At exactly noon on the first Tuesday after Balint Seeber moved from Silicon Valley to San Francisco in late 2015, the Australian radio hacker and security researcher was surprised to discover a phenomenon already known to practically every other resident of the city: a brief, piercing wail that rose and then fell, followed by a man's voice: "This is a test. This is a test of the outdoor warning system. This is only a test."

The next week, at exactly the same time, Seeber heard it again. A few weeks after that, Seeber found himself staring up from his bicycle at a utility pole in the city's SoMa neighborhood, examining one of the more than 100 sirens that produced that inescapable emergency test message around the city. At the top, he noticed a vertical antenna; it seemed to be receiving signals via radio, not wires. The thought came to him: Could a hacker like him hijack that command system to trigger all the sirens around the whole city at will, or to use them to broadcast even more alarming sounds?

Balint Seeber holding the radios he used to reverse-engineer and spoof the communications of San Francisco's emergency sirens, like the one on the pole behind him. (Photo: Bastille)

Now, after two-and-a-half years of patiently recording and reverse-engineering those weekly radio communications, Seeber has indeed found that he or anyone with a laptop and a $35 radio could not only trigger those sirens, as unknown hackers did in Dallas last year. They could also make them play any audio they choose: false warnings of incoming tsunamis or missile strikes, dangerous or mass-panic-inducing instructions, 3 am serenades of death metal or Tony Bennett. And he has found the same hackable siren systems not only in San Francisco but in two other cities, as well as hints they may be installed in many more. "If you wanted to send out your own music or your own alert, you could broadcast it across entire cities," Seeber says. "You could do it with something as cheap and easy as a handheld radio you can buy from Amazon."

Spoofable Sirens

On Tuesday, security firm Bastille, where Seeber works as director of vulnerability research, went public with his discovery that the emergency siren equipment sold by Boston-based ATI Systems in all three cities Bastille tested lacked the basic encryption necessary to prevent any prankster or saboteur from commandeering the system. In San Francisco, Wichita, Kansas, and another city that Bastille declined to name, Seeber was able to read and fully reproduce the transmissions to those siren systems. By bouncing that signal through a repeater near the center of each city's network, Seeber believes he could have gained control over the citywide collection of sirens, each one capable of pumping out as much as 135 decibels, according to Bastille's estimates, more than the noise of four jackhammers combined.

Video: https://www.youtube.com/embed/YdnTBOBGjiA

Although Bastille hasn't gone so far as to actually hijack any of those installed systems by radio—and couldn't easily try Seeber's technique via radio in a test setting without risking a violation of FCC regulations—the firm has performed a proof of concept in which it wired one of ATI's radios directly to Seeber's radio and sent the same commands. In the video above, he demonstrates the results by playing a test message and then a certain well-worn Rick Astley hit song through the siren at reduced volume.


When WIRED reached out to ATI Systems, the company responded that "the vulnerability is largely theoretical and has not yet been seen in the field." It also argued that Bastille had broken the law with its research by violating FCC regulations against intercepting and even merely divulging the existence of government radio signals without authorization. But in a statement it sent to Bastille after the researchers warned ATI about its security flaws, ATI wrote that Bastille's findings are "likely true" and that it's testing a software update it plans to roll out soon. "Before customers panic too much, please understand that this is not a trivially easy thing that just anyone can do," that earlier statement notes. "At the same time, a certain level of concern is justified. As technology evolves, the level of threat evolves."