43 comments

[ 397 ms ] story [ 1644 ms ] thread
I remember as a kid, my dad had a police scanner and eventually I realized that the nearby tornado siren had it's Saturday noon test directly preceded by a 4 digit DTMF on the radio. It's probably a good thing I never had a ham radio
(comment deleted)
I was 16 when I discovered this (except instead of DTMF it was a special two-tone dispatch alert), but I somehow had enough discipline to not attempt a replay attack. My (now ex) girlfriend's sister was a dispatcher who I mentioned it to, and about three months later they changed the system.

In my college town, there was a tornado siren placed very close to the biggest multistory residence hall. I learned (through the ham radio club) that it had a long history of mischief before my time.

Side note: Balint Seeber, the lead on this paper, has given a number of excellent talks on wireless communications and signal processing. I'd recommend his series of "Hacking the wireless world" talks (available on youtube) given at DefCon for anyone interested in digital signal processing and RF security.
I don't know why but this reminds me of a story I read long long ago about someone figuring out that the local Big Box store had their PA system attached to a phone number. You could call in and say anything you want.

They kept up the ruse for quite a while by being subtle at first with their mischief.

Heh. This brings back a lot of memories. I got into a whole world of trouble as a teenager in the summer of 1998 when a friend and I, a couple of bag boys learned how this worked.

Hilariously enough? I work for a telecom startup now.

Thanks for the trip down memory lane :)

I'm giggling like a teenager over this. Easily the second best part about being a teen were the pranks.
(comment deleted)
How do these system avoid robocalls and the like?
I'm curious about this as well.

Though at a previous job, I got on the elevator one day to hear a telemarketer's voice coming from the emergency speaker. I'm guessing it happens, but just very rarely?

In the case of the Target breech one had to be transferred to the unlisted extension first. So it's not as though it's a phone number exposed to the outside world.
I had something similar, twice. Once I was in the elevator when the emergency phone started ringing. I picked up, and it was the Seattle Times trying to sell subscriptions.

The other time, same elevator, it was someone asking for a specific person that I had never heard of.

Maybe you have to press a DTMF digit first, something the robocalls wouldn't know how to do? (and have no incentive doing, as so far nobody is using this to block robocalls; I'd expect them to catch on if this kind of "firewall" starts being in widespread use)
During the last presidential election I received a robocall in an elevator of then-candidate Trump screaming about immigrants. I heard a ring tone and then the elevator picked up automatically. Our emergency phones ring regularly. I have answered them several times and it always sounds like a scammer on the other end.

I think the answer to your question is "they don't".

Telephone-based door intercom systems unlock the door in response to a DTMF tone from the "inside" line. This means that control over call forwarding for any of the relevant extensions is as good as a key to the building.

Good thing no one ever leaves their PBX connected to the internet with a default admin password. Or puts edit access to their voicemail greeting behind a PIN like 1234# or 0000#.

Nice bit of deflection by the vendor.

"However, we wish to point out these are technically sophisticated people who have devoted significant time and effort to this task. Before customers panic too much, please understand that this is not a trivially easy thing that just anyone can do."

https://static1.squarespace.com/static/5ab64621aa49a10ba0d06...

I don't think the vendor is deflecting too much. The extended quote from the article is a lot less one-sided:

> ATI wrote that Bastille's findings are "likely true" and that it's testing a software update it plans to roll out soon. "Before customers panic too much, please understand that this is not a trivially easy thing that just anyone can do," that earlier statement notes. "At the same time, a certain level of concern is justified. As technology evolves, the level of threat evolves."

> In fact, anyone can generate those commands, Seeber says, with a radio as simple as this $35 one sold by the Chinese company Baofeng

If you can do it via a Baofeng there's a 99% chance this is just obscured DTMF tones + possibly PL tone which is freaking trivial to do on any FM radio.

(comment deleted)
"Bastille's researchers note that ATI's website references siren systems installed in many other sensitive locations, including 1 World Trade Center in New York, the Indian Point nuclear power plant along the Hudson River, and campuses including UMass Amherst, Long Island University, and West Point. Bastille's researchers caution that they couldn't confirm whether those customers had installed the same vulnerable setups."

New York City can get crowded around 1 World Trade Center. A false alarm could kill, not to mention cause tremendous economic damage.

