Emergency sirens sold by Acoustic Technology use an unencrypted command and control system broadcast over the air, which allowed attackers to commandeer them.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- The vulnerable alarm systems are deployed in municipalities, as well as on military installations, university campuses, and oil and nuclear power plants.
- A fix is being tested in San Francisco, though it is unclear if wider deployment has been rolled out in other areas.
A vulnerability in alarm systems made by Acoustic Technology, Inc. (ATI) has been discovered by Balint Seeber, the director of vulnerability research at Bastille Networks. The vulnerability, dubbed SirenJack, permits attackers to gain control of emergency alert sirens, granting the ability to play any sound that the attackers choose through the alert siren.
The command and control system for the sirens uses an unencrypted—and therefore insecure—wireless communication system. According to a press release, a malicious actor can use an off-the-shelf radio and a laptop to analyze the control packets, reverse engineer them, and then broadcast their own control packets using the same hardware. This exploit is further evidence of the dire need for encryption in enterprise tools, especially when they are in any way connected to sensitive data or a private system.
The ATI HPSS16, HPSS32, and MHPSS siren systems, as well as the ALERT4000 siren controller are confirmed by Bastille to be vulnerable. Bastille has been able to read and reproduce the control packets in San Francisco and two other locations, the release said. According to ATI's website, sirens are also deployed at One World Trade Center, the Indian Point Energy Center nuclear power plant, University of Massachusetts Amherst, and West Point Military Academy, though Bastille has not tested deployments in those areas.
SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)
Bastille produced a proof-of-concept video demonstrating the vulnerability, though this demonstration uses a wired connection between the antenna of the test deployment speaker and the radio, as the frequency used by the siren hardware is a licensed band, which would make broadcasting on that frequency illegal.
The company gave ATI the industry standard 90 days to deploy a patch before public disclosure. Presently, ATI is testing a patch in San Francisco, though it is unclear if this patch is being widely deployed to all customers as of yet.
In a statement to Wired, a representative from ATI indicated that Bastille's research was illegal, as the company was "violating FCC regulations against intercepting and even merely divulging the existence of government radio signals without authorization." Companies taking a hostile stance toward security researchers is the wrong approach, and it is difficult to be an optimist about ATI's stance in this case. In a separate statement posted to Bastille's website describing the vulnerability, they note that the results of the research are "likely true," though note that "this is not a trivially easy thing that just anyone can do."
To ATI's credit, the design of this system is not a DTMF-based control system (which they note in their statement), such as the one built by Federal Signal commandeered by hackers in Dallas last year. The design of that system allowed attackers to capture and repeat control packets, making it comparatively trivial to assume control of that hardware.
Bastille's website notes the importance of public disclosure of these vulnerabilities, particularly as false alarms prompted by hackers gaining control of alarm systems can erode public trust. Additionally, they point out that "vendors don't know who currently uses their technology: products may be sold through 3rd parties, names of technical contacts may have changed, entire customer companies may be been merged into different businesses. Only through a public announcement can these customers be warned they have a vulnerability and reach out to their vendor for a patch."
In a statement to TechRepublic, ATI CEO Dr. Ray Bassiouni downplayed the risk associated with the vulnerability, stating in part that Bastille has "technically sophicated hackers," who indicate that "additional security is needed for the unlikelihood that a hacker who is as sophicated would be able to develop a method to activate our system."
- 10 signs that you aren't cut out to be a telecommuter (free PDF) (TechRepublic)
- As legal threats rise, this new report aims to guide ethical hackers (ZDNet)
- Chaos Engineering: A cheat sheet (TechRepublic)
- Security warning: Your suppliers are now your weakest link (ZDNet)
- BranchScope vulnerability could be the next Spectre/Meltdown flaw for the enterprise (TechRepublic)