A vulnerability affecting emergency alert systems supplied by ATI Systems, one of the leading suppliers of warning sirens in the USA, could be exploited remotely via radio frequencies to activate all the sirens and trigger false alarms.
“We first found the vulnerability in San Francisco, and confirmed it in two other US locations including Sedgwick County, Wichita, Kansas,” Balint Seeber, Director of Threat Research at Bastille, told Help Net Security.
“Although we have not visited other locations to confirm the presence of the vulnerability, ATI Systems has customers in the US and overseas from the military, local government, educational and energy sectors. ATI features customers on its website around the US including One World Trade Center, WestPoint Military Academy and Entergy Nuclear Indian Point which are all in New York State, UMASS Amherst in Massachusetts, Eastern Arizona College, University of South Carolina and Eglin Air Force Base in Florida, amongst others.”
The vulnerability and how it can be exploited
The vulnerability stems from the fact that the radio protocol used to control the sirens is not secure: activation commands are sent “in the clear,” i.e. without encryption or any other protection, so anyone who can receive the transmissions can learn the command format and then replay or craft activation commands of their own.
“A bad actor can find the radio frequency assigned to a deployment, craft malicious activation messages, and transmit them from their own radio to set off the system. All that is required is a $30 handheld radio and a computer,” Seeber noted.
“An attacker needs to be in radio range. Commonly a repeater is used to amplify weaker signals and rebroadcast them over a wider area, which helps improve coverage. For example, in San Francisco, there is a repeater on a hill in the center of the city, which serves as the central radio signal broadcast point to cover the entire city, all the way out to Treasure Island. With a directional Yagi antenna pointed at a repeater, and even a handheld radio with a moderate amount of power, an attacker could be successful from at least tens of miles away.”
The public relies on emergency warning systems for notification of legitimate threats: natural disasters, man-made disasters and public emergencies. False alarms can result in needless panic and chaos, as witnessed last year in Dallas and more recently in Hawaii.
“During emergencies, cell tower-based public alert systems have been shown to fail. Many citizens have ‘cut the cord’ and cannot be contacted via a reverse-911 phone system. Consequently, warning sirens play a crucial role as they are the only truly reliable method to alert a population en masse of a public safety event,” Seeber pointed out.
“The SirenJack vulnerability [as the researchers dubbed it] underscores the need to make emergency alert systems stronger than ever, as hackers are constantly probing critical infrastructure, especially those using insecure RF-based protocols, to infiltrate and carry out potential attacks.”
Fixing the issue
“Customers should contact ATI Systems to determine if they have a vulnerable configuration and/or version of the system, and then take the appropriate remediation steps that are suggested. We have been led to believe that ATI has worked on a patch, and that the City of San Francisco has been rolling out that patch. Therefore, we are optimistic that the patch will be made available to other customers,” he shared.
“Although we have not been made privy to the details of the patch, we are under the impression that software and firmware needs to be upgraded so that the system can understand the new encrypted protocol. Through passive observation over the past few weeks, I have heard radio technicians on San Francisco’s siren system frequency performing radio link tests at each siren pole (I can hear them on the radio saying ‘Siren test one two three four…’), which makes me guess that they might be upgrading the firmware on the controller board at each pole and performing general maintenance.”
Another option available to users is to procure the digital radio network upgrade from ATI, meaning that the siren system’s communications will ride upon a separate, fully digital and standardized transmission scheme (“APCO Project 25” or just “P25”).
“This P25 protocol can then have strong encryption applied on top of it (so the siren system gets encrypted ‘by proxy’),” Seeber explained.
“Encrypted P25 networks are used all over the globe, for example, in cities for public safety radio networks used by first responders (police, ambulance, etc). It does require, though, that the customer also install or upgrade their existing radio infrastructure (separate from the siren system) to be P25-compliant, and then upgrade it further to support encryption. That is, P25-enabled sirens will likely still need a separate P25 digital radio network for any sizable deployment, such as a city.”
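The two passages above describe the problem (activation commands broadcast in the clear, so a captured frame can be replayed or a fresh one crafted) and the shape of the fix (a keyed, encrypted command link). The following is an added illustration, not ATI's protocol, its patch, or the P25 scheme: the frame layout, command codes and key are invented for the example. It models a siren receiver twice, once accepting any well-formed frame and once demanding a keyed tag plus a strictly increasing counter. One practitioner caveat it makes concrete: confidentiality alone is not what stops a forged activation; what blocks forgery and replay is a key the attacker does not hold, a message authentication code (or an authenticated-encryption mode) over the command, and a counter or timestamp the receiver checks.

```python
"""Toy siren activation link: cleartext frames vs. authenticated frames.
Added example only; frame format, command codes and keys are invented here."""
import hashlib
import hmac
import os
import struct

# Constructed frame layout: 4-byte site id, 1-byte command code, and in the
# hardened variant a 4-byte sequence counter followed by a 16-byte HMAC tag.
CMD_ACTIVATE = 0x01
CMD_TEST = 0x02
TAG_LEN = 16


def build_plain_frame(site_id: int, cmd: int) -> bytes:
    """Cleartext frame as the vulnerable link carries it: no secret is involved."""
    return struct.pack(">IB", site_id, cmd)


class PlainSiren:
    """Receiver for the cleartext protocol: any well-formed frame is obeyed."""

    def __init__(self, site_id: int):
        self.site_id = site_id
        self.activations = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 5:
            return False
        site_id, cmd = struct.unpack(">IB", frame)
        if site_id != self.site_id:
            return False
        if cmd == CMD_ACTIVATE:
            self.activations += 1
            return True
        return cmd == CMD_TEST


def build_auth_frame(key: bytes, site_id: int, cmd: int, seq: int) -> bytes:
    """Hardened frame: header plus counter, tagged with a key only the operator holds."""
    body = struct.pack(">IBI", site_id, cmd, seq)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthSiren:
    """Receiver that requires a valid tag and a strictly increasing counter."""

    def __init__(self, key: bytes, site_id: int):
        self.key = key
        self.site_id = site_id
        self.last_seq = -1
        self.activations = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 9 + TAG_LEN:
            return False
        body, tag = frame[:9], frame[9:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # forged or tampered frame
            return False
        site_id, cmd, seq = struct.unpack(">IBI", body)
        if site_id != self.site_id or seq <= self.last_seq:  # wrong site or replay
            return False
        self.last_seq = seq
        if cmd == CMD_ACTIVATE:
            self.activations += 1
            return True
        return cmd == CMD_TEST


def demo() -> dict:
    """Attacker who can hear the channel: replay a captured frame, then craft one."""
    site = 0x0001
    key = os.urandom(32)            # shared only between operator and siren
    attacker_key = os.urandom(32)   # attacker has no way to learn the real key

    plain = PlainSiren(site)
    captured = build_plain_frame(site, CMD_ACTIVATE)   # operator's genuine activation
    plain.receive(captured)
    plain_replay = plain.receive(captured)              # replayed verbatim: accepted
    plain_forge = plain.receive(build_plain_frame(site, CMD_ACTIVATE))  # crafted: accepted

    auth = AuthSiren(key, site)
    genuine = build_auth_frame(key, site, CMD_ACTIVATE, seq=1)
    auth.receive(genuine)
    auth_replay = auth.receive(genuine)                 # counter already used: rejected
    auth_forge = auth.receive(build_auth_frame(attacker_key, site, CMD_ACTIVATE, seq=2))
    auth_next = auth.receive(build_auth_frame(key, site, CMD_ACTIVATE, seq=2))

    return {"plain_replay": plain_replay, "plain_forge": plain_forge,
            "plain_activations": plain.activations,
            "auth_replay": auth_replay, "auth_forge": auth_forge,
            "auth_next": auth_next, "auth_activations": auth.activations}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The receiver state (last accepted counter) is what defeats replay; in a real deployment it has to survive power loss, and the operator side needs a way to resynchronise after a controller is replaced, which is the kind of engineering detail the update below alludes to when it says upgrades must be checked against each system's configuration.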
Bastille researchers did not test the patch provided by ATI Systems and have not been able to verify its efficacy. Nevertheless, it’s good news that the company has acted upon the vulnerability information it was given.
The researchers hope that other siren vendors will investigate their own systems to patch and fix this type of vulnerability (if they find it, of course).
UPDATE (APRIL 11, 2018):
“ATI has created a patch which adds additional security features to the command packets sent over the radio. ATI is testing this patch, and it will be available upon request. Many systems are engineered to meet specific user needs and users need to make sure any upgrades are appropriate for their systems,” US CERT noted in an advisory published on Tuesday.
“ATI recommends that, where feasible, simple voice radios be replaced with digital P-25 (APCO) radios, which provide highly secure encrypted links.”