In-brief: The weekend hack of civil defense sirens in Dallas, Texas is similar to two incidents in Illinois in 2012. The underlying problem? Woeful security for emergency alerting and other civil defense systems in the U.S., according to security experts.
The weekend hack of civil defense sirens in Dallas, Texas isn’t the first time that such emergency response systems have fallen to hackers and it likely won’t be the last, according to security experts who say that the security of emergency alerting systems, including 911, continues to be overlooked.
Unidentified hackers set off all 156 of the City of Dallas’s civilian defense sirens late Friday evening and early Saturday morning, disrupting sleep for hundreds of thousands of residents. The sirens were activated more than a dozen times, according to a report by the Dallas Morning News. The stunt resulted in a flood of calls to 911 by confused residents and, according to published reports, was the product of a radio-frequency based attack on the sirens, triggering the devices using tones.
The Federal Communications Commission (FCC) has been in contact with the City of Dallas about the incident and “take(s) very seriously allegations regarding activities that may interfere with public safety,” according to a statement by Will Wiquist, a Deputy Press Secretary at FCC.
But the incident in Dallas is not the first such hack of a civil defense siren network. In 2012, for example, civil defense horns in two Illinois communities were hacked and set off. Sirens in Evanston and Lemont, Illinois, outside Chicago, were triggered on the evening of June 30, 2012. That incident, which was reported by The Chicago Tribune, required authorities to power off the devices, as was the case in Dallas.
Five years after that attack, however, and despite other examples of emergency alert system compromises, civil defense and emergency systems are still easy prey for hackers who might hack the software of management systems or physically tamper with hardware deployed in the field, said Steve Jung, a security researcher and penetration tester who has helped assess the security of such systems.
Jung said that sirens may be managed via radio frequency, wireless networking or even wired, fiber optic cabling. The hack in Dallas could be the result of either a hack of a central command station used to manage the sirens or a radio frequency (RF) based attack – or some combination of the two.
Typically, a city will have just one central computer workstation that is used to manage a city-wide deployment of civil defense horns. Hacking into that system, either from the network it’s connected to or by gaining physical or logical access to the actual terminal, is all that’s needed to carry out the kind of attack seen in Dallas over the weekend, he said.
It wouldn’t be the first time. In 2013, for example, software and equipment by the firm Monroe that is used to manage emergency alert systems was the target of a hack during which EAS equipment operated by broadcasters in Montana, Michigan and other states was compromised and used to issue an alert claiming that the “dead are rising from their graves,” and advising residents not to attempt to apprehend them. Researcher Mike Davis of the firm IOActive discovered those flaws and, later, flaws in the digital alerting systems – DASDEC – application servers, which receive and authenticate EAS messages. A scan of the public Internet at the time by IOActive found 412 systems running vulnerable Monroe Electronics software. A subsequent patch by Monroe, meant to address some security issues in its products, failed to address serious security issues.
The software that controls civil defense and alerting systems like the Dallas sirens is often vulnerable to both network and application-focused attacks, experts say. “I would venture to guess that this is a relatively new frontier for that kind of software – even to think about an application focused attack,” Jung said. “In 20 years in (information security) I’ve never seen static code analysis of one of those boxes,” he said, referring to the siren systems.
While software-based attacks can give hackers control over an entire network of civil defense sirens, individual horns are even more susceptible to attack, Jung said. “There’s just not a lot of heavy-duty security. You have a screw holding the case closed and the ability to use a physical lock, but in my experience most are not locked down.” An attacker with a ladder and screwdriver can easily open the box and set off the siren if she knows what she’s doing, he said.
Insecurity is driven by a number of factors, experts agree. One is budget: as municipalities trim discretionary spending, resources for addressing the security and integrity of legacy systems like civil defense horns disappear, Jung said.
Culture also plays a role. The culture of emergency response is often dominated by engineers more comfortable with radios and broadcast media than networking and computers. That can complicate the job of pushing security patches and other fixes down to customers.
“These are tube and wires guys,” Ed Czarnecki, the Head of Strategy and Regulatory Affairs at Monroe, told Security Ledger back in 2013. “They’re deeply embedded with RF (radio frequency) technologies and they have a radio mentality.”
And there’s little evidence that either the federal government or municipalities have learned the lesson of earlier events. Asked what the city of Evanston, Illinois had learned from the 2012 hack of its tornado and civil defense sirens, Dwight Hohl, that city’s Division Chief of Emergency Preparedness and Special Operations, said he couldn’t recall either the cause of the 2012 incident or what steps had been taken to address the problem. Hohl was busy fielding calls from alarmed residents following the city’s most recent, planned testing of the civil alert horns.