Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
United States Communications Government Security

US Hacker Sets Off 156 Sirens At Midnight (dallasnews.com) 230

"I had the displeasure of being awoken at midnight to the sounds of civil-defense/air-raid sirens," writes very-long-time Slashdot reader SigIO, blaming "some schmuck with a twisted sense of humor." The Dallas News reports: Rocky Vaz, director of Dallas' Office of Emergency Management, said that all 156 of the city's sirens were activated more than a dozen times... Dallas officials blame computer hacking for setting off emergency sirens throughout the city early Saturday... It took until about 1:20 a.m. to silence them for good because the emergency system had to be deactivated. The system remained shut down Saturday while crews safeguarded it from another hack.

The city has figured out how the emergency system was compromised and is working to prevent it from happening again, he said... The city said the system should be restored Sunday or Monday.

City officials reported 4,400 calls to their 9-1-1 emergency phone number in the first four hours of Saturday morning, with over 800 occurring in that first 15 minutes when all 156 sirens started going off simultaneously.
This discussion has been archived. No new comments can be posted.

US Hacker Sets Off 156 Sirens At Midnight

Comments Filter:
  • by Anonymous Coward

    He's a dick who doesn't give a shit about endangering people who really need emergency services.

  • by shaitand ( 626655 ) on Sunday April 09, 2017 @12:54AM (#54200851) Journal
    There have been recent reports of problems with the Dallas 911 infrastructure causing hold times and delays which resulted in deaths. This may have been an attempt to further highlight the problems.
    • Re: (Score:3, Insightful)

      by Zemran ( 3101 )
      I like the way they blame the unknown entity "hackers" rather than accept responsibility for their own lax security. First and foremost it is their fault for running an open system. The hackers should be sought but first and foremost the problem is lax security.
      • I like the way they blame the unknown entity "hackers" rather than accept responsibility for their own lax security. First and foremost it is their fault for running an open system. The hackers should be sought but first and foremost the problem is lax security.

        I mostly agree, but not totally.

        The sirens should not be on the internetz period. Nothing life critical should be on the internet. But The people who made these decisions are using the same level of stupid as the businesses who are stuck on Internet Exploder 6 because they designed their business around it.

        But having lax security is not a a reason to exploit it. Just because I don't have armed guards with authorized lethal force around the perimeter of my yard, and razor wire to keep out the riffraff,

        • They probably aren't on the internet; most of these sirens are radio-activated. If you have a big enough transmitter and know what to send, you're good to go. Much like the Emergency Alert System, security is being retro-fitted as an afterthought in the form of signed control messages. But the rest of your point is on target, the designers unfortunately decided to rely on obscurity (the frequency, the message format and contents, etc.) to secure these things. Until they've all been upgraded, we'll have to p

  • by Anonymous Coward on Sunday April 09, 2017 @12:59AM (#54200867)

    City officials reported 4,400 calls to their 9-1-1 emergency phone number in the first four hours of Saturday morning, with over 800 occurring in that first 15 minutes when all 156 sirens started going off simultaneously.

    People, people, people, when the emergency sirens are sounding, the authorities already know about the emergency. You don't need to call 9-1-1 to tell them about it, really.

    People are so incredibly stupid.

    • Far worse... (Score:4, Insightful)

      by johannesg ( 664142 ) on Sunday April 09, 2017 @03:55AM (#54201217)

      So the sirens sound, and presumably the North Koreans have a nuclear strike on the way. And what do the good citizens do? _nothing_. Only 4400 actually tried to figure out what was wrong; the rest simply ignored it.

      You might as well get rid of the entire system, nobody cares about it anyway...

      • Re:Far worse... (Score:4, Insightful)

        by JaredOfEuropa ( 526365 ) on Sunday April 09, 2017 @04:19AM (#54201245) Journal
        You figure out what's wrong by turning on the TV or radio. In fact isn't that what they advise you to do when the siren goes off? What do you expect froma call to the emergency number? "Yes, a nuclear strike was launched and you have about 10 minutes. Would you mind warning your neighbours? Oh, and remember to duck and cover, have a nice day".

