Dallas siren “hack” used radio signals to spoof alarm, says city manager
- Thread starter JournalBot
- Start date
There are reasons for having it go off for more than just tornados and nuclear weapons. In the recent storms, a few of the rural areas outside DFW had sirens going off for baseball-sized hail. If it's going off for mild rain, though, that's definitely going to make people ignore them.
Upvote
1
(1
/
0)
"Alternatively, they can also be controlled by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands from a dispatcher or command center terminal sent over UHF radio frequencies that were set aside for emergency agencies' use by the FCC in 2004 (these are typically in the 700 MHz range)."
Surely Mr Pai will address this by rescinding the emergency use of these frequencies "to ensure that the public is protected from hackers who have clearly shown that they can compromise the system and endanger the public by broadcasting false alerts."
Surely Mr Pai will address this by rescinding the emergency use of these frequencies "to ensure that the public is protected from hackers who have clearly shown that they can compromise the system and endanger the public by broadcasting false alerts."
Upvote
6
(6
/
0)
Yep, I'm sure you could avoid nuclear fallout by walking down the block. /s
Upvote
6
(7
/
-1)
I take it you haven't experienced a tornado. They can literally come out of nowhere when the weather is perfectly clear and fine, thus the reason for tornado sirens. Sometimes the sky may get a little green cast and the wind will kick up but other than that unless it is pouring down rain you may have no idea one is going to hit. They also tend to sound the sirens BEFORE the tornado gets where you can tell one is coming otherwise it defeats the whole purpose given their speed and destructiveness.
Upvote
9
(9
/
0)
Yeah, any kind of severe weather would be fine IMO. But I think their mindset here is to blow the sirens as a "hey maybe go turn on the weather" measure? Nothing is ever happening when the sirens blow and for the past 4 or 5 years its been false alarm after false alarm.
Upvote
2
(2
/
0)
"It was not a system software issue, it was a radio issue."
Sigh... This is exactly the kind of mindset that leads to security issues. The radio link is also a part of the same system. Playing "Somebody else's problem" is not going to help you design a safe system. Security design should be holistic and end to end.
It's like designing a super secure webserver and then putting it in a room without a door because physical security is not part of the system.
Sigh... This is exactly the kind of mindset that leads to security issues. The radio link is also a part of the same system. Playing "Somebody else's problem" is not going to help you design a safe system. Security design should be holistic and end to end.
It's like designing a super secure webserver and then putting it in a room without a door because physical security is not part of the system.
Upvote
5
(5
/
0)
I'd imagine most people have enough sense to look out the window, see the lack of severe weather, and figure the sirens must be going off for a darn good reason.
Upvote
1
(1
/
0)
Upvote
0
(0
/
0)
I used to work on Whelen systems many moons ago. If I recall correctly, the DTMF command has to be preceded by a PL (privacy code) or siren address to activate the siren stack and tell it that commands follow. Unless all of the sirens had the same access code...but that would be...inconceivable. No one would be that dumb...right?
Upvote
4
(4
/
0)
1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage!
Upvote
8
(8
/
0)
While obviously not a good long term solution, it is a routinely employed short-term solution.
Take Google's Project Zero, for example. When they find an exploit in somebody's software, they give them 90 days to fix it before they make it public. I don't see how this is any different. Until you've fixed the vulnerability, you don't want people to know what it was. Even though in this case clearly somebody in the wild already knows, you don't want to help spread that information until you've closed the barn door.
Upvote
5
(5
/
0)
Yes! for only $25 USD you too can receive radio transmissions intended for safety and public security! Know what Big Bother talks about behind your back! Fool your friends! Fun at parties!
Upvote
1
(2
/
-1)
And what's your point, that software defined radio receivers should be "banned" ?
Upvote
-3
(1
/
-4)
All of this is just more proof that we need to take every single analog system of any sort, remaining and tear them down, plow them into the dirt, and replace them with secure digital, IP-based systems.
People here criticize me for being a 'kid' who doesn't like old technology. But what you are seeing here are the real costs of it. We've moved beyond analog technology just like we've moved on from unpasteurized milk and bloodletting as a cure for disease.
This system should be torn down and replaced with something SMS, wireless IP, or social media based, to have far reaching and high-information-density capabilities that can reach anyone anywhere at anytime through connected devices the great majority, or at least the families of the great majority, carry with them all the time.
People here criticize me for being a 'kid' who doesn't like old technology. But what you are seeing here are the real costs of it. We've moved beyond analog technology just like we've moved on from unpasteurized milk and bloodletting as a cure for disease.
This system should be torn down and replaced with something SMS, wireless IP, or social media based, to have far reaching and high-information-density capabilities that can reach anyone anywhere at anytime through connected devices the great majority, or at least the families of the great majority, carry with them all the time.
Upvote
-18
(1
/
-19)
This wasn't a hack. It was an issue waiting to happen. The siren system is most likely off the shelf parts used by many other cities and the documentation on how it all works is most likely public info thanks to the sales efforts.
