Hijacking Emergency Sirens

Turns out it's easy to hijack emergency sirens with a radio transmitter.

Posted on April 17, 2018 at 6:29 AM • 20 Comments

Comments

Ross Snider • April 17, 2018 10:03 AM

@John

Hard to speculate, but this is exactly the sort of thing that would be in the portfolio of a MISO (Military Information Support Campaign). On the larger stage, America is running a global propaganda program, but closer to the ground much of the signals activity is aimed at disruption and deception that stuns Syria in a way that makes broader military and intelligence efforts successful.

The trick with MISO and Mass Propaganda exercises is that it can be pretty difficult to tell them apart from "just accidents" and "highly opinionated trolls." This one may very well be "just an accident."

Ross Snider • April 17, 2018 10:06 AM

These signals seem like they would be easy to trigger, as they probably are modulated in a fairly easy format, and also aren't receiving competing signals.

Even more sophisticated signal hijacking can be done. A famous go-to, unsolved example, is the Max Headroom broadcast in Chicago (https://en.wikipedia.org/wiki/Max_Headroom_broadcast_signal_intrusion) where some local party overrode a live television broadcast on at least two occasions.

Who? • April 17, 2018 11:30 AM

I am sorry if my words sound too harsh. In my humble opinion "security through obscurity" does not work.

A unique "security through obscurity" layer may temporarily stop a hijacker. But it must be understood as a delay only. A "security through obscurity" countermeasure deployed inside an organization is not only visible to a few people but also some sort of "not too widely deployed countermeasure." In any case, an effective countermeasure needs to be audited by people who know what they are doing. Patching an obscure proprietary protocol adds just a bit of complexity to the attack, but it will never be a replacement for true security through well-known protocols and cryptographic layers.

Blythe • April 17, 2018 12:39 PM

I would think that the activation mechanism dates back to at least the 1980s, when they likely did not think someone would connect a radio transceiver to a laptop to scan for the transmissions; then program their own trigger using a $30 radio from Amazon. Perhaps they even thought that people had other things to do with their time.

Somewhat related: Living in a situation where those things would go off all the time, there was more concern that everyone tuned them out and went about their usual business when the sirens sounded.

V • April 17, 2018 1:04 PM

@Blythe:
> Somewhat related: Living in a situation where those things would
> go off all the time, there was more concern that everyone tuned
> them out and went about their usual business when the sirens sounded.

That could well be the rational thing to do. It's a question of how many years of your life are spent hunkered down in a basement somewhere vs. possible lost years of life multiplied by the probability of an actual alarm.

Les Nuys • April 17, 2018 1:35 PM

Yes, they can hijack the horns, but can they get them to do a snappy sax-trumpet bebop number?

Peter A. • April 17, 2018 1:35 PM

Such old systems are everywhere waiting for anybody to trigger. I only wonder why they aren't misused more often.

Two examples from Poland.

One is the railway emergency stop system. It uses a simple FM-modulated signal on one of the railway radio channels. An engineer seeing an emergency pushes a button and his radio starts emitting the signal. Radios on all locomotives in range receive that signal and initiate emergency braking. On old locomotives which don't have that, the engineer himself recognizes the characteristic chirp and is required to initiate braking. Restarting the traffic requires confirmation that everything is safe and coordination on the radio with dispatch and all trains affected. It takes some time. The system has been misused a few times, once by a disgruntled former railway worker who still had a handheld radio with this function. If I remember correctly, there was another case involving a malicious ham radio licensee. But basically anybody could do that. In those cases the perpetrators were caught quite soon but with current technology and miniaturization I can easily imagine disorganizing railway traffic at a major junction for months on end.

Another example is tram switchgear control in some cities. There's an IR transmitter on board and the motorman approaching a switch presses one of two buttons - left or right. A receiver is mounted on overhead wires and connected to the control system which operates switch actuators. There were several derailings and accidents in Cracow, with one fatality, caused by a malicious person sending the signal to change switch position while a tram was riding over it. The person was caught and convicted eventually.

Just passin' thru • April 17, 2018 3:29 PM

I wonder if there's a command to keep them silent. Better yet, a command for a firmware/software update.

Daniele Nicolodi • April 17, 2018 4:33 PM

The "vulnerability" comes with a name, a logo, and a dedicated website...

Security Sam • April 17, 2018 5:23 PM

Rural America uses WWWII sirens
That are immune and impervious
Not only to local amateur tinkerers
But, to global hackers anonymous.

FRex • April 17, 2018 10:01 PM

It's very often the case that something is secure only because no one has yet bothered to crack it.

Gerard van Vooren • April 18, 2018 3:51 AM

What bothers me in this story is the lack of actual info, which occurs way too often and that this site loads forever. A typical case of moneymaking.

Name • April 18, 2018 4:26 AM

Hijacking sirens is bad, but there is a more interesting vulnerability. Just attack on a regular siren test. Most people will react much slower and the rest might even ignore it by default.

Clive Robinson • April 18, 2018 11:40 AM

@ Who?

> In my humble opinion "security through obscurity" does not work.

It does and it does not, the trouble is it has become a mantra that gets quoted all too often, the follow on result is pro and anti positions.

You need to look at the evolution of security to understand how security is by no means an absolute but is instead a question of resources available to both sides of the question.

Security started off as a survival advantage mechanism before we even learned to talk let alone write, and it can still be seen in creatures that are herbivores or omnivores.

To get a survival advantage sole knowledge of a ripening source of fruit or a bees nest etc gives significant advantage. The problem is trying to keep the "sole knowledge". You only have two basic options open to you,

1, Hide the location
2, Hide the source existence

Both of these are "obscurity" methods the first on its own is largely ineffective as others seeing you with some of the source will know it exists thus will deploy their resources against you either overtly with fist or club or more covertly by following... The second method reduces but does not eliminate the attacks.

Obviously with increasing development and the forming of groups other tactics can be employed by both sides.

For some considerable period of time this aspect of security had no reason to change. In fact it was the development of "stock keeping and herding" that gave rise to the next aspect which is the need to get a physical resource from one place to another and keeping it secure at any given place.

From this you can see the basics of all physical security we still use today for tangible physical things.

The development of writing however took security into a new direction from the tangible physical to the intangible informational. Which is a problem in a number of ways, because most humans do not see the difference thus make the mistake of transferring physical world assumptions into the information world where more often than not they don't fit or fit well. You see this in explanations of crypto as being a "lock" or a "safe" which puts the wrong image in people's heads. In their head they see a physical object that is in effect unique thus do not see how an encrypted file can be endlessly duplicated and worked on in parallel. They also don't tend to see the idea of "intelligent agents" that in effect turn an individual into an army of attackers that can come from any direction.

Thus even though many humans do know about "broadcasting" from radio and television they don't see it provides security by obscurity. Various Navies realised that you could broadcast a message from headquarters that anybody and everybody could receive, but that also meant that an attacker had no way of knowing where the intended recipient of the communications was provided they sent no response. So the attacker would know that a message had been sent at what time and even its length, but assuming the crypto was secure not anything else. It was later realised during WWII that other information did leak in the frequency and length of what were in effect standard messages (traffic analysis). Therefore various militaries adopted "channel stuffing" where a link would be fully occupied much like some "numbers stations" are reputed to work.

Both these forms of obscurity are quite effective thus there is a place albeit narrow for "security by obscurity" even in the information communications world.

However you can also use the idea of "security by obscurity" even in a wired network where the location of all the nodes are known. I've explained this before on this blog along with how the use of store and forward, interleaving and indeterminate retransmission can make traffic analysis ineffective.

So yes security by obscurity is something I expect to see more of built into networks over time.

Matt from CT • April 18, 2018 2:43 PM

> Rural America uses WWWII sirens

I'm going to assume the poster meant WWII.

And it is a fair bet most volunteer fire department sirens* in use date to the Civil Defense era immediately following WWII. Even the ones that are newer usually still depend on DTMF, or other simple tone schemes, over well known frequencies.

It's not even security through obscurity, it's security through public trust -- it is only marginally more difficult to maliciously set off the fire sirens than it is to maliciously pull a fire alarm box on a street corner.

You record the DTMF tones on a tape recorder (iPhone today?) and key up a mic in any one of a number of radio-equipped vehicles whether actual fire apparatus or the privately owned vehicles of officers and play it back, and siren goes off. Newer systems may have built-in unit identifiers that get transmitted when the radio is keyed, many older ones lack this feature.

In my area, to the best of my knowledge, there was only a single persistent prankster since this system rolled out in the early 1970s replacing the expense of the leased, dedicated phone lines that previously served the task.

The analogy to pulling a fire alarm box to setting off a fire siren is even more apt considering in many (most?) communities that have both volunteer firefighters and a telegraph fire alarm system, pulling the fire alarm box will cause the box number to be tapped out over air horns to alert the firefighters. It also gets printed at the dispatch office, so the dispatcher can also make a voice and/or alphanumeric page out of the incident.

*Volunteer departments using outdoor sirens, often one on the firehouse and often others at strategic locations in town, is/was fairly common in the northeast. As radio paging systems became more common, and reliable, and noise complaints increased their use has declined. Even in my relatively wealthy state, many fire companies could not afford pagers for all their members until the early 1990s.

I personally don't see a need for them for everyday use but I fully support maintaining them as a fallback system -- even telephone tree call lists are not reliable backups as the last hurricane through my area saw all telephone services except Verizon Wireless fail within 48 hours and not return fully for the better part of a week.

They aren't common in tornado prone areas where outdoor sirens, instead, are associated with weather warnings.

In addition to sirens and horns, I even know some communities that would alert their ambulance volunteers via a carillon -- less intrusive than a siren, but the distinct tune would still alert volunteers who did not have a pager with them.
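The following is an added example, not part of the comment above and not any siren vendor's protocol. It contrasts a receiver that activates on a fixed tone sequence, which a recording satisfies every time, with one that requires an HMAC-authenticated frame carrying a unit identifier and a strictly increasing counter. The key, unit ID, tone string and frame layout are all constructed assumptions.

```python
import hashlib, hmac, struct

# Constructed values for illustration only (assumptions, not from any real system).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
STATIC_TONES = "5#7719"   # stand-in for a fixed DTMF activation sequence
UNIT = 0x0101             # hypothetical transmitting unit identifier

def static_receiver(received: str) -> bool:
    """Legacy behaviour: anything matching the fixed sequence activates."""
    return received == STATIC_TONES

def make_frame(key: bytes, unit_id: int, counter: int, command: bytes) -> bytes:
    """Sender: 2-byte unit id + 8-byte counter + command + HMAC-SHA256 tag."""
    body = struct.pack(">HQ", unit_id, counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class AuthenticatedReceiver:
    """Activates only if the tag verifies and the counter has not been seen."""
    def __init__(self, keys):
        self.keys = keys            # unit_id -> per-unit key
        self.last_counter = {}      # unit_id -> highest counter accepted

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 10 + 32:
            return False
        body, tag = frame[:-32], frame[-32:]
        unit_id, counter = struct.unpack(">HQ", body[:10])
        key = self.keys.get(unit_id)
        if key is None:
            return False            # unknown transmitter
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False            # forged or corrupted frame
        if counter <= self.last_counter.get(unit_id, -1):
            return False            # a recorded frame played back
        self.last_counter[unit_id] = counter
        return True

def demo():
    rx = AuthenticatedReceiver({UNIT: DEMO_KEY})
    frame = make_frame(DEMO_KEY, UNIT, 1, b"ACTIVATE")
    forged = frame[:-1] + bytes([frame[-1] ^ 1])   # one bit of the tag flipped
    return {
        "static_first": static_receiver(STATIC_TONES),
        "static_replay": static_receiver(STATIC_TONES),  # recording still works
        "auth_first": rx.accept(frame),
        "auth_replay": rx.accept(frame),                 # same bytes again
        "auth_forged": rx.accept(forged),
        "auth_next": rx.accept(make_frame(DEMO_KEY, UNIT, 2, b"ACTIVATE")),
    }
```

The receiver has to persist its last-accepted counter across power loss, otherwise a reboot reopens the replay window.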

echo • April 18, 2018 2:52 PM

@Clive

Yes, I agree 'security by obscurity' is a yes and no, or "it depends". I note binary thinking exists in a number of fields such as physics of all subjects. (Bio-social scientists are not so prone but not immune to this.) I daresay this can be helpful as a shortcut but can steer and obscure discussion in unhelpful and sometimes misleading ways. In an informed consent environment this can be successfully litigated as was one recent case.

The 60Hz myth was another such annoying meme - that moving pictures couldn't be detected by the eye over a framerate of 60Hz. This is empirically not true and can be as high as 200-230Hz or even higher. Of course, this doesn't mean higher framerates are always better as cinema viewers become stressed with higher framerates as the brain works harder to process a higher volume of visual data.

Citation Reqd • April 18, 2018 5:40 PM

[echo]:
> cinema viewers become stressed with higher frame rates as the brain works harder to process a higher volume of visual data.
[citation required]
What's the frame-rate of real life?

Hmm • April 18, 2018 8:19 PM

"What's the frame-rate of real life?"

Well that depends on how fast you're moving relative to light speed. But don't take my word for it.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.