Dallas city officials have added extra encryption and other security measures to the outdoor warning sirens hacked early Saturday.
The hack also prompted the city to evaluate critical systems for potential vulnerabilities, City Manager T.C. Broadnax said in a statement late Monday. City officials are reviewing security for financial systems, a flood warning system, police-fire dispatch and the 911/311 system.
Broadnax told reporters separately on Monday that the hack came over a radio frequency and not over a wired computer network. The attack was "not a system software issue; it was a radio issue," he told the Dallas Observer and others.
The city believes the hack came from the Dallas area, but officials haven't detailed how it occurred. Dallas police are working with the FBI and the Federal Communications Commission (FCC) to validate what they think happened and find the source. The hack caused all 156 emergency sirens to activate for about 90 minutes, scaring some residents and doubling the number of calls to 911.
Radio security experts theorized the incident may have been a simple "replay attack" where the hacker recorded the radio signal sent out on April 5 at noon as part of a monthly test of the emergency siren system. Then, the hacker could have played that signal back repeatedly early Saturday. It would take a hacker with a software defined radio (SDR) or other off-the-shelf radio frequency test equipment to pull off the attack, said Chris Risley, CEO of Bastille Networks, a company that remediates radio frequency vulnerabilities.
Frequencies used for outdoor sirens are public and are managed by the FCC. Various security techniques, including encryption, are used to protect signals sent by radio.
Even if a "replay attack" was not used, the regularly scheduled siren test would allow an attacker to make multiple recordings of the "activate sirens" radio stream over several months and then analyze it for specific commands to trigger the alert, he added. SDRs are becoming cheaper and more capable and there is an abundance of open source software that can decode activation protocols.
Risley said other cities are probably just as vulnerable as Dallas.
The Dallas incident highlights how vulnerable and unprotected U.S. enterprises and government authorities are, said Matt Little, chief product officer for encryption provider PKWare. "Traditional security perimeters are breaking down. This attack reaffirms how necessary encryption is," he said.
Many siren systems are decades old and Dallas may have been relying on low-level encryption, perhaps even 64-bit encryption based on the Data Encryption Standard (DES) from the late 1970s, he said.
"Sirens are analogous to a lot of aging critical infrastructure that was built for high availability, and always has to be online, so security took a back seat to that," Little said.
Dallas may have decided after the hack to upgrade encryption or improve the authentication system regarding who gets access to encryption keys, Little said.
In the Dallas case, a hacker could have listened to the low-level encrypted activation signal sent to sirens for some time, then used a brute force attack to figure out the encryption key needed. "It seems to be a large brute force effort to compromise a signal tower," Little said.
In some ways, radio-controlled systems like a siren warning system with even weak encryption could actually be more secure than some Internet-connected devices with no encryption, he said. For example, unprotected cameras connected to the Internet that were attacked by the Mirai botnet were used in a coordinated D-DOS attack on Dyn servers last October. The result: widespread Internet outages.