Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacked Tornado Sirens Taken Offline In Two Texas Cities Ahead of Major Storm (zdnet.com)

Posted by BeauHD on from the commence-panic dept.

An anonymous reader quotes a report from ZDNet: A hacker set off the tornado emergency sirens in the middle of the night last week across two North Texas towns. Following the unauthorized intrusion, city authorities had to shut down their emergency warning system a day before major storms and potential tornados were set to hit the area. The false alarm caused quite the panic in the two towns, as locals were already on the edge of their seats regarding incoming storms. The city had run tests of the tornado alarm sirens a week before, but the tests were set during the middle of the day and had long concluded. The two hacked systems were taken offline the next morning, and remained offline ever since.

Bad weather, including storms and potential tornadoes, was announced for all last week in the North Texas area. A severe thunderstorm hit the two cities the following night, on March 13. Thunderstorms are known to produce brief tornadoes, but luck had it that no tornado formed and hit the towns that day. Tornadoes are frequent in Texas, as the state is located in Tornado Alley, and tornado season, a period of the year between March and May when most tornadoes happen, had officially begun. Nevertheless, a tornado didn't form on March 13, and, luckily, the sirens weren't needed.

36 of 195 comments (clear)

  1. Garr by cascadingstylesheet · · Score: 2, Insightful

    It's times like that you kinda wish cracking/hacking carried the death penalty ...

    1. Re:Garr by GoTeam · · Score: 5, Informative

      The annoying part is that this happened in 2017 as well in the north Dallas area. It happened in the middle of the night and went on for over an hour. You'd think the other cities in the area would have learned from this vulnerability and fixed the problem. Although that would require local governments to be competent.

    2. Re:Garr by AmiMoJo · · Score: 5, Informative

      The problem is that these systems are old and crap, and can't be secured. The only option is to rip them out and replace them with something better.

      They are radio based. When a particular signal is sent on a particular frequency they sound. Kinda like a garage door opener, but much longer range so that only one high power transmitter can cover a wide area. Unfortunately, like most garage door openers, they are very easy to spoof and the main challenge is transmitting a relatively high power signal and getting away with it.

      Most of these radio based systems are similarly vulnerable. The RDS system, for example, can be spoofed with a few hundred bucks worth of gear bought on eBay.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Garr by DickBreath · · Score: 3, Insightful

      Don't blame the hacking / cracking. Blame the insecure implementation.

      The "kill the messenger" mentality is the underlying cause. Someone comes forward with a vulnerability, they are not taken seriously. Or if they are taken seriously, they are treated as a criminal who must be prosecuted. If not taken seriously, then they prove the vulnerability, which makes them a criminal.

      Maybe it should be a crime to not seriously react to a provable vulnerability and get it fixed.

      --

      I'll see your senator, and I'll raise you two judges.
    4. Re:Garr by pr0fessor · · Score: 3, Interesting

      Garage doors are far from secure, most new cars come with a built in universal garage door opener that can be programed to an older garage door opener in a just a couple minutes with out ever getting out of your car or even knowing the name brand of the garage door opener.

    5. Re:Garr by cascadingstylesheet · · Score: 5, Insightful

      Don't blame the hacking / cracking. Blame the insecure implementation. The "kill the messenger" mentality is the underlying cause. Someone comes forward with a vulnerability, they are not taken seriously. Or if they are taken seriously, they are treated as a criminal who must be prosecuted. If not taken seriously, then they prove the vulnerability, which makes them a criminal. Maybe it should be a crime to not seriously react to a provable vulnerability and get it fixed.

      It's a good thing we can do both - work towards having more secure systems, and also prosecute those who play dangerous games with public safety equipment.

      It doesn't matter how easy the firetruck is to hotwire (or even if the fireman left the keys in it), it's still illegal for me to jump in and take it for a joyride, or steal it. Doesn't matter if I say I was doing it to prove a point about how easy it is to do. I still can't do it.

    6. Re:Garr by tsqr · · Score: 2

      Garage doors are far from secure, most new cars come with a built in universal garage door opener that can be programed to an older garage door opener in a just a couple minutes with out ever getting out of your car or even knowing the name brand of the garage door opener.

      Our opener is at least 15 years old, and for both of our cars required the use of a working remote to program the cars' openers.

