Computer hackers have uncovered a way to abuse emergency alert services in an attack called SirenJack. This was made possible by a newly discovered vulnerability in the products of one of the vendors.
An Ongoing SirenJack Attack Can Cause Widespread Panic
A security audit revealed a dangerous vulnerability in emergency alert systems that can be abused to cause false alarms and widespread panic. The problem lies within the controller software made by ATI Systems that is used in many locations around the United States of America and abroad. Some of the confirmed sites are the following:
- One World Trade Center
- Indian Point Energy Center nuclear power stations
- UMass Amherst
- West Point Military Academy
The problem lies within the protocols that use radio signals to control the sirens. A security analysis reveals that they are not encrypted, which practically allows anyone (including terrorists) to uncover the specific radio frequency assigned to the emergency system and craft malicious command messages. When the relevant receiver is placed in listening mode, any such messages it intercepts can automatically set off the alarms. According to the published information, a SirenJack attack can be accomplished with a laptop computer and a cheap $30 handheld radio device.
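To show why command messages need authentication and replay protection, the following added example (not the vendor's code or patch) contrasts a receiver that acts on any well-formed frame with one that checks an HMAC tag and a monotonic counter. The frame layout, field names and key handling are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (an assumption, not the vendor's format):
# siren_id (2 bytes), command (1 byte), counter (4 bytes), then a 16-byte tag.
HEADER = struct.Struct(">HBI")
TAG_LEN = 16
CMD_ACTIVATE = 0x01


def build_frame(key: bytes, siren_id: int, command: int, counter: int) -> bytes:
    """Controller side: serialize the command and append a truncated HMAC-SHA256 tag."""
    header = HEADER.pack(siren_id, command, counter)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class LegacyReceiver:
    """Assumed model of the weakness described above: any well-formed frame is obeyed."""

    def handle(self, frame: bytes) -> bool:
        if len(frame) < HEADER.size:
            return False
        _siren_id, command, _counter = HEADER.unpack(frame[:HEADER.size])
        return command == CMD_ACTIVATE


class AuthenticatedReceiver:
    """Obeys a frame only if the tag verifies and the counter has not been seen."""

    def __init__(self, key: bytes, siren_id: int):
        self.key = key
        self.siren_id = siren_id
        self.last_counter = 0

    def handle(self, frame: bytes) -> bool:
        if len(frame) != HEADER.size + TAG_LEN:
            return False
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        siren_id, command, counter = HEADER.unpack(header)
        if siren_id != self.siren_id or counter <= self.last_counter:
            return False  # addressed to another unit, or a replayed recording
        self.last_counter = counter
        return command == CMD_ACTIVATE
```

Encryption alone would not stop a recorded frame from being retransmitted; the tag and the counter check are what reject forged and replayed commands here.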
It is interesting to note that the security flaw was first identified back in 2016 in another system installed in San Francisco. The vulnerability was not reported; however, after the onset of several incidents the vendor was contacted with information about the issue. The emergency alert systems from this particular vendor are deployed both in North America and around the globe. The locations range from civic installations to military complexes, industrial sites (the report also mentions oil and nuclear ones) and universities.
The vendor has released a statement saying that it has developed a patch that is currently being tested and will be rolled out to its systems. One important thing to consider about this upcoming security update is that the emergency alert systems are customized for each customer location. This means that customers will be required to reach out to the company and request their own personalized fix. A fix for the San Francisco system has already been deployed in order to prevent any potential abuse. The security researchers followed the standard security practice of notifying the vendor 90 days prior to public disclosure.