
Dallas tornado sirens hacked last night turning on all of them - techman9
https://twitter.com/JasonWhitely/status/850795455084716033
======
jcrawfordor
These types of systems are typically radio controlled, and their reference to
working with the FCC (regulator of radio transmissions) makes it pretty clear
that the vector here was via radio.

The control system is usually very simple - newer systems might use FSK
digital signalling or even 900MHz spread spectrum, but a lot of siren systems
out in the field right now are controlled by DTMF over business band radio,
usually using the same frequency as the mobile radios of whatever department
installed the system, just to avoid the overhead of getting a new license.

So it's likely that someone here just worked out what frequency the siren
controllers listen on and what protocol they use, both of which could be done
pretty easily just by going through frequencies the municipal government has
licenses for and trying common manufacturers' commands, using a typical
commercial radio (or anything they could get to transmit in those bands - e.g.
firmware hacked amateur equipment, SDRs, etc). There are lots of ways to take
informed guesses at these parameters too, e.g. manufacturer labels on the
control cabinets might reveal what protocol is in use.

Just taking a wild guess from licenses in the area, Dallas's sirens might be
controlled off of the city's POCSAG paging system. It looks like it has solid
coverage and Federal Signal (major siren manufacturer) makes POCSAG-capable
controllers. POCSAG is an FSK digital protocol, and there's open source software
to implement it. Since Dallas conducts regular tests it would be a simple
thing to monitor their POCSAG frequency during the test and see if you receive
any pages to special numbers.

As far as catching the crooks... well, the FCC has an enforcement division,
but it is well known to be small and largely powerless these days when it
comes to local radio issues. Just because of the physical difficulty of radio
direction finding and monitoring a large country, the FCC probably won't be
able to do a thing unless the offenders make a habit of it, allowing someone
to bring in radio direction finding equipment and catch them in the act.

The complete lack of security in many radio-controlled systems is a real
concern. Other areas you find highly exploitable radio control schemes include
various kinds of industrial automation and infrastructure systems. A trivial
example people might be inclined to casually hack on, besides municipal
sirens, would be irrigation. A lot of golf courses have a
DTMF-over-handheld-radio control facility for their irrigation to aid groundskeepers in
maintenance. Particularly easy to get a hold of since there's only a couple of
manufacturers of these systems and most golf courses will only have a license
for one business band frequency.
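
An added illustration (not part of the comment above, and not any vendor's actual protocol) of why a static command code accepts any retransmission, next to a controller that checks an HMAC and a monotonic counter on each frame. The key, command code, legacy code string and frame layout are all constructed for the example.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed shared secret (assumption)
ACTIVATE = 0x01                 # hypothetical command code
LEGACY_CODE = b"1234#"          # constructed static tone sequence

class LegacyController:
    """Static-code scheme: any frame equal to the code activates, every time."""
    def receive(self, frame: bytes) -> bool:
        return frame == LEGACY_CODE

def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Hypothetical layout: 8-byte counter, 1-byte command, 8-byte truncated HMAC."""
    body = struct.pack(">QB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class AuthenticatedController:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0   # highest counter accepted so far

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 17:
            return False
        body, tag = frame[:9], frame[9:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False        # forged or corrupted frame
        counter, command = struct.unpack(">QB", body)
        if counter <= self.last_counter:
            return False        # replay of an already-seen frame
        self.last_counter = counter
        return command == ACTIVATE

def demo():
    legacy = LegacyController()
    legacy.receive(LEGACY_CODE)                  # original transmission
    legacy_replay = legacy.receive(LEGACY_CODE)  # retransmission also accepted
    ctrl = AuthenticatedController(KEY)
    frame = make_frame(KEY, 1, ACTIVATE)
    first = ctrl.receive(frame)                  # genuine frame accepted
    replay = ctrl.receive(frame)                 # same bytes again: rejected
    forged = ctrl.receive(make_frame(b"wrong-key", 2, ACTIVATE))
    return legacy_replay, first, replay, forged

if __name__ == "__main__":
    print(demo())
```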

~~~
cyberpunk
Fascinating, thanks for your comment! How would an attack like this look?
Would every siren need to receive this broadcast then, and if so wouldn't that
put the broadcast power required to pull this off above most consumer gear?

If that's the requirement, isn't that a poor design? I knock out one or two
points in the city and the sirens are unusable?

~~~
zorm
There were mentions of the repeater system last night, so my guess is they
transmitted weakly somewhere and the repeater happily repeated it out to
activate all the sirens.

You can do this pretty trivially with HAM gear, although some may require
small modifications to allow transmitting on the necessary frequencies. You
can also often buy the equipment on eBay ready to go.

~~~
cyberpunk
I didn't see that, got a link?

I sort of felt (in my ignorance of such systems) that this would have been
somehow relayed / repeated instead of being a broadcast across an entire city
but I didn't want to speculate as I'm clueless on this kind of tech.

I know it's a nuisance, but this is the sort of thing I daydreamed about doing
when I was 13 so I can't help but be kind of entertained by it (at least while
the only fallout appears to be knocking people out of bed).

------
capty99
All my Dallas friends (used to live there) were posting about waking up to
this. Those things are frikkin loud if you are close to them. Let alone the
annoyance, I'm sure this was a distraction to first responders; hope nobody
got hurt.

------
cyberpunk
I would love to hear the technical details on this one... Systems like these
tend to be so old and unmaintained, I can't understand why it would need to be
hooked up to the network instead of being a big red button in an office
somewhere, and learning how it was owned might let me work that bit out :)

------
marklyon
Let's connect everything to the internet, they said. It will be great, they
said.

~~~
reustle
Having them connected to the internet would have probably prevented this,
actually.