    7. Re:Garr by lactose99 · · Score: 2

      Discovering a vulnerability and reporting it to the implementor or manufacturer is one thing, setting-off a false alarm tornado siren is another.

      Apples and oranges, the guy in the later case should be locked-up.

      --
      Fully licensed blockchain psychiatrist
    8. Re:Garr by Jaime2 · · Score: 2

      I don't know, security guys know that IoT vendors won't get off their asses unless a demonstration is made that makes the news. With the current "hush it up" climate, it's the only thing that works.

    9. Re:Garr by drinkypoo · · Score: 3, Insightful

      The problem is that these systems are old and crap, and can't be secured. The only option is to rip them out and replace them with something better.
      They are radio based. When a particular signal is sent on a particular frequency they sound.

      You don't have to throw away the whole system, just the communications part. That's a relatively small portion of the whole. Why don't they base it on some of that encrypted police radio they seem to love so much?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:Garr by gweihir · · Score: 2

      So, if you leave a sum of money on a park-bank, the blame is purely on the person that took it? Yeah, that makes sense. Running insecure critical infrastructure is an invitation to any potential attacker and no better than what the attacker does.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:Garr by dcw3 · · Score: 2

      There are plenty of ways to demonstrate/publicize the problem w/o this kind of BS. Sorry, no excuse.

      --
      Just another day in Paradise
    12. Re:Garr by AmiMoJo · · Score: 4, Informative

      If you had read beyond the first sentence you would have realized that this likely has nothing to do with the internet or IT.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Garr by trg83 · · Score: 2

      IoT?! It's literally Cold War era technology based on incredibly simple RF and tone technology. You could potentially fault a lot of people, but IoT vendors are off the hook here.

    14. Re:Garr by sjames · · Score: 2

      If the intent was purely demonstration, the best way is to set the sirens off a minute before the weekly test. That way, you let the people running the system know they have a problem without panicking the population.

      Setting them off in the wee hours suggests a really annoying and poorly thought out prank.There should be consequences for that, but not the hang-em-high OMG terrorists! sort of consequences some have suggested here.

    15. Re:Garr by sjames · · Score: 2

      Since the attack requires physical presence and the two places hit aren't that big, this really doesn't look much like an international coordinates cyber attack.

      And I said nothing about blaming the victim, though they might should look into an upgrade.

  2. Really? by Drethon · · Score: 2

    I know I'm not adding to the discussion but this just brought my reading to a jarring halt...

    "Thunderstorms are known to produce brief tornadoes"

    Pray tell some other method knowing of producing tornadoes strong enough to risk life and property?

  3. Why... by The+Grim+Reefer · · Score: 2

    Why would anyone think it was good idea to set this off in the middle of the night? I suppose if this was an ISIS hacker I can see why they might. It would obviously be a good idea to have better security on emergency systems. But I find it a shame that it's even necessary. I would like think people would have the decency to not bother systems like this. But I guess when we're in an age where swatting is a thing it's not surprising.

  4. Before we take the city to task ... by 140Mandak262Jamuna · · Score: 5, Interesting
    OK, the warning systems were not secured. It is like leaving the door opened. So one could argue the city should have designed a hacker proof system or it should have worked on double speed to restore it. But, is that a reasonable argument?

    For example, if some vandal spray painted the traffic light covers and make them useless, or drops a sackful of nails on a highway, he/she could cause huge damage. We don't immediately take DoT for not creating secure highways where vadals could not mess with traffic lights or strew nails on the road.

    Invariably in almost all these incidents we keep blaming "the officials", "the authorities". And they instinctively develop CMA tactics. They don't do anything unless they can have a paper trail that lets them shift the blame to someone else.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Before we take the city to task ... by peektwice · · Score: 4, Informative

      Balint Seeber has done some excellent analysis and DefCon presentations on this very topic. They had been warned ahead of time, but if a tree falls in the forest...? https://www.bastille.net/blogs...

      --
      Other than this text, there is no discernible information contained in this sig.
    2. Re:Before we take the city to task ... by cascadingstylesheet · · Score: 3, Insightful

      For example, if some vandal spray painted the traffic light covers and make them useless, or drops a sackful of nails on a highway, he/she could cause huge damage. We don't immediately take DoT for not creating secure highways where vadals could not mess with traffic lights or strew nails on the road.

