SirenJack: Security Vulnerability Found in Wirelessly Controlled Emergency Sirens

Balint Seeber from security research firm Bastille has recently disclosed a major security vulnerability found in wirelessly controlled emergency sirens called "SirenJack". These sirens are used in many states and cities within the USA to warn large populations of disasters or other dangers, although at the moment only sirens by ATI System in San Francisco have been identified as vulnerable. The vulnerability stems from the fact that the wireless protocol used to activate the sirens is not encrypted, so a bad actor could record the monthly test activation transmissions, analyze them and forge control signals of his own. This would allow a hacker to take control the sirens at will using a simple $30 handheld radio and a laptop, or a transmit capable software defined radio.

This security research release comes after the Dallas tornado siren hack, which occurred in early 2017. During that hack a hacker activated 156 tornado sirens placed around the city of Dallas, Texas. In contrast to SirenJack, the Dallas siren hack was most likely caused by a more standard replay or brute force attack, since simple DTMF tones are used to activate Dallas' siren system.

ATI Systems have indicated that they have already patched the vulnerability as Bastille responsibly disclosed the vulnerability to them 3 months prior. However, it is likely that sirens created by other contractors in other states may have the same or similar vulnerabilities.

In the video below Balint shows the SirenJack vulnerability in action on a test siren setup. During the test he is able to take control of the siren and transmit any arbitrary audio to it using a software defined radio. Several other SirenJack video are available on Bastille's YouTube channel

SirenJack Proof of Concept
SirenJack Proof of Concept

One comment

  1. a

    nothing new unfortunately. many emergency warning systems in various countries have similar vulnerabilities. most of these protocols aren’t strong enough to use them in garage-door openers (but’s it’s ok for public safety it seems)

    short description how to hack them:
    – receive
    – flip a few bits
    – transmit the result
    – et volia, the sirens are singing their irresistible song

    example from Poland:
    https://github.com/sq5bpf/multimon-ng-stqc/blob/master/README_STQC (scroll down to “English version”). the decoder uses one line od sed, the encoder uses just some sox magic: https://github.com/sq5bpf/multimon-ng-stqc/blob/master/stqc2.sh. nothing interesting really

Post a comment

You may use the following HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.