BSidesCHS 2015: Exploiting Mass Emergency Notification Systems


You’ve received emergency notifications; had a storm warning interrupt the season finale; had your phone go berserk with an “amber alert” which annoyed yet somehow gave you a warm fuzzy the government is looking out for you.  You’ve driven under an interstate notification sign and cursed “traffic delays due to construction” when you’re already running late. But how did those messages get there and who REALLY sent them?  Easy to laugh off one warning of “ZOMBIES AHEAD” but what if the message also came over your phone and radio simultaneously?

With a footprint the size of nations, emergency notification systems stand ready for the worst disasters to the most localized emergencies, dangers, weather, and more.  These “system of systems” are held together by embedded devices, fragile protocols, and terrible implementations in an IoT nightmare so unreliable it fails as often as it succeeds.  But why does it persist?  Lets explore the government mandated backdoors into commercial & public communications networks ripe for exploitation!

This talk will demonstrate how messages are initiated & distributed as well as how an attacker could inject, modify, disrupt, or even take over major parts of the larger system with the click of a button!  We’ll explore the devices, their vulnerabilities, and the future of these systems in the US under the Integrated Public Warning & Alert System (IPAWS) as well as in other countries.  While walking the tightrope of legality, it will give you the background and tools along with multiple live demonstrations and invite you to participate in a “BSides Emergency Notification System”.  Even if you don't hack these systems (and I'm not saying you should), I'm sure you'll find the discussion eye opening and engaging in an area where RF hacking, IoT/SCADA, and critical infrastructure collide to create one hell of a mess!