SirenJack: Rebuttal by ATI Systems

Last week we posted news about the "SirenJack" radio security vulnerability which was released by Balint Seeber of the Bastille security research agency. SirenJack describes how a cheap TX capable SDR or a $30 handheld radio could allow an attacker to take over wirelessly controlled emergency sirens that are found in many cities around the US. In particular, it was discussed how Acoustic Technology, Inc (ATI Systems) sirens' were the first to be found as vulnerable.

Today Dr. Ray Bassiounim, President & CEO of ATI Systems wrote to us (and presumably other news agencies that ran the SirenJack story) a rebuttal which we paste below.

ATI Siren Vulnerability Misrepresented by Bastille Networks

Balint Seeber of Bastille Networks, Inc. has released information that he has been able to hack Acoustic Technology, Inc.’s wireless protocol. ATI believes that Seeber misrepresents his claims that he did so using only a $35 radio and a laptop. ATI understands the great lengths, time, effort, and expertise that Seeber and Bastille went through.  However, their claim trivializes the fact that Seeber is a radio frequency expert with over a decade of training, knowledge, and access to advanced equipment. Bastille’s statement intended to maximize public fear and anxiety by purposefully omitting and simplifying information they released.

Seeber says he identified this vulnerability over 2 ½ years ago but decided not to notify ATI or the City of San Francisco until recently. If he truly believed this was a serious vulnerability, why did he wait so long to disclose it, effectively leaving the public at risk? Other discrepancies discovered include:

  • Bastille’s SirenJack white paper states in part “...nor was there access to equipment...”  However, pictures in the white paper and videos on Bastille’s YouTube page clearly show Seeber utilizing ATI’s equipment in his Proof of Concept.
  • Seeber also states multiple times that anyone “…with a $35 transmitter…” can perform this hack. The white paper, however, confirms he used “…a number of Ettus Research Universal Software Radio Peripheral (USRP) and Software Defined Radio (SDR)….”. This equipment costs upwards of thousands of dollars for each unit, not merely the $35 radio as claimed.
  • In multiple YouTube videos, ATI’s equipment is blurred out during Seeber’s demonstration. For full disclosure, what was blurred out and why?
  • In Seeber’s YouTube demonstration of the SirenJack hack, it shows him with an embedded CPU debug cable plugged into the ATI siren.  Since this cable is only used for programming and diagnostics of the ATI siren, why is this cable needed? There is no reason for it to be used while demonstrating siren activation through over-the-air hacking.
  • None of Bastille’s videos show any Over-The-Air (OTA) transmissions of malicious packets because transmitting on a licensed frequency is illegal. Yet the Motorola CM200 radio in the ATI siren is very easy to re-program to a different frequency (or a license free radio could have been used), and it could have been easily changed in order to legally demonstrate sending malicious packets OTA.

When the San Francisco system was installed in 2004, over 14 years ago, it was state-of-the-art. Since then, ATI has upgraded protocols to incorporate a 128-bit AES variable key with an additional ATI proprietary security layer that is now being implemented.

“For the past 30 years ATI has had thousands of clients, both nationally and internationally.  Even though we have never experienced any fails or hacking incidents, ATI responded to Bastille’s false claims by raising security safeguards, and ATI encourages its clients to update their systems to ensure maximum security. We believe that Bastille’s representations are totally fabricated,” comments ATI’s CEO, Dr. Ray Bassiouni.

It's true that Balint and Bastille do have years of knowledge and the equipment to find vulnerabilities, however we believe that Bastille was only claiming that a $30 radio can be used to take over the system now that the vulnerability is already known. If a more malicious hacker found the vulnerability first, and then released the details to 'script kiddies' or other malicious people, it could have caused major issues.

The white paper on SirenJack is now available and can be found at sirenjack.com. From the white paper it appears that Bastille analyzed the RF spectrum to find the weekly siren test signal. Once found they were able to characterize the modulation scheme, and since no encryption was used, they were able to dissect the packet. They then determined that the packets could easily be reproduced and thus any transmit capable radio could be used to attack the system. Also although Bastille used USRP SDRs in the reverse engineering stage, it seems that the same reverse engineering work could be done with a simple RTL-SDR.

SirenJack: Could sirens be taken over with a $30 radio?
SirenJack: Could sirens be taken over with a $30 radio?

