InfoSec: Dallas Emergency Alert System Hack

Dallas Siren Hack Came Via Radio Replay Attack

Summary:

Last weekend, outdoor emergency sirens in Dallas cried loudly for over 90 minutes. It turns out that the EAS (Emergency Alert System) used by the city of Dallas was compromised by outside radio equipment replicating the tonal code required to trigger the alarms — which, in other words, is known as a "radio replay" attack.

It was noted that the nearly decade-old system is controlled by tone combinations used by the EAS broadcast over the National Weather Service's weather radio, and by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands from a command center terminal sent over an emergency radio frequency. The EAS system made no use of Signal Authentication or Encryption.

Extra References:

  1. https://thehackernews.com/2017/04/emergency-tornado-siren-hack.html
  2. https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/
  3. https://www.extremetech.com/extreme/247544-dallas-siren-hack-carried-radio-signals
  4. https://www.fedsig.com/outdoor-sirens-and-speakers (manufacturer of EAS)

Fix

According to the city officials, the decade-old radio-based system was disabled hours after the breach and went live over the weekend with 'encryption' to protect the language of tones as a measure to prevent such attacks.
The Dallas City Council has also voted to pay $100,000 more to its emergency siren system contractor to increase the security of the city's current system.

Severity (Speculative worst case scenario)

The Dallas EAS system is comprised of 156 Sirens distributed across the city.

  1. Hijacking of the Sirens in combination with TV or radio channel signals by a well-organized group in combination with a Social Media campaign to distribute false information could have led to widespread confusion and possible evacuations.
  2. Abuse of the sirens could be used to mask crimes in progress or to desensitize citizens in the event of an attack planned following the announcement of a hack.
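An added example, not part of the original post and not the siren vendor's protocol: a sketch of what signal authentication with replay protection looks like on a one-way command link. The frame layout, tag length, key and command names are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag in bytes (assumed frame budget)

def build_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Controller side: counter (8 bytes, big-endian) || command || tag."""
    body = struct.pack(">Q", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class SirenReceiver:
    """Receiver side: accept only frames with a valid tag and a fresh counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # a real device would keep this in non-volatile storage

    def accept(self, frame: bytes):
        if len(frame) < 8 + 1 + TAG_LEN:
            return None  # too short to hold counter, command and tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted: tag does not verify
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None  # replay: this counter value was already consumed
        self.last_counter = counter
        return body[8:]

def demo():
    key = bytes(range(32))  # constructed demo key, not a real secret
    rx = SirenReceiver(key)
    frame = build_frame(key, 1, b"ACTIVATE")
    good = build_frame(key, 2, b"CANCEL")
    tampered = good[:-1] + bytes([good[-1] ^ 0xFF])  # flip bits in the tag
    return {
        "first": rx.accept(frame),
        "replayed": rx.accept(frame),  # same recorded frame sent again
        "tampered": rx.accept(tampered),
        "wrong_key": rx.accept(build_frame(b"\x01" * 32, 3, b"ACTIVATE")),
        "next": rx.accept(good),
    }

if __name__ == "__main__":
    print(demo())
```

A bare tone sequence carries neither the tag nor the counter, which is why a recording of an earlier activation is indistinguishable from a fresh command.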

Dallas needs to get this locked down and updated. But it sure is funny tho

gg m8

Once again letting people know that challenge response is a requirement

Someone didn't want to take a test. This reminds me of pulling the fire alarm but much much more mischievous.

This would have taken a lot of time and research to pull off for sure, this is definitely a group of people but the question is who gains the most from this event?

You could have pulled this off with a HackRF SDR and a recording of the previous emergency or siren test. Could even just spam random DTMF combinations at it till it triggered.

Due to the lack of authentication and encryption the level of knowledge needed to lead to exploitation here was set extremely low. The system essentially used DTMF tones transmitted on 700 MHz to set the system state. Essentially a radio telephone, except the numbers dialed only call one number and only if they are correct. :laughing:

Could even just spam random DTMF combinations at it till it triggered -catsay

Oh jeez I didn't know it was THAT vulnerable, so everyone from a lone punk to organized crime could have been the culprit?

Basically yes.
Unless someone in the city was monitoring and triangulating all radio signals in the city at all times, they will probably never be found.
Even then, someone could have just left a box of electronics somewhere to do its thing and collected it later once they had their fun.

I live in Oklahoma, and we have siren systems that are very similar. I wonder if ours operate under the same principle.


In fact, a large portion of the midwest has these weather sirens (mostly just for tornados). Could be a bad breach of security if most of these systems operate under the same or similar conditions.