Last week we posted news about the "SirenJack" radio security vulnerability which was released by Balint Seeber of the Bastille security research agency. SirenJack describes how a cheap TX capable SDR or a $30 handheld radio could allow an attacker to take over wirelessly controlled emergency sirens that are found in many cities around the US. In particular, it was discussed how Acoustic Technology, Inc (ATI Systems) sirens' were the first to be found as vulnerable.

Today Dr. Ray Bassiounim, President & CEO of ATI Systems wrote to us (and presumably other news agencies that ran the SirenJack story) a rebuttal which we paste below.

ATI Siren Vulnerability Misrepresented by Bastille Networks

Balint Seeber of Bastille Networks, Inc. has released information that he has been able to hack Acoustic Technology, Inc.’s wireless protocol. ATI believes that Seeber misrepresents his claims that he did so using only a $35 radio and a laptop. ATI understands the great lengths, time, effort, and expertise that Seeber and Bastille went through.  However, their claim trivializes the fact that Seeber is a radio frequency expert with over a decade of training, knowledge, and access to advanced equipment. Bastille’s statement intended to maximize public fear and anxiety by purposefully omitting and simplifying information they released.

Seeber says he identified this vulnerability over 2 ½ years ago but decided not to notify ATI or the City of San Francisco until recently. If he truly believed this was a serious vulnerability, why did he wait so long to disclose it, effectively leaving the public at risk? Other discrepancies discovered include:

• Bastille’s SirenJack white paper states in part “...nor was there access to equipment...”  However, pictures in the white paper and videos on Bastille’s YouTube page clearly show Seeber utilizing ATI’s equipment in his Proof of Concept.

• Seeber also states multiple times that anyone “…with a $35 transmitter…” can perform this hack. The white paper, however, confirms he used “…a number of Ettus Research Universal Software Radio Peripheral (USRP) and Software Defined Radio (SDR)….”. This equipment costs upwards of thousands of dollars for each unit, not merely the $35 radio as claimed.

• In multiple YouTube videos, ATI’s equipment is blurred out during Seeber’s demonstration. For full disclosure, what was blurred out and why?

• In Seeber’s YouTube demonstration of the SirenJack hack, it shows him with an embedded CPU debug cable plugged into the ATI siren.  Since this cable is only used for programming and diagnostics of the ATI siren, why is this cable needed? There is no reason for it to be used while demonstrating siren activation through over-the-air hacking.

• None of Bastille’s videos show any Over-The-Air (OTA) transmissions of malicious packets because transmitting on a licensed frequency is illegal. Yet the Motorola CM200 radio in the ATI siren is very easy to re-program to a different frequency (or a license free radio could have been used), and it could have been easily changed in order to legally demonstrate sending malicious packets OTA.

When the San Francisco system was installed in 2004, over 14 years ago, it was state-of-the-art. Since then, ATI has upgraded protocols to incorporate a 128-bit AES variable key with an additional ATI proprietary security layer that is now being implemented.

“For the past 30 years ATI has had thousands of clients, both nationally and internationally.  Even though we have never experienced any fails or hacking incidents, ATI responded to Bastille’s false claims by raising security safeguards, and ATI encourages its clients to update their systems to ensure maximum security. We believe that Bastille’s representations are totally fabricated,” comments ATI’s CEO, Dr. Ray Bassiouni.

It's true that Balint and Bastille do have years of knowledge and the equipment to find vulnerabilities, however we believe that Bastille was only claiming that a $30 radio can be used to take over the system now that the vulnerability is already known. If a more malicious hacker found the vulnerability first, and then released the details to 'script kiddies' or other malicious people, it could have caused major issues.

The white paper on SirenJack is now available and can be found at sirenjack.com. From the white paper it appears that Bastille analyzed the RF spectrum to find the weekly siren test signal. Once found they were able to characterize the modulation scheme, and since no encryption was used, they were able to dissect the packet. They then determined that the packets could easily be reproduced and thus any transmit capable radio could be used to attack the system. Also although Bastille used USRP SDRs in the reverse engineering stage, it seems that the same reverse engineering work could be done with a simple RTL-SDR.

Balint Seeber from security research firm Bastille has recently disclosed a major security vulnerability found in wirelessly controlled emergency sirens called "SirenJack". These sirens are used in many states and cities within the USA to warn large populations of disasters or other dangers, although at the moment only sirens by ATI System in San Francisco have been identified as vulnerable. The vulnerability stems from the fact that the wireless protocol used to activate the sirens is not encrypted, so a bad actor could record the monthly test activation transmissions, analyze them and forge control signals of his own. This would allow a hacker to take control the sirens at will using a simple $30 handheld radio and a laptop, or a transmit capable software defined radio.

This security research release comes after the Dallas tornado siren hack, which occurred in early 2017. During that hack a hacker activated 156 tornado sirens placed around the city of Dallas, Texas. In contrast to SirenJack, the Dallas siren hack was most likely caused by a more standard replay or brute force attack, since simple DTMF tones are used to activate Dallas' siren system.

ATI Systems have indicated that they have already patched the vulnerability as Bastille responsibly disclosed the vulnerability to them 3 months prior. However, it is likely that sirens created by other contractors in other states may have the same or similar vulnerabilities.

In the video below Balint shows the SirenJack vulnerability in action on a test siren setup. During the test he is able to take control of the siren and transmit any arbitrary audio to it using a software defined radio. Several other SirenJack video are available on Bastille's YouTube channel.