7 comments

  1. phraxoid

    Bit of a laughable retort to be honest. All of those bullet points leave me thinking ‘yeah, well, so what?’.. it still appears to be pwned. This is just knee-jerk face-saving smoke and mirrors.

  2. Mike Dozier

    Just another company trying to shift public (and client) focus away from their lack of security development to a witch hunt upon an ethical hacker! This company is more concerned losing money, than making their product more secure. Hey Dr. Ray, here’s a tip for you; Hire a good public relations person…Your attack on a well-respected ethical hacker does not show well for your company. Besides, you are going to need a good PR person when your air-raid sirens cause mass chaos because you failed to develop good security practices in your protocols!

  3. SlicerDicer

    However, their claim trivializes the fact that Seeber is a radio frequency expert with over a decade of training, knowledge, and access to advanced equipment. Bastille’s statement intended to maximize public fear and anxiety by purposefully omitting and simplifying information they released.

    [The above is NOT a rebuttal]

    Seeber says he identified this vulnerability over 2 ½ years ago but decided not to notify ATI or the City of San Francisco until recently. If he truly believed this was a serious vulnerability, why did he wait so long to disclose it, effectively leaving the public at risk?

    [The above is NOT a rebuttal]

    Bastille’s SirenJack white paper states in part “…nor was there access to equipment…” However, pictures in the white paper and videos on Bastille’s YouTube page clearly show Seeber utilizing ATI’s equipment in his Proof of Concept.

    [The above is NOT a rebuttal]

    Seeber also states multiple times that anyone “…with a $35 transmitter…” can perform this hack. The white paper, however, confirms he used “…a number of Ettus Research Universal Software Radio Peripheral (USRP) and Software Defined Radio (SDR)….”. This equipment costs upwards of thousands of dollars for each unit, not merely the $35 radio as claimed.

    [Equipment used != equipment required]

    In multiple YouTube videos, ATI’s equipment is blurred out during Seeber’s demonstration. For full disclosure, what was blurred out and why?

    [The above is NOT a rebuttal]

    In Seeber’s YouTube demonstration of the SirenJack hack, it shows him with an embedded CPU debug cable plugged into the ATI siren. Since this cable is only used for programming and diagnostics of the ATI siren, why is this cable needed? There is no reason for it to be used while demonstrating siren activation through over-the-air hacking.

    [Probably to determine what data the device is receiving]

    None of Bastille’s videos show any Over-The-Air (OTA) transmissions of malicious packets because transmitting on a licensed frequency is illegal. Yet the Motorola CM200 radio in the ATI siren is very easy to re-program to a different frequency (or a license free radio could have been used), and it could have been easily changed in order to legally demonstrate sending malicious packets OTA.

    [The above is NOT a rebuttal]

    When the San Francisco system was installed in 2004, over 14 years ago, it was state-of-the-art. Since then, ATI has upgraded protocols to incorporate a 128-bit AES variable key with an additional ATI proprietary security layer that is now being implemented.

    [Sure – after an ethical hacker forced you to]

    For the past 30 years ATI has had thousands of clients, both nationally and internationally. Even though we have never experienced any fails or hacking incidents, ATI responded to Bastille’s false claims by raising security safeguards, and ATI encourages its clients to update their systems to ensure maximum security. We believe that Bastille’s representations are totally fabricated,” comments ATI’s CEO, Dr. Ray Bassiouni.

    [Yeah, we left the barn door wide open and we have no proof to the contrary, so we’ll toss out a safe “we believe…” – can’t get sued for that, can we?]

  4. Ion

    “When it was installed in 2004 it would have been state of the art for 1984.”would be a more accurate statement. Companies that support our critical national infrastructure need to get their game faces on whilst it’s still a friendly shot over the bow that forces them to make there products fit for purpose, and not a real attack with deadly intent.

  5. John

    If they’d reprogrammed or altered the radio for an OTA attack, ATI would say they’d tampered with it. Damned if you do, damned if you don’t.

  6. It's not a bug, it is a design feature.

    If that is the response from the company, I think they need to hire some smarter people.
    If someone connects a SDR TX device through an attenuator and a cable into an antenna port, yes indeed it is not OTA, and it is not 100% the same as OTA, but it is close enough.

Post a comment

You may use the following HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.