Sirens designed to broadcast alerts across large areas like cities and industrial sites risk being affected by a security vulnerability detected in San Francisco’s emergency warning system, researchers said Tuesday.
San Francisco’s network of about 114 warning sirens could have easily and inexpensively been hijacked by bad actors and used to broadcast false alarms prior to quietly undergoing a security upgrade last month, according to research from Bastille, a threat-detection company that publicly disclosed its findings Tuesday.
The sirens scattered across San Francisco are activated via radio frequencies, and until recently they used an unencrypted protocol that made the commands that controlled them accessible to eavesdroppers, according to the security firm.
San Francisco tests the emergency system every Tuesday, giving Bastille ample opportunities to intercept the radio transmissions used to activate the sirens and study the unencrypted data packets used to activate the weekly alert.
“Because they are transmitted in the clear, it’s possible to observe these over sequential tests and then analyze the packet format,” said Balint Seeber, Bastille’s director of vulnerability research.
“Once a malicious actor has analyzed that protocol, they can craft their own payloads and transmit them … thereby triggering a false alarm,” Mr. Seeber added.
Dubbed “SirenJack,” the vulnerability was confirmed in products sold by ATI Systems of Boston, including the emergency alert system in San Francisco and two other locations, according to Bastille.
ATI’s other customers range from cities and power plants to universities and military installations, including One World Trade Center, Indian Point Energy Center nuclear power station and the West Point Military Academy.
“A single warning siren false alarm has the potential to cause widespread panic and endanger lives,” said Bastille CEO Chris Risley.
Bastille notified both ATI and San Francisco of the vulnerability earlier this year, Mr. Risley added, and the city’s Department of Technology said in a statement Friday that steps were taken to address a security bug affecting its citywide warning system.
“We worked proactively with our vendor to patch the vulnerability. Initial testing shows the firmware upgrade minimized the threat. Nevertheless, we will continue testing,” said Linda Gerull, the department’s executive director.
ATI said in a statement Tuesday that other customers would receive security patches shortly, albeit while downplaying the vulnerability detected in San Francisco.
“Before customers panic too much, please understand that this is not a trivially easy thing that just anyone can do,” the company said.
Wide-scale emergency systems have been hacked in the past, notably during an incident in 2017 that activated over 150 tornado warning sirens across Dallas, Texas.