[EAS] Next Generation
ray at electronicstheory.com
Wed Nov 12 08:23:34 CST 2014
Look folks - let's make this as simple as we can:
First look at the problem:
Are we trying to prevent accidental triggering, or intentional triggering by a
hacker?
I would say the correct answer to the above is: BOTH.
So where do we stand now?
1) We have a fixed encoding scheme which is published.
2) I have personally built a codec years ago out of transistors and microchips.
With today's off the shelf hardware, it isn't rocket science. Most ham radio
operators can do it, many without thinking too hard.
3) The tones which trigger an EAN can easily be generated by any computer with a
sound card. Let's face it - it is rehashed RTTY.
ergo:
4) Any computer monkey with a bent can read the regs, and purposely generate an
EAN. This isn't rocket science. It is about 6 hours worth of programming (less
than 2 if you do it for a living). Creating a complete set of EAS codec
software that meets FCC reg - a bit more time consuming, but you don't need all
that if your intent is to be malicious. You just need a computer with a sound
card, a little code that turns ASCII into a 2-tone signal, and a low power FM
transmitter.... which leads to my next point:
5) The radio relay system does have a weak point. I could cut the
power/transmission line on the LP1 in Washington DC, use a 100W back-of-the-van
transmitter, and generate an EAN on the LP1 frequency. Voilà - I just hacked
the entire EAS system across the entire country.
So what is the fix?
DUPLICATE streams of data.
Either:
1) An encrypted code must be sent in the stream unlocking the box's ability to
pass an EAN (this could still be hacked easily)...or
2) A "red envelope" method must be used with the box having received the
unlocking code on a weekly/monthly basis. (Code could be sent via internet and
stored for later use) which unlocks the radio signal when it arrives...or
3) TWO EANs must arrive at the box from 2 different sources (one from radio,
one from CAP?) within a given period of time and must match in order to pass an
EAN...or...
Now of course we don't want to create a system that won't go off when we need it
to, but there may be many ways to skin this cat. The point is, if one stream of
data contains all the code necessary to trigger an EAN, then I can generate that
signal on the spot. If I can do it, then any malicious hacker can also do it,
and it is simply a matter of time before they do.
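The third fix proposed above (two EANs from two independent sources, matching and within a time window, before the box passes anything) can be written down as a small gate. The code below is an added illustration, not anything from the post or from any EAS vendor; the header fields, the source names "radio" and "cap", and the 120-second window are assumptions for the example, not the SAME wire format.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 120  # assumed matching window; a deployment would tune this

@dataclass(frozen=True)
class AlertHeader:
    """Header fields assumed for matching (not the on-air SAME format)."""
    originator: str   # e.g. "PEP"
    event: str        # "EAN" for Emergency Action Notification
    locations: tuple  # location codes; compared order-insensitively
    issued: int       # issue time as epoch seconds

    def key(self):
        return (self.originator, self.event, tuple(sorted(self.locations)), self.issued)

class DualSourceGate:
    """Pass an EAN only once matching headers have arrived from every
    required source within WINDOW_SECONDS of each other. A single stream,
    however well-formed, never gets through on its own."""
    REQUIRED = frozenset({"radio", "cap"})

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.pending = {}    # header key -> {source: first arrival time}
        self.passed = set()  # keys already relayed, so repeats are not replayed

    def receive(self, header, source, now):
        """Return True exactly once, when the header is corroborated."""
        if source not in self.REQUIRED:
            raise ValueError(f"unknown source {source!r}")
        self._expire(now)
        k = header.key()
        if k in self.passed:
            return False
        seen = self.pending.setdefault(k, {})
        seen.setdefault(source, now)  # keep the earliest arrival per source
        if self.REQUIRED.issubset(seen):
            del self.pending[k]
            self.passed.add(k)
            return True
        return False

    def _expire(self, now):
        """Drop single-source arrivals older than the window."""
        for k in list(self.pending):
            seen = self.pending[k]
            for src, t in list(seen.items()):
                if now - t > self.window:
                    del seen[src]
            if not seen:
                del self.pending[k]
```

A header that differs in any field between the two sources (for example a different location list) produces a different key and is never corroborated, which is the matching requirement the post asks for.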