
Radio Hacker Can Hijack Emergency Sirens to Play Any Sound - rbanffy
https://www.wired.com/story/this-radio-hacker-could-hijack-emergency-sirens-to-play-any-sound/
======
ashleyn
Although this is an entirely different system, it brings to mind how badly
insecure the US Emergency Alert System is, which is used for television and
radio alerts.

EAS was designed in the late eighties, when infosec was not a well-
established, household-name field. It works by relaying an unencrypted signal;
that rather unsettling data burst you hear when there's an Amber Alert or a
thunderstorm warning. There's no authentication on this. There's no
encryption. Literally anyone with software to generate NOAA SAME tones,
together with a software-defined radio and amplifier, can walk near one of a
handful of "primary entry points" and belt out an alert that gets mindlessly
repeated across the country. It's already happened on a local level by simply
logging into network-connected endecs at TV stations; probably none of them
changed the default passwords.

Every day I see something like this, I'm reminded of why anyone still
considers security-by-obscurity to be a sound strategy. State actors are the
prime target of vulnerabilities you call obscure.
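
The header format the comment above refers to, as an added example (not part of the original thread): a parser for the SAME header layout defined in 47 CFR 11.31, plus illustrative plausibility checks a relaying station can apply. The sample header, the station ID `EXAMPLE1`, the `monitored` list and the 15-minute clock tolerance are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Header layout (47 CFR 11.31): ZCZC-ORG-EEE-PSSCCC[-PSSCCC...]+TTTT-JJJHHMM-LLLLLLLL-
SAME_RE = re.compile(
    r"^ZCZC-(?P<org>[A-Z]{3})-(?P<event>[A-Z0-9]{3})(?P<areas>(?:-\d{6}){1,31})"
    r"\+(?P<purge>\d{4})-(?P<issued>\d{7})-(?P<station>[^-]{8})-$"
)
ORIGINATORS = {"PEP", "CIV", "WXR", "EAS"}
# Constructed sample: tornado warning, one area code, issued day 100 at 18:30 UTC.
SAMPLE = "ZCZC-WXR-TOR-029095+0030-1001830-EXAMPLE1-"

def parse_same(header, year):
    """Split a SAME header into fields; every field is plain sender-chosen ASCII."""
    m = SAME_RE.match(header)
    if m is None:
        raise ValueError("not a well-formed SAME header")
    day, hh, mm = int(m["issued"][:3]), int(m["issued"][3:5]), int(m["issued"][5:])
    if not 1 <= day <= 366:
        raise ValueError("day of year out of range")
    # The header carries no year, so the receiver has to assume one.
    issued = datetime(year, 1, 1, hh, mm, tzinfo=timezone.utc) + timedelta(days=day - 1)
    valid_for = timedelta(hours=int(m["purge"][:2]), minutes=int(m["purge"][2:]))
    return {"org": m["org"], "event": m["event"], "areas": m["areas"][1:].split("-"),
            "issued": issued, "expires": issued + valid_for, "station": m["station"]}

def relay_findings(header, now, seen, monitored):
    """Plausibility checks before forwarding; returns reasons to hold for review."""
    msg = parse_same(header, now.year)
    findings = []
    if msg["org"] not in ORIGINATORS:
        findings.append("unknown originator code")
    if msg["station"] not in monitored:          # hypothetical allow-list
        findings.append("station ID not on monitored-source list")
    if msg["issued"] > now + timedelta(minutes=15):  # assumed clock tolerance
        findings.append("issue time is in the future")
    if msg["expires"] < now:
        findings.append("valid time period has expired")
    if header in seen:
        findings.append("duplicate of a header already handled")
    seen.add(header)
    return findings

if __name__ == "__main__":
    now = datetime(2018, 4, 10, 18, 35, tzinfo=timezone.utc)
    print(parse_same(SAMPLE, now.year))
    print(relay_findings(SAMPLE, now, set(), {"EXAMPLE1"}))
```

A header with a current timestamp and a listed station ID produces no findings regardless of who transmitted it, because the format has no field a receiver could verify cryptographically. The checks only catch stale, repeated or malformed headers.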

~~~
manjushri
>Literally anyone with software to generate NOAA SAME tones, together with a
software-defined radio and amplifier, can walk near one of a handful of
"primary entry points" and belt out an alert that gets mindlessly repeated
across the country.

So a fake alert can be sent out nationwide from broadcasting to just one
access point??

~~~
mschuster91
> So a fake alert can be sent out nationwide from broadcasting to just one
> access point??

I believe OP meant "country" as in "countryside", which is feasible when
you're up on a hill and your signal can reach a distribution source antenna
(which will then distribute your spoofed alert to its attached sirens).

~~~
ashleyn
No, I meant the country as in the United States. EAS on the national level
works by playing telephone: hopping the alert from station to station in a
mesh configuration. PEP stations are origins for national alerts.

~~~
mschuster91
Oh wow. Clearly, something like widespread availability of SDRs was not an
issue back then.

I wonder why it hasn't been abused/trolled on a large scale, though. Really,
if I were interested in trolling that's what I'd do: next to zero chance of
the cops catching you as you won't leave a trail, plus the entire country will
be wide awake once the sirens ring and it will likely need months or years
until the government secures the stuff.

------
hinkley
I don't know why but this reminds me of a story I read long long ago about
someone figuring out that the local Big Box store had their PA system attached
to a phone number. You could call in and say anything you want.

They kept up the ruse for quite a while by being subtle at first with their
mischief.

~~~
aylons
How do these systems avoid robocalls and the like?

~~~
chris72205
I'm curious about this as well.

Though at a previous job, I got on the elevator one day to hear a
telemarketer's voice coming from the emergency speaker. I'm guessing it
happens, but just very rarely?

~~~
tzs
I had something similar, twice. Once I was in the elevator when the emergency
phone started ringing. I picked up, and it was the Seattle Times trying to
sell subscriptions.

The other time, same elevator, it was someone asking for a specific person
that I had never heard of.

------
apcragg
Side note: Balint Seeber, the lead on this paper, has given a number of
excellent talks on wireless communications and signal processing. I'd
recommend his series of "Hacking the wireless world" talks (available on
YouTube) given at DefCon for anyone interested in digital signal processing
and RF security.

~~~
pronoiac
Balint is great! He's presented at Dorkbot-SF a couple of times:

* about the ISEE-3 space probe reboot: [https://www.youtube.com/watch?v=NTljlMH-0oM](https://www.youtube.com/watch?v=NTljlMH-0oM)

* visualizing flights in airspace: [http://youtu.be/a623A6JVuek](http://youtu.be/a623A6JVuek)

(I'm the Dorkbot A/V geek, but these aren't my recordings.)

------
paulie_a
I remember as a kid, my dad had a police scanner and eventually I realized
that the nearby tornado siren had its Saturday noon test directly preceded by
a 4 digit DTMF on the radio. It's probably a good thing I never had a ham
radio.

~~~
kawfey
I was 16 when I discovered this (except instead of DTMF it was a special two-
tone dispatch alert), but I somehow had enough discipline to not attempt a
replay attack. My (now ex) girlfriend's sister was a dispatcher who I
mentioned it to, and about three months later they changed the system.

In my college town, there was a tornado siren placed very close to the biggest
multistory residence hall. I learned (through the ham radio club) that it had
a long history of mischief before my time.

------
JumpCrisscross
"Bastille's researchers note that ATI's website references siren systems
installed in many other sensitive locations, including 1 World Trade Center in
New York, the Indian Point nuclear power plant along the Hudson River, and
campuses including UMass Amherst, Long Island University, and West Point.
Bastille's researchers caution that they couldn't confirm whether those
customers had installed the same vulnerable setups."

New York City can get crowded around 1 World Trade Center. A false alarm could
kill, not to mention cause tremendous economic damage.

------
cialowicz
Looking at the site for the vulnerability (sirenjack.com)[0], what's the
motivation behind the snazzy animations, video, and custom domain? Is this a
form of advertising for the security researchers?

[0] [https://www.sirenjack.com/](https://www.sirenjack.com/)

~~~
Rjevski
Not sure what the motivations are, but I think it's nice that vulnerabilities
get their own bit of marketing and everything, as it can appeal to the non-
tech crowd. Most people wouldn't give a shit about a paper or some technical
info, but a nice-looking website and a video demonstrating it could interest
them and at the very least make them aware that such mischief is actually
possible.

------
exabrial
> [https://www.fcc.gov/consumers/guides/interception-and-divulg...](https://www.fcc.gov/consumers/guides/interception-and-divulgence-radio-communications)

They should check with the FCC before making threats like that.

~~~
vvanders
I'm not aware of any exclusion for emergency/public service transmissions.
Lots of police departments have been switching to encrypted P25 to prevent
scanners and the like.

Basically anything other than the cell bands is trivial to receive and decode
w/ $15 SDR dongle.

------
campuscodi
Source: [https://www.sirenjack.com/](https://www.sirenjack.com/)

------
jlgaddis
~20 years or so ago, the warning sirens in the small town I grew up in could
be easily turned on/off by simply dialing a phone number and issuing the
correct DTMF tones. I'd like to think they have a more secure mechanism
nowadays but I would be quite surprised if they actually did.

------
GW150914
Vulnerable, yes, but how about secret/secure on the part of the hacker? It’s
no good to abuse one of these systems if the only result is the government
showing up with a warrant and a lot of anger. Maybe they don’t need to be
secure, because it’s so easy to trace interference?

~~~
Rjevski
The source of the interference doesn't give you any information as to where
the attacker is. The source could be a Raspberry Pi connected to a cheap SDR
and controlled over Tor. By the time the feds find it, the damage has already
been done and the attacker could've planted another one of those somewhere
else.

------
antsar
Nice bit of deflection by the vendor.

"However, we wish to point out these are technically sophisticated people who
have devoted significant time and effort to this task. Before customers panic
too much, please understand that this is not a trivially easy thing that just
anyone can do."

[https://static1.squarespace.com/static/5ab64621aa49a10ba0d06...](https://static1.squarespace.com/static/5ab64621aa49a10ba0d06151/t/5acc378c8a922dc77307c7e8/1523333006993/UPDATED_ATI_SYSTEMS_OFFICIAL_STATEMENT_4-3-18.pdf)

~~~
wolfgang42
I don't think the vendor is deflecting too much. The extended quote from the
article is a lot less one-sided:

> ATI wrote that Bastille's findings are "likely true" and that it's testing a
> software update it plans to roll out soon. "Before customers panic too much,
> please understand that this is not a trivially easy thing that just anyone
> can do," that earlier statement notes. "At the same time, a certain level of
> concern is justified. As technology evolves, the level of threat evolves."

~~~
vvanders
> In fact, anyone can generate those commands, Seeber says, with a radio as
> simple as this $35 one sold by the Chinese company Baofeng

If you can do it via a Baofeng there's a 99% chance this is just obscured DTMF
tones + possibly PL tone which is freaking trivial to do on any FM radio.

------
tempodox
They should make them say, “We are the Borg. Resistance is futile”. That would
be so cool.

------
tezza
Mass suicide caused by playing Kanye West ?