        The emergency number is for people with an actual emergency
        • Yeah, but was there actually any information on radio or TV? Of course not: those weren't hacked.

          Missiles are inbound in five minutes. What do you do next?

      • Re:Far worse... (Score:5, Informative)

        by Mordaximus ( 566304 ) on Sunday April 09, 2017 @07:53AM (#54201547)

        So the sirens sound, and presumably the North Koreans have a nuclear strike on the way. And what do the good citizens do? _nothing_. Only 4400 actually tried to figure out what was wrong; the rest simply ignored it.

        You might as well get rid of the entire system, nobody cares about it anyway...

        Considering that the sirens are to get people indoors in the event of Severe Weather and that most people were probably indoors when they went off, it's not surprising they did _nothing_ apart from what they are supposed to do - monitor radio and television.

        Dallas outdoor warning sirens. [dallascityhall.com]

      • Around here (dallas area) no one gives two shits if the sirens go off and the weather is not bad. We aren't concerned about imminent nuclear strikes, we're concerned about being at the tail end of Tornado Alley. Perhaps you've heard of it? I got a nice day after christmas treat a year ago when a tornado went through my neighborhood and missed my house by a block. Lucky for us, when the power went out, and we couldn't watch the news, the sirens went off in enough time for use to shit ourselves in a closet
  • by JustAnotherOldGuy ( 4145623 ) on Sunday April 09, 2017 @12:59AM (#54200869)

    Let me guess, SQL injection strikes again?

  • by ITRambo ( 1467509 ) on Sunday April 09, 2017 @01:00AM (#54200875)
    I've seen municipal systems that were set up years ago without any hardware firewalls, just Windows XP. They ignored my advice to harden the systems. It's alarming that towns are not fully proactive about their municipal Internet-of-things. This alarm system in Dallas is simply mischief that points out the flaws in one system. Other systems, some critical to a town's functioning, are still vulnerable. Politicians are mostly dumbasses that run on ideas, but once in office are dumbfounded, dazed and confused., on all levels of government.
    • by Sarten-X ( 1102295 ) on Sunday April 09, 2017 @01:27AM (#54200939) Homepage

      On the one hand, you have a low-damage attack that has happened once in a few decades. On the other, you have the real cost of continually upgrading and hardening (and re-hardening) a system over those few decades, taking funding away from other public programs.

      As a taxpayer, I'm okay with risking an unscheduled wakeup, if it means my local high school gets an arts program. As a security expert, I'm still okay with the low risk of leaving such vulnerabilities open, as long as they aren't able to be used as staging for other attacks.

      • by ogdenk ( 712300 )

        If it only costs them $800 to properly secure the civil defense alarms.... that won't buy your HS an arts program and they should lock it down. And when these alarms go off, we don't want people desensitized to them. It means get in your bomb shelter.

        The last thing you want is to get nuked and have these alarms disabled beforehand. Few survivors beats no survivors.

        • I'm very curious about the basis for your analysis. The only price tag mentioned in TFAs is a half-million-dollar contract to "maintain and repair" the system over the next 6 years. Roughly speaking, that's two salaried ($47,000/year) employees working full-time.

          Per TFS, there are 156 alarm systems. At the low end, you're estimating a cost of $5 per system. That's not enough funding for a security consultant to sneeze at a system, let alone actually fix anything. Even if the $800 covers a centralized fix fo

          • by ogdenk ( 712300 )

            So have those 2 salaried employees learn how to lock down the system better? It doesn't take a specialized security consultant to learn typical IT best practices for locking down a public-facing system to reduce the likelihood of it getting pwned by a script kiddie.

            If it's radio-based and uses DTMF tones and we're partying like it's 1979 it may be a little more interesting but not impossible to tackle. You'd probably have to replace some control systems with ones that support some form of authentication.

