Emergency Alert Systems Used Across the US Can Be Easily Hijacked

A vulnerability affecting emergency alert systems supplied by ATI Systems, one of the leading suppliers of warning sirens in the USA, could be exploited remotely via radio frequencies to activate all the sirens and trigger false alarms. From a report: "We first found the vulnerability in San Francisco, and confirmed it in two other US locations including Sedgwick County, Wichita, Kansas," Balint Seeber, Director of Threat Research at Bastille, told Help Net Security. "Although we have not visited other locations to confirm the presence of the vulnerability, ATI Systems has customers in the US and overseas from the military, local government, educational and energy sectors.

"ATI features customers on its website around the US including One World Trade Center, WestPoint Military Academy and Entergy Nuclear Indian Point which are all in New York State, UMASS Amherst in Massachusetts, Eastern Arizona College, University of South Carolina and Eglin Air Force Base in Florida, amongst others." The vulnerability stems from the fact that the radio protocol used to control the sirens is not secure: activation commands are sent "in the clear," i.e. no encryption is used.

Not news. They were meant to be easy to activate.

[Narcocide]

Nobody expected a proliferation of asshats would cause to be called into question the priorities of making emergency alert systems easily accessible.

Re:

[Anonymous Coward]

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. "

Re:

[Anonymous Coward]

The complaint here is that the programmers weren't trying to idiot-proof the system, they were trying to make something that works when required to. A bit like how police and fire department advice can easily be at odds.

On another note, this doesn't require encryption per se, but authentication. That is often based on encryption, but even so. All in all the usual panicky "computer security" fare. Not really that interesting or impressive, but sufficiently breathlessly worded it'll get some attention from th

Re:

[The-Ixian]

I suppose you could use the same argument for the computer networks or your front door. Security is almost always bolted on later, after the asshats start moving in.

It will be fixed... at great public expense.... when the asshats start exploiting it.

Maybe they will be fixed, maybe not

[davidwr]

Security is almost always bolted on later, after the asshats start moving in.

It will be fixed... at great public expense.... when the asshats start exploiting it.

Maybe they will.

Maybe enough asshats will be caught to deter those doing it for the lulz.

Maybe they will become obsolete and just be turned off, like analog cell services.

Re:

[Narcocide]

You paid extra for that feature. Sucker.

Re:

[ArchieBunker]

I had no problem turning off that "feature".

Re:

[sjames]

I wouldn't mind so much if I didn't get alerts for places that are hours away at times when I'm not that likely to be going anywhere further than the corner store. Meanwhile, tornado warning in my area = silence from the phone.

Re:

[adolf]

I've worked with these types of systems.

Authentication isn't really a thing for them, generally: They follow the same KISS ideas as things like SMTP.

The simplest of these systems (outdoor warning sirens) work with simple tone sequences or, if really fancy, DTMF... all in the clear with normal frequency modulation on a published radio frequency.

Re:

[mysidia]

Only Lawbreaking technically-advanced asshats ought to be capable of causing trouble. They may be using cleartext control, but the radio frequencies almost certainly require a license to legally transmit on.

Re:

[Anonymous Coward]

Also, you can probably hijack these US right-wing talking shows on AM radio. Build a 300-meter high mast and do some 100 kW broadcast.

More down to the Earth and with no sarcasm, things were more interesting in the days of analog TV. Straight pirate TV was possible, but what I once heard about in a documentary was cheaper and funnier. Some cheap home computers were able to display blocky graphics or characters over a video signal - perhaps almost out of the box, with some cheap glue hardware. Think about how

old news

[Joe_Dragon]

https://www.youtube.com/watch?... [youtube.com]

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Cant be any worse

[SeaFox]

Double-check the settings on your phone's alert app. I actually found a place to customize (and disable) those Amber alerts.

Re:

[The-Ixian]

I nearly disabled mine when, for 2 months in a row, I got TEST alerts at 3am. I keep my phone in the other room and I still heard that thing... not cool man...

Then they fixed it and now I only get the test alerts in the afternoon. So I have left it enabled.

I have never received a real alert on my phone. I guess they are careful about using it in my area (Minneapolis, MN).

Re:Cant be any worse

[apoc.famine]

Why on earth do you have amber alerts enabled on your phone then? Turn them off!

I don't understand why anyone volunteers to be interrupted at random times for something that doesn't impact them and which they can't do anything about. Other than text and email notifications, all notifications on my phone are off. Audio and visual. If I want to check something, I check it. If I don't want to check it, it is not allowed to badger me and try to steal my attention from what I'm doing. And that especially applies to sleeping.

Re:

[sjames]

Only presidential alerts cannot be turned off on a phone. The rest are configurable.

I haven't turned them off on mine because they're potentially a good thing, but if they keep sending alerts that can't possibly be relevant for someone in my area, I'll have to turn them off.

Re:

[sjames]

Except my observation is free of assumptions that it's some sort of government oppression.

Re:

[antdude]

What about on road signs, cable TVs, news, etc.? We can't control those. :(

Re:

[apoc.famine]

None of those wake me up in the middle of the night or interrupt meetings, so I'm much more ok with those.

Re:

[LinuxIsGarbage]

Why on earth do you have amber alerts enabled on your phone then? Turn them off!

I don't understand why anyone volunteers to be interrupted at random times for something that doesn't impact them and which they can't do anything about. Other than text and email notifications, all notifications on my phone are off. Audio and visual. If I want to check something, I check it. If I don't want to check it, it is not allowed to badger me and try to steal my attention from what I'm doing. And that especially applies to sleeping.

I live in Canada. Only now are the carriers enabling emergency text alerts. I disabled Amber alerts in my settings. It's not that I don't care, it's just significantly more likely to irritate me with absolutely no gain. If it showed up in my drop down menu with no sound, or even a brief "Bing" I would be ok and more apt to pay attention to them. I have heard of Americans complain about useless weather warnings coming across by emergency texts in some locals.

I have "Do Not Disturb" settings at night set to

Happens all the time

[WillAffleckUW]

They keep setting it off for Seattle when something happens at the border with Idaho, more than 3 hours drive away.

Oh.

You meant it was supposed to be a stupid system like that?

Licensing

[infernalC]

Many state universities not in tornado alley installed warning sirens after the VA Tech shooting. I absolutely think RF was the right way to do this, because it allows for a much more resilient system.

You can query the FCC ULS for a lot of these places and just look at the license that was issued around the time the system was installed to determine the frequency. The mode is almost always analog FM voice, and the activation codes are probably DTMF.

I think this is a case where the simplicity of the system a