Picture this: It's Thursday night and you're watching television with your family.
Suddenly, an alert like this pops up, warning you about a "radiological hazard" in your area:
This is exactly what many residents of Washington state's Olympic Peninsula saw on their televisions.
The scariest part, though? The warning was fake and the work of a hacker.
The Washington state emergency alert was a hack
At first, Jefferson County's 9-1-1 could only reassure residents that the alert was some sort of error by taking to Facebook:
"This message is coming across WAVE channels in our community. It is being investigated and appears to be an error. Do NOT call 9-1-1 to report this or to ask for an update—we do not have ANY information other than this message is being broadcast and that authorities are investigating it as an erroneous message. So far it appears to only be happening in Jefferson County. The State Department of Emergency Management has no information and no other counties are reporting this alert at this time."
By the time they got the message out, however, some people were already cautious, like one viewer of KING 5 News (NBC) in Seattle:
"We experienced an hour of pure terror. We evacuated our house with our dogs and drove to Sequim [WA] to my parents, wondering when and if we would die."
County confirms hacking linked to IoT devices
And then state and county officials, and those from Wave Broadband, started to investigate.
Jefferson County then posted an update:
"HACKING NEWS: Wave Broadband confirms system hacked; 3,000 Jefferson County subscribers see/hear message due to 'non-malicious' hack or security breach."
However, the post went on to say it was not the Emergency Alert System (EAS) that was hacked, but rather the cable boxes in homes, as part of an Internet of Things (IoT) hack:
"Wave Broadband has since confirmed that approximately 3,000 cable subscribers in Jefferson County were targeted by the alerts, and any customers watching television at that time, on any channel, would have seen them.
Upon notification of the alerts, Wave took immediate action to prevent additional non-official emergency alerts from being sent, and is in the process of developing and implementing mitigating protocols that will prevent such a breach from occurring in the future."
The cost of a hacker sending emergency alert messages
No one was hurt or killed as a result of this fake alert sent by a hacker. However, the cost of a breach like this can be seen long after the cyberattack is over.
Robert Ezelle, Director of Washington State Emergency Management, explains it this way:
"You over warn, people are going to turn them off and tune them out. But if you put out false warnings, you undermine the credibility of the systems. You need to make sure the integrity is there."
More work to prevent fake alerts needs to be done.