Hackers can spoof and hijack communications targeting sirens part of emergency alert systems to trigger false alerts and cause panic among a local population.
Attackers can achieve this by exploiting a newly discovered vulnerability in emergency alert systems manufactured by ATI Systems.
Such emergency alert systems are deployed at the One World Trade Center, Indian Point Energy Center nuclear power stations, UMass Amherst, and the West Point Military Academy.
The vulnerability, discovered by Bastille security researcher Balint Seeber and nicknamed SirenJack, resides in the fact that the radio protocol used to control sirens in ATI Systems is not encrypted.
This unencrypted protocol allows a bad actor, which could be an individual, hacktivist, terrorist, or hostile nation-state, to find the radio frequency assigned to an emergency system, craft malicious activation messages, and set off the emergency system.
Seeber discovered this flaw while auditing the emergency alert system deployed across the city of San Francisco in 2016. He did not initially notify ATI Systems of the bug, but the recent incidents involving the Dallas tornado sirens warning system and the Hawaii nuclear missile alert system drove the researcher to contact ATI.
In a statement issued today, ATI says it developed a patch for the issue reported by the Bastille researcher.
"ATI has created a patch which adds additional security features to the command packets sent over the radio. This is currently being tested and will be rolled out shortly," ATI says.
The company added that these emergency alert systems are customized for each client and that each customer will have to reach out to the company for his own custom fix. A patch for the San Francisco emergency alert system has already been applied last month.
"A single warning siren false alarm has the potential to cause widespread panic and endanger lives," said Chris Risley, CEO, Bastille Networks. "Bastille informed ATI and San Francisco of the vulnerability 90 days ago, to give them time to put a patch in place. We’re now disclosing SirenJack publicly to allow ATI Systems’ users to determine if their system has the SirenJack vulnerability. We also hope that other siren vendors investigate their own systems to patch and fix this type of vulnerability."
In-depth technical details about the SirenJack attack and ATI's full statement will be made available online later today on a dedicated website, accessible here.
Article updated to include mention that the City of San Francisco applied the ATI Systems patch last month.