SirenJack: Cracking a 'Secure' Emergency Warning Siren System

Black Hat USA 2018

Presented by: Balint Seeber
Date: Thursday August 09, 2018
Time: 15:50 - 16:40
Location: Tradewinds EF

SirenJack is a vulnerability that was found to affect radio-controlled emergency warning siren systems from ATI Systems. It allows a bad actor, with a $30 handheld radio and a laptop, to set off all sirens in a deployment. Hackers can trigger false alarms at will because the custom digital radio protocol does not implement encryption in vulnerable deployments.

Emergency warning siren systems are public safety tools used to alert the population of incidents, such as weather and man-made threats. They are widely deployed in cities, industrial sites, military installations, and educational institutions across the US and abroad.

Sirens are often activated via a radio frequency (RF) communications system to provide coverage over a large area. Does the security of these RF-based systems match their status as critical infrastructure? The 2017 Dallas siren hack showed that many older siren systems are susceptible to replay attacks, but what about more modern ones?

I studied San Francisco's Outdoor Public Warning System, an ATI deployment, for two years to learn how it was controlled. After piecing together clues on siren poles, and searching the entire radio spectrum for one unknown signal, I found the system's frequency and began passive analysis of the protocol. Monitoring the weekly siren tests, I made sense of patterns in the raw binary data and found the system was insecure and vulnerable to attack.

This presentation will take you on the journey of the research, and detail the tools and techniques used, including leveraging Software Defined Radio and open source software to collect and analyse massive sets of RF data, and analyse a custom digital protocol. It will also cover the Responsible Disclosure process with the vendor, their response, and subsequent change to the protocol. A proof-of-concept will be shown for good measure.

Balint Seeber

A software engineer by training, Balint Seeber is a perpetual hacker, the Director of Vulnerability Research at Bastille Networks, and the guy behind spench.net. His passion is Software Defined Radio and discovering all that can be decoded from the ether, as well as extracting interesting information from lesser-known data sources and visualising them in novel ways. When not receiving electromagnetic radiation, he likes to develop interactive web apps for presenting spatial data. Originally from Australia, he moved to the United States in 2012 to pursue his love of SDR as the Applications Specialist and SDR Evangelist at Ettus Research.

