SirenJack: Cracking a 'Secure' Emergency Warning Siren System

Conference:  BlackHat USA 2018

2018-08-09

Summary

The presentation discusses the responsible disclosure process for a vulnerability found in an outdoor public warning system and the importance of securing critical infrastructure systems.
  • The speaker found a vulnerability in an outdoor public warning system that allowed for unauthorized access and control of the system.
  • The speaker followed a 90-day responsible disclosure policy, notifying the vendor and the Department of Emergency Management before publicly disclosing the vulnerability.
  • The vendor created a patch and provided it to at least one customer.
  • The speaker emphasizes the importance of securing critical infrastructure systems and adhering to a robust disclosure process.
  • The speaker faced challenges in trying to contact the appropriate parties to disclose the vulnerability.
  • The speaker recommends using highly secure encrypted links and upgrading to trunk radio to prevent similar vulnerabilities.
  • The speaker also recommends following a responsible disclosure process to ensure that vulnerabilities are addressed and the public is informed.

The speaker found a break in the pattern during a test of the outdoor public warning system, which led to the discovery of the vulnerability. The speaker was concerned about the potential for malicious payloads to exploit the vulnerability and worked to ensure that the vendor created a patch and provided it to customers. The speaker faced challenges in trying to contact the appropriate parties to disclose the vulnerability, but ultimately followed a responsible disclosure process to ensure that the public was informed.

Abstract

SirenJack is a vulnerability that was found to affect radio-controlled emergency warning siren systems from ATI Systems. It allows a bad actor, with a $30 handheld radio and a laptop, to set off all sirens in a deployment. Hackers can trigger false alarms at will because the custom digital radio protocol does not implement encryption in vulnerable deployments.

Emergency warning siren systems are public safety tools used to alert the population of incidents, such as weather and man-made threats. They are widely deployed in cities, industrial sites, military installations, and educational institutions across the US and abroad.

Sirens are often activated via a radio frequency (RF) communications system to provide coverage over a large area. Does the security of these RF-based systems match their status as critical infrastructure? The 2017 Dallas siren hack showed that many older siren systems are susceptible to replay attacks, but what about more modern ones?

I studied San Francisco's Outdoor Public Warning System, an ATI deployment, for two years to learn how it was controlled. After piecing together clues on siren poles, and searching the entire radio spectrum for one unknown signal, I found the system's frequency and began passive analysis of the protocol. Monitoring the weekly siren tests, I made sense of patterns in the raw binary data and found the system was insecure and vulnerable to attack.

This presentation will take you on the journey of the research, and detail the tools and techniques used, including leveraging Software Defined Radio and open source software to collect and analyse massive sets of RF data, and analyse a custom digital protocol. It will also cover the Responsible Disclosure process with the vendor, their response, and subsequent change to the protocol. A proof-of-concept will be shown for good measure.
