Skip to content
Naked Security Naked Security

Hawaii missile alert triggered by one wrong click

The false alarm about a missile was too easy to make and too hard to stop

What amounts to a bad graphical user interface (GUI) – one that makes it too easy to click the “send the state’s population an emergency alert” option when you mean to click “test the emergency alert that sends people running for their lives” – terrified the population of Hawaii on Saturday morning.
The mistakenly sent emergency alert about an incoming ballistic missile was the first, adrenaline-gushing glitch. The second was that nobody at the state’s Emergency Management Agency (HI-EMA) corrected the error for a full 38 minutes.
According to the Washington Post, this tweet, from Rep. Tulsi Gabbard (D-Hawaii), was the first indication many received about the alarm being a glitch. She sent it out within about 15 minutes of the false alarm.

During the 38-minute delay between the emergency alert system sending the alarm and and its subsequent alert that the alarm had been false, the emergency message showed on phones and TVs and played on radio stations across the state.
As CNN reported, people sought shelter by crawling under tables in cafes, were ushered into military hangars, and huddled around TVs to watch the news for the latest developments. Some put their kids into the bathtub, others sought shelter in tunnels, while some tried to get to the airport to clear out before the heavens rained down ruin.
Apologies for the false alarm have come from HI-EMA and from Hawaii Gov. David Ige, who explained that the mistake was made “during a standard procedure at the changeover of a shift [when] an employee pushed the wrong button.”
The state has released a timeline (PDF) of the incident.
It shows that officials knew within 3 minutes of the alert going out that there had been no missile launch. They didn’t post notifications about the error until 8:20 a.m., when they published alert cancellations on their Facebook and Twitter accounts. It wasn’t until 8:45 a.m. that the emergency alert system issued the “false alarm” notification.
In the aftermath, Federal Communications Commission (FCC) boss Ajit Pai initiated an investigation, saying that the false alarm was “absolutely unacceptable”. Pai blamed Hawaii government officials, saying that they didn’t have “reasonable safeguards or process controls” that could have stopped the alert’s transmission.


HI-EMA says it has indeed started a review of cancellation procedures to “inform the public immediately if a cancellation is warranted.” Otherwise, we’ll get a reputation as the EMA who cried wolf, both the agency and Pai said. From HI-EMA:

We understand that false alarms such as this can erode public confidence in our emergency notification systems. We understand the serious nature of the warning alert systems and the need to get this right 100% of the time.

On Sunday, HI-EMA spokesman Richard Rapoza told the Chicago Tribune that the situation was particularly bad as there wasn’t a system in place to correct the initial error. The agency had standing permission through the Federal Emergency Management Agency (FEMA) to use civil warning systems to send out the missile alert, but not to send out a subsequent false alarm alert, he said.
That’s where that 38-minute lag came in, Rapoza said:

We had to double back and work with FEMA [to create the false alarm alert], and that’s what took time.
In the past there was no cancellation button. There was no false alarm button at all.

That part of the problem has already been fixed, Rapoza said:

Now there is a command to issue a message immediately that goes over on the same system saying ‘It’s a false alarm. Please disregard.’ as soon as the mistake is identified.

…Which leaves the “how do we keep these types of mistakes from happening in the first place” piece of the puzzle still to go. HI-EMA has said it’s suspended all internal drills until an investigation is completed.
Also, it’s initiated a requirement that two people are needed to activate and to verify tests and actual missile launch notifications.
The employee who made the mistake has been temporarily reassigned, but he won’t be fired, Rapoza said. Really, anybody could have made the same mistake, and that’s a problem with the procedures in place, not with the human who did what humans do: make mistakes.
Rapoza is right, of course, if a little late to the party. It isn’t news that poor design is a security and safety issue and the basic elements of good graphical user interface design have been understood for decades.
As interface design guru Don Norman wrote:

Bad design and procedures lead to breakdowns where, eventually the last link is a person who gets blamed, and punished.
… Does human error cause accidents? Yes, but we need to know what caused the error: in the majority of instances human error is the result of inappropriate design of equipment or procedures.


13 Comments

Before the alert is actually transmitted, the GUI needs to pop up a big red flashing box with a screaming siren sound in front of the operator that says: “You are about to scare the pants off everyone and send them running screaming for the hills. Are you SURE you want to do this?” [Click NO to cancel this alert or click YES to start the panic.]

As far as I know, that did happen. The media frenzy around this being a “bad GUI” is a bit of a red herring if you ask me. The procedural side seems to be the issue here. A real alert is something you might expect will be used zero times or once every century, say. So who accepted a workflow like this? Why is the same person allowed to select and to approve an alert? If this is really testing the *actual missile alert process*, how come people didn’t seem to know how to respond, what to do, where to go? If it was just testing the SMS part of the system, then it’s not really a “test alert”? Why no process for following up one alert with another (something that ought to be tested, too)?
My own opinion is that, for all that the GUI might be garbage, blaming it is a bit too convenient – and the authorities, bless them, seem to ve taking a wide view of this in what they are looking to change and improve.

One indication the GUI is bad… the label next to the checkbox:
test the emergency alert that sends people running for their lives
:,)

Ajit Pai: “Hawaii government officials … didn’t have “reasonable safeguards or process controls” that could have stopped the alert’s transmission..”
Unlikely to find many of his fans here, but while his statement comes from an understandable place, the *head of the FCC* should grasp that a jittery, panic-stricken agent in an actual emergency shouldn’t be required to navigate a labyrinth of “are you sure?” popups, since seconds count in disseminating actual alerts.
I’m looking forward to his Greatest Hits album, featuring “Selling Out The Neighbors,” “What’s Yours is Mine and What’s Mine is Verizon’s,” and “Investigating You Distracts From Investigating Me.”

There was a HI spokeswoman on TV stating that the delay in rescinding the alert was due to officials having to “download an app” to send out the false alarm alert. Does anyone know what she was referring to? It brought an image of this process relying on someone holding a smartphone and desperately trying to find the ‘recall alert’ app in Google Play…

shit happens :D
https://www.cbsnews.com/news/japans-public-tv-sends-missile-alert-by-mistake/

We covered that one, too…
https://nakedsecurity.sophos.com/2018/01/16/its-raining-fake-missiles-japan-follows-hawaii-with-mistaken-alert/
Testing stuff reliably is harder than you think. Spare a thought for my Sophos colleagues who test our products against real malware…it requires a very keen attention to detail. Programming is all very glamorous but it’s in QA where the rubber hits the road :-)

Never going to believe this was accidental at all. Seems like politics being played here, and it’s sad if true, people could/may have been hurt in the ensuing panic.

Given the facts that have come out subsequently, there doesn’t seem to me to be any way that anyone could have intended any of this to happen.

Hardcore…waking up to a warhead in trajectory alert. Can you imagine the relief after the ‘false alarm’ was posted! I wonder if there will be an increase in babies being born 9 months from now…

I dunno… I see your point, but on the other hand, there can’t be too many things that would be more effective as a mood-killer than getting that warning!

Feb 19, 2017, false missile alert issued to all air personnel in NATO base, Spangdahlem Germany.
Jan 13, 2018, false incoming missile alert issued by Hawaii
And now Japan does the same thing.
Human error!? How effen stupid do they think we are? They’re testing the systems. And human actions.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?