Hackers Set Off Dallas' 156 Warning Sirens Dozens Of Times

from the not-everything-should-be-connected-to-the-internet dept

So we've talked repeatedly about how the shoddy security in most "internet of things" devices has resulted in increasingly vulnerable home networks, as consumers rush to connect not-so-smart fridges, TVs and tea kettles to the home network. But this failure extends well beyond the home, since these devices have also resulted in historically large DDoS attacks as this hardware is compromised and integrated into existing botnets (often in just a matter of minutes after being connected to the internet).

Whether it's the ease with which a decidedly clumsy ransomware attacker was able to shut down San Francisco's mass transit system, or the fact that many city-connected devices like speed cameras often feature papier-mâché security, you can start to see why some security experts are worried that there's a dumpster fire brewing that will, sooner rather than later, result in core infrastructure being compromised and, potentially, mass fatalities. If you ask security experts like Bruce Schneier, this isn't a matter of if -- it's a matter of when.

In what should probably be seen as yet another warning shot across the bow: slightly before midnight in Dallas last Friday a hacker compromised the city's emergency warning systems and managed to set off the city's 156 warning sirens more than a dozen times. Needless to say, the scale of the warning, and the number of sirens, led many people in Dallas to believe that the city had somehow been physically attacked in the middle of the night:

Dallas officials were forced to shut the system down around 1:20 am on Saturday, and despite telling the public to ignore the false alarms, a city that had already been having 911 issues for the last few months found its 911 systems inundated with a massive influx of calls from concerned citizens:

"Even as the city asked residents not to dial 911 to ask about the sirens, more than 4,400 calls were received from 11:30 p.m. to 3 a.m. — twice the average number made between 11 p.m. and 7 a.m., Syed said. The largest surge came from midnight to 12:15 as about 800 incoming calls caused wait times to jump to six minutes, far above the city's goal to answer 90 percent of calls within 10 seconds."

The city is, frankly, fortunate that this didn't result in more problems than it did. City officials say they've identified how the attacker compromised the system, but won't be revealing technical details for obvious reasons (Update: it looks like the attacker used a radio signal attack on city gear to repeatedly set off the sirens). Over at his Facebook page, Dallas Mayor Mike Rawlings was quick to highlight how the attack made it clear the city needs to spend significantly more money on its technology infrastructure:

"This is yet another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure. It’s a costly proposition, which is why every dollar of taxpayer money must be spent with critical needs such as this in mind. Making the necessary improvements is imperative for the safety of our citizens."

Of course, while older, outdated systems are certainly a problem, rushing to throw money at companies promising the "connected city of tomorrow in a box" isn't a panacea, either. While it likely had nothing to do with the recent hack, AT&T has been advertising Dallas as the centerpiece of its "IOT" ambitions for the last few years, just one of countless companies rushing into the space in pursuit of new revenue and quarterly growth. The problem, again, is that many of these smart city solutions come from many of the same vendors for which security and privacy were an afterthought in the residential market.

So yes, most cities are in desperate need of a technology and security upgrade, yet often lack the budgets to do so. You just hope that when these upgrades actually occur, they aren't sabotaged by the same superficial concern for privacy and security already plaguing the connected home market.


Reader Comments



  • Ninja (profile), 10 Apr 2017 @ 12:02pm

    Once again with feeling: keep critical infrastructure disconnected from the internet. If something critical needs to be connected for some reason then make it ignore anything other than approved devices that are very well protected against external files (USB sticks, mail attachments and all).

    So you need to run an external file in that machine? Send us a copy to be tested for malicious behavior in an isolated system first.

    It doesn't fully prevent problems, no security system is 100% effective but at the very least you'll be protected against the average bozo and with luck only state sponsored hackers will manage to do anything more than a scratch.

    • Anonymous Coward, 10 Apr 2017 @ 12:28pm

      Re:

      I would like to know more about the whole issue before just assuming that they put it on the internet. I have dealt with state and city networks and it is always a pain. Usually it is because they have two physically separated networks. One with internet access and the other that is not. The one that is not is usually for emergency or confidential data.

      • Machin Shin, 10 Apr 2017 @ 12:36pm

        Re: Re:

        Well I'm not really sure what to think there. You're saying don't be too quick to judge, but I am left with...

        A) They majorly failed by actually hooking this system to the internet and hoping no one would play with it.

        B) They didn't hook it to the internet yet majorly failed at physical security.

        I'm not really sure which one of those two is worse. Either way you should make darn sure your big red panic button is well protected.

        • Anonymous Coward, 10 Apr 2017 @ 12:58pm

          Re: Re: Re:

          B) They didn't hook it to the internet yet majorly failed at physical security.

          Short of hiring 156 armed guards, someone is going to get access to a siren. How old are these? Public key cryptography was unknown until 1976, and using a separate symmetric key for each might have been difficult in the days when you couldn't just program a PC to encrypt and transmit 156 messages.

          • Anonymous Coward, 10 Apr 2017 @ 1:02pm

            Re: Re: Re: Re:

            using a separate symmetric key for each might have been difficult

            And could make it harder to use the system in an actual emergency, which is why US nukes used 00000000 as a launch code.

            • Anonymous Coward, 10 Apr 2017 @ 1:12pm

              Re: Re: Re: Re: Re:

              The funny thing is, that's actually a hard launch code to get right the first time; 12345678 would have been much better, as you are less likely to lose track of how many digits you've entered.

          • Anonymous Coward, 10 Apr 2017 @ 1:11pm

            Re: Re: Re: Re:

            In this case, they didn't get access to a siren; they got access to the central command that triggers all the sirens, and were able to set them all off at once.

            Protecting sirens should be extremely low priority -- protecting the button that triggers all of them, city-wide, at once, should be higher priority.

            Of course, most traffic cams and intersection cams (not to mention a growing number of traffic light grids) are networked with no encryption whatsoever, such that you just need to find a local pole and plug in to the entire network, with no authentication.

            Some grids also have wireless receivers hooked up, and a few, for convenience, are also connected to the Internet.

            At least the Internet-connected grids usually have some sort of a firewall, and some level of software security at the C&C center -- but a lot of the stuff hanging off the network is ancient and not only doesn't know about encryption, also doesn't know about safe failure, cooperative networking, or anything else beyond "when this line goes high, I turn on until this other line goes high".

            So again, it's not really about securing the hardware, it's about placing minimal security on the network and a whole lot of logical and physical security at the operations center.

          • Anonymous Coward, 10 Apr 2017 @ 1:57pm

            Re: Re: Re: Re:

            This is one situation where the same key can be used for all sirens, as the requirement is to (try) and ensure the messages come from a valid source.

            • Anonymous Coward, 10 Apr 2017 @ 4:42pm

              Re: Re: Re: Re: Re:

              This is one situation where the same key can be used for all sirens, as the requirement is to (try) and ensure the messages come from a valid source.

              Replay attacks would be a concern. A quick web search shows these sirens were legitimately activated several times this millennium, and someone could have saved a message. We'd probably want them transmitted every few minutes, so the sirens can't get stuck in the "on" state for long.

              The message could include a timestamp to prevent it. But clocks would drift a lot over the decades. They'd need some kind of regular time adjustment message, or maybe they could pull time from GPS or CDMA (did either exist when they were installed?). A counter might work if there were a way to store the largest-known value for a long period of time.

              The one key would be a single point of failure, and would need to be well protected.

          • Machin Shin, 10 Apr 2017 @ 1:58pm

            Re: Re: Re: Re:

            That brings in the question of how these are set up. Access to one siren shouldn't give you free run of the entire system. These also should be in public areas where it isn't easy to mess with them.

            Kind of like traffic lights. The control box is right there, no guard needed because you kind of stand out breaking into the box on the street corner.

            We have built systems like this for a long time. Think about the phone system. Central office can ring your house phone, but you at home with your phone can't easily ring every phone on the network.

            • Anonymous Coward, 10 Apr 2017 @ 4:55pm

              Re: Re: Re: Re: Re:

              Kind of like traffic lights. The control box is right there, no guard needed because you kind of stand out breaking into the box on the street corner.

              You could easily mess with streetlights. Do it overnight (like this attack), or just put on a reflective traffic vest and hardhat. Unless you're attacking it with a crowbar nobody's going to question someone in a traffic vest.

              Think about the phone system. Central office can ring your house phone, but you at home with your phone can't easily ring every phone on the network.

              A central-office type thing might work for sirens, i.e. run a separate wire from police HQ to each siren, and they can only activate from there. But the lack of redundancy could be a problem in bad weather, especially the kind that knocks out phone lines regularly.

              We don't yet know whether the siren attack was easy.

    • Anonymous Coward, 10 Apr 2017 @ 12:36pm

      Re:

      Reports are that it was a local attack, not remote. You can't build a 100% secure system, so there can always be unauthorized access by motivated parties.

    • Anonymous Coward, 10 Apr 2017 @ 12:49pm

      Re:

      Once again with feeling: keep critical infrastructure disconnected from the internet.

      There's no indication these were on the internet, but this system would be pointless if not remotely operable in some way. It may have a telephone connection or something RF-based. Many systems like this predate strong encryption.

      If a hacker reported this problem through proper channels, it would probably be disregarded as "purely hypothetical", requiring a very determined attacker, etc. They didn't have to activate all the sirens multiple times, but this was never going to be fixed without activating one.

      • Ninja (profile), 11 Apr 2017 @ 5:40am

        Re: Re:

        From the source:

        "Officials don't know who was responsible for the hacking, but Vaz said "with a good deal of confidence that this was someone outside our system" and in the Dallas area."

        Sure it may be old and stuff but the fact it hasn't been updated with more robust security is a problem in itself.

  • discordian_eris (profile), 10 Apr 2017 @ 12:36pm

    I will admit that I laughed my ass off about this while it was happening. I just kept picturing Captain Crunch blowing a whistle into an old rotary AT&T phone in my head. Which reminds me, I need to dig out my old C-64 and do some phreaking and war-dialing.

  • Baron von Robber, 10 Apr 2017 @ 12:41pm

    Well at least they didn't get into the Emergency Broadcast System with "Purge now in effect till daylight, 6AM".

  • hij (profile), 10 Apr 2017 @ 12:58pm

    Are they sure it was hacked?

    The state of Texas is inching closer to making unlicensed masturbation illegal, and this may have been part of a test to enforce the new regulations. Given the time and large geographic area it is plausible that the authorities were making sure they were prepared for the eventual implementation of the new law.

    • discordian_eris (profile), 10 Apr 2017 @ 1:05pm

      Re: Are they sure it was hacked?

      It won't pass. The legislature fears it would outlaw mental masturbation, and that would put them out of business. Not to mention the cerebral blue balls that would result.

  • Rich Kulawiec, 10 Apr 2017 @ 1:01pm

    Always remember that...

    The S in IOT stands for security.

  • FrontalLobeConfabulator, 10 Apr 2017 @ 1:46pm

    Whose fault you say?

    Hackers gonna hack. The fault lies squarely with the IT security administrators (if there actually are any) who failed to do their job by failing to lock down this system properly.

    • Baron von Robber, 10 Apr 2017 @ 2:06pm

      Re: Whose fault you say?

      aaaaaaand what if IT Sec put in requests for silly things like better firewalls, IPS, DLP, etc?

  • aldestrawk (profile), 10 Apr 2017 @ 3:16pm

    This system could be very secure from hacking. It doesn't require a newly invented solution. The general problem of one-way authentication has been solved already. However, it is unclear if the Federal Signal Corporation (the supplier for Dallas) has provided such security in its controllers for the siren systems. It is also unclear if either Dallas, or the contractor hired to maintain and repair the system, have configured the controllers to have their highest security. It seems all this is likely to remain unclear because city authorities buy into "security through obscurity". Another issue is that officials want multiple, maybe non-technical folk, to be able to activate the sirens. Security may be compromised in the interest of simplicity.

    Here is what we know. The hacker used a radio signal from within signal reach of a base controller. The hacker knew the codes to trigger every siren in the system, which is achieved through radio relays. Each siren can be triggered individually or as part of a group. In this case the code for "all sirens" was used. The hacker continually sent signals to activate the sirens, thus overriding the officials who sent signals to turn the sirens off. The officials eventually changed something in authentication so the hacker could no longer activate the sirens.

    I am guessing how authentication works here. It may be possible that it was turned off entirely in Dallas. The simplest, and maybe only method, is to use a programmed fixed sequence of digits that represents an authentication code. I do know that Federal Signal controllers have that capability at least. However, the hacker in this case can use a replay attack. Herein, the hacker listens and records the signals used during a periodic system test. He, or she, simply plays back the same signal.

    The solution is to change the authentication code for every activation. Such a rolling-code system is used in many areas such as for unlocking cars and opening garage doors. Unfortunately, the companies that design such systems try to maintain secrecy and the cryptography doesn't get well vetted. I think all these systems had to be corrected once the system was already in the field. There are algorithms for rolling-code systems that don't suffer from known vulnerabilities. The user may have to configure that level of security to make sure they are protected.

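As an added example (not code from Techdirt, any commenter, Federal Signal or the City of Dallas), here is the shared-key-plus-counter design that this comment and the 4:42pm reply above describe: the controller tags each activation frame with a monotonic counter, and a receiver refuses a recorded test frame played back later, as well as a frame built with the wrong key. The key, frame layout, HMAC-SHA256 tag and 16-step counter window are constructed assumptions for the demonstration.

```python
import hmac
import hashlib
import struct

# Constructed demo key shared by the activation controller and every siren.
KEY = b"constructed-demo-key-not-a-real-deployment-key"
CMD_ALL_ON, CMD_ALL_OFF = 0x01, 0x02
FRAME_LEN = 5 + 32  # 4-byte counter + 1-byte command + 32-byte HMAC-SHA256 tag


def build_frame(key: bytes, counter: int, command: int) -> bytes:
    """Controller side: tag (counter, command) with HMAC. The counter is the
    rolling code; it increases on every activation so an old frame never
    verifies as fresh again."""
    body = struct.pack(">IB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SirenReceiver:
    """One siren or relay that honours only fresh, authenticated frames."""
    WINDOW = 16  # tolerate a few lost frames, but not arbitrary counter jumps

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest accepted counter; must survive reboots
        self.active = False

    def receive(self, frame: bytes) -> str:
        if len(frame) != FRAME_LEN:
            return "rejected: malformed"
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"  # forged, or built with the wrong key
        counter, command = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return "rejected: replay"  # a recorded frame played back later
        if counter > self.last_counter + self.WINDOW:
            return "rejected: counter out of window"
        self.last_counter = counter
        if command == CMD_ALL_ON:
            self.active = True
        elif command == CMD_ALL_OFF:
            self.active = False
        return "accepted"


def replay_scenario() -> tuple:
    """A frame recorded during a legitimate system test is played back later."""
    siren = SirenReceiver(KEY)
    recorded_test = build_frame(KEY, 1, CMD_ALL_ON)  # captured during a test
    results = [
        siren.receive(recorded_test),                       # genuine test
        siren.receive(build_frame(KEY, 2, CMD_ALL_OFF)),    # operators turn off
        siren.receive(recorded_test),                       # replay, stale counter
        siren.receive(build_frame(b"wrong key", 3, CMD_ALL_ON)),  # forgery
    ]
    return results, siren.active  # siren stays silent after the replay
```

The commenter's caveat still applies: the single shared key is a single point of failure, and `last_counter` only protects against replay if every siren stores it in non-volatile memory.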

    • Anonymous Coward, 10 Apr 2017 @ 4:57pm

      Re:

      It is also unclear if either Dallas, or the contractor hired to maintain and repair the system have configured the controllers to have their highest security. It seems all this is likely to remain unclear because city authorities buy into "security through obscurity".

      Unclear? If they're buying into this, you have your answer.

  • Rekrul, 10 Apr 2017 @ 6:08pm

    Leaving stuff unsecured is nothing new. Back in the 80s it got around (I forget how I heard about it) that one of the programmable signs on the highway was connected to a phone line and could be accessed via modem. There was no security on it and anyone who knew the proper commands to use could change the message. I didn't go by the sign often enough to ever see any strange messages, but apparently it was changed a couple times. For myself, I called it once, but was too afraid to try doing anything with it. Plus, I had no idea what to do at the command prompt, since it didn't provide any kind of a menu.