It is trivial to figure out the radio frequencies needed to activate the system: that's all public info, and since every city tests their sirens at least monthly, all you have to do is listen for a signal (any scanner will do this) and then listen for the sirens to turn on. Followed by a signal to turn them off at the end of the test. There are scanner interfaces to dump these signals to PC where they can be analyzed and examined.
The monthly or weekly tests are great for this because the signal sent out is most likely going to be an "all sirens ON" signal without regard to neighborhoods so this is exactly what you want to replicate for most havok.
Now, to make it work, you need a radio to transmit the 700MHz signal. eBay. Or you can order the radios from China in some cases. I would not be surprised if these sirens used UHF or even VHF radio links which are even easier to replicate. The gear needed is on Amazon and it's cheap.
So all you have to do is play back the signal you recorded earlier and the sirens will fire right up.
It is trivial to figure out the radio frequencies needed to activate the system: that's all public info, and since every city tests their sirens at least monthly, all you have to do is listen for a signal (any scanner will do this) and then listen for the sirens to turn on. Followed by a signal to turn them off at the end of the test. There are scanner interfaces to dump these signals to PC where they can be analyzed and examined.
The monthly or weekly tests are great for this because the signal sent out is most likely going to be an "all sirens ON" signal without regard to neighborhoods so this is exactly what you want to replicate for most havok.
Now, to make it work, you need a radio to transmit the 700MHz signal. eBay. Or you can order the radios from China in some cases. I would not be surprised if these sirens used UHF or even VHF radio links which are even easier to replicate. The gear needed is on Amazon and it's cheap.
So all you have to do is play back the signal you recorded earlier and the sirens will fire right up.
Upvote
1
(1
/
0)
From somebody living in between Fort Worth and Dallas: Everybody cares about the sirens. The weather around here is chaotic, rapidly changing, and frequently dangerous. People frequently die when severe weather occurs even with precautions taken. Even tiny municipalities have some sort of system. The sirens are also used for non severe weather situations where there is a threat to the population. For example the city of Fort Worth, TX uses their sirens for a variety of purposes, such as state emergencies and chemical spills. The city of Arlington, TX will use sirens to alert of Chemical Spills, Terrorism, and Nuclear incidents (A nuclear plant is within 50 miles for most of the DFW). There are precautions and specific actions to survive these types of scenarios, that are locally broadcasted. All three cities reserve the right to use the systems for unspecified emergency situations, thus even during a sunny day, the sirens going off is a grave cause of concern. People are encouraged to turn on the radio/tv/websites to get further information, but as noted, there are many that don't follow best practices.
Upvote
4
(4
/
0)
A curious question would be how did Dallas secure the system in such a short order? If it happened to be repeater based I could see changing the input tone squelch (CTCSS , DCS). Otherwise, would every siren site require a visit? I'm sure many radio hobbiest will be tuned in for the next scheduled test. Possibly the scheduled test will be triggered at the transmitter site manually instead of remotely? I'm sure many RF jockeys will be listening for input or output frequencies ready to decode tone squelch and record AFSK or DTMF the nex time severe weather threatens.
Upvote
1
(1
/
0)
So, can we assume you have yanked all the light switches in your apartment, and replaced them with a home automation solution that requires you to fumble in the dark to unlock your phone before you can turn on the light in order to navigate through the piles of "obsolete" (yet functional) analog gear on the way to the bathroom?
Even us tekkies sometimes prioritize buying a new gaming machine/paying a kid's tuition over replacing functional, if imperfect or out of date systems; anyone here still carrying a pocket full of those jagged-edged metal things that were hacked in Houdini's era (if not long before)?
Upvote
8
(8
/
0)
No, the security is military grade, same as used for nuclear weapons.
The code is: 000000
Now, I have to kill you...
Upvote
4
(4
/
0)
Hardly surprising, since this type of attack has been around for over a century:
https://www.theatlantic.com/technology/ ... 03/250665/
https://www.theatlantic.com/technology/ ... 03/250665/
Upvote
0
(0
/
0)
It suddenly occurs to me that a one-time pad is essentially just that, albeit with "perfect obscurity".
Upvote
3
(3
/
0)
A bit offtopic.. But you have no idea how much that kind of passwords are used on important systems in the corporate world.
I'm surprised not more stuff gets hacked really.
Upvote
2
(2
/
0)
Upvote
1
(1
/
0)
This sounds like yet another system that could be secured by an asymmetric key challenge-response system. The operator of the alert network has a private key, and all the alarms have the corresponding public key. The operator sends out a message that the alarms should turn on. Each alarm sends back a block of random bits, and the operator responds by signing and rebroadcasting each random block. The alarms verify the signatures with the public key and then turn on.
Now that I think of it, there might be a way to skip the challenge and response if the operator sends out the random bits first.
Now that I think of it, there might be a way to skip the challenge and response if the operator sends out the random bits first.
