A radio hacker has discovered that all it takes to hijack emergency sirens in some American cities is a laptop and a widely available radio that only costs $35.
Radio hacker Balint Seeber has just revealed the hack publicly, as Bastille (the security firm Seeber works for) posted a press release about the vulnerability.
Wired has further reporting on the hack, and notes that vulnerable siren systems have been found in San Francisco and two other cities, “as well as hints they may be installed in many more.”
Seeber demonstrated the hack in a proof-of-concept video.
Such a hack would not be unprecedented. As Wired notes, hackers gained control of Dallas’s 156 emergency sirens last April, causing the sirens to blare a signal for 90 seconds, 15 separate times.
The technique revealed by Seeber goes beyond causing the sirens to blare, however. Hackers could play any sound they wanted — the proof of concept demonstrates this by playing Rick Astley’s “Never Gonna Give You Up” over the speakers. (A familiar tune to anyone who’s spent any time on the internet in the past decade.)
The emergency sirens are sold by ATI Systems, which told Wired that “the vulnerability is largely theoretical and has not yet been seen in the field.” But an ATI statement to Bastille claimed the findings were “likely true” and the company planned to roll out a software update soon.
Bastille’s press release notes that “ATI customers include the City of San Francisco, other large urban and rural communities, military installations, universities, and industrial sites including oil and nuclear power generation plants, potentially affecting millions of people.”
A report from the San Francisco Chronicle last week noted that city officials were “quietly scrambling” to fix a security bug in the emergency system. “On Thursday, the Department of Technology announced that the problem had been fixed,” the report notes.
It seems that San Francisco may have escaped a potential hack in this case, but other cities and organizations with similar systems may not even know they’re vulnerable. And while it’s true that these hacks aren’t easy to pull off, dedicated hackers could manage them, and no costly equipment would be needed.
One other worrisome factor: it’s clear that hackers have increasingly been targeting infrastructure and city systems, which makes potential hacks like these seem possible. Atlanta recently fell victim to a widespread ransomware hack, and Baltimore’s 911 dispatch system was temporarily shut down by a similar attack last month.