Last weekend, when outdoor emergency sirens in Dallas sounded for over 90 minutes, it turned out that the Emergency Alert System (EAS) used by the city of Dallas had been compromised by outside radio equipment replicating the tonal code required to trigger the alarms, in other words a "radio replay" attack.
It was noted that the nearly decade-old system is controlled by tone combinations used by the EAS broadcast over the National Weather Service's weather radio, and by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands sent from a command center terminal over an emergency radio frequency. The EAS system made no use of signal authentication or encryption.
According to city officials, the decade-old radio-based system was disabled hours after the breach and went live again over the weekend with 'encryption' to protect the language of tones as a measure to prevent such attacks. The Dallas City Council has also voted to pay $100,000 more to its emergency siren system contractor to increase the security of the city's current system.
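To make the failure mode concrete, here is an added example (not code from the article or from the Dallas system's vendor) contrasting a tone-code controller that accepts a fixed activation sequence with a hypothetical hardened design that still fits a digit-only DTMF channel. The frame layout (6-digit counter, 2-digit command, 8-digit truncated HMAC), the command values and the demo key are all constructed for illustration; the point it shows is that a message authentication code alone does not stop a replay, and that a freshness check (here a monotonic counter) is what rejects a captured frame sent a second time.

```python
import hmac
import hashlib

# Digits only, so a frame can be carried over the same kind of tone channel
# (DTMF/AFSK) the article describes. The layout itself is an assumption.
COUNTER_DIGITS = 6   # monotonically increasing per command center
COMMAND_DIGITS = 2   # constructed command codes, see below
MAC_DIGITS = 8       # truncated HMAC rendered as decimal digits
FRAME_LEN = COUNTER_DIGITS + COMMAND_DIGITS + MAC_DIGITS

CMD_ACTIVATE = "01"  # constructed value
CMD_SILENCE = "00"   # constructed value


class NaiveSirenController:
    """Fixed tone sequence, no authentication: a sequence that worked once works again."""

    def __init__(self, activation_code):
        self.activation_code = activation_code
        self.activations = 0

    def receive(self, digits):
        if digits == self.activation_code:
            self.activations += 1
            return "activated"
        return "ignored"


def _mac_digits(key, counter_str, command):
    """HMAC-SHA256 over counter||command, truncated to MAC_DIGITS decimal digits."""
    digest = hmac.new(key, (counter_str + command).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**MAC_DIGITS:0{MAC_DIGITS}d}"


def build_frame(key, counter, command):
    """Command center side: counter + command + MAC, all decimal digits."""
    counter_str = f"{counter:0{COUNTER_DIGITS}d}"
    return counter_str + command + _mac_digits(key, counter_str, command)


class AuthenticatedSirenController:
    """Siren side: accept a frame only if the MAC verifies AND the counter is newer than the last accepted one."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1
        self.activations = 0
        self.log = []  # accepted/rejected events, what a monitoring station would want

    def receive(self, frame):
        if len(frame) != FRAME_LEN or not frame.isdigit():
            return self._reject("malformed", frame)
        counter_str = frame[:COUNTER_DIGITS]
        command = frame[COUNTER_DIGITS:COUNTER_DIGITS + COMMAND_DIGITS]
        mac = frame[COUNTER_DIGITS + COMMAND_DIGITS:]
        # Integrity first: a frame whose MAC does not verify was not built with the key.
        if not hmac.compare_digest(mac, _mac_digits(self.key, counter_str, command)):
            return self._reject("bad mac", frame)
        # Freshness second: an authentic frame re-sent later carries a stale counter.
        counter = int(counter_str)
        if counter <= self.last_counter:
            return self._reject("replay", frame)
        self.last_counter = counter
        if command == CMD_ACTIVATE:
            self.activations += 1
        self.log.append(("accepted", counter, command))
        return "activated" if command == CMD_ACTIVATE else "accepted"

    def _reject(self, reason, frame):
        self.log.append(("rejected", reason, frame))
        return "rejected: " + reason


def demo():
    """Feeds the same captured frame to both designs twice; returns the outcomes."""
    key = b"constructed-demo-key-not-a-real-secret"  # constructed, not a real key
    naive = NaiveSirenController("4*7#12")            # constructed activation code
    recording = "4*7#12"                              # the sequence heard during a legitimate test
    naive_first = naive.receive(recording)
    naive_replay = naive.receive(recording)

    hardened = AuthenticatedSirenController(key)
    frame = build_frame(key, counter=41, command=CMD_ACTIVATE)  # legitimate test
    live = hardened.receive(frame)
    replay = hardened.receive(frame)                              # same frame re-sent later
    # Swap the command digits of a captured frame: the MAC no longer matches.
    tampered = frame[:COUNTER_DIGITS] + CMD_SILENCE + frame[COUNTER_DIGITS + COMMAND_DIGITS:]
    forged = hardened.receive(tampered)
    later = hardened.receive(build_frame(key, counter=42, command=CMD_SILENCE))
    return {
        "naive_first": naive_first, "naive_replay": naive_replay,
        "naive_activations": naive.activations,
        "live": live, "replay": replay, "forged": forged, "later": later,
        "hardened_activations": hardened.activations,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two caveats a practitioner would check before adopting anything like this: eight decimal digits of MAC is only about 26 bits, so the receiver must rate-limit and log failed frames rather than rely on the tag length alone, and the counter must survive a siren reboot (or be replaced by a time window with a tolerated clock skew), otherwise a restarted unit would accept every old frame again.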
Severity (Speculative worst case scenario)
The Dallas EAS system consists of 156 sirens distributed across the city.
Hijacking of the sirens, combined with TV or radio channel signals, by a well-organized group running a social media campaign to distribute false information could have led to widespread confusion and possible evacuations.
Abuse of the sirens could be used to mask crimes in progress or to desensitize citizens in the event of an attack planned following the announcement of a hack.
This would have taken a lot of time and research to pull off, for sure. This is definitely a group of people, but the question is: who gains the most from this event?
You could have pulled this off with a HackRF SDR and a recording of the previous emergency or siren test. Could even just spam random DTMF combinations at it till it triggered.
Due to the lack of authentication and encryption, the level of knowledge needed for exploitation here was set extremely low. The system essentially used DTMF tones transmitted on 700 MHz to set the system state. Essentially a radio telephone, except the numbers dialed only call one number, and only if they are correct.
Basically yes. Unless someone in the city was monitoring and triangulating all radio signals in the city at all times, they will probably never be found. Even then, someone could have just left a box of electronics somewhere to do its thing and collected it later once they had their fun.
In fact, a large portion of the Midwest has these weather sirens (mostly just for tornadoes). Could be a bad breach of security if most of these systems operate under the same or similar conditions.