Upvote
0
(0
/
0)
Anyone can buy gear off the shelf to decode the PL or DPL and use that info to program a suitable radio to transmit. Child's play.
Anyone want to bet they put PL or DPL on the receiver?
Upvote
0
(0
/
0)
They could easily equip each tower site with a P25 receiver (I am assuming they ARE at least on P25 at this point), since it would be very difficult if not impossible for someone to associate an outside radio on their P25 system. Same for trunk systems.
Then they would be able to limit the system traffic for the siren group to the siren sites and the base stations authorized to use them. Nobody else even needs to have these programmed.
Encrypt the talkgroup. Done.
I am SURE the local radio supplier would love to offer up a bid on re-equipping all the siren sites with new P25 receivers. Couple hundred radios sold.
Then they would be able to limit the system traffic for the siren group to the siren sites and the base stations authorized to use them. Nobody else even needs to have these programmed.
Encrypt the talkgroup. Done.
I am SURE the local radio supplier would love to offer up a bid on re-equipping all the siren sites with new P25 receivers. Couple hundred radios sold.
Upvote
0
(0
/
0)
[url=https://arstechnica.co.uk/civis/viewtopic.php?p=33148193#p33148193:3oytv6pw said:
Thanks for that link. I had no idea it was so cheap and accessible. Quality random number source here I come
Upvote
0
(0
/
0)
[url=https://arstechnica.co.uk/civis/viewtopic.php?p=33149369#p33149369:28ejme0c said:
Maybe the code was 1.... 2.... 3.... 4.... 5.....
I have it on good authority that's the same code Dallas City Manager T.C. Broadnax uses on his luggage
(Edit: oops, ninja'd by Skyfire77 - and not even very recently! Oh the shame...)
Upvote
1
(1
/
0)
As a teen I worked for my local police in my small town - they also controlled the Emergency Management functions in our city and county (just fyi, small area in Missouri). We "activated" the sirens via a dial-phone code which sent an OTA tone via a certain frequency.
Watching the ridiculous news coverage the past few days, I kept telling friends/family that there was no "computer hack." It was, instead, an analog/digital radio hack. People with FCC Amateur Radio Licenses have easy access to these frequencies and tones, and agree, as part of his/her FCC license, not to ever do anything to cause a panic. That means whatever info we learn, we don't share and won't take advantage of, period.
This isn't a common HAM. S/he is instead interested in creating panic. Generically some call that a "hacker." I define a hacker as someone who infiltrates a computer-directed system in an effort to hurt people.
This person found out the frequency and tone to turn on the sirens. Not hacking. Just using info to set them off. An asshole, a guy who should be prosecuted, yes. But not hacking.
Watching the ridiculous news coverage the past few days, I kept telling friends/family that there was no "computer hack." It was, instead, an analog/digital radio hack. People with FCC Amateur Radio Licenses have easy access to these frequencies and tones, and agree, as part of his/her FCC license, not to ever do anything to cause a panic. That means whatever info we learn, we don't share and won't take advantage of, period.
This isn't a common HAM. S/he is instead interested in creating panic. Generically some call that a "hacker." I define a hacker as someone who infiltrates a computer-directed system in an effort to hurt people.
This person found out the frequency and tone to turn on the sirens. Not hacking. Just using info to set them off. An asshole, a guy who should be prosecuted, yes. But not hacking.
Upvote
-2
(0
/
-2)
[url=https://arstechnica.co.uk/civis/viewtopic.php?p=33151829#p33151829:2yhpgrf2 said:
What if he sniffed radio waves with SDR and analysed it to figure out how to send those codes? That would fall under definition of hacking. Your assumption is that someone told him how to do it while all available data points to it being somewhat trivial to figure out on your own if so inclined.
Upvote
-1
(0
/
-1)
Upvote
1
(1
/
0)
So question for anyone who actually works with these systems.
I realize that many of these are decades old systems which were designed in a 'simpler' era by non-paranoid engineers who weren't thinking (despite you know, the Cold War, paranoia over Communist spies, and etc.) about malicious actors.
But why aren't these systems retrofitted to be hardened more often?
I realize that many of these are decades old systems which were designed in a 'simpler' era by non-paranoid engineers who weren't thinking (despite you know, the Cold War, paranoia over Communist spies, and etc.) about malicious actors.
But why aren't these systems retrofitted to be hardened more often?
Upvote
0
(0
/
0)
By now I suspect that people in Texas are aware that industrial incidents at chemical plants/refineries are a potential disaster. Depending on the nature of the event you may either need to shelter in place or run like hell*.
*I actually know people in the reactive chemical industry who routinely call it the "RLH protocol."
Upvote
3
(3
/
0)
Or as the EOD guys say: "Time to de-ass the area with the quickness."
Upvote
2
(2
/
0)
As I've recently become acquainted with the The Seventy Maxims of Maximally Effective Mercenaries, this reminds me of rule #3. (Rule #2 included for context).
Edit: Dammit Faanchou! Ninja'd!
Upvote
2
(2
/
0)
- Status