      Precisely.

      Believe it or not, it's legal to leave your door unlocked, and if someone comes in and commits crimes they are still guilty.

    3. Re:Before we take the city to task ... by sunking2 · · Score: 2

      Because we live in a society where there are enough people that do not respect the common good. They believe if you aren't actively stopping them then it is perfectly ok. People also seemingly believe that there is an endless government budget to continually update these systems. It wouldn't surprise me if many of these things were 20+ years old, even 40+ years old wouldn't really surprise me. While we don't use them around here, there are similar sirens in the northeast that are 50s cold war tuck and duck era that are still functioning.

    4. Re:Before we take the city to task ... by jeff4747 · · Score: 2

      There is a danger that such a system might fail in the event of an emergency

      This angle needs to be given far more thought when people talk about "securing" these systems.

      Assuming the current extremely-low false alarm rate, the risk of the sirens not going off due to "whops, the cert expired" or similar is greater than the risk of false alarms.

      If the false alarm-rate goes up enough that people start ignoring the warning, then the calculus changes.

    5. Re:Before we take the city to task ... by Gojira+Shipi-Taro · · Score: 2

      Here's the thing though. YOU don't get to set the priority for replacing a cold war era system that is a public safety system. You damned sure don't get to interfere with it or abuse it, EVEN IF IT IS POORLY SECURED BY TODAYS STANDARDS.

      Jesus fucking christ on a cracker. Did none of you fucking learn "NOT YOURS. DON'T TOUCH" when you were kids?

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
  5. and this is how restrictions get into place by onepoint · · Score: 2

    Sadly, a stupid stunt like this from some unknown party makes everyone's life harder.
    Why?

    A) blame games
    B) You should have know games ( Defcon had a topic about this )
    C) local government will raise taxes to cover the repair and security of the system.

    So people will get extremely tough and demand harsher punishments for criminals if ever caught.

    it's getting worse.

    --
    if you see me, smile and say hello.
  6. No mercy by jjshoe · · Score: 4, Insightful

    Somewhere someone doesn't know it yet, but they are going to get the book tossed at them. We have a whole host of natural disasters that can hit, and for all of them seconds count. Almost everyone gets a warning they can react to when it comes to tornados.

    Should anyone lose their lives as a result of these systems being turned off, the culprit should get a manslaughter count for each one.

    I'm all for ethical hacking, but this is no where near close.

    --
    -- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
    1. Re:No mercy by drinkypoo · · Score: 4, Insightful

      Somewhere someone doesn't know it yet, but they are going to get the book tossed at them.
      [...]
      Should anyone lose their lives as a result of these systems being turned off, the culprit should get a manslaughter count for each one.

      Yes, the person who decided not to upgrade them, the person who decided to shut them off and the person who decided not to send someone to activate them manually in an emergency should all be held accountable for such deaths. The prankster, on the other hand, should be prosecuted as permitted by the law for tampering with emergency systems.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Not necessarily an easy fix by sjbe · · Score: 5, Insightful

    You'd think the other cities in the area would have learned from this vulnerability and fixed the problem.

    Believe it or not, it's not at all unlikely that word of the problem never got to the right people. And even if they were aware of it it's not axiomatic that they would be able to fix the problem. They might not have the budget or it might require coordination with (possibly uncooperative) other municipalities or it might be technologically impossible to "fix" the problem with existing equipment and budget. Stuff like this usually requires budgeting and possibly even taxpayer approval and doesn't tend to happen overnight.

    Although that would require local governments to be competent.

    Sigh... Just because not everything happens perfectly all the time does not imply local government is incompetent. Did it occur to you that the tech involved might be old and that the taxpayers haven't approved the money to replace the equipment? It's entirely plausible they don't have the resources to deal with the problem even if they are aware of it.

    The meme that government is incompetent is really tired. No institution does everything perfectly, public or private. Just because they have a failure in one task it does not follow that they are generally incompetent. There are lots of things you don't do well either. Should we declare you to be incompetent every time you overlook something or don't handle it perfectly?

    1. Re:Not necessarily an easy fix by Archangel+Michael · · Score: 2

      The more likely scenario is that the story went something like this.

