How a poor user interface design caused the Hawaii missile scare

Experts slam emergency alert system's lack of safeguards, after worker selects wrong drop-down option

A poorly-designed user interface was reportedly behind the false alarm regarding an incoming missile that sent Hawaiian residents into a panic over the weekend.

People in the US state received a notification on their smartphones on Saturday warning of an imminent ballistic missile strike, advising them to "seek immediate shelter" and that "this is not a drill". Fortunately, it was.

The alert was supposed to have been an internal test of the Hawaii Emergency Management Agency's (HEMA's) missile alert system, conducted semi-regularly since tensions between the US and North Korea began escalating last year. According to The Washington Post, an employee mistakenly selected the wrong option from a drop-down list, issuing a genuine missile alert to the public instead of a dummy alert to HEMA staff.

The two options were labelled almost identically ('test missile alert' and 'missile alert') and placed one after another, while the only safeguard to prevent accidental alert launches was a single confirmation prompt.

The incident has drawn criticism from some experts, who say that such an important system should not be so open to human error.

"Even though the menu option still required confirmation that the user really wanted to send an alert, that wasn't enough, on this occasion, to prevent the worker from robotically clicking onwards," explained security expert Graham Cluley.

"There was an 'are you sure?' message, but the user clicked it anyway. Clearly the 'are you sure?' last-chance-saloon wasn't worded carefully enough, or didn't stand out sufficiently from the regular working of the interface, to make the worker think twice."

Federal Communications Commission chairman Ajit Pai also slammed the error, calling it "absolutely unacceptable". "Based on the information we have collected so far, it appears that the government of Hawaii did not have reasonable safeguards or process controls in place to prevent the transmission of a false alert," he said in a statement.

Compounding the problem was the fact that it took more than half an hour for HEMA to send out a follow-up message after the first alert to reassure people that it was an error. Sending the retraction required an elevated level of permissions, and had to go through the Federal Emergency Management Agency (FEMA) for approval.

HEMA said it has now modified the system, requiring all genuine alerts to be confirmed by a second person before they are issued, as well as adding a cancellation button allowing citizens to be immediately notified in the event of another false alarm.

Picture credit: Shutterstock

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Lookout reveals mobile-first endpoint detection and response solution
Security

Lookout reveals mobile-first endpoint detection and response solution

21 Oct 2020
Cisco finds an increase in security concerns due to remote working
Security

Cisco finds an increase in security concerns due to remote working

21 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
'Robin Hood' hackers donate stolen Bitcoin to charity
ransomware

'Robin Hood' hackers donate stolen Bitcoin to charity

21 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020