Hacked Tornado Sirens Taken Offline In Two Texas Cities Ahead of Major Storm (zdnet.com)
An anonymous reader quotes a report from ZDNet: A hacker set off the tornado emergency sirens in the middle of the night last week across two North Texas towns. Following the unauthorized intrusion, city authorities had to shut down their emergency warning system a day before major storms and potential tornados were set to hit the area. The false alarm caused quite the panic in the two towns, as locals were already on the edge of their seats regarding incoming storms. The city had run tests of the tornado alarm sirens a week before, but the tests were set during the middle of the day and had long concluded. The two hacked systems were taken offline the next morning, and remained offline ever since.
Bad weather, including storms and potential tornadoes, was announced for all last week in the North Texas area. A severe thunderstorm hit the two cities the following night, on March 13. Thunderstorms are known to produce brief tornadoes, but luck had it that no tornado formed and hit the towns that day. Tornadoes are frequent in Texas, as the state is located in Tornado Alley, and tornado season, a period of the year between March and May when most tornadoes happen, had officially begun. Nevertheless, a tornado didn't form on March 13, and, luckily, the sirens weren't needed.
Garr (Score:3, Insightful)
Re:Garr (Score:5, Informative)
Re:Garr (Score:5, Informative)
The problem is that these systems are old and crap, and can't be secured. The only option is to rip them out and replace them with something better.
They are radio based. When a particular signal is sent on a particular frequency they sound. Kinda like a garage door opener, but much longer range so that only one high power transmitter can cover a wide area. Unfortunately, like most garage door openers, they are very easy to spoof and the main challenge is transmitting a relatively high power signal and getting away with it.
Most of these radio based systems are similarly vulnerable. The RDS system, for example, can be spoofed with a few hundred bucks worth of gear bought on eBay.
Re:Garr (Score:4, Interesting)
Garage doors are far from secure; most new cars come with a built-in universal garage door opener that can be programmed to an older garage door opener in just a couple minutes without ever getting out of your car or even knowing the name brand of the garage door opener.
Re: (Score:3)
Garage doors are far from secure; most new cars come with a built-in universal garage door opener that can be programmed to an older garage door opener in just a couple minutes without ever getting out of your car or even knowing the name brand of the garage door opener.
Our opener is at least 15 years old, and for both of our cars required the use of a working remote to program the cars' openers.
Re: (Score:2)
That's the easy way, easy so that someone with no particular skill can follow the directions and be successful.
The "hard way" just requires a radio receiver in range listening when you open your garage door.
On some really old door openers, you can use a universal remote that just brute forces it.
Re: (Score:2)
Can you explain what a radio receiver or universal remote have to do with programming a car's garage door opener?
Re: (Score:2)
Door openers are RF. Universal as in, in its day it would open any garage door. These days it is restricted to older doors.
Your car's opener has a receiver that it uses to learn your door's code from your existing remote. Anyone else can put a receiver in range of your garage door and learn the code as well by listening when you open it.
Re: (Score:2)
Name calling, what a rebuttal. So tell us, OH exalted one, what is actually wrong about what I said?
Re:Garr (Score:4, Insightful)
The problem is that these systems are old and crap, and can't be secured. The only option is to rip them out and replace them with something better.
They are radio based. When a particular signal is sent on a particular frequency they sound.
You don't have to throw away the whole system, just the communications part. That's a relatively small portion of the whole. Why don't they base it on some of that encrypted police radio they seem to love so much?
I CAN'T HEAR YOU! (Score:2)
Re: (Score:2)
Wow, being old enough to remember "duck and cover", being a Cold War vet, and owning my own Hemi for seven years, one would think I'd have heard of these before.
Re: Garr (Score:2)
Re: (Score:2)
Re:Garr (Score:5, Informative)
If you had read beyond the first sentence you would have realized that this likely has nothing to do with the internet or IT.
Re: (Score:2)
Archangel doesn't base any of his opinions or understandings on information right in front of his nose. That's kind of his thing.
Re: (Score:2)
It's a well tested tactic on Slashdot. Rush in with a generic rant about how stupid having anything important being connected to the internet is and hope that moderators give you a +5 insightful without noticing that it's not really relevant.
Re: (Score:2)
Only one of the suggestions (first one, admittedly) has to do with networking.
But yeah, I didn't read anything. ;)
Re: (Score:2)
These systems don't use TCP/IP over the cell network. They have a radio receiver and listen for an activation signal. That signal is transmitted periodically to test the system. They don't even do two way, the siren is rx only.
To secure them, the controller has to be replaced.
Re: (Score:2)
That would do it.
Not necessarily an easy fix (Score:5, Insightful)
You'd think the other cities in the area would have learned from this vulnerability and fixed the problem.
Believe it or not, it's not at all unlikely that word of the problem never got to the right people. And even if they were aware of it, it's not axiomatic that they would be able to fix the problem. They might not have the budget, or it might require coordination with (possibly uncooperative) other municipalities, or it might be technologically impossible to "fix" the problem with existing equipment and budget. Stuff like this usually requires budgeting and possibly even taxpayer approval and doesn't tend to happen overnight.
Although that would require local governments to be competent.
Sigh... Just because not everything happens perfectly all the time does not imply local government is incompetent. Did it occur to you that the tech involved might be old and that the taxpayers haven't approved the money to replace the equipment? It's entirely plausible they don't have the resources to deal with the problem even if they are aware of it.
The meme that government is incompetent is really tired. No institution does everything perfectly, public or private. Just because they have a failure in one task it does not follow that they are generally incompetent. There are lots of things you don't do well either. Should we declare you to be incompetent every time you overlook something or don't handle it perfectly?
Re: (Score:3)
The more likely scenario is that the story went something like this.
IT People: "Hey, we have vulnerable systems, we need $$ and $$$ to secure them properly"
Mayor's People: "Sorry, I have this program here that is pure ego boosting and is quite flashy, you don't get anything for your budget. In fact, I need some of what you used to have back"
IT People: "Okay, but when this shit goes south, and you try to blame me, I have this Email showing you said "no" to fixing this problem."
Mayor's People: "Ummmm you gonna
Re: (Score:3)
The meme that government is incompetent is really tired
So what? You can't handle the truth? Clearly, you also can't tell the difference between a job that the government should do well, and a civilian who, knowing that they can't do the job, would have hired someone who is competent.
I've been dealing with federal government contracts for forty years, and can talk to you all day about incompetence in their contracting system. Why do you think it's nearly impossible to fire an incompetent government worker?
Re: (Score:2)
Clearly, you also can't tell the difference between a job that the government should do well, and a civilian who, knowing that they can't do the job, would have hired someone who is competent.
It appears that in your world "civilians" have infinite money.
The vast majority of "look at how incompetent the government was here!!" stories are actually financial problems caused by our many decades of attempting to defund all government.
Why do you think it's nearly impossible to fire an incompetent government worker?
Because 99% of the time, they're doing all that can be done within current policy and current funding levels. Your attempts to demonize the workers don't alter current policy or raise current funding levels.
Re: (Score:2)
The vast majority of ...
Citation required.
Because 99% of the time...
You're lying.
Re: (Score:2)
So odd you did not provide citations for your claims, yet demand them from others. Almost like you've got a belief without any actual backing....
Re: (Score:2)
Re: (Score:2)
Just a couple weeks ago the former mayor....
I'm not seeing any incompetence by the mayor...stupidity, yes, but there's no incompetence there.
What the hell was the city manager doing?
Could you point out where "surveil the mayor's personal life" is in the city manager's job description?
They have no problem getting certificates of obligation without voter approval
So, did you forget that different cities have different laws?
Re: (Score:2)
The annoying part is that this happened in 2017 as well in the north Dallas area. It happened in the middle of the night and went on for over an hour. You'd think the other cities in the area would have learned from this vulnerability and fixed the problem. Although that would require local governments to be competent.
Go ahead, blame the victims. You would have thought we would have learned that criminals and terrorists that pull this shit need to be hunted down, jailed and made an example of.
Re: (Score:2)
You would have thought we would have learned that criminals and terrorists ...
That is all fine, well and good, but it is clear that finding, capturing, and successfully prosecuting said terrorists are largely fruitless ventures. You can't even guarantee that they are in any jurisdiction where, even if you knew who they were, you could even get your hands on them to prosecute. For all you know, they are in Russia, NK, China or Pakistan, and good luck getting those criminals to trial.
It is much easier to properly secure your shit in the first place. You can think government is here to help you,
Re: (Score:3)
So, if you leave a sum of money on a park-bank, the blame is purely on the person that took it? Yeah, that makes sense. Running insecure critical infrastructure is an invitation to any potential attacker and no better than what the attacker does.
Re: (Score:2)
Terrorist or prankster? Let's see, manifesto? nope. Political demand? nope. People intentionally hurt? Nope.
Is the prank harmless? No, not really, there is potential for harm here, but it's exactly the sort of harm that often doesn't occur to pranksters.
By all means, find them, and give them community service.
Re: (Score:2)
Terrorist or prankster? Let's see, manifesto? nope. Political demand? nope. People intentionally hurt? Nope.
Is the prank harmless? No, not really, there is potential for harm here, but it's exactly the sort of harm that often doesn't occur to pranksters.
By all means, find them, and give them community service.
If it is pranksters, a night in jail might be sobering rather than merely a slap on the wrist. This is the equivalent of calling in a bomb threat to a school which is generally considered fairly serious.
I wouldn't discount the idea of a more systematic and nefarious cyber attack if that's what this was. Like when overseas attackers robocalled in multiple bomb threats to schools. Most attackers aren't discriminating their targets but just casting the net wide and seeing where the vulnerabilities are. If
Re: (Score:3)
Since the attack requires physical presence and the two places hit aren't that big, this really doesn't look much like an internationally coordinated cyber attack.
And I said nothing about blaming the victim, though they might should look into an upgrade.
Re: Government competency (Score:4, Insightful)
Re: Garr (Score:2, Insightful)
Perhaps we could shoot all three at each other, out of cannons...
Re: (Score:2)
I say put them all in the same cell for a few years. That would fit the crime. They may get along splendidly though, because they are cut from the same cloth.
Re:Garr (Score:4, Insightful)
The "kill the messenger" mentality is the underlying cause. Someone comes forward with a vulnerability, they are not taken seriously. Or if they are taken seriously, they are treated as a criminal who must be prosecuted. If not taken seriously, then they prove the vulnerability, which makes them a criminal.
Maybe it should be a crime to not seriously react to a provable vulnerability and get it fixed.
Re:Garr (Score:5, Insightful)
Don't blame the hacking / cracking. Blame the insecure implementation. The "kill the messenger" mentality is the underlying cause. Someone comes forward with a vulnerability, they are not taken seriously. Or if they are taken seriously, they are treated as a criminal who must be prosecuted. If not taken seriously, then they prove the vulnerability, which makes them a criminal. Maybe it should be a crime to not seriously react to a provable vulnerability and get it fixed.
It's a good thing we can do both - work towards having more secure systems, and also prosecute those who play dangerous games with public safety equipment.
It doesn't matter how easy the firetruck is to hotwire (or even if the fireman left the keys in it), it's still illegal for me to jump in and take it for a joyride, or steal it. Doesn't matter if I say I was doing it to prove a point about how easy it is to do. I still can't do it.
Re: (Score:3)
Discovering a vulnerability and reporting it to the implementor or manufacturer is one thing, setting off a false alarm tornado siren is another.
Apples and oranges, the guy in the latter case should be locked up.
Re: (Score:3)
Re: (Score:3)
There are plenty of ways to demonstrate/publicize the problem w/o this kind of BS. Sorry, no excuse.
Re: (Score:3)
Re: (Score:3)
If the intent was purely demonstration, the best way is to set the sirens off a minute before the weekly test. That way, you let the people running the system know they have a problem without panicking the population.
Setting them off in the wee hours suggests a really annoying and poorly thought out prank. There should be consequences for that, but not the hang-em-high OMG terrorists! sort of consequences some have suggested here.
Re: (Score:2)
Gotta pick your priorities. Either pranksters get off lightly or vendors fix their security problems. I'd happily vote for immunity for playful morons before protection for incompetent hardware vendors. NetFlix hardens their infrastructure by writing software that essentially vandalizes their own systems.
We recently had a redundant system fail at work because redundancy wasn't considered as the system was added to. I seriously considered fixing the problem and instituting a "reboot a node on Tuesday at 2:00
Re: (Score:2)
Not to mention it would have been trivial to bring it to the cities' attention by exploiting it without causing problems.
Where I live, they test these things every Wed at exactly noon, IF the weather's clear. So just run your exploit 5 minutes before a normal test in clear weather. Most people wouldn't notice, but the city certainly would.
Re: (Score:2)
Don't blame 9/11 on those terrorists piloting the plane. Blame the airlines for insecure cockpits.
well if some died then they can get manslaughter (Score:2)
well if some died then they can get manslaughter charge or more and in TX they like to do the death penalty
Re: well if some died then they can get manslaught (Score:3)
Re: (Score:2)
If you add the same penalty for the city officials that operate insecure critical infrastructure and thereby endanger lives, I may even be willing to get on board with that. (Well, not really. I am not a cave-man. But significant prison times for all that fucked up here, that I could agree on.) There is more than one fuckup in this story. For things to get wrong this bad, there usually is.
Re: (Score:2)
So now you want pacemakers on non-secure networks? They are already better than that.
Which two? (Score:1)
From the second paragraph: "The incident impacted DeSoto and Lancaster, two cities in Dallas County, Texas --both suburbs located south of the main Dallas metropolitan area."
Really? (Score:3)
I know I'm not adding to the discussion but this just brought my reading to a jarring halt...
"Thunderstorms are known to produce brief tornadoes"
Pray tell some other method known of producing tornadoes strong enough to risk life and property?
Re: Really? (Score:1)
Re: (Score:2)
"Thunderstorms are known to produce brief tornadoes"
Doesn't that only happen when the storm tears through an underwear factory?
Re: (Score:2)
Well, kinda... https://en.wikipedia.org/wiki/Dust_devil
They are comparable to tornadoes in that both are a weather phenomenon involving a vertically oriented rotating column of wind. Most tornadoes are associated with a larger parent circulation, the mesocyclone on the back of a supercell thunderstorm. Dust devils form as a swirling updraft under sunny conditions during fair weather, rarely coming close to the intensity of a tornado.
Why... (Score:2)
Re: (Score:2)
Hold my Redbull and Watch this!
Re: (Score:2)
Before we take the city to task ... (Score:5, Interesting)
For example, if some vandal spray painted the traffic light covers and made them useless, or dropped a sackful of nails on a highway, he/she could cause huge damage. We don't immediately take DoT to task for not creating secure highways where vandals could not mess with traffic lights or strew nails on the road.
Invariably in almost all these incidents we keep blaming "the officials", "the authorities". And they instinctively develop CMA tactics. They don't do anything unless they can have a paper trail that lets them shift the blame to someone else.
Comment removed (Score:5, Informative)
Re:Before we take the city to task ... (Score:4, Insightful)
For example, if some vandal spray painted the traffic light covers and made them useless, or dropped a sackful of nails on a highway, he/she could cause huge damage. We don't immediately take DoT to task for not creating secure highways where vandals could not mess with traffic lights or strew nails on the road.
Precisely.
Believe it or not, it's legal to leave your door unlocked, and if someone comes in and commits crimes they are still guilty.
Re: (Score:2)
Believe it or not, it's legal to leave your door unlocked, and if someone comes in and commits crimes they are still guilty.
Sure, but good luck getting your insurance to pay out.
Re: (Score:3)
Because we live in a society where there are enough people that do not respect the common good. They believe if you aren't actively stopping them then it is perfectly ok. People also seemingly believe that there is an endless government budget to continually update these systems. It wouldn't surprise me if many of these things were 20+ years old, even 40+ years old wouldn't really surprise me. While we don't use them around here, there are similar sirens in the northeast that are 50s cold war tuck and duck
Re: (Score:2)
A better question is what is a reasonable level of security for a given situation.
These sirens could have been better secured relatively easily by using a more complex radio system or a wired system. The cost would have been higher. There is a danger that such a system might fail in the event of an emergency, e.g. the security codes are lost or repairs are harder to effect than with a less secure system that uses more commonly available equipment.
These days most of those problems can are mitigated by using
Re: Before we take the city to task ... (Score:2)
Re: Before we take the city to task ... (Score:2)
Re: (Score:2)
The odds that these were "backed" locally over RF seem long
Based on......? Your preference for telling the story you'd like?
Re: (Score:3)
There is a danger that such a system might fail in the event of an emergency
This angle needs to be given far more thought when people talk about "securing" these systems.
Assuming the current extremely low false-alarm rate, the risk of the sirens not going off due to "whoops, the cert expired" or similar is greater than the risk of false alarms.
If the false-alarm rate goes up enough that people start ignoring the warning, then the calculus changes.
Re: (Score:2)
I don't think it is actually reasonable or possible to secure all of these systems and at some point we need to go after the people that abuse them. We don't require that all windows are brick proof. No matter what security is added to these systems in time it will be outdated and keep needing more upgrades to just keep up with newer security standards and the money needed to do all of that has to come from somewhere. Something will have to be cut or taxes will have to go up to cover it.
We don't live in har
Re: (Score:2)
Re: (Score:2)
Here's the thing though. YOU don't get to set the priority for replacing a cold war era system that is a public safety system. You damned sure don't get to interfere with it or abuse it, EVEN IF IT IS POORLY SECURED BY TODAY'S STANDARDS.
Jesus fucking christ on a cracker. Did none of you fucking learn "NOT YOURS. DON'T TOUCH" when you were kids?
Re: (Score:2)
Re: (Score:2)
Does this also apply to throwing bricks through windows to demonstrate that they should all use tougher windows? We have the tech to make brick resistant windows but it would cost a lot for every business to upgrade their windows. Once they do that do you then show that their windows are still able to be broken with a rifle?
Going around breaking things just to show they can be broken is not civil disobedience. The systems are already known to be vulnerable and we count on people not to be jackasses and brea
Re: (Score:2)
I understand that we make NO effort to stop people from putting nails in the street, throwing bricks through windows etc. The VAST majority of our society has no or very minimal security. Expecting that every system that can be hardened should be hardened is not reasonable. The costs to society to harden everything are extremely high and it makes more sense to go after people that abuse these systems.
Re: (Score:2)
For example, if some vandal spray painted the traffic light covers and made them useless, or dropped a sackful of nails on a highway, he/she could cause huge damage. We don't immediately take DoT to task for not creating secure highways where vandals could not mess with traffic lights or strew nails on the road.
That's an utterly disingenuous comparison, and you know it. The two situations are not even remotely congruent.
Invariably in almost all these incidents we keep blaming "the officials", "the authorities". And they instinctively develop CMA tactics.
They don't develop CMA tactics, they were born into it. (Insert Bane parody here.) You can't blame that on us, just because we're blaming them for not doing their jobs.
Re: (Score:2)
They don't develop CMA tactics, they were born into it. (Insert Bane parody here.) You can't blame that on us, just because we're blaming them for not doing their jobs.
Tell us, who was responsible for electing qualified officials? Yes, I'm blaming you.
Re: (Score:2)
There are some differences. For example, there is no reasonable way to secure a road against bags of nails without making it useless. The same is not true of computer systems. Second, you have to actually be at the road to sabotage it. Anyone can attack an internet-connected computer from anywhere in the world.
and this is how restrictions get into place (Score:3)
Sadly, a stupid stunt like this from some unknown party makes everyone's life harder.
Why?
A) blame games
B) You should have known games ( Defcon had a topic about this )
C) local government will raise taxes to cover the repair and security of the system.
So people will get extremely tough and demand harsher punishments for criminals if ever caught.
it's getting worse.
How ? (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: How ? (Score:2)
Re: (Score:2)
Can you point to one that's not hackable, and actually functions?
Re: (Score:3)
Most of these are very old systems that have zero security, triggered by a particular RF signal that pretty much anyone could transmit with some gear.
And it's not particularly clear that locking them down is all that good a plan. That ancient, simple system will go off when needed whereas a more "secure" system has many, many more failure modes.
No mercy (Score:5, Insightful)
Somewhere someone doesn't know it yet, but they are going to get the book tossed at them. We have a whole host of natural disasters that can hit, and for all of them seconds count. Almost everyone gets a warning they can react to when it comes to tornados.
Should anyone lose their lives as a result of these systems being turned off, the culprit should get a manslaughter count for each one.
I'm all for ethical hacking, but this is nowhere near close.
Re:No mercy (Score:5, Insightful)
Somewhere someone doesn't know it yet, but they are going to get the book tossed at them.
[...]
Should anyone lose their lives as a result of these systems being turned off, the culprit should get a manslaughter count for each one.
Yes, the person who decided not to upgrade them, the person who decided to shut them off and the person who decided not to send someone to activate them manually in an emergency should all be held accountable for such deaths. The prankster, on the other hand, should be prosecuted as permitted by the law for tampering with emergency systems.
Re: (Score:2)
If someone lost their life because of your "prankster", that criminal should serve serious time in the "fuck me up the ass" Federal Pen. There is no comparison between willful maliciousness and simple incompetence/stupidity.
Natural selection applied to computer security (Score:2)
Re: (Score:2)
You can legally get away with waltzing right in. You'll do time for the dump in the corner.
How most of these systems work.... (Score:5, Informative)
The vast, vast majority of the public alert systems in the USA were installed in the 1950's/60's. It's a dumb-simple system that has been hackable since then, too, using the same tools that are available now. The vast majority of the systems are RF based: It's a simple carrier frequency that carries a particular pair of frequencies or a particular DTMF pattern that triggers the siren system. For my town, for instance, it's a carrier on 48.90 MHz, and a 4-digit DTMF on the carrier, each one about 0.25 second long, that tells the siren box what pattern to signal and how long to signal it for. There's also a two-tone pair (about 1.4 kHz and 1.9 kHz) that signals the siren to stay on until it's signaled to turn off again.
The beauty of the system is its simplicity: it just works. No IoT bullshit, no computers being cranky, no downed wires matter. So long as the police station can broadcast the signal and the sirens have power, the system works. We've even tested it using a hand-held radio and two tuning forks, so in the unlikely event the police station was out of power or otherwise unusable, we can still set the whole system off. Having an IoT, 256-bit AES 2xROT system would be useless if we're standing in the middle of a shitstorm and need to get the public's attention.
Disclaimer: am a volunteer firefighter and help keep this system running in our town
Idiot posters here without a clue, read and learn (Score:3)
To pull off this weekend's siren episode, hackers would have needed extensive knowledge of the frequencies and codes used in the Dallas siren system to make them all go off at once. This could be particularly challenging, depending on the setup, because each siren might communicate with the control center independently, so officials have the choice of turning only one or a few of them on, or activating all of them depending on the situation. Dallas officials confirmed over the weekend that the breach came from within Dallas, because hackers would have needed to be physically close to the radio signals sent to each siren. They added that the commands to the sirens didn't come from their central control systems, something officials would naturally check first to see if the sirens had been activated by accident.
https://www.wired.com/2017/04/dallas-siren-hack-wasnt-novel-just-really-loud/ [wired.com]
pass the hash (Score:2)
A replay attack would not require extensive knowledge of the frequencies and codes of the control systems.
The attacker even had advanced notice [twitter.com] of when the control signals would be broadcasted. Nothing in that article suggests that an exact replay of the test signals wasn't used, or couldn't be used.
I suspect that the same 90 second pattern that occurred during the hack was the same used for the announced test.
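The replay weakness raised in the comments above, next to one way a receive-only siren controller could reject replayed or altered activations, as an added example that is not part of the original thread and does not model any real siren product. The frame layout (8-byte counter, 1-byte command, truncated HMAC tag), the class names, the key and the codes are all hypothetical and constructed for illustration; a shared symmetric key and a forward-only counter are used so that nothing expires and missed transmissions do not desynchronise the receiver.

```python
"""Static activation code vs. authenticated, replay-resistant activation frame."""
import hashlib
import hmac
import struct

TAG_LEN = 16                      # truncated HMAC-SHA256 tag length in bytes
HEADER_LEN = 9                    # 8-byte counter + 1-byte command
CMD_TEST, CMD_ALERT = 0x01, 0x02  # hypothetical command values


class StaticCodeSiren:
    """Legacy behaviour as described in the thread: a fixed code triggers the siren."""

    def __init__(self, code: bytes):
        self._code = code

    def receive(self, frame: bytes) -> bool:
        # No freshness and no secret: any copy of the code is as good as the original.
        return frame == self._code


def build_frame(key: bytes, counter: int, command: int) -> bytes:
    """Transmitter side: counter || command || HMAC(key, counter || command)."""
    header = struct.pack(">QB", counter, command)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class AuthenticatedSiren:
    """Receive-only controller: no reply channel, so freshness comes from a counter."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self._key = key
        # On real hardware this value would have to live in non-volatile storage.
        self.last_counter = last_counter

    def receive(self, frame: bytes) -> bool:
        if len(frame) != HEADER_LEN + TAG_LEN:
            return False
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        expected = hmac.new(self._key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        counter, command = struct.unpack(">QB", header)
        if counter <= self.last_counter:
            return False                      # replay of an already-seen frame
        if command not in (CMD_TEST, CMD_ALERT):
            return False
        self.last_counter = counter           # only ever moves forward
        return True


def demo() -> dict:
    results = {}

    # Constructed static code; "captured" is what any listener hears during a test.
    legacy = StaticCodeSiren(b"\x01\x02\x03\x04")
    captured = b"\x01\x02\x03\x04"
    results["legacy_test"] = legacy.receive(captured)
    results["legacy_replay"] = legacy.receive(captured)

    key = bytes(range(32))                    # constructed key, illustration only
    siren = AuthenticatedSiren(key)
    test_frame = build_frame(key, 1, CMD_TEST)
    results["auth_test"] = siren.receive(test_frame)
    results["auth_replay"] = siren.receive(test_frame)

    # Recorded tag reused with a new counter and command: the tag no longer matches.
    altered = struct.pack(">QB", 2, CMD_ALERT) + test_frame[HEADER_LEN:]
    results["auth_altered"] = siren.receive(altered)

    # The receiver missed frames 2..49; a genuine frame with counter 50 still works.
    results["auth_after_gap"] = siren.receive(build_frame(key, 50, CMD_ALERT))
    results["last_counter"] = siren.last_counter
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
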
Ya, connect everything to the damn internet (Score:2)
Whoever thought that it's a great idea to connect our Dams, Power grids, Nuclear reactors, ballot machines, weather warning systems, water supply system and shit like that to the internet, must be a god damn genius.
Not hard to do (Score:2)
Re: (Score:2)
Everybody now knows that the IT dept has no budget.
I'm not saying a gray admin who works there proved the point, but one could imagine that scenario.
Re: (Score:2)
More like a lot of weekends of community service. Perhaps helping to upgrade the system.
Said service while wearing a sign reading "I'm the dipshit that thought it was funny to wake you up with the tornado sirens".
Re: (Score:3)
The system isn't connected to the internet.
Re: (Score:2)
Again with the, "if you leave your door unlocked, I'm entitled to take your shit".
Re: (Score:2)
Advance warning systems can give you up to 15 minutes to seek shelter. If you can clearly hear a freight train, it's probably too late.