      IT People: "Hey, we have vulnerable systems, we need $$ and $$$ to secure them properly"
      Mayor's People: "Sorry, I have this program here that is pure ego boosting and is quite flashy, you don't get anything for your budget. In fact, I need some of what you used to have back"
      IT People: "Okay, but when this shit goes south, and you try to blame me, I have this Email showing you said "no" to fixing this problem.
      Mayor's People: "Ummmm you gonna vote for me again, right?"

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Not necessarily an easy fix by dcw3 · · Score: 2

      The meme that government is incompetent is really tired

      So what? You can't handle the truth? Clearly, you also can't tell the difference between a job that the government should do well, and a civilian who, knowing that they can't do the job, would have hired someone who is competent.

      I've been dealing with federal government contracts for forty years, and can talk to you all day about incompetence in their contracting system. Why do you think it's nearly impossible to fire an incompetent government worker?

      --
      Just another day in Paradise
  8. Re:Six Months at Least by jjshoe · · Score: 2

    The system isn't connected to the internet.

    --
    -- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
  9. Re: well if some died then they can get manslaught by Type44Q · · Score: 2

    "Do the Death Penalty" - .you make it sound like a dance move.

  10. Re: Government competency by diaz · · Score: 4, Insightful

    Everyone complains about government incompetence, but nobody wants to pay to have a competent government.

  11. How most of these systems work.... by RedShoeRider · · Score: 5, Informative
    Because I haven't seen a complete explanation yet.....

    The vast, vast majority of the public alert systems in the USA were installed in the 1950's/60's. It's a dumb-simple system that has been hackable since then, too, using the same tools that are available now. The vast majority of the systems are RF based: It's simple carrier frequency that carries a particular pair or frequencies or a particular DTMF pattern that triggers the siren system. For my town, for instance, it's a carrier on 48.90mhz, and a 4-digit DTMF on the carrier, each one about 0.25 second long that tells the siren box what pattern to signal and how long signal it for. There's also a two-tone pair (about 1.4khz and 1.9khz) that signals the siren to stay on until it's signaled to turn off again.

    The beauty of the system is its simplicity: it just works. No IoT bullshit, no computers being cranky, no downed wires matter. So long as the police station can broadcast the signal and the sirens have power, the system works. We've even tested it using a hand-held radio and two tuning forks, so in the unlikely event the police station was out of power or otherwise unuseable, we can still set the whole system off. Having a IoT, 256-bit AES 2xROT system would be useless if we're standing in the middle of a shitstorm and need to get the public's attention.

    Disclaimer: am a volunteer firefighter and help keep this system running in our town

    --

    Chris Knight is my hero.

  12. Idiot posters here without a clue, read and learn by pgmrdlm · · Score: 2

    The majority of siren systems intentionally use wireless radio technology instead of internet connectivity to communicate as a security precaution, says Aaron Wolking, the national sales manager of Sentry Siren. To interfere with that set-up, a hacker would need the radio frequencies, code formats, and specific five to eight-digit codes to be able to access a particular siren system. The industry also offers widely used additional security protections, like the "continuous tone-coded squelch system," that keeps radios from from receiving and executing commands sent without additional access codes.
    .
    .
    .
    To pull off this weekend's siren episode, hackers would have needed extensive knowledge of the frequencies and codes used in the Dallas siren system to make them all go off at once. This could be particularly challenging, depending on the setup, because each siren might communicate with the control center independently, so officials have the choice of turning only one or a few of them on, or activating all of them depending on the situation. Dallas officials confirmed over the weekend that the breach came from within Dallas, because hackers would have needed to be physically close to the radio signals sent to each siren. They added that the commands to the sirens didn't come from their central control systems, something officials would naturally check first to see if the sirens had been activated by accident.

    https://www.wired.com/2017/04/dallas-siren-hack-wasnt-novel-just-really-loud/

    --
    Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
  13. Re:How ? by jeff4747 · · Score: 2

    Most of these are very old systems that have zero security, triggered by a particular RF signal that pretty much anyone could transmit with some gear.

    And it's not particularly clear that locking them down is all that good a plan. That ancient, simple system will go off when needed whereas a more "secure" system has many, many more failure modes.