Explaining the Dallas Siren Hack
If you’ve been paying attention to the news then you might have heard of the recent Dallas tornado siren hack. Earlier in the month a hacker took control of 156 tornado warning sirens placed all around the city of Dallas, Texas in the United States. The sirens are activated via an RF control signal, and the hacker transmitted the control signal, causing all the sirens to activate causing a city wide false alarm. The attack could have been performed with a transmit capable software defined radio like the HackRF, or any other transmit capable radio such as a handheld radio.
Bastille is a wireless security firm which specializes in RF, SDR and IoT. Over on their blog, employee Balint Seeber has uploaded a video and blog post that discusses some possibilities on how the hacker may have activated the sirens.
In the blog post and video first Balint discusses the difference between a single frequency network, and a repeated network. In a single frequency network, one powerful transmitter up on a hill would be used to activate all the sirens, whereas with a repeater network several dispersed transmitters might be used to repeat the signal over a wide area.
He then discusses the difference between an analog and digital command transmission system. In an analog command transmission a simple series of tones might be used to activate the sirens. In this case the hacker could simply listen for the tones when the siren is activated during the monthly test, and save them away for a future replay attack. In a digital system instead of tones an encrypted packet of data could be used instead. Depending on how the encryption is implemented this could prevent a replay attack.
Hm, I see nothing in the blog that we didn’t already know. The big question is “how does the ‘encryption’ block replay attacks?”, but no answer is forthcoming.
If you know what a replay attack is, then you already know what an ‘encryption’ block replay attack is. If there is any form of obfuscation in place, that does not also imply that there is authentication, authorization (or probably auditing either). If communications are one way only, then there is usually more surface area for replay attacks, but they can be, and should be, mitigated: