A vulnerability in a popular emergency alert system, widely used across towns and cities, exposes sirens to hijack, allowing hackers to trigger false alarms.
Security researchers at Bastille, a security firm with a focus on finding radio frequency vulnerabilities, found that the vulnerability in emergency alert systems supplied by Boston-based ATI Systems can be exploited by sending a malicious activation message over the radio airwaves.
Because the radio protocol that ATI uses isn't encrypted, activation messages can be forged.
This puts ATI customers at risk of attack, including the city of San Francisco, West Point Military Academy, and the Indian Point nuclear power station.
But the impact of the flaw, if exploited, could be serious.
These emergency systems are found across the US, primarily used to warn against natural disasters and terrorist attacks, but also inbound threats from hostile nation states. The systems are far from perfect. Almost exactly a year ago, an unknown hacker replayed a radio signal used during regular scheduled tests of the system to maliciously trigger Dallas' emergency alert system in the middle of the night.
Although the hack was more of an annoyance to Dallas residents, Bastille researchers say that this kind of attack could cause widespread panic.
Earlier this year, Hawaii officials mistakenly sent an emergency alert to mobile users in the state to warn of an incoming ballistic missile. The alert sent panic and confusion across the islands during the height of North Korea's escalating nuclear missile testing.
Balint Seeber, director of threat research at Bastille, told ZDNet how the vulnerability works.
"ATI's systems employ a custom digital radio protocol, using a well-known physical layer, designed to work over standard analog radio equipment (even $30 handheld radios)," he said.
He said that a replay attack -- like what was used in Dallas -- would not work because the protocol employs elements that change from week to week, but "do so in an easily discernible manner." Regardless, the core payload used to activate the sirens remains the same each week.
"I collected recordings of each week's test, decoded the transmissions, and built up a corpus of packets in which I was able to recognize the relevant patterns, thereby becoming certain that malicious activation payloads could be constructed by using the known activation payload and adding the correct additional bits adhering to the observed pattern," he explained.
An attacker would have to be within radio range of the targeted city, he said.
But, in many emergency alert system setups, repeaters are used to amplify weaker signals and rebroadcast them over a wider area. With the right equipment, Seeber said, an attacker could be successful from "at least tens of miles away."
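The attack Seeber describes rests on two properties: the activation payload never changes, and the only part of the frame that does change varies in a predictable way, so an attacker who has captured a few weekly tests can extrapolate the next valid frame without ever seeing a key. The toy model below is an added illustration written for this article, not ATI's protocol or Bastille's code; the frame layout, the 16-bit "week counter", the unkeyed checksum and the shared key are all assumptions chosen to show the principle. It contrasts a receiver that only checks a rolling counter (a replay is rejected, but a forgery with the predicted counter is accepted) with a receiver that requires an HMAC over the whole frame, where predicting the counter no longer helps.

```python
"""Toy rolling-counter activation protocol versus a MAC-authenticated one.

Constructed example for illustration only. The frame format, field widths,
counter behaviour and key are assumptions; none of this is ATI's protocol.
"""
import hashlib
import hmac
import struct

ACTIVATE = b"\x01ACTIVATE"      # hypothetical fixed activation payload (9 bytes)
BODY_FMT = ">H9s"               # 16-bit week counter + payload (assumed layout)
KEY = b"per-site-key-provisioned-out-of-band"   # assumed shared secret


def checksum16(data: bytes) -> int:
    """Unkeyed checksum: anyone can recompute it, so it proves nothing."""
    return sum(data) & 0xFFFF


def build_frame(week: int, payload: bytes = ACTIVATE) -> bytes:
    """Weak frame: counter, payload, unkeyed checksum."""
    body = struct.pack(BODY_FMT, week, payload)
    return body + struct.pack(">H", checksum16(body))


def parse_frame(frame: bytes):
    week, payload = struct.unpack(BODY_FMT, frame[:11])
    (chk,) = struct.unpack(">H", frame[11:13])
    return week, payload, chk


class WeakReceiver:
    """Accepts a frame if the checksum matches and the counter moved forward."""

    def __init__(self, last_week: int):
        self.last_week = last_week

    def accept(self, frame: bytes) -> bool:
        week, payload, chk = parse_frame(frame)
        if chk != checksum16(frame[:11]):
            return False
        if week <= self.last_week:        # a replayed old test frame is rejected
            return False
        self.last_week = week
        return payload == ACTIVATE


def predict_next_week(captures) -> int:
    """Infer the step between captured counters and extrapolate one ahead."""
    weeks = [parse_frame(f)[0] for f in captures]
    steps = {b - a for a, b in zip(weeks, weeks[1:])}
    if len(steps) != 1:
        raise ValueError("pattern not discernible from captures")
    return weeks[-1] + steps.pop()


def forge_activation(captures) -> bytes:
    """Known payload + predicted counter + recomputed checksum: no key needed."""
    return build_frame(predict_next_week(captures))


def build_auth_frame(week: int, key: bytes = KEY, payload: bytes = ACTIVATE) -> bytes:
    """Hardened frame: counter, payload, HMAC-SHA256 tag (truncated to 8 bytes)."""
    body = struct.pack(BODY_FMT, week, payload)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


class AuthReceiver:
    """Requires a valid MAC over counter+payload and a counter that moved forward."""

    def __init__(self, last_week: int, key: bytes = KEY):
        self.last_week = last_week
        self.key = key

    def accept(self, frame: bytes) -> bool:
        body, tag = frame[:11], frame[11:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False
        week, payload = struct.unpack(BODY_FMT, body)
        if week <= self.last_week:
            return False
        self.last_week = week
        return payload == ACTIVATE


def demo():
    """Returns (weak_replay, weak_forge, strong_forge, strong_legit)."""
    captures = [build_frame(w) for w in (40, 41, 42)]   # constructed weekly test frames
    weak_replay = WeakReceiver(last_week=42).accept(captures[-1])       # replay: rejected
    weak_forge = WeakReceiver(last_week=42).accept(forge_activation(captures))  # forgery: accepted
    # Without the key the best an attacker can do is guess the tag.
    guessed = struct.pack(BODY_FMT, 43, ACTIVATE) + b"\x00" * 8
    strong_forge = AuthReceiver(last_week=42).accept(guessed)           # rejected
    strong_legit = AuthReceiver(last_week=42).accept(build_auth_frame(43))  # accepted
    return weak_replay, weak_forge, strong_forge, strong_legit


if __name__ == "__main__":
    print(demo())   # (False, True, False, True)
```

The point of the model is that a counter which changes "in an easily discernible manner" only defends against the Dallas-style replay; forgery needs a secret the attacker does not hold, which is what the MAC supplies. In the authenticated variant the counter is still needed, but now as replay protection inside the MAC rather than as the sole authenticator.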
Since their private disclosure in January, the researchers have confirmed that San Francisco, where Bastille first discovered the vulnerability, patched its systems in March. News of the firmware upgrade was first reported by StateScoop last week.
Bastille was asked not to test the since-patched systems, and so was unable to verify the efficacy of the patch.
Seeber said that, from passive observation, new transmissions in San Francisco appear to now be encrypted.
Though not all ATI systems have been patched, Bastille released some details of the vulnerability in line with its industry-standard, 90-day responsible disclosure policy.
But despite the coordinated disclosure schedule and press releases, a spokesperson for ATI sent a statement (which we have uploaded) just an hour before publication, claiming that Bastille's work was "against the law."
"Their recent activity was done by recording the communication protocol, which appears to be in violation of the FCC rules," the statement said.
The statement appeared to backtrack on an earlier statement that the company had issued alongside Bastille's.
In an earlier statement, ATI said it has "created a patch which adds additional security features to the command packets sent over the radio," adding that the patches are undergoing testing and will be rolled out "shortly."
But ATI's new statement downplayed Bastille's findings.
"The vulnerability is largely theoretical and has not yet been seen in the field," the new statement read.
ATI also said it can "add additional encryption to make the commands as secure as possible if the client is concerned and can generate funding to finance the changes."
ATI chief executive Ray Bassiouni said ATI, despite its claims, has not launched legal action against Bastille.
Bastille also confirmed that systems in Sedgwick County, Kan., were vulnerable, along with several major university campuses and other military facilities in Arizona, Massachusetts, and South Carolina.
It's not known if county officials will pay to secure their systems. Local officials did not respond to a request for comment.
Bastille researchers were not immediately available for comment at the time of publication.
Later, Bastille hit back at ATI's claim.
"We're satisfied that we are standing on solid legal grounds," said a spokesperson.
"Bastille did not break the law in researching the SirenJack vulnerability. There is a law against intercepting certain radio signals, but that law specifically does not apply to intercepting public safety radio communications if they are 'readily accessible to the general public'. The courts have interpreted 'readily accessible to the general public' to mean 'unencrypted'."
When asked about ATI's second statement, Bastille added: "We're not sure why they included and highlighted this exclusion in their document since it undermines their entire allegation."
Correction: An earlier version of this story cited One World Trade Center in New York as a customer. While an ATI system was used during the building's construction, ATI systems are no longer in use there.