Hackers can spoof and hijack communications targeting sirens part of emergency alert systems to trigger false alerts and cause panic among a local population, information security training experts comment.
Attackers can achieve this by exploiting a newly discovered vulnerability in emergency alert systems manufactured by ATI Systems.
The emergency alert systems are deployed at the One World Trade Center, Indian Point Energy Center nuclear power stations, UMass Amherst, and the West Point Military Academy.
SirenJack flaw impacts sirens’ radio protocol. The vulnerability, discovered by information security training researcher Balint Seeber and labeled SirenJack, resides in the fact that the radio protocol used to control sirens in ATI Systems is not encrypted.
This unencrypted protocol allows a bad actor, which could be an individual, hacktivist, terrorist, or hostile nation-state, to find the radio frequency assigned to an emergency system, craft malicious activation messages, and set off the emergency system.
Seeber discovered this flaw while auditing the emergency alert system deployed across the city of San Francisco in 2016. He did not initially notify ATI Systems of the bug, but the recent incidents involving the Dallas tornado sirens warning system and the Hawaii nuclear missile alert system drove the researcher to contact ATI.
In a statement issued today, ATI says it developed a patch for the issue reported by the Bastille researcher.
“ATI has created a patch which adds additional security features to the command packets sent over the radio. This is currently being tested and will be rolled out shortly,” ATI says.
The company added that these emergency alert systems are customized for each client and that each customer will have to reach out to the company for his own custom fix.
According to information security training professionals, a patch for the San Francisco emergency alert system has already been applied last month.
“A single warning siren false alarm has the potential to cause widespread panic and endanger lives,” said Chris Risley, CEO, Bastille Networks. “Bastille informed ATI and San Francisco of the vulnerability 90 days ago, to give them time to put a patch in place. We’re now disclosing SirenJack publicly to allow ATI Systems’ users to determine if their system has the SirenJack vulnerability. We also hope that other siren vendors investigate their own systems to patch and fix this type of vulnerability.”