When we think of Cyber attacks, we often envision that it is a computer, wireless device, Smartphone, or a server room in a large data center that is being attacked. We also assume that it is the private and confidential information of employees and customers that will be covertly hijacked and stolen, to be used for malicious purposes later. While this is all mostly true, one my previous blog posts also mentioned that the Cyber attacker is also bent upon physical destruction as well (can’t remember when I wrote about that one, but is there somewhere).
But, it seems like that the Cyber attacker, seems to be bored now with Information Technology assets. The theme of attacking the actual physical infrastructure is not taking front and center stage. This is best exemplified by a recent article about a flaw in the Emergency Management System that most cities use to alert their citizens of any crises situations that may occurring (such as natural disasters, or even other worse things).
Apparently, it has been discovered that most of these systems actually have a flaw in them in which a Cyber attacker can actually via remote control, activate these sirens at any time they desire to, even in the late night to early morning hours. These of course, are all false alarms. This actually happened last year, in Dallas, TX, when some 156 sirens went off “ . . . waking up residents and sparking fears of a disaster.”
This kind of Cyber attack even has a name for it, and it is called “SirenJack Attack”, and it was a vulnerability that was discovered by a security researcher at a security firm known as Bastille. The specific of Emergency Management System that this affects is manufactured by ATI Systems, which is based of Boston, MA. But, this system is not just used by the state and local municipalities, it is also being used by the educational facilities (such as universities and colleges), military facilities all across the United States, and even heavy duty industrial sites that are found in the major cities.
In fact according to Balint Seeber, a Managing Director at Bastille: “since the radio protocol used to control affected sirens is not using any kind of encryption, attackers can simply exploit this weakness to activate sirens by sending a malicious activation message . . . all that is required is a $30 handheld radio and a computer . . .” (SOURCE: https://thehackernews.com/2018/04/hacking-emergency-alert-sirens.html).
In order to launch this kind of attack, all that a Cyber attacker apparently needs (along with the cheap equipment just listed) to be in the specific radio range, and from there, identify the specific radio frequency used by the targeted siren in order to send a so called “secret message” in order to activate these alarms. Apparently, radio protocols are not encrypted by any means, and thus are very susceptible to being fooled, or tricked.
An example of another prime target for the Cyber attacker is the City of San Francisco outdoor public alert system, where more than 100 warning sirens in which the Cyber attacker can easily exploit and cause great mayhem and chaos across the entire city. Just imagine that. It would be a total nightmare come true.
The security researchers at Bastille alerted ATI Systems about this critical flaw in their emergency management systems, and they had said that patches would be soon made available. But, the only problem with this is that these systems are specifically designed for each customer, so a uniform patch will not work. As a result, great effort and time will have to spent to create customized patches that will cure all of these systems. Because of this, ATI Systems has advised their customers to examine their specific emergency management systems to see if this flaw actually exists, and to notify them so that the appropriate can be crafted.
All I can say to this WOW!!! I never realized that this could even be a possibility. I have always heard the sirens go all without fail on the first Tuesday of each month here in Chicago. I just hope this weakness can be solved in due time (meaning, ASAP, which will be difficult to actually happen given these customized designs).
Because now that the Cyber attacker can now impact physical based infrastructures, they can now cause a huge city like Chicago, NYC, or even LA to go into great pandemonium. For example, because of this flaw, they can now trick the citizenry of these large cities that some disaster is occurring, while at the same time, striking also at the very heart of these cities IT infrastructures as well, making all of this a perfect storm of totally bringing a large city to its knees.
Just think if this happened in NYC…the major financial capital in the United States…there would be total chaos on the equity markets, causing huge financial losses. God, I pray that this situation never happens. But given the ever growing sophistication level of the Cyber attacker, anything is now possible, from anything to everything.