SirenJack bug puts emergency alert sirens at risk for hacks

Researchers have found a vulnerability in emergency-alert systems provided by ATI Systems that could put millions at risk by allowing hackers to sound false alarms or otherwise mislead the public in regards to warning of natural and man-made disasters in the United States.

Bastille, which specializes in software-defined radio enterprise threat detection, on Tuesday revealed the bug, dubbed SirenJack, noting their researchers initially discovered it at the ATI installation in the City of San Francisco 90 days ago. They later also confirmed the vulnerability at a second installation in Sedgwick County, Kansas.

SirenJack has the potential to wreak havoc because hackers can remotely exploit it via radio frequencies to activate all emergency-alert sirens at will–triggering false alarms for events such as tsunamis, earthquakes, hurricanes, tornadoes, chemical spills, terrorist attacks, active shooters and other potentially disastrous events that could cause widespread panic, according to the firm.

Sirens supporting the emergency-alert system in the City of San Francisco. Security firm Bastille found a vulnerability dubbed “SirenJack” on the city’s system, which is provided by ATI Systems. The bug would allow remote access by hackers via radio signals. (Source: Bastille)

The key aspect of the vulnerability lies in an unencrypted, insecure radio protocol that controls the ATI sirens that Bastille monitored, the company said. A bad actor could exploit the protocol to find the radio frequency assigned to a system and transmit malicious activation messages from his or her own radio to set off the system.

The exploit is such that attackers could launch a coordinated attack to activate sirens across multiple deployments–for example at a power plant and nearby military installation–to optimize disruption, according to Bastille.

ATI is working on a patch for the City of San Francisco, but Bastille has not been asked to verify the fix, the company said. Meanwhile, Bastille is urging users of ATI’s siren-based systems to investigate whether their systems also are vulnerable.

ATI, meanwhile, has expressed its full cooperation to fix the problem. “ATI is fully supportive of all of our clients and will be on standby if anyone is concerned about hacking or vulnerabilities in their system,” said Ray Bassiouni, President and CEO of ATI Systems, in a press statement.

Remediation measures in effect

Balint Seebers (@spenchdotnet), director of threat research at Bastille, said that while his company hasn’t been made privy to the details of the ATI patch, it seems to require the upgrade of both software and firmware so that the system can understand the new encrypted protocol.

“Through passive observation over the past few weeks, I have heard radio technicians on San Francisco’s siren system frequency performing radio link tests at each siren pole,” he told Security Ledger. “I can hear them on the radio saying, ‘Siren test one, two, three, four,’ which makes me guess that they were upgrading the firmware on the controller board at each pole and performing general maintenance.”

The team in Sedgwick County also has been working with ATI to remedy their situation and has reported to Bastille that they were satisfied with the company’s approach, Seeber added.

ATI’s customers include a number of urban and rural communities, military installations, universities and industrial sites–including oil and nuclear power generation plants. In addition to the City of San Francisco, other named customers include One World Trade Center, Indian Point Energy Center nuclear power station, the University of Massachusetts at Amherst and the West Point Military Academy.

Seeber began Bastille’s investigation into the potential for vulnerabilities in the City of San Francisco’s system in 2016 after noticing that the city’s Outdoor Public Warning System used RF communications. He analyzed the radio protocol and determined that the commands were not encrypted, making the system vulnerable to forgery of system commands and malicious activation, he said.

Emergency warning systems are the primary means for the federal, local and state governments to notify people of legitimate threats to public health and well-being. When the systems raise false alarms, it can cause needless panic and concern, as well as cause the public to distrust the systems and potentially not pay appropriate attention if alerted to a real and present danger.

In addition to the possibility of sending false alerts by exploiting SirenJack, there is another specific feature of ATI Systems’ sirens that hackers can exploit that could also cause serious public disruption: a live public address mode, Seeber said.

“An attacker could activate this mode, and then send any alert tones or a false spoken message across the radio channel,” he told us. “This would then be rebroadcast as audio from all sirens in a deployment.”

Widespread panic and disaster averted–for now

Attacks on critical infrastructure in the United States and globally are on the rise. While most think of utilities such as electricity and oil and gas providers as key targets, emergency-alert systems also seem now to be in the crosshairs of hackers or state actors that want to cause mass disruption or destruction, or use public confusion as a distraction to perform other nefarious actions.

About a year ago, someone hacked into the emergency-alert system in Dallas, blaring its 156 emergency sirens in unison about 15 times for about 90 seconds each time.  In that incident, sirens by the firm Federal Signal were hacked and set off in Dallas.

A close-up look at sirens used in emergency-alert systems.

And, in January, a mobile alert was sent to Hawaiian residents erroneously warning them that a missile was on its way to the islands—the result of an employee literally pushing a wrong button. The message caused panic and confusion, as people sought shelter or to find loved ones in the 38 minutes before the state sent a message telling people the alert was a mistake.

[Read “Hack of Dallas sirens not the first or last of emergency systems.“]

But if social media posts from the latter incident are to be believed, even in their panic people remained relatively orderly or—in total Hawaiian fashion–went surfing for what they thought might be one last time more than they created widespread chaos in the streets.

Indeed, so far mishaps in emergency-alert systems—whether bad actor-driven or not—have been more annoyances than incidents causing the mass disruption such as violence or even accidental injuries or death that’s feared, even if the potential is certainly there.

Still, even if dire consequences don’t necessarily ensue from a siren hack, manipulating emergency-alert systems to send false threat warnings or otherwise misinform the public undermines people’s confidence in the systems integral to help keeping them safe, Seeber said.

“Siren systems remain the primary mode of alerting the public en masse outdoors,” he said. “People will naturally react in different ways to an alert, but as this is public safety infrastructure, we must all operate under the assumption that an alert will always be legitimate, and therefore give people the best information so they can make the appropriate choices. False alarms reduce system confidence, and reduce the likelihood that the public will take the necessary action in the event of a real emergency.”