            • by swb ( 14022 )

              I would suspect that the civil defense system if its computerized is weak on the computer side. I've worked with engineers recently on plant process control and they do a great job on the controls side, but their IT infrastructure and security is poor and they really resent being told what to do by non-"engineers".

              So if its computerized, its setup screwy and not easy to fix unless you have a good working idea of the control setup, which nobody with an IT background will know how to control. I've dealt wit

      • by sootman ( 158191 )

        As a security expert, I'm still okay with the low risk of leaving such vulnerabilities open, as long as they aren't able to be used as staging for other attacks.

        Well, yeah... it's not a problem, until it is, and then it's too late to solve. One prank per decade, and then they start running continually while a dozen other attacks are happening.

        Most of the times when someone is telling me about a dog bite, the story contains the line "... and the owner said the dog had never bitten anyone before." Right. A dog never bites anyone, until the first time they do. I'm all for arts programs, but important infrastructure needs to be maintained at least somewhat.

      • As a taxpayer, I'm okay with risking an unscheduled wakeup, if it means my local high school gets an arts program.

        Problem is probably that your tax money does not go to either the arts programme, nor improving security, but is spent on security theatre, with police being 'tough on crime' and picking up people for jay-walking, walking through a park after 10PM or person use of cannabis instead.

    • by sootman ( 158191 )

      "It's alarming that towns are not fully proactive..."

      Literally. :-)

  • John would call Bob on the POTS and they would talk. At the end of the chat Bob would activate the local siren.
    Over the years the siren staff would get to know the other staff and no false calls and fake orders could occur.
    • ...Until John gets fired, and he calls Bob from the parking lot saying there's an unscheduled federal readiness inspection, including a response test.

      Every system is vulnerable. The only difference is the attack vector.

  • Easily compromised (Score:5, Informative)

    by Torin Darkflight ( 851576 ) on Sunday April 09, 2017 @01:27AM (#54200937)
    Having in the past been "one of those weird people interested in warning sirens as a hobby", I have a fair bit of knowledge to how insecure their control systems actually are, and thus how trivially easy it is to compromise them. Although security is slowly improving, a lot of older siren systems are controlled using unencrypted analog radio signals transmitting standard DTMF (telephone-type) tones. For a malicious person, it is shockingly easy for them to turn on an off-the-shelf police scanner, find the frequency used to control the system, record the activation signal (such as during a regular monthly test), then at a later time use an illegal transmitter of some sort to rebroadcast that recorded activation signal on the same frequency over and over. I do not know what control method Dallas uses for their siren system, but the fact that one of the news articles (CBS News) I read about this said the FCC has been asked to help investigate leads me to believe more than likely such an attack was utilized...and this isn't the first time such has happened.
    • by LesFerg ( 452838 )

      I was amazed to find youtube vids by people who restore old air raid sirens, then drag them out into unpopulated regions to start them up.
      Made my hobbies seem so insignificant... and quiet.

  • The only air raid siren I hear is the alarm on my iPad 2 going off at 4:30AM so I can start my government IT job at 7:00AM during the week. On the weekends I sleep in late and get up at 6:30AM.
  • From the article:

    "We had people asking if we were being attacked because of what's going on overseas."

    So they called 911. When terrorism strikes, call 911 for all your news info! (Not really, that's a bad idea).

  • Then, when the real air attack happens, two hours later, the alarm system is disconnected, I think that was with a museum or something, but the idea is the same. RIP Dallas.

    • by johnnys ( 592333 )
      "How to Steal a Million". 1966 movie with Peter O'Toole and Audrey Hepburn. Lots of fun. :)
  • I lived literally across the street from one of those fucking things and was working second shift. Every single fucking "test" Wednesday, I would wake up at 10 am in sheer fucking terror and try to hide under a desk thanks to the duck and cover indoctrination I was given as a child.

    Awww, it went off when you were awake? My tiny violin laughs in your general direction.

