Researcher Identifies Emergency Alert Systems Vulnerable To Exploitation Due To SirenJack Flaw – Critical Military And State Infrastructure At Risk Of Attacks By Malicious Hackers.
Warning systems are of vital importance as governments heavily rely upon them for immediate identification of legit threats.
Warning sirens are globally used for detecting natural disasters like earthquakes, tornadoes, hurricanes, thunderstorms, volcanic eruptions and man-made disasters such as nuclear accidents, gas, and oil leaks and chemical spills, etc.
Furthermore, these systems are integral in countering public emergency situations such as during wars the systems inform about missile alerts, air strikes, and bombings while these are useful in countering everyday emergency situations like evacuation warnings, active shooter situations, and terrorist attacks.
If warning systems are exploited by malicious hacktivists or terrorists, these could result in unnecessary panic. This is exactly what Bastille’s latest threat alert is about.
Bastille is the leading enterprise threat detection service that performs threat detection via software defined radio.
The firm has reported about a vulnerability in emergency alert systems that are supplied by the well-known USA-based ATI systems.
The vulnerability can be remotely exploited through radio frequencies after which all sirens can be activated at will.
It can also be used to trigger false alarms to create panic.
Some of the major customers of ATI Systems include the City of San Francisco, One World Trade Center, UMass Amherst, the West Point Military Academy, Indian Point Energy Center nuclear power station.
A number of military installations, urban and rural communities, academic institutions and industrial sector enterprises including nuclear and oil generation plants are among the key clients of ATI Systems. This means the vulnerability has rendered millions of people and so many critical infrastructures at risk of exploitation.
Bastille Research Team identified that an unencrypted and insecure radio protocol had been controlling the ATI sirens that they monitored.
Using this unprotected protocol, a threat actor such as a hacktivist or a terrorist and even a nation-state with malicious objectives could identify the system’s assigned radio frequency.
Once this is done, they could easily develop ways to exploit the system such as they can upload malicious activation messages and spread them from their own radio to set the alarm off.
According to CEO Bastille Networks, Chris Risley, even if a single warning siren is triggered with a false alarm, it can create widespread panic and can even ‘endanger lives.’
The investigation on SirenJack was initiated back in 2016 in San Francisco by Bastille researcher Balint Seeber.
Seeber noticed that the Outdoor Public Warning System of the city utilized RF communications and the commands of the radio protocol weren’t encrypted.
Therefore, the system was identified to be vulnerable to fake system commands and at risk of exploitation.
It was also noted that hackers can play any sound they liked.
Seeber also identified that it only costs $35 to hijack emergency sirens in American cities because hackers only need a laptop and a radio, both of which are readily available in the markets.
In a proof-of-concept video, Seeber demonstrated how the hack takes place. The video shows that
Seeber caused the sirens to go off by playing “Never Gonna Give You Up” by Rick Astley over the speakers. Here is how he did it:
The researcher found the first affected system in the City of San Francisco’s ATI installation while the presence of SirenJack was confirmed at a second installation.
The company has urged all ATI customers to contact ATI to initiate an investigation into the company’s installation and detect if others are affected.
ATI and San Francisco were informed by Bastille about the vulnerability around 90 days back so that the company gets ample time to patch the flaw.
The company disclosed SirenJack vulnerability now to alert ATI Systems’ users and to compel other Siren vendors to investigate their own systems and fix the flaw if identified.
ATI Systems claim that the vulnerability is ‘largely theoretical’ and is not being exploited in the wild. But the company sent a statement to Bastille in which it admitted that the findings were ‘likely true’ and the company would soon be releasing a patch.