Cities' emergency sirens will play anything you send them over an unencrypted radio protocol

It's been a year since someone hacked all 156 of Dallas's emergency tornado sirens, setting them off in the middle of the night, and the security picture for cities' emergency PA systems keeps getting uglier.

Since 2015 Balint Seeber — a security researcher at Bastille — has been probing San Francisco's emergency PA system, which plays a test warning ("This is a test. This is a test of the outdoor warning system. This is only a test") every Tuesday at noon. Now, he's announced that he's cracked it.

Seeber used a software-defined radio to monitor possible transmissions to the PA speakers. He struggled to identify the control messages and had given up, but after the Dallas hack he renewed his interest. Close examination of a photo of one of the speakers revealed its Yagi antenna, from which he was able to derive the control frequencies; with this information, he was able to reverse-engineer the protocol used to send messages to the PAs for broadcast.

The protocols contain no authentication or encryption, meaning that anyone can make any or all of the towers broadcast any audio file at earsplitting, terrifying volume.

Seeber disclosed the vulnerability to ATI Systems, the Boston company that supplies the PA systems in many cities, including San Francisco, Wichita, and an undisclosed third city, all of which were verified to be vulnerable to Seeber's attack.

ATI claims that the research that revealed the defects in their products is illegal, and that discussing these defects is also illegal, but admits that its products are defective, though they downplayed the significance, claiming it would be very hard to replicate Seeber's attack. Seeber's attack used a $35 off-the-shelf radio device and free/open source software.

Seeber says that these defects can't be easily patched, as each speaker needs to be physically updated; however, he says that ATI's speakers in San Francisco are increasingly using encrypted messages to communicate, suggesting that ATI is slowly updating its products.

Seeber believes that ATI's products aren't the only defective offerings in the marketplace and suggests that cities procuring their own emergency PA systems should get assurances from vendors that the system uses cryptography and authentication to verify messages.

Seeber posits that ATI's system security depends on the notion that its radio signals are too obscure for anyone to decode, rather than on any actual encryption to protect the signals or authentication that would prevent unauthorized commands from being accepted. But the rise of cheap and accessible software-defined radios that let any hacker pick up or produce radio signals across a broad spectrum of frequencies has made it far easier to eavesdrop on and mimic unencrypted communications than in the past. "This looks like it was security through obscurity, and in this day and age that approach is really not valid," Seeber says.
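To make the "authentication to verify messages" point concrete, here is an added example (not code from the article, Seeber, or ATI) of a hypothetical siren-command frame carrying an HMAC tag and a monotonic counter; the frame layout, key and command codes are all constructed for illustration. A receiver with this check drops frames that are forged without the key, tampered with in transit, or recorded and replayed, which is exactly what an obscurity-only protocol cannot do.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (not ATI's format):
#   command (1 byte) | tower_id (2 bytes) | counter (4 bytes) | HMAC-SHA256 tag (32 bytes)
HEADER_FMT = ">BHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 32
KEY = b"example-per-tower-shared-key"  # constructed; a real key comes from provisioning


def build_frame(command: int, tower_id: int, counter: int, key: bytes = KEY) -> bytes:
    """Sender side: authenticate the header with a keyed MAC."""
    header = struct.pack(HEADER_FMT, command, tower_id, counter)
    return header + hmac.new(key, header, hashlib.sha256).digest()


class Receiver:
    """One siren controller: accepts a frame only if the tag verifies,
    the frame is addressed to it, and the counter is strictly increasing."""

    def __init__(self, tower_id: int, key: bytes = KEY):
        self.tower_id = tower_id
        self.key = key
        self.last_counter = -1  # no frame accepted yet

    def accept(self, frame: bytes) -> tuple:
        if len(frame) != HEADER_LEN + TAG_LEN:
            return False, "bad length"
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        # Constant-time comparison; a forged or tampered frame fails here.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        command, tower_id, counter = struct.unpack(HEADER_FMT, header)
        if tower_id != self.tower_id:
            return False, "wrong tower"
        # A recorded frame re-sent later carries an old counter: reject it.
        if counter <= self.last_counter:
            return False, "replay"
        self.last_counter = counter
        return True, "command 0x%02x accepted" % command
```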

This Radio Hacker Could Hijack Citywide Emergency Sirens to Play Any Sound [Andy Greenberg/Wired]