Slashdot Mirror
Emergency Alert Systems Used Across the US Can Be Easily Hijacked (helpnetsecurity.com)
A vulnerability affecting emergency alert systems supplied by ATI Systems, one of the leading suppliers of warning sirens in the USA, could be exploited remotely via radio frequencies to activate all the sirens and trigger false alarms. From a report: "We first found the vulnerability in San Francisco, and confirmed it in two other US locations including Sedgwick County, Wichita, Kansas," Balint Seeber, Director of Threat Research at Bastille, told Help Net Security. "Although we have not visited other locations to confirm the presence of the vulnerability, ATI Systems has customers in the US and overseas from the military, local government, educational and energy sectors.
"ATI features customers on its website around the US including One World Trade Center, WestPoint Military Academy and Entergy Nuclear Indian Point which are all in New York State, UMASS Amherst in Massachusetts, Eastern Arizona College, University of South Carolina and Eglin Air Force Base in Florida, amongst others." The vulnerability stems from the fact that the radio protocol used to control the sirens is not secure: activation commands are sent "in the clear," i.e. no encryption is used.
"ATI features customers on its website around the US including One World Trade Center, WestPoint Military Academy and Entergy Nuclear Indian Point which are all in New York State, UMASS Amherst in Massachusetts, Eastern Arizona College, University of South Carolina and Eglin Air Force Base in Florida, amongst others." The vulnerability stems from the fact that the radio protocol used to control the sirens is not secure: activation commands are sent "in the clear," i.e. no encryption is used.
Nobody expected a proliferation of asshats would cause to be called into question the priorities of making emergency alert systems easily accessible.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. "
The traditional EAS system has many interesting and very complex issues, but this isn't one of them. Sirens are not uniform in area and how they are managed. Most warning sirens are managed by local officials. There are more more interesting vulnerabilities in the EAS system.
I suppose you could use the same argument for the computer networks or your front door. Security is almost always bolted on later, after the asshats start moving in.
It will be fixed... at great public expense.... when the asshats start exploiting it.
My eyes reflect the stars and a smile lights up my face.
You mean the ones blowing up my phone with "Amber Alerts" over custody disputes?
Sirens city-wide in the middle of the night are not fun.
The "good news" is you usually have to be within tens of miles/line of site of a receiving station to pull off this hack. It probably won't be the Russians hacking your sirens.
Damn otto-korrect. "Line of sight."
You paid extra for that feature. Sucker.
Security is almost always bolted on later, after the asshats start moving in.
It will be fixed... at great public expense.... when the asshats start exploiting it.
Maybe they will.
Maybe enough asshats will be caught to deter those doing it for the lulz.
Maybe they will become obsolete and just be turned off, like analog cell services.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I guess it's not news that US things, elections, electricity grids, can be hijacked by miscreants. It'd be news if someone went to prison for this, but not the others...
Those asshats could be the kid living in the basement next door or a foreign country. An easily activated 'false alarm' is of no use to anyone. These scenarios should have been considered by the people who designed the system, by the people who built the system and finally by us taxpayers you bought the system. There are many levels available to ask "can this be abused". I consider each of them a fail when a product like this makes it to final installation. But ultimately, WE have to stop buying this shit without asking the hard questions first.
https://www.youtube.com/watch?...
I had no problem turning off that "feature".
Only the State obtains its revenue by coercion. - Murray Rothbard
Some HAM radio operator kept sending the DTMF tones to the tornado sirens at 1 in the morning, so the city had to disable them.
Also people were complaining to the city that the warnings were in both English and Spanish (SPEAK ENGLISH OR DIE) which somehow has recently become an issue even though this was first instituted in the mid-70's.
You can't build a system designed to broadcast to everybody and hope that it has any chance of being secure.
So now you've built something which will screech and howl to every phone when some kid goes missing and so you can keep the populace in a perpetual state of emergency panic ... and you realize you utterly failed to implement security in it.
This warning system was always a waste, because it was going to be over-used for every stupid little thing and then people would stop checking their damned phones.
Systems like this built in a rush are always going to be utterly lacking in security, because security was never a design goal.
The first time I get a klaxon alarm on my phone because of a missing child, who I don't care about and won't be able to help with because I make it a point to not be around children, will be the point at which all future alerts from this will be disregarded.
You wanted the "panic the populace" system. Now, you have it, and you've realized it's probably lacking in some pretty basic safeguards.
than the 4:15 AM informal alarm clock I get from every random kid that goes missing for more than 10 minutes in a wal-mart parking lot. Seriously. I'm a sysadmin, not Harvey Dent. The only time I see the Batman is when I summon him with the Netflix logo.
Good people go to bed earlier.
