In light of recent events, particularly the Dallas siren hack, we'd like to go through a couple of plausible scenarios that might explain this attack and how they relate to the need for stronger security when designing RF-enabled devices and implementing RF-enabled networks.
For now, let’s look at the Dallas incident to examine how some public safety and large-scale RF networks work, how they might be vulnerable to such attacks, and what you should take into account when designing and securing such networks.
Dallas – Networks, Topologies, and Sirens
Let’s have a look at an overview of the potential components involved in the Dallas scenario. With a central controller node at the headquarters, there would be some sort of control module.
For example, a computer and software would be interfaced to radio equipment, and then connected to an antenna.
The individual sirens are spread out over a large area, which is an important factor to consider, and is one reason that RF is such a good way to control these systems. At each node, there is a pole with a siren, a radio receiver listening for commands to control that siren, as well as some sort of module that actually controls the siren and whether or not to emit alarms.
The Dallas Office of Emergency Management (OEM) has not revealed how their network is organized or what sort of security it had, or has, so we are still left to hypothesize on how this might have happened. While there are a number of theories, here I am going to discuss the types of networks that might be deployed in Dallas and the types of transmission technologies in use.
Single Frequency Networks
One possible scenario for Dallas is that they use a single-frequency network. In this situation, the central transmitter and all of the siren receivers operate on one frequency, which is registered with the FCC.
A single-frequency network uses a single large transmitter to cover an entire emergency region. The transmitter might be up high on a tall building or on a hill and uses a very large power output to allow the radio waves to propagate over a significant distance and cover the entire array of sirens. Since all of the Dallas sirens appear to have been set off at once, this may indicate some sort of centralized control over all of them, as opposed to someone visiting each one individually and setting it off.
So, in the single-frequency network attack, the attacker most likely traveled to a high point to achieve good propagation to all the sirens. The equipment to undertake this sort of attack would have included a powerful transmitter, a power amplifier, and an antenna tuned to the specific frequency used by the Dallas system (or around those frequencies).
Radio Repeater Networks
In this network there is a centralized instance of a single repeater to cover a large region. The repeater accepts weaker signals on one ‘input’ frequency and rebroadcasts them at a stronger signal on a different ‘output’ frequency to cover the larger area.
How does this play out? One hypothetical scenario is that a controller module at headquarters sends out a transmission on the input frequency, which is registered to a particular repeater. The repeater then rebroadcasts the same transmission over the output frequency, but at a much stronger signal. The siren modules will be listening on the output frequency, and anything transmitted on the input would be repeated to the output. That's how you can cover this broad area.
We’ve briefly covered network configurations, now let’s take a look at how commands are sent.
Command Transmission: Analog or Digital?
Analog RF Networks
The simplest and least costly approach is an analog technique. A normal analog single-frequency or repeater network, most likely using narrowband FM, is used to send voice data. To listen to these transmissions, all that is needed is a hand-held radio, which is easily purchased from eBay or Amazon for less than $30. You don't really need anything more sophisticated than that.
If it's analog transmission, then you can send a series of tones. One possibility is exactly the same sort of dual-tone multi-frequency (DTMF) tones you hear when you dial the digits on a telephone. What might be the case here is that tones are transmitted from headquarters to a receiver and demodulator at each node, and each node is programmed to listen for a certain sequence of tones. Upon receiving the tones, the node will enact some command, in this case, to activate the sirens.
Now, in either the single-frequency or the repeater case of an analog network, if someone out there has found the frequency in use, they can simply listen for those tones to be transmitted prior to the monthly test. In some cases, where there's practically no security, those tones are transmitted in the clear, and you're able to replay them to achieve the same effect.
Where might the attacker be? On a single-frequency network, the attacker needs to be up high, with a very powerful transmitter, a power amplifier, and an antenna. With an analog repeater, the attacker simply needs to transmit close to the repeater, perhaps with a directional antenna, on the input frequency, and have those tones in the initial broadcast rebroadcast by the repeater over the entire network to achieve the same effect.
Digital Repeater Networks
With a digital repeater, emergency headquarters has a radio to send digital data instead of just narrowband FM. Data is rebroadcast by the digital repeaters to ensure full coverage of the emergency area.
There may be one repeater, or in the case of modern public safety networks, it might be established as a simulcast network, which means that multiple synchronised repeaters would cover an even broader geographic range.
The difference here is, instead of tones such as the DTMF tones, there would be a distinct packet of data. This is received by a radio, decoded and then the received command is put into action, in this case, to activate the siren at each node.
With a digital network, there is the option of including encryption. However, in many networks encryption is not implemented for various reasons, such as key management or simply the much higher cost charged by the manufacturer.
To listen to transmissions that are ‘encrypted’ in name only (that is, where encryption is not properly implemented), the attacker may simply need a handheld radio. Alternatively, the attacker can use a computer or existing radio equipment with a demodulator. As with the analog example, the attacker can wait for the time when the equipment testing occurs to record the transmissions. To attempt to perpetrate an attack, the attacker rebroadcasts the recording just as with an analog network. However, this may not succeed, as it depends on how the encryption was implemented. The Dallas OEM did not use encryption.
There is a nuance in certain networks (either analog or digital) when they're trunked networks. A trunked network uses a more sophisticated type of repeater system.
The trunked network has allocated to it a number of frequencies that are shared amongst multiple radio users, which means that a single public safety network can support a large number of users, such as the police, ambulance, fire, and other first responders. This operates over a fixed number of frequencies (a pool of channels) that are allocated on demand as users need to make ‘calls’. These calls are either all analog or all digital in nature depending on the type of repeater, just as in the standard repeater case described previously. However, regardless of the call type, a digital signalling (output) channel is still used by the trunking controller to inform radios of allocated channels, and another digital (input) channel is used by radios to request a channel from the controller.
Now, this is not only about calls between mobile users or people. It could potentially be calls to end nodes such as radio-enabled equipment. The radios in these end nodes might be configured to operate on a trunked network, and they might be assigned to a particular talk group. At headquarters, the radio might transmit out to a trunked repeater network, saying, "Call this particular talk group," so it effectively establishes a call to every single end node. They all start listening, and then the attacker would send either the tones in the analog trunked case, or data packets in the digital trunked case. Either way, the network would receive the commands and have them sent out to each end node.
The primary problem with common trunked networks is that there is no method to authenticate a legitimate transmitter before setting up a call. Also, as with standard digital networks, there is no method by the network to authenticate the actual message that's being sent, and there's no low-level network encryption (it is commonly transparent to the network and implementation is left to the radios using the network). This means that this type of RF network is entirely open and susceptible to replay attacks.
With the Dallas incident, the media reported that some level of encryption was added in very short order after the attack took place. While the Dallas OEM didn’t supply further details of how this was done or what encryption was added, here’s what could have happened: If Dallas was already using a digital repeater network, with radios that supported “over-the-air rekeying,” then they could have enabled encryption or updated the existing encryption keys via a radio-issued command signal.
Encryption and Initialization Vectors
With encryption, the system is now far less susceptible to the “record/replay” attack. However, this depends on how the encryption was implemented. If the encryption requires an initialization vector to be sent before each actual data transmission, then the data is much safer. However, with systems that do not use this, due to time or cost, an attacker can still simply replay the improperly ‘encrypted’ packet and control the network, encrypted or not!
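To make the record/replay problem of the last few sections concrete, here is an added example (not code from the original post or from Bastille) of how a siren node can reject a recorded command frame. It is a constructed design: each frame carries a 4-byte sequence counter (playing the role the initialization vector plays above, making every frame unique), the command bytes, and a truncated HMAC-SHA256 tag over both under a key shared with headquarters. The receiver checks the tag first, so an unauthenticated frame cannot probe its state, and then only accepts a counter higher than the last one it executed. The key value, frame layout and command names (ACTIVATE, CANCEL) are assumptions made for the example; the block uses only the Python standard library and provides authentication and replay rejection, not confidentiality.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Constructed shared secret for the example. A real deployment provisions a
# per-site key into each siren controller out of band (hypothetical value).
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
TAG_LEN = 16        # bytes of HMAC-SHA256 carried on the air
SEQ_LEN = 4         # big-endian unsigned counter


def build_command(key: bytes, seq: int, command: bytes) -> bytes:
    """Frame = counter || command || tag.

    The counter makes each frame unique; the keyed tag binds the counter to
    the command so an attacker cannot raise the counter on a recorded frame.
    """
    header = struct.pack(">I", seq) + command
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class SirenReceiver:
    """Decoder at one siren pole: verify the tag, then enforce a strictly
    increasing counter so a recorded frame is refused when rebroadcast."""

    def __init__(self, key: bytes):
        self._key = key
        self.last_seq = -1      # highest counter executed so far
        self.activations = 0    # how many times the siren actually sounded

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        if len(frame) < SEQ_LEN + 1 + TAG_LEN:
            return False, "frame too short"
        header, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, header, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare, and tag before counter: a forged frame must
        # not reveal anything about the receiver's counter state.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag (forged or tampered frame)"
        seq = struct.unpack(">I", header[:SEQ_LEN])[0]
        command = header[SEQ_LEN:]
        if seq <= self.last_seq:
            return False, f"replay: seq {seq} is not above {self.last_seq}"
        self.last_seq = seq
        if command == b"ACTIVATE":
            self.activations += 1
        return True, f"executed {command.decode()} at seq {seq}"


def demo() -> Dict[str, object]:
    """Walk one node through the scenarios discussed in the text."""
    node = SirenReceiver(SHARED_KEY)
    results: Dict[str, object] = {}
    # Headquarters sends the monthly test activation.
    genuine = build_command(SHARED_KEY, 41, b"ACTIVATE")
    results["genuine"] = node.accept(genuine)[0]
    # The same frame, recorded off the air and rebroadcast later.
    results["replay"] = node.accept(genuine)[0]
    # The recorded frame with its counter field bumped, but no key for the tag.
    bumped = struct.pack(">I", 99) + genuine[SEQ_LEN:]
    results["forged"] = node.accept(bumped)[0]
    # The next legitimate command still goes through.
    results["next"] = node.accept(build_command(SHARED_KEY, 42, b"CANCEL"))[0]
    results["activations"] = node.activations
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The caveat a practitioner should take from this is that the initialization vector or counter by itself only makes frames distinct; the receiver must also remember what it has already accepted (and persist that counter across power loss), and the keyed tag is what stops an attacker from simply incrementing the counter on a recorded frame. The same principle carries over to tone-based analog systems: a fixed tone sequence is a replayable password, whereas a one-time code derived from a shared key and a counter or time window is not. Adding confidentiality on top would mean an authenticated cipher such as AES-GCM with a fresh nonce per frame, which the standard library does not provide and the example therefore leaves out.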
Emergency networks mainly use analog or unencrypted digital
The vast majority of emergency warning systems still use analog or digital hardware without encryption, largely due to cost. Since it is less likely that Dallas OEM has one of the more sophisticated networks, it is somewhat unclear how Dallas added “encryption” in such short order after the attack.
Radio vs. Wired?
Radio offers many advantages over wired communication systems, such as flexibility and cost, but security is often overlooked. Wired networks are not 100% secure either, but there is substantial investment to protect them, whereas there is little-to-no investment to protect devices using radio-only networks.
If you set up a radio network, you must secure points within your system, particularly end nodes. Otherwise an attacker can simply perform something like the replay attack and take control of your end node, or gain entry into whatever radio or wired network that is also connected to your end node.
The requirement for security improvements to radio-enabled devices does not just apply to government agency alerting systems. Today, many buildings and cities are using the Internet of Things to become Smart Buildings and Smart Cities. To achieve this, radio-enabled networks are being deployed, often without having to pass the same security requirements as wired or Wi-Fi devices. The Internet of Things often uses low-energy protocols operating beyond secured Wi-Fi; these include ZigBee, Z-Wave and LoRa. Often multiple radios are installed on each sensor to allow for future flexibility, and security is nearly always the last thing on the manufacturer’s list of features to add as they rush to market.
The Internet of Things, the Internet of Radios
With the Internet of Things, or the Internet of Radios, it seems all too often that security is overlooked and is the last consideration by manufacturers. The Bastille Research Team has found vulnerabilities in many common office and home devices. Last year, we notified brand-name manufacturers of wireless keyboards and mice such as Logitech, Dell, and HP of vulnerabilities in their products that would allow an attacker to compromise their customers’ data and networks. Internet of Things sensors and controls operate key building security and infrastructure devices such as office entry and exit systems, windows, and HVAC. These are often deployed without the same level of security scrutiny and testing as the main Wi-Fi and wired network.
RF: Security through Obscurity
In the case of emergency siren systems, perhaps vendors and purchasers thought they had security through obscurity, because they had their own special network, with their own dedicated protocol on their own frequency. However, today radio and computing technology is faster, more accessible and cheaper, giving hackers the opportunity to research, exploit, and quickly find any weaknesses that exist.
What other RF-controlled infrastructure has similar security vulnerabilities to the Dallas OEM system?
Public safety is obviously a big issue, but there are also other issues in Smart Meters that control people's gas, electricity and water. There is also concern, and interesting research, that has turned up issues with the electricity grid and how various substations and transformers can be controlled using SCADA radio links and radio modems. In some cases, there's very little or no encryption, which means an attacker could even influence that network via the radio-enabled devices on it.
As deployment of “Smart City” technology increases, there will be new and interesting ways to use radio-enabled technologies to control streetlights, traffic lights, and so on. However, these can all be vulnerable to attack if the network is not designed with security in mind from the very start.
If you'd like to learn more about what Bastille does to protect wireless infrastructure or how it can help you sense, identify, and locate your RF-enabled devices, especially those that you're not even aware of, please request a demo or your own Wireless Vulnerability Threat Assessment.