Slashdot Mirror

← Back to Stories (view on slashdot.org)

Emergency Alert Systems Used Across the US Can Be Easily Hijacked (helpnetsecurity.com)

Posted by msmash on from the things-falling-apart dept.

A vulnerability affecting emergency alert systems supplied by ATI Systems, one of the leading suppliers of warning sirens in the USA, could be exploited remotely via radio frequencies to activate all the sirens and trigger false alarms. From a report: "We first found the vulnerability in San Francisco, and confirmed it in two other US locations including Sedgwick County, Wichita, Kansas," Balint Seeber, Director of Threat Research at Bastille, told Help Net Security. "Although we have not visited other locations to confirm the presence of the vulnerability, ATI Systems has customers in the US and overseas from the military, local government, educational and energy sectors.

"ATI features customers on its website around the US including One World Trade Center, WestPoint Military Academy and Entergy Nuclear Indian Point which are all in New York State, UMASS Amherst in Massachusetts, Eastern Arizona College, University of South Carolina and Eglin Air Force Base in Florida, amongst others." The vulnerability stems from the fact that the radio protocol used to control the sirens is not secure: activation commands are sent "in the clear," i.e. no encryption is used.

23 of 44 comments (clear)

  1. Not news. They were meant to be easy to activate. by Narcocide · · Score: 3, Informative

    Nobody expected a proliferation of asshats would cause to be called into question the priorities of making emergency alert systems easily accessible.

  2. Re:Not news. They were meant to be easy to activat by Anonymous Coward · · Score: 1

    "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. "

  3. Re:Not news. They were meant to be easy to activat by The-Ixian · · Score: 1

    I suppose you could use the same argument for the computer networks or your front door. Security is almost always bolted on later, after the asshats start moving in.

    It will be fixed... at great public expense.... when the asshats start exploiting it.

    --
    My eyes reflect the stars and a smile lights up my face.
  4. Re:Not news. They were meant to be easy to activat by Narcocide · · Score: 1

    You paid extra for that feature. Sucker.

  5. Maybe they will be fixed, maybe not by davidwr · · Score: 1

    Security is almost always bolted on later, after the asshats start moving in.

    It will be fixed... at great public expense.... when the asshats start exploiting it.

    Maybe they will.

    Maybe enough asshats will be caught to deter those doing it for the lulz.

    Maybe they will become obsolete and just be turned off, like analog cell services.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  6. old news by Joe_Dragon · · Score: 1

    https://www.youtube.com/watch?...

  7. Re:Not news. They were meant to be easy to activat by ArchieBunker · · Score: 1

    I had no problem turning off that "feature".

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  8. Cant be any worse by nimbius · · Score: 2

    than the 4:15 AM informal alarm clock I get from every random kid that goes missing for more than 10 minutes in a wal-mart parking lot. Seriously. I'm a sysadmin, not Harvey Dent. The only time I see the Batman is when I summon him with the Netflix logo.

    --
    Good people go to bed earlier.
    1. Re:Cant be any worse by SeaFox · · Score: 4, Informative

      Double-check the settings on your phone's alert app. I actually found a place to customize (and disable) those Amber alerts.

    2. Re:Cant be any worse by apoc.famine · · Score: 3, Insightful

      Why on earth do you have amber alerts enabled on your phone then? Turn them off!

      I don't understand why anyone volunteers to be interrupted at random times for something that doesn't impact them and which they can't do anything about. Other than text and email notifications, all notifications on my phone are off. Audio and visual. If I want to check something, I check it. If I don't want to check it, it is not allowed to badger me and try to steal my attention from what I'm doing. And that especially applies to sleeping.

      --
      Velociraptor = Distiraptor / Timeraptor
    3. Re:Cant be any worse by The-Ixian · · Score: 1

      I nearly disabled mine when, for 2 months in a row, I got TEST alerts at 3am. I keep my phone in the other room and I still heard that thing... not cool man...

      Then they fixed it and now I only get the test alerts in the afternoon. So I have left it enabled.

      I have never received a real alert on my phone. I guess they are careful about using it in my area (Minneapolis, MN).

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re:Cant be any worse by sjames · · Score: 1

      Only presidential alerts cannot be turned off on a phone. The rest are configurable.

      I haven't turned them off on mine because they're potentially a good thing, but if they keep sending alerts that can't possibly be relevant for someone in my area, I'll have to turn them off.

    5. Re:Cant be any worse by antdude · · Score: 1

      What about on road signs, cable TVs, news, etc.? We can't control those. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    6. Re:Cant be any worse by sjames · · Score: 1

      Except my observation is free of assumptions that it's some sort of government oppression.

    7. Re:Cant be any worse by apoc.famine · · Score: 1

      None of those wake me up in the middle of the night or interrupt meetings, so I'm much more ok with those.

