Researchers at Bastille, a company that specializes in detecting threats through software-defined radio, have uncovered a new method that can be used to remotely hack emergency warning systems.
Sirens are used worldwide to alert the public of natural disasters, man-made disasters, and emergency situations, including tornadoes, hurricanes, floods, volcanic eruptions, nuclear accidents, chemical spills, and terrorist attacks. False alarms can cause widespread panic and annoyance.
Researchers say they have discovered a new attack method that allows hackers to remotely trigger sirens. This type of attack, dubbed SirenJack, is possible due to a vulnerability found in emergency alert systems made by ATI Systems, a company whose products are used by major cities, universities, military facilities, and industrial sites.
According to Bastille, the vulnerability, related to the use of insecure radio protocol controls, was initially found in the system used by the city of San Francisco and later confirmed at a second installation.
Bastille researcher Balint Seeber started analyzing the city’s outdoor public warning system in 2016 after noticing that it had been using RF communications. An analysis of the system showed that commands were sent without being encrypted, allowing a malicious actor to forge commands.
Attackers need to identify the radio frequency used by the targeted siren and send the system a specially crafted message that triggers an alarm.
“A single warning siren false alarm has the potential to cause widespread panic and endanger lives,” said Chris Risley, CEO of Bastille Networks. “Bastille informed ATI and San Francisco of the vulnerability 90 days ago, to give them time to put a patch in place. We’re now disclosing SirenJack publicly to allow ATI Systems’ users to determine if their system has the SirenJack vulnerability. We also hope that other siren vendors investigate their own systems to patch and fix this type of vulnerability.”
ATI Systems has been made aware of the vulnerability and it has created a patch that adds an additional layer of security to the packets sent over the radio. The company says the patch is being tested and will be made available shortly, but noted that installing it is not an easy task considering that many of its products are designed for each customer’s specific needs.
While Bastille has made it sound like an attack is easy to launch due to the unencrypted protocol, ATI Systems told customers not to panic, pointing out that the cybersecurity firm monitored its product for months before figuring out how to launch an attack.
ATI noted that its current products no longer use the old control protocols that often allowed malicious actors and pranksters to trigger false alarms. However, the company admitted that the system used in San Francisco was installed 14 years ago and acquiring a highly secure system, such as the ones used on military bases, can be too expensive for a city.
This is not the only interesting wireless attack method discovered by researchers at Bastille. The company has also targeted home networks (CableTap), wireless keyboards (KeySniffer), and mouse/keyboard dongles (MouseJack).