Thanks to a flaw in popular emergency alert systems, hackers with knowledge of radio frequencies could remotely hijack the system with as little as a laptop and a $35 two-way radio and activate the sirens, trigger false alarms, or even broadcast any audio of their choosing.

The vulnerability, dubbed SirenJack, is in emergency alert systems manufactured by Acoustic Technology Inc., aka ATI Systems. It was discovered by Balint Seeber, a researcher at security firm Bastille, after he determined that the RF signals used in San Francisco’s emergency alert system were not encrypted; the activation commands were sent “in the clear.”

Where ATI emergency alert systems are used

ATI emergency alert systems are used in cities such as San Francisco and Wichita, Kansas, as well as “other large urban and rural communities, military installations, universities, and industrial sites including oil and nuclear power generation plants, potentially affecting millions of people.”

Bastille added, “Featured customers on the company’s website include One World Trade Center, Indian Point Energy Center nuclear power station, UMass Amherst, and the West Point Military Academy. Bastille originally found the SirenJack vulnerability at the ATI installation in the City of San Francisco, and confirmed it at a second installation, and urges all ATI customers to contact ATI to investigate whether their system is affected.”

Ninety days after notifying ATI Systems and San Francisco of the vulnerability, Bastille disclosed it publicly. The firm even created a website and logo for SirenJack. According to the FAQs, “A bad actor can find the radio frequency assigned to a deployment, craft malicious activation messages, and transmit them from their own radio to set off the system. All that is required is a $30 handheld radio and a computer.”

The SirenJack proof-of-concept demonstration video includes an explanation, an audio warning test of the vulnerability, and Rickrolling via an emergency alert system.

Seeber told Wired that “if he were to send those (RF) signals within a range of as much as two miles from a powerful repeater near the center of ATI's siren networks,” then “it would be broadcast out to all the sirens in the system.” ATI’s security for the system depended not upon encryption but on the idea that the radio signals were too obscure to decode. “This looks like it was security through obscurity, and in this day and age that approach is really not valid.”

Bastille pointed out that false warning siren alarms could cause widespread panic, like what happened near midnight in Dallas in 2017 when 156 emergency sirens wailed out warnings for 90 minutes. Dallas promptly blamed hackers for the attack on the city’s siren system. The firm also reminded us of the needless panic due to the false ballistic missile alert blasted out to Hawaii.

“During emergencies, cell tower-based public alert systems have been shown to fail,” Seeber said. “Many citizens have ‘cut the cord’ and cannot be contacted via a reverse 911-phone system. Consequently, warning sirens play a crucial role as they are the only truly reliable method to alert a population en masse of a public safety event. The SirenJack vulnerability underscores the need to make emergency alert systems stronger than ever, as hackers are constantly probing critical infrastructure, especially those using insecure RF-based protocols, to infiltrate and carry out potential attacks.”

ATI downplays vulnerability in its emergency alert systems

Despite the coordinated disclosure, ATI is downplaying the flaw by calling it “largely theoretical.” ZDNet uploaded a copy of ATI’s response to the vulnerability, which included a claim that Bastille’s research was against the law due to violating FCC regulations about intercepting and divulging the existence of radio communications without authorization.

Wired added, “But in a statement it sent to Bastille after the researchers warned ATI about its security flaws, ATI wrote that Bastille's findings are ‘likely true’ and that it’s testing a software update it plans to roll out soon.

“Before customers panic too much, please understand that this is not a trivially easy thing that just anyone can do,” that earlier statement notes. “At the same time, a certain level of concern is justified. As technology evolves, the level of threat evolves.”

The advisory issued by US ICS-CERT reads, “ATI has created a patch which adds additional security features to the command packets sent over the radio. ATI is testing this patch, and it will be available upon request. Many systems are engineered to meet specific user needs and users need to make sure any upgrades are appropriate for their systems. ATI recommends that, where feasible, simple voice radios be replaced with digital P-25 (APCO) radios, which provide highly secure encrypted links.”
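
The advisory says the patch adds security features to the command packets but does not describe them. As an added illustration (not ATI's or Bastille's code), the sketch below contrasts a receiver that trusts frame shape alone with one that requires a keyed tag and a fresh counter; the frame layout, sync byte, key and all names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed value; real keys are provisioned per deployment
TAG_LEN = 16                    # truncated HMAC-SHA256 tag length (assumption)
BODY_LEN = 9                    # 8-byte counter + 1-byte command (hypothetical layout)


def legacy_accept(frame: bytes) -> bool:
    """Obscurity-only receiver: any frame of the right shape is obeyed.

    Anyone who observes one frame can resend it or alter the command byte.
    """
    return len(frame) == 2 and frame[0] == 0xA5   # hypothetical sync byte


def build_frame(key: bytes, counter: int, command: int) -> bytes:
    """Controller side: counter | command | HMAC tag over both fields."""
    body = struct.pack(">QB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class SirenReceiver:
    """Hardened receiver: checks the tag first, then counter freshness."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0   # a real device must persist this across reboots

    def accept(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "reject: bad tag"
        counter, command = struct.unpack(">QB", body)
        if counter <= self.last_counter:             # captured frame sent again
            return "reject: replay"
        self.last_counter = counter
        return f"accept: command {command}"
```

The tag authenticates the command without hiding it; confidentiality would need link encryption, such as the P-25 radios the advisory recommends.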