They should make them say, “We are the Borg. Resistance is futile”. That would be so cool.
~20 years or so ago, the warning sirens in the small town I grew up in could be easily turned on/off by simply dialing a phone number and issuing the correct DTMF tones. I'd like to think they have a more secure mechanism nowadays but I would be quite surprised if they actually did.
Looking at the site for the vulnerability (sirenjack.com)[0], what's the motivation behind the snazzy animations, video, and custom domain? Is this a form of advertising for the security researchers?

[0] https://www.sirenjack.com/

Not sure what the motivations are, but I think it's nice that vulnerabilities get their own bit of marketing and everything, as it can appeal to the non-tech crowd. Most people wouldn't give a shit about a paper or some technical info, but a nice-looking website and a video demonstrating it could interest them and at the very least make them aware that such mischief is actually possible.
Is this a form of advertising for the security researchers?

Of course it is. Publishing this - at all - is advertising. Giving it a name and branding is an even more ostentatious form of it.

Although this is an entirely different system, it brings to mind how badly insecure the US Emergency Alert System is, which is used for television and radio alerts.

EAS was designed in the late eighties, when infosec was not a well-established, household-name field. It works by relaying an unencrypted signal; that rather unsettling data burst you hear when there's an Amber Alert or a thunderstorm warning. There's no authentication on this. There's no encryption. Literally anyone with software to generate NOAA SAME tones, together with a software-defined radio and amplifier, can walk near one of a handful of "primary entry points" and belt out an alert that gets mindlessly repeated across the country. It's already happened on a local level by simply logging into network-connected endecs at TV stations; probably none of them changed the default passwords.

Every day I see something like this, I'm reminded of why anyone still considers security-by-obscurity to be a sound strategy. State actors are the prime target of vulnerabilities you call obscure.

>Literally anyone with software to generate NOAA SAME tones, together with a software-defined radio and amplifier, can walk near one of a handful of "primary entry points" and belt out an alert that gets mindlessly repeated across the country.

So a fake alert can be sent out nationwide from broadcasting to just one access point??

> So a fake alert can be sent out nationwide from broadcasting to just one access point??

I believe OP meant "country" as in "countryside", which is feasible when you're up on a hill and your signal can reach a distribution source antenna (which will then distribute your spoofed alert to its attached sirens).

No, I meant the country as in the United States. EAS on the national level works by playing telephone: hopping the alert from station to station in a mesh configuration. PEP stations are origins for national alerts.
Oh wow. Clearly, something like widespread availability of SDRs was not an issue back then.

I wonder why it hasn't been abused/trolled on a large scale, though. Really, if I were interested in trolling that's what I'd do: next to zero chance of the cops catching you as you won't leave a trail, plus the entire country will be wide awake once the sirens ring and it will likely need months or years until the government secures the stuff.

I don't really know the precise technical details, but owing to how these stations serve as entry points for other stations, I would surmise all one would have to do is impersonate the original station and hundreds of other broadcasters would immediately begin relaying an alert in a mesh configuration. There is no authentication on this process (or at least there wasn't in the initial days of EAS before CAP/IPAWS), and any rogue ham or Russian spy could do it.
No. EAS doesn't cascade like that. Broadcasters are only mandated to monitor 2 stations, and the monitored stations are upstream in a distribution hierarchy. I can't speak to every broadcaster's configuration, but it'd probably propagate 2 or 3 hops.
This reminds me of an annoying incident where I am at. All the tornado sirens near dallas were hacked one evening a while back. [1] It was more of an annoyance than anything, considering the weather was very clear. The worst part is that it was the middle of the night and everyone was trying to sleep. The alarms closest to me weren't going off, but you can hear those alarms quite a ways away.

[1] https://www.washingtonpost.com/news/the-intersect/wp/2017/04...

> https://www.fcc.gov/consumers/guides/interception-and-divulg...

They should check with the FCC before making threats like that.

I'm not aware of any exclusion for emergency/public service transmissions. Lots of police departments have been switching to encrypted P25 to prevent scanners and the like.

Basically anything other than the cell bands is trivial to receive and decode w/ $15 SDR dongle.

Vulnerable, yes, but how about secret/secure on the part of the hacker? It’s no good to abuse one of these systems if the only result is the government showing up with a warrant and a lot of anger. Maybe they don’t need to be secure, because it’s so easy to trace interference?
The source of the interference doesn't give you any information as to where the attacker is. The source could be a Raspberry Pi connected to a cheap SDR and controlled over Tor. By the time the feds find it, the damage has already been done and the attacker could've planted another one of those somewhere else.
Mass suicide caused by playing Kanye West ?