WHAT IS SIRENJACK?
SirenJack is a vulnerability found in ATI Systems’ emergency alert systems that can be exploited via radio frequencies (RF) to activate sirens and trigger false alarms.
HOW IS THE VULNERABILITY EXPLOITED?
The radio protocol used to control the sirens is not secure: activation commands are sent 'in the clear', with no encryption and no cryptographic authentication, so a receiver has no way to tell a forged command from a genuine one. A bad actor can find the radio frequency assigned to a deployment, craft malicious activation messages, and transmit them from their own radio to set off the system. All that is required is a $30 handheld radio and a computer.
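To make the distinction concrete, the toy exchange below contrasts a receiver that accepts any well-formed activation frame with one that checks a keyed MAC and a monotonically increasing counter. This is an added illustration written for this page, not code from Bastille or ATI, and the frame layout, opcodes, site identifier and keys are all constructed for the example; the page does not describe ATI's actual frame format and this code does not claim to. Note that the hardened frame is still readable over the air: what stops the attack is authentication and replay protection, not secrecy.

```python
import hashlib
import hmac
import struct

# Constructed frame layout for this illustration (NOT ATI's protocol):
#   plain frame:          site_id (2 bytes) | opcode (1 byte)
#   authenticated frame:  site_id (2) | opcode (1) | counter (4) | tag (16)
ACTIVATE = 0x01      # constructed opcode values
DEACTIVATE = 0x02
PLAIN_FMT = ">HB"
AUTH_BODY_FMT = ">HBI"
TAG_LEN = 16         # HMAC-SHA256 truncated to 128 bits


def build_plain_frame(site_id: int, opcode: int) -> bytes:
    """Unauthenticated frame: anyone who has recovered the layout can build one."""
    return struct.pack(PLAIN_FMT, site_id, opcode)


def plain_receiver_accepts(frame: bytes, my_site_id: int) -> bool:
    """Receiver with no cryptographic check. A well-formed frame addressed to
    this site is indistinguishable from a legitimate one, whoever sent it."""
    if len(frame) != struct.calcsize(PLAIN_FMT):
        return False
    site_id, opcode = struct.unpack(PLAIN_FMT, frame)
    return site_id == my_site_id and opcode == ACTIVATE


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_auth_frame(key: bytes, site_id: int, opcode: int, counter: int) -> bytes:
    """Frame carrying a keyed MAC and a monotonically increasing counter.
    The body is still sent in the clear; the tag is what prevents forgery."""
    body = struct.pack(AUTH_BODY_FMT, site_id, opcode, counter)
    return body + _tag(key, body)


class AuthenticatedReceiver:
    def __init__(self, key: bytes, site_id: int):
        self.key = key
        self.site_id = site_id
        self.last_counter = -1  # highest counter value accepted so far

    def accepts(self, frame: bytes) -> bool:
        body_len = struct.calcsize(AUTH_BODY_FMT)
        if len(frame) != body_len + TAG_LEN:
            return False
        body, tag = frame[:body_len], frame[body_len:]
        # Constant-time compare: any frame not produced with our key is dropped.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False
        site_id, opcode, counter = struct.unpack(AUTH_BODY_FMT, body)
        if site_id != self.site_id:
            return False
        # Replay protection: a captured genuine frame re-sent later is stale.
        if counter <= self.last_counter:
            return False
        self.last_counter = counter
        return opcode == ACTIVATE


def demo() -> dict:
    """Run four cases and report which frames each receiver accepted."""
    site = 0x0042
    operator_key = b"constructed-32-byte-key-for-demo"   # constructed secret
    attacker_key = b"guessed-key-the-attacker-made-up"   # attacker lacks the real key

    forged_plain = build_plain_frame(site, ACTIVATE)

    rx = AuthenticatedReceiver(operator_key, site)
    genuine = build_auth_frame(operator_key, site, ACTIVATE, counter=1)
    forged_auth = build_auth_frame(attacker_key, site, ACTIVATE, counter=2)
    return {
        "forged_plain_accepted": plain_receiver_accepts(forged_plain, site),
        "genuine_auth_accepted": rx.accepts(genuine),
        "forged_auth_accepted": rx.accepts(forged_auth),
        "replayed_auth_accepted": rx.accepts(genuine),  # same frame sent again
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

Running the block shows the forged plain frame accepted and the forged, replayed and tampered authenticated frames rejected. In a real deployment the counter would need to survive receiver power cycles (or be replaced by a challenge-response nonce), and the key would have to be provisioned per site and rotated; those details are outside what this page covers.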
HOW MANY ATI SYSTEMS ARE AFFECTED?
ATI Systems has customers in and around cities, military installations, universities and industrial sites (including oil and nuclear) across North America and around the globe. We found the SirenJack vulnerability in San Francisco and confirmed it in two other locations, but we do not know which other ATI systems are subject to SirenJack. We urge all ATI customers to work with ATI to determine whether their system is affected and to apply a remediation immediately.
WHAT ARE THE POTENTIAL EFFECTS OF SIRENJACK?
The public relies on emergency warning systems being activated only for legitimate threats, often weather or security related. False alarms cause widespread concern and erode trust in these systems, as seen in the 2017 Dallas siren incident, in which over 150 tornado warning sirens were set off citywide for more than 90 minutes.
HOW WAS SIRENJACK DISCOVERED?
Balint Seeber, Director of Vulnerability Research at Bastille, discovered the vulnerability when he noticed that the emergency alerting system in San Francisco was controlled over RF and that its signals were not encrypted. Balint monitored the radio spectrum to find the frequency used by the city's Outdoor Public Warning System. Once the frequency was found, analysis of the radio protocol quickly showed that activation commands were sent in the clear, with no encryption or authentication, and could therefore be forged, rendering the system susceptible to malicious activations.
ARE THERE ANY OTHER VENDORS OR MANUFACTURERS BESIDES ATI AFFECTED?
Bastille is not prepared to discuss vulnerabilities that may or may not exist in other manufacturers' products. At this time the company can only comment on the vulnerabilities as they relate to ATI Systems. However, Bastille encourages other siren manufacturers to take note of this class of vulnerability and work together to ensure that all emergency alert systems are secured and not vulnerable to exploitation.
WHY DID BASTILLE CHOOSE TO DO A PUBLIC DISCLOSURE OF THE SIRENJACK VULNERABILITY?
Bastille follows the security industry's standard responsible disclosure practice. Vendors are notified 90 days prior to public disclosure, allowing time for patches to be developed and deployed. The security community has learned that if vendors are not given a date-certain for a public announcement, patch development is often deferred and available patches are not prioritized for installation. This leaves vulnerable parties open to attacks, which can happen at any time.
For example, six months before the Equifax breach, an independent researcher approached Equifax and reported several vulnerabilities, including the one used to steal the private financial data of 147 million Americans. Unfortunately, the researcher did not insist on going public with the vulnerability, and so it never got fixed.
The Federal Government recognizes this need for public disclosure and sponsors three Computer Emergency Response Teams (CERTs) to manage the tracking and announcement of these vulnerabilities. Bastille files its discovered vulnerabilities with the relevant CERT and follows all CERT announcement policies. For the SirenJack vulnerability we worked with the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
There is a second reason for a public announcement: warning other potentially vulnerable parties who have not been contacted by the vendor. Vendors often do not know who currently uses their technology: products may be sold through third parties, the names of technical contacts may have changed, and entire customer companies may have been merged into different businesses. Only through a public announcement can these customers learn that they have a vulnerability and reach out to their vendor for a patch.