Dallas tornado sirens hacked last night turning on all of them (twitter.com/jasonwhitely)
41 points by techman9 on April 8, 2017 | 11 comments



These types of systems are typically radio controlled, and their reference to working with the FCC (regulator of radio transmissions) makes it pretty clear that the vector here was via radio.

The control system is usually very simple - newer systems might use FSK digital signalling or even 900MHz spread spectrum, but a lot of siren systems out in the field right now are controlled by DTMF over business band radio, usually using the same frequency as the mobile radios of whatever department installed the system, just to avoid the overhead of getting a new license.

So it's likely that someone here just worked out what frequency the siren controllers listen on and what protocol they use, both of which could be done pretty easily just by going through frequencies the municipal government has licenses for and trying common manufacturers' commands, using a typical commercial radio (or anything they could get to transmit in those bands - e.g. firmware-hacked amateur equipment, SDRs, etc). There are lots of ways to take informed guesses at these parameters too, e.g. manufacturer labels on the control cabinets might reveal what protocol is in use.

Just taking a wild guess from licenses in the area, Dallas's sirens might be controlled off of the city's POCSAG paging system. It looks like it has solid coverage and Federal Signal (major siren manufacturer) makes POCSAG-capable controllers. POCSAG is an FSK digital protocol, and there's open source software to implement it. Since Dallas conducts regular tests it would be a simple thing to monitor their POCSAG frequency during the test and see if you receive any pages to special numbers.

As far as catching the crooks... well, the FCC has an enforcement division, but it is well known to be small and largely powerless these days when it comes to local radio issues. Just because of the physical difficulty of radio direction finding and monitoring a large country, the FCC probably won't be able to do a thing unless the offenders make a habit of it, allowing someone to bring in radio direction finding equipment and catch them in the act.

The complete lack of security in many radio-controlled systems is a real concern. Other areas where you find highly exploitable radio control schemes include various kinds of industrial automation and infrastructure systems. A trivial example people might be inclined to casually hack on, besides municipal sirens, would be irrigation. A lot of golf courses have a DTMF-over-handheld-radio control facility for their irrigation to aid groundskeepers in maintenance. Particularly easy to get a hold of since there's only a couple of manufacturers of these systems and most golf courses will only have a license for one business band frequency.
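
Added example, not part of the thread and not any vendor's protocol: a sketch of what an authenticated, replay-resistant activation command could look like on the receiving controller, in contrast to the static DTMF or pager codes described in the comment above. The frame layout, `site_id`, the counter, the command strings and the key are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # truncated HMAC-SHA256 tag, sized for a low-bandwidth radio frame


def make_frame(key: bytes, site_id: int, counter: int, command: bytes) -> bytes:
    """Dispatch side: header (site id, counter) + command + truncated tag."""
    body = struct.pack(">HI", site_id, counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class SirenController:
    """Receiver side (hypothetical): accept a frame only if authentic and fresh."""

    def __init__(self, key: bytes, site_id: int):
        self.key = key
        self.site_id = site_id
        self.last_counter = 0  # real hardware must persist this across reboots

    def handle(self, frame: bytes) -> str:
        if len(frame) < 6 + TAG_LEN + 1:
            return "reject: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "reject: bad tag"
        site_id, counter = struct.unpack(">HI", body[:6])
        if site_id != self.site_id:
            return "reject: wrong site"
        if counter <= self.last_counter:  # an old frame heard again
            return "reject: replay"
        self.last_counter = counter
        return "accept: " + body[6:].decode("ascii", "replace")


def demo() -> list:
    key = b"constructed-demo-key-not-a-real-one"  # constructed sample key
    siren = SirenController(key, site_id=17)
    test_frame = make_frame(key, 17, 1, b"TEST")  # a scheduled test
    forged = test_frame[:6] + b"ACTV" + test_frame[-TAG_LEN:]  # command changed, old tag
    return [
        siren.handle(test_frame),                       # legitimate
        siren.handle(test_frame),                       # same frame heard a second time
        siren.handle(forged),                           # altered without the key
        siren.handle(make_frame(key, 17, 2, b"ACTV")),  # next legitimate command
    ]
```

A static tone sequence or pager address passes none of these checks, because nothing in it ties the command to a key or to a point in time.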


Fascinating, thanks for your comment! How would an attack like this look? Would every siren need to receive this broadcast then, and if so wouldn't that put the broadcast power required to pull this off above most consumer gear?

If that's the requirement, isn't that a poor design? I knock out one or two points in the city and the sirens are unusable?


If my guess that they use their POCSAG system is right, they have four transmitter sites licensed to 350 watts each. This is beyond inexpensive equipment, but not beyond what you can buy from a ham radio shop and then 'unlock', for example. But of course it's a paging system, so the goal is strong one-way coverage to small devices in buildings and such. The sirens are all outdoors and probably all have generous fixed antennas installed, so you wouldn't need nearly as much power to get a message to them.

I assumed that the hackers injected their command via radio, which I still think is likely based on getting the FCC involved, but with POCSAG involved there's definitely another possibility. A lot of pager systems might have a fairly exposed way to send in messages - a phone number you can call, an email address, perhaps a poorly secured web interface. The hackers might have figured out what pager numbers the sirens respond to by listening in and then sent their message via "legitimate" means like an email-to-pager gateway.


There were mentions of the repeater system last night, so my guess is they transmitted weakly somewhere and the repeater happily repeated it out to activate all the sirens.

You can do this pretty trivially with HAM gear, although some may require small modifications to allow transmitting on the necessary frequencies. You can also often buy the equipment on eBay ready to go.


I didn't see that, got a link?

I sort of felt (in my ignorance of such systems) that this would have been somehow relayed / repeated instead of being a broadcast across an entire city but I didn't want to speculate as I'm clueless on this kind of tech.

I know it's a nuisance, but this is the sort of thing I daydreamed about doing when I was 13 so I can't help but be kind of entertained by it (at least while the only fallout appears to be knocking people out of bed).


The city has licenses for repeater-equipped public service frequencies, so it's definitely a possibility. That said, all of those licenses seem to be either trunking systems or attached directly to various departments that are not the OEM, which operates the sirens - so possible, I'm just thinking the pager system is most likely.


When I was a teenager (20+ years ago), the sirens where I grew up could be triggered by calling a phone number from a pay phone and entering a four-digit code. Another four-digit code would turn them off.

Uh, well, that's what I heard anyways...


All my Dallas friends (used to live there) were posting about waking up to this. Those things are frikkin loud if you are close to them. Let alone the annoyance, I'm sure this was a distraction to first responders; hope nobody got hurt.


I would love to hear the technical details on this one... Systems like these tend to be so old and unmaintained, I can't understand why it would need to be hooked up to the network instead of being a big red button in an office somewhere, and learning how it was owned might let me work that bit out :)


Let's connect everything to the internet, they said. It will be great, they said.


Having them connected to the internet would have probably prevented this, actually.