  • Apologies for my ignorance, but are sirens like this common in the USA and if so, what for?

    So far as I am aware we don't have any such things her in the UK (I haven't seen one, heard one being tested, received a leaflet about them or seen a news report about them). We certainly used to have them when I was a child back in the 1970s and I remember occasionally hearing the one in our village being tested when I was at school. But we got rid of them all when the cold war ended.

    I can see how such a thin
    • by DamonHD ( 794830 )

      I hear them from time to time here in the UK. Could be for individual buildings or at larger scale, I don't know.

      Rgds

      Damon

    • They aren't air raid sirens.

      Dallas outdoor warning sirens. [dallascityhall.com]

      • The page advises:

        If you are outdoors when the sirens go off

        Seek shelter immediatelyâ. If shelter is not available and severe weather is in the area lie in a ditch, ravine, culvert or low-lying area. Make sure the low-lying area you choose is not prone to flooding. Use your arms or a piece of clothing to protect your head and neck.

        If this is an approaching electrical storm (and tornadoes are often VERY lightning-generating), lying in a ditch or other cut in the ground can be suicidal.

        When lightning str

    • by EvilSS ( 557649 )

      Apologies for my ignorance, but are sirens like this common in the USA and if so, what for? So far as I am aware we don't have any such things her in the UK (I haven't seen one, heard one being tested, received a leaflet about them or seen a news report about them). We certainly used to have them when I was a child back in the 1970s and I remember occasionally hearing the one in our village being tested when I was at school. But we got rid of them all when the cold war ended. I can see how such a thing might be useful in areas where tornados could be expected, but (and again sorry for my ignorance) I thought that tornados couldn't strike built up areas like Dallas as big buildings broke up the air flow.

      They are part of the emergency alert systems here. Their main use these days is to warn of severe weather such as tornadoes or dangerous thunderstorms. If you are outside (or even indoors if close enough to a siren) they can alert you to incoming dangerous weather and to seek shelter. The system also sends out automated signals to local TV and radio stations, as well as cell phones.

      As for tornadoes striking cities, it's rare but not impossible. In 2000, for example, a tornado hit downtown Fort Worth, T [wikipedia.org]

      • So, I think the key conclusion here is that if we in the UK had weather as "exciting" as yours then we might have kept our cold war sirens!
        • As someone who moved to the US (from Australia) hearing these sirens is one of the (many) surreal things about living here. Australia relies on radio, TV and SMS/phone alerts - no sirens.

          The sirens here in the US sound like something out of an old cold war movie. Duck and cover! They test them at noon every Wednesday in the area I live in...

  • I guess they should turn on their TV to see if the emergency broadcast system had kicked in. If it had, do what that says. But is that how people reacted.

    The sirens appear to offer little purpose if they aren't achieving that; more thought required?

  • But never even think for a moment the people who left the doors wide open, keys in the ignition, built homes without doors....
    • "This is yet another serious example of the need for us to upgrade and better safeguard our city's technology infrastructure," Rawlings said

      This is an even better example of the need to downgrade. The sirens weren't always connected to the Internet. What compelling reason requires them to be connected to the Internet now?

      Internet security lesson #1: if it doesn't need to be connected to the Internet, don't connect it to the Internet.

  • Calling it a 'US hacker' is completely wrong at this point since they have not identified the hacker. News titles should stick to facts.
  • I live in Dallas. Worked overnight Friday, saw people posting things on facebook about the sirens going off at somewhat random locations across the city. Co-workers saw similar posts from their friends.

    "Well that's fucked up. Who tests the sirens in the middle of the damn night?"
    "No one. That's done at like 1pm on a Wed... Odds are some jackass managed to hack the control systems."

    Now, if he were a super dick there'd be a hidden job to make it happen again in a week or two.

  • Today I learned that the emergency weather warning service can double as an air raid service as well!

If you didn't have to work so hard, you'd have more time to be depressed.

Working...