Hackers equipped with just a laptop and a $30 handheld FM radio could have hijacked the emergency alert system sirens of San Francisco. The hack could have made them go off whenever they wanted, and made the system broadcast custom messages, according to researchers.
A researcher from wireless security startup Bastille found that the emergency alert systems made by ATI Systems—which makes and installs emergency mass notification and alert warning systems—transmitted commands unencrypted, allowing anyone with a radio transmitter (and the ability to reverse engineer the commands) to hijack them.
“You could set off multiple siren networks repeatedly,” Balint Seeber, director of vulnerability research at Bastille and the one who found the vulnerability, told Motherboard in a phone call. “Say a military base or residential area near a nuclear power plant—you could set them off repeatedly and scare a large portion of the population.”
Bastille made a video to show how a hacker would attack sirens taking advantage of this flaw. In the video, Seeber makes sirens play a test message, as well as Rick Astley's Never Gonna Give You Up.
ATI confirmed the existence the flaw to Motherboard, but downplayed Bastille’s findings, saying that the flaw is “largely theoretical” and stressed that it’s not easy to exploit it in the wild.
“A very sophisticated observer may be able to deduce much of the packet format, but it is not trivial to do so,” a company representative said in an email to Motherboard. “We are adding additional encryption to make the commands as secure as possible.” The spokesperson said these changes will be made in San Francisco and two other unnamed locations identified by Bastille as vulnerable.
Read more: The Mystery of the Creepiest Television Hack
Seeber said he first became interested in the alert system—called the Outdoor Public Warning System—when he moved to San Francisco more than two years ago. That’s when he started wondering how secure it was, he told me. Quickly, he said, he realized that it was possible to intercept commands and issue his own.
The San Francisco Department of Technology announced last week that they had upgraded the firmware and "minimized" the threat of attacks like the ones Seeber and Bastille are warning of.
There’s no evidence anyone has ever taken advantage of this flaw, but similar incidents have happened in the past. Last year, hackers took control of Dallas’ emergency sirens, firing off all of the city’s 156 emergency sirens for almost two hours overnight.
The ATI spokesperson pointed out that the Dallas incident was enabled by a system made by another company and said that system was much less secure because it used an old protocol to transmit commands.
The cybersecurity company, in any case, recommends all ATI customers to check with ATI whether they need a security patch.
This story has been updated to include the announcement from the San Francisco Department of Technology.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Get six of our favorite Motherboard stories every day by signing up for our newsletter.