Hacked Tornado Sirens Taken Offline In Two Texas Cities Ahead of Major Storm (zdnet.com)
An anonymous reader quotes a report from ZDNet: A hacker set off the tornado emergency sirens in the middle of the night last week across two North Texas towns. Following the unauthorized intrusion, city authorities had to shut down their emergency warning system a day before major storms and potential tornados were set to hit the area. The false alarm caused quite the panic in the two towns, as locals were already on the edge of their seats regarding incoming storms. The city had run tests of the tornado alarm sirens a week before, but the tests were set during the middle of the day and had long concluded. The two hacked systems were taken offline the next morning, and have remained offline ever since.
Bad weather, including storms and potential tornadoes, was announced for all last week in the North Texas area. A severe thunderstorm hit the two cities the following night, on March 13. Thunderstorms are known to produce brief tornadoes, but luck had it that no tornado formed and hit the towns that day. Tornadoes are frequent in Texas, as the state is located in Tornado Alley, and tornado season, a period of the year between March and May when most tornadoes happen, had officially begun. Nevertheless, a tornado didn't form on March 13, and, luckily, the sirens weren't needed.
The annoying part is that this happened in 2017 as well in the north Dallas area. It happened in the middle of the night and went on for over an hour. You'd think the other cities in the area would have learned from this vulnerability and fixed the problem. Although that would require local governments to be competent.
For example, if some vandal spray painted the traffic light covers and made them useless, or dropped a sackful of nails on a highway, he/she could cause huge damage. We don't immediately take DoT for not creating secure highways where vandals could not mess with traffic lights or strew nails on the road.
Invariably in almost all these incidents we keep blaming "the officials", "the authorities". And they instinctively develop CMA tactics. They don't do anything unless they can have a paper trail that lets them shift the blame to someone else.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The problem is that these systems are old and crap, and can't be secured. The only option is to rip them out and replace them with something better.
They are radio based. When a particular signal is sent on a particular frequency they sound. Kinda like a garage door opener, but much longer range so that only one high power transmitter can cover a wide area. Unfortunately, like most garage door openers, they are very easy to spoof and the main challenge is transmitting a relatively high power signal and getting away with it.
Most of these radio based systems are similarly vulnerable. The RDS system, for example, can be spoofed with a few hundred bucks worth of gear bought on eBay.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Don't blame the hacking / cracking. Blame the insecure implementation.
The "kill the messenger" mentality is the underlying cause. Someone comes forward with a vulnerability, they are not taken seriously. Or if they are taken seriously, they are treated as a criminal who must be prosecuted. If not taken seriously, then they prove the vulnerability, which makes them a criminal.
Maybe it should be a crime to not seriously react to a provable vulnerability and get it fixed.
I'll see your senator, and I'll raise you two judges.
Somewhere someone doesn't know it yet, but they are going to get the book tossed at them. We have a whole host of natural disasters that can hit, and for all of them seconds count. Almost everyone gets a warning they can react to when it comes to tornados.
Should anyone lose their lives as a result of these systems being turned off, the culprit should get a manslaughter count for each one.
I'm all for ethical hacking, but this is nowhere near close.
-- botsex is {grep;touch;strip;unzip;head;mount}
You'd think the other cities in the area would have learned from this vulnerability and fixed the problem.
Believe it or not, it's not at all unlikely that word of the problem never got to the right people. And even if they were aware of it, it's not axiomatic that they would be able to fix the problem. They might not have the budget or it might require coordination with (possibly uncooperative) other municipalities or it might be technologically impossible to "fix" the problem with existing equipment and budget. Stuff like this usually requires budgeting and possibly even taxpayer approval and doesn't tend to happen overnight.
Although that would require local governments to be competent.
Sigh... Just because not everything happens perfectly all the time does not imply local government is incompetent. Did it occur to you that the tech involved might be old and that the taxpayers haven't approved the money to replace the equipment? It's entirely plausible they don't have the resources to deal with the problem even if they are aware of it.
The meme that government is incompetent is really tired. No institution does everything perfectly, public or private. Just because they have a failure in one task it does not follow that they are generally incompetent. There are lots of things you don't do well either. Should we declare you to be incompetent every time you overlook something or don't handle it perfectly?
Garage doors are far from secure, most new cars come with a built in universal garage door opener that can be programmed to an older garage door opener in just a couple minutes without ever getting out of your car or even knowing the name brand of the garage door opener.
Don't blame the hacking / cracking. Blame the insecure implementation. The "kill the messenger" mentality is the underlying cause. Someone comes forward with a vulnerability, they are not taken seriously. Or if they are taken seriously, they are treated as a criminal who must be prosecuted. If not taken seriously, then they prove the vulnerability, which makes them a criminal. Maybe it should be a crime to not seriously react to a provable vulnerability and get it fixed.
It's a good thing we can do both - work towards having more secure systems, and also prosecute those who play dangerous games with public safety equipment.
It doesn't matter how easy the firetruck is to hotwire (or even if the fireman left the keys in it), it's still illegal for me to jump in and take it for a joyride, or steal it. Doesn't matter if I say I was doing it to prove a point about how easy it is to do. I still can't do it.
The problem is that these systems are old and crap, and can't be secured. The only option is to rip them out and replace them with something better.
They are radio based. When a particular signal is sent on a particular frequency they sound.
You don't have to throw away the whole system, just the communications part. That's a relatively small portion of the whole. Why don't they base it on some of that encrypted police radio they seem to love so much?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If you had read beyond the first sentence you would have realized that this likely has nothing to do with the internet or IT.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Everyone complains about government incompetence, but nobody wants to pay to have a competent government.
The vast, vast majority of the public alert systems in the USA were installed in the 1950's/60's. It's a dumb-simple system that has been hackable since then, too, using the same tools that are available now. The vast majority of the systems are RF based: It's a simple carrier frequency that carries a particular pair of frequencies or a particular DTMF pattern that triggers the siren system. For my town, for instance, it's a carrier on 48.90 MHz, and a 4-digit DTMF on the carrier, each one about 0.25 second long, that tells the siren box what pattern to signal and how long to signal it for. There's also a two-tone pair (about 1.4 kHz and 1.9 kHz) that signals the siren to stay on until it's signaled to turn off again.
The beauty of the system is its simplicity: it just works. No IoT bullshit, no computers being cranky, no downed wires matter. So long as the police station can broadcast the signal and the sirens have power, the system works. We've even tested it using a hand-held radio and two tuning forks, so in the unlikely event the police station was out of power or otherwise unusable, we can still set the whole system off. Having an IoT, 256-bit AES 2xROT system would be useless if we're standing in the middle of a shitstorm and need to get the public's attention.
Disclaimer: am a volunteer firefighter and help keep this system running in our town
Chris Knight is my hero.
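An added example, not part of the thread or of any vendor's code: it contrasts the fixed-code trigger described in the comments above with a replacement for only the communications part, where each activation carries a counter and an HMAC tag so that a recorded transmission is rejected on replay. The key, code value, frame layout and class names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration only; not taken from any real siren system.
STATIC_CODE = b"1234"            # stands in for a fixed tone sequence
KEY = bytes(range(32))           # constructed shared secret (controller + siren)
BODY = struct.Struct(">QB")      # assumed layout: 8-byte counter, 1-byte action

class StaticReceiver:
    """Legacy model: any transmission carrying the fixed code activates."""
    def accept(self, frame: bytes) -> bool:
        return frame == STATIC_CODE

def make_command(key: bytes, counter: int, action: int) -> bytes:
    """Controller side: body followed by an HMAC-SHA256 tag over the body."""
    body = BODY.pack(counter, action)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class AuthenticatedReceiver:
    """Siren side: verify the tag, then require a strictly increasing counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0    # must survive power loss in a real device

    def accept(self, frame: bytes) -> bool:
        if len(frame) != BODY.size + 32:
            return False
        body, tag = frame[:BODY.size], frame[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False         # forged or corrupted frame
        counter, _action = BODY.unpack(body)
        if counter <= self.last_counter:
            return False         # replayed or stale frame
        self.last_counter = counter
        return True

def demo() -> dict:
    legacy, rx = StaticReceiver(), AuthenticatedReceiver(KEY)
    frame = make_command(KEY, 1, 1)
    tampered = frame[:8] + bytes([frame[8] ^ 1]) + frame[9:]  # action byte flipped
    return {
        "legacy_first": legacy.accept(STATIC_CODE),
        "legacy_replay": legacy.accept(STATIC_CODE),   # same bytes work forever
        "auth_first": rx.accept(frame),
        "auth_replay": rx.accept(frame),               # counter already used
        "auth_tampered": rx.accept(tampered),          # tag no longer matches
        "auth_next": rx.accept(make_command(KEY, 2, 1)),
    }
```

Accepting any counter above the last one seen lets a siren that missed a broadcast still act on the next, which matters on a one-way radio link; the frame is authenticated rather than encrypted, so it stays small enough for a low-rate channel.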