Vulnerability in San Francisco’s Public Safety Warning Sirens Fixed

A patched vulnerability in San Francisco’s public safety warning siren system suggests other radio-based platforms could also be hacked.

Public emergency alert sirens, designed to both warn the masses of a crisis and direct them to safety, can be compromised by attackers who can take control of the system to broadcast false alarms.

That is the conclusion of researchers at radio security firm Bastille, who released details of their proof-of-concept attack against the city of San Francisco’s emergency alert systems on Tuesday. The researchers found a vulnerability in the radio protocol the city uses to broadcast public warnings in the event of an emergency.

Bastille’s director of vulnerability research, Balint Seeber, is credited with identifying the vulnerability. In an interview with Threatpost, he said the flaw could have far-reaching implications not just for the city of San Francisco, but also for other large urban and rural communities, military installations, universities, and industrial sites including oil and nuclear power generation plants.

Bastille coordinated its vulnerability disclosure with the city of San Francisco and ATI Systems, the third-party contractor that designed the emergency alert system. ATI is a leading provider of emergency systems for the public and private sector. Earlier this month the company announced it had patched the vulnerability identified by Bastille.

In a statement released by ATI on Tuesday, it said: “ATI has created a patch which adds additional security features to the command packets sent over the radio. This is currently being tested and will be rolled out shortly. However, ATI sirens are not mass market consumer items connected to the internet where you simply download a patch.”

Bastille is calling the vulnerability SirenJack and said it “can be exploited remotely via radio frequencies to activate all the sirens at will and trigger false alarms with the attendant chaos and panic.”

Bastille is also known for identifying radio frequency vulnerabilities relating to wireless keyboards, dubbed KeySniffer, which could let an attacker glean passwords, credit card numbers, security questions and answers – essentially anything typed on a keyboard, in clear text. In 2016, it also identified what it called a Mousejack vulnerability that exposed non-Bluetooth devices to attacks that could allow a hacker within 100 meters to install malware or use a targeted machine as a pivot point onto a network.

“Before customers panic too much, please understand that this is not a trivially easy thing that just anyone can do. Spoofing our current protocol is still several orders of magnitude harder than spoofing a DTMF based siren system,” ATI said in its statement.

Seeber said he spent two years trying to understand how the city of San Francisco’s emergency alert system worked. “Every Tuesday the city has a test of the system. That allowed me to eventually isolate and then monitor the radio signal. From there I converted the analog signal to a software defined radio file for further analysis,” he said.

That enabled him to find patterns in ATI’s radio broadcast and eventually create signals of his own that triggered the alarm system to go off. Seeber said ATI’s system was never compromised and testing was done in a remote location with a low-volume public address system.

“Upon further analysis of the radio protocol, Balint determined that the commands were not encrypted, and that the system was therefore vulnerable to forgery of system commands and malicious activation,” Bastille said in its release Tuesday.
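What rejecting a forged command looks like on the receiving side, as an added example that is not ATI's protocol, its patch, or code from Bastille's research: the packet layout, field sizes and names are assumptions made for illustration. It goes slightly beyond the forgery case in the text by also rejecting a recorded packet that is sent again, using a keyed MAC plus a message counter.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                      # truncated HMAC-SHA256 tag in bytes (assumed size)
HEADER = struct.Struct(">HBI")    # hypothetical layout: siren id, command code, counter

def build_packet(key: bytes, siren_id: int, command: int, counter: int) -> bytes:
    """Controller side: header followed by a MAC computed over the header."""
    header = HEADER.pack(siren_id, command, counter)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag

class SirenReceiver:
    """Receiver side: act on a command only if it is authentic and fresh."""

    def __init__(self, key: bytes, siren_id: int):
        self.key = key
        self.siren_id = siren_id
        self.last_counter = 0     # highest counter accepted; real firmware must persist it

    def verify(self, packet: bytes) -> str:
        if len(packet) != HEADER.size + TAG_LEN:
            return "reject: bad length"
        header, tag = packet[:HEADER.size], packet[HEADER.size:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; check the tag before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        siren_id, command, counter = HEADER.unpack(header)
        if siren_id != self.siren_id:
            return "reject: wrong address"
        if counter <= self.last_counter:
            return "reject: replay"
        self.last_counter = counter
        return f"accept: command {command}"

def demo() -> list:
    key = bytes(range(32))        # constructed test key, not a real one
    rx = SirenReceiver(key, siren_id=7)
    genuine = build_packet(key, 7, command=1, counter=1)
    forged = build_packet(b"\x00" * 32, 7, command=1, counter=2)  # sender lacks the key
    tampered = genuine[:2] + b"\x02" + genuine[3:]                # command byte altered
    return [rx.verify(genuine), rx.verify(genuine),               # second copy is a replay
            rx.verify(forged), rx.verify(tampered)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Encrypting the payload alone would hide the command but would not give the receiver a way to tell a genuine packet from a crafted one; the MAC and the counter check are what do that here.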

Seeber said Bastille informed ATI and San Francisco of the vulnerability 90 days ago, to give them time to put a patch in place.

The San Francisco Department of Technology told a reporter at the website StateScoop that “a firmware update provided by ATI Systems adds a higher level of encryption to the system’s messaging, adding that before the patch, the system had weak encryption.”

Seeber’s research into the ATI system in San Francisco began two years ago, but he said two incidents illustrated the importance of his research: a 2017 incident in Dallas, Texas, where a hacker set off over 150 emergency sirens citywide for more than 90 minutes, and a 2018 false emergency alarm set off in Hawaii (due to human error).

“During emergencies, cell tower-based public alert systems have been shown to fail. Many citizens have ‘cut the cord’ and cannot be contacted via a reverse 911-phone system. Consequently, warning sirens play a crucial role as they are the only truly reliable method to alert a population en masse of a public safety event,” Seeber said.

Seeber said that the city of San Francisco’s “security through obscurity” approach was unacceptable given the opportunity for damage. Unencrypted radio signals, he said, can be intercepted with a $30 radio and laptop. “Assuming that you know the frequency, all it would take is one radio and a program to convert the signal to a software defined radio file,” he said.