      --
      Velociraptor = Distiraptor / Timeraptor
    8. Re:Cant be any worse by LinuxIsGarbage · · Score: 1

      Why on earth do you have amber alerts enabled on your phone then? Turn them off!

      I don't understand why anyone volunteers to be interrupted at random times for something that doesn't impact them and which they can't do anything about. Other than text and email notifications, all notifications on my phone are off. Audio and visual. If I want to check something, I check it. If I don't want to check it, it is not allowed to badger me and try to steal my attention from what I'm doing. And that especially applies to sleeping.

      I live in Canada. Only now are the carriers enabling emergency text alerts. I disabled Amber alerts in my settings. It's not that I don't care, it's just significantly more likely to irritate me with absolutely no gain. If it showed up in my drop down menu with no sound, or even a brief "Bing" I would be ok and more apt to pay attention to them. I have heard of Americans complain about useless weather warnings coming across by emergency texts in some locals.

      I have "Do Not Disturb" settings at night set to only notify on phone calls. Since upgrading phones, and thus installing the latest version of all apps, I'm very annoyed at the number of useless notifications I'm having to disable. During the day I only want notifications for calls, texts, and IM's. Emails generally are low priority.

  9. Re:Not news. They were meant to be easy to activat by Anonymous Coward · · Score: 1

    The complaint here is that the programmers weren't trying to idiot-proof the system, they were trying to make something that works when required to. A bit like how police and fire department advice can easily be at odds.

    On another note, this doesn't require encryption per se, but authentication. That is often based on encryption, but even so. All in all the usual panicky "computer security" fare. Not really that interesting or impressive, but sufficiently breathlessly worded it'll get some attention from the idiot tech press anyway. The computer security industry s'kiddies are pretty much all attention whores, seeking attention is what they do.

  10. Re:Not news. They were meant to be easy to activat by adolf · · Score: 2

    I've worked with these types of systems.

    Authentication isn't really a thing for them, generally: They follow the same KISS ideas as things like SMTP.

    The simplest of these systems (outdoor warning sirens) work with simple tone sequences or, if really fancy, DTMF... all in the clear with normal frequency modulation on a published radio frequency.

    --
    Kid-proof tablet..
  11. Happens all the time by WillAffleckUW · · Score: 1

    They keep setting it off for Seattle when something happens at the border with Idaho, more than 3 hours drive away.

    Oh.

    You meant it was supposed to be a stupid system like that?

    --
    -- Tigger warning: This post may contain tiggers! --
  12. Re:Not news. They were meant to be easy to activat by sjames · · Score: 1

    I wouldn't mind so much if I didn't get alerts for places that are hours away at times when I'm not that likely to be going anywhere further than the corner store. Meanwhile, tornado warning in my area = silence from the phone.

  13. Re:Not news. They were meant to be easy to activat by mysidia · · Score: 1

    Only Lawbreaking technically-advanced asshats ought to be capable of causing trouble. They may be using cleartext control, but the radio frequencies almost certainly require a license to legally transmit on.

  14. Re:Not news. They were meant to be easy to activat by Anonymous Coward · · Score: 1

    Also, you can probably hijack these US right-wing talking shows on AM radio. Build a 300-meter high mast and do some 100 kW broadcast.

    More down to the Earth and with no sarcasm, things were more interesting in the days of analog TV. Straight pirate TV was possible, but what I once heard about in a documentary was cheaper and funnier. Some cheap home computers were able to display blocky graphics or characters over a video signal - perhaps almost out of the box, with some cheap glue hardware. Think about how the On-Screen Display works on a TV from 1992. These computers used a TVs as their primary output anyway and had a main CPU with a frequency related to the PAL (or SECAM or NTSC) signal. I'm not breaking any ground there : 1.79MHz NES, 3.58MHz SNES, 7.16MHz Amiga, NTSC versions, run hardware at some fractional multiple of some NTSC clock.

    So, in some Eastern block countries, there were pirate broadcasts that added text characters (either all white or all black, whichever works better) on top of the boring official broadcast!

  15. Licensing by infernalC · · Score: 1

    Many state universities not in tornado alley installed warning sirens after the VA Tech shooting. I absolutely think RF was the right way to do this, because it allows for a much more resilient system.

    You can query the FCC ULS for a lot of these places and just look at the license that was issued around the time the system was installed to determine the frequency. The mode is almost always analog FM voice, and the activation codes are probably DTMF.

    I think this is a case where the simplicity of the system and the need for it always to work trumps keeping the script kiddies out. If you are caught transmitting on a licensed band without a license, the civil fine just for that is $16K.

    I think the real danger is an terrorist jamming the frequency during his attack.