"Emergency Alert
BALLISTIC MISSILE THREAT INBOUND TO NEW YORK. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL."
I suppose that security isn't at all important with those kinds of systems. Nah.
Considering that thing didnt go off on 911, it seems the only reasons that thing would possibly go off is the tests and a hack. who cares at this point.
Encrypting the transmission only increases the time required to receive the instructions / warning. Being forced to wait for a decryption process to complete is the last thing anyone wants to do in a life or death scenario. "Where's the nearest checkpoint / safehouse?" "Hang on, it's still decrypting..... and the phone died. We're screwed." Further, encrypting the transmission makes no sense from a strategic perspective. It's plainly obvious what the instructions were either by the nature of the incident, or the actions of those that have received the message. I.e. The general public.
The real issue here is a lack of authentication. Knowing where the message originated. I.e. Is the message from a government agency, or some random black hat messing around? You need digital signatures and not encryption. That way those that need / want to verify the source can do so, while everyone else can just get the cleartext message and move on.
The next thing is clearly going to be Facebook integration. Fuck Zuck!
The complaint here is that the programmers weren't trying to idiot-proof the system, they were trying to make something that works when required to. A bit like how police and fire department advice can easily be at odds.
On another note, this doesn't require encryption per se, but authentication. That is often based on encryption, but even so. All in all the usual panicky "computer security" fare. Not really that interesting or impressive, but sufficiently breathlessly worded it'll get some attention from the idiot tech press anyway. The computer security industry s'kiddies are pretty much all attention whores, seeking attention is what they do.
I've worked with these types of systems.
Authentication isn't really a thing for them, generally: They follow the same KISS ideas as things like SMTP.
The simplest of these systems (outdoor warning sirens) work with simple tone sequences or, if really fancy, DTMF... all in the clear with normal frequency modulation on a published radio frequency.
Kid-proof tablet..
They keep setting it off for Seattle when something happens at the border with Idaho, more than 3 hours drive away.
Oh.
You meant it was supposed to be a stupid system like that?
-- Tigger warning: This post may contain tiggers! --
Considering that a lot of the tornado sirens around the country can be activated by sending a DTMF sequence over radio in the clear (often 450MHz), all one has to do is listen until the authorities send one and record the tone. Keep it for later. Hilarity ensues.
I wouldn't mind so much if I didn't get alerts for places that are hours away at times when I'm not that likely to be going anywhere further than the corner store. Meanwhile, tornado warning in my area = silence from the phone.
Only Lawbreaking technically-advanced asshats ought to be capable of causing trouble. They may be using cleartext control, but the radio frequencies almost certainly require a license to legally transmit on.
Also, you can probably hijack these US right-wing talking shows on AM radio. Build a 300-meter high mast and do some 100 kW broadcast.
More down to the Earth and with no sarcasm, things were more interesting in the days of analog TV. Straight pirate TV was possible, but what I once heard about in a documentary was cheaper and funnier. Some cheap home computers were able to display blocky graphics or characters over a video signal - perhaps almost out of the box, with some cheap glue hardware. Think about how the On-Screen Display works on a TV from 1992. These computers used a TVs as their primary output anyway and had a main CPU with a frequency related to the PAL (or SECAM or NTSC) signal. I'm not breaking any ground there : 1.79MHz NES, 3.58MHz SNES, 7.16MHz Amiga, NTSC versions, run hardware at some fractional multiple of some NTSC clock.
So, in some Eastern block countries, there were pirate broadcasts that added text characters (either all white or all black, whichever works better) on top of the boring official broadcast!
Many state universities not in tornado alley installed warning sirens after the VA Tech shooting. I absolutely think RF was the right way to do this, because it allows for a much more resilient system.
You can query the FCC ULS for a lot of these places and just look at the license that was issued around the time the system was installed to determine the frequency. The mode is almost always analog FM voice, and the activation codes are probably DTMF.
I think this is a case where the simplicity of the system and the need for it always to work trumps keeping the script kiddies out. If you are caught transmitting on a licensed band without a license, the civil fine just for that is $16K.
I think the real danger is an terrorist jamming the frequency during his attack.
This is old news. For example it happened in Dallas, Texas about a year ago and got a lot of news coverage. See https://www.wired.com/2017/04/dallas-siren-hack-wasnt-novel-just-really-loud/
Pretty sure that wasn't a HAM, as they stand to lose quite a lot if found out. Access to all your friends world-wide, for one; losing your licence for cause is no joke.
But there are plenty people with probably just enough knowledge and access to radio equipment. The CB crowd sees a lot of them, but it could just as well be a kid who got a radio from a yard sale. Or it could be something else entirely.