GOOD MORNING DALLAS!
In the grand scheme of things going on right now, an RF attack on public emergency notification systems in Dallas, TX, is pretty low on the "give a crap" scale of things. I must acknowledge, the Shadow Brokers dumping old exploits is a delight to pentesters and interested parties looking to expand their arsenals or fill their bag-o-tricks. Never mind the ongoing state of politics, the economy, and never-ending FUD. All of this makes it even more difficult to gather any attention to yet another writeup on vulnerabilities in critical infrastructure or mass communications. Though we're getting some traction on SCADA and ICS due to commercial exposure, consumer interest in IoT, and repetition from industry pros, the reality is this recent round of emergency notification systems attacks will likely blow over just as fast as any other story and we'll forget all about it until another 3AM false alarm wakeup alert pisses us off enough to care until we fall back asleep!
If you're reading this post, you may have seen one of my previous talks on vulnerabilities in the US Emergency Alert System (EAS), Integrated Public Warning and Alert System (IPAWS), Common Alerting Protocol (CAP), Commercial Mobile Alert System (CMAS), or other systems which comprise, interconnect, and/or drive mass notifications. If you haven't, I've added links to past posts and videos on the subject.
The question I get the most regarding these presentations is "how come I've never heard about this before?". Soon followed by "shouldn't you be more responsible with your disclosure or be helping to fix the issues?". The only way I can answer is "exactly" and "no" regardless of how frustrating those answers are to give. I'm hardly the first to disclose vulnerabilities in emergency notification systems, several of which I reference in my talks. Even still, with names much better respected than mine behind them, these issues continue to be ignored, brushed off, and even denied by local, state, and federal agencies implