission.

For some really detailed information, you should read document FCC Title 47 CFR §11, available on fcc.gov.

Security

I'm sure you're thinking something along the lines of "If there's nothing to authenticate or encrypt the information, what's keeping people from breaking into machines and sending fake signals?"  Well, there's a few things you should know.

First, most radio stations have a live person to confirm whether or not to forward any message received.  Second, these machines are not hooked up like computers; they're placed alongside transmission equipment, and are not hooked up to any network or external computer (with the exception of video crawls in television stations, but those still require manual intervention to function).

I can tell you that every time I hear that little "duck quack," I do flip out, but even though I have a legal obligation to forward the message, I can call the radio station afterwards to confirm it (and if it's fake, I can break back into the radio circuit to let people know).

But let's say you happen to get into the radio station and get physical access to the machine (which you won't) or happen to somehow break into the remote transmission facilities to interrupt the audio and use your own EAS endec (which you probably won't).

The FCC can find you easily because you'd have to be very close or inside the radio station to pull such a task off.  You would then be prosecuted and your message might not even be forwarded!

The only vulnerability I can find is the fact that the FCC mandates that there be either a weekly or monthly test of the EAS endec.  Unfortunately, that means that a rogue attacker could very likely be able to inject a test signal into a cable television network, which would not only interrupt one station, but every station in that area.

This kind of message would not result in another The War of the Worlds scenario, but would still result in loss of revenue by the television stations.  Then again, a test only lasts a few minutes and unless the attacker struck during the Super Bowl commercial break, the losses would be negligible.  I'll keep the door locked, just in case you get any ideas.

Conclusion

While it is very easy to make a signal generator for the EAS, there is no real use for it beyond the transmitter.

If you're daring, you could modify a radio packet program to use the frequencies and bitrate of the EAS to automatically log emergencies.  RadioShack used to sell a radio scanner that could tune into FM stations and TV audio carriers and decode EAS signals for about $70 some time ago, although it might be a bit more expensive nowadays.

Nonetheless, until the EAS is completely integrated into consumer appliances such as cellular phones, there is nothing to worry about when it comes to "breaking into" the system, and with the FCC collecting comments on the next generation of the EAS, it will probably be very stable and very secure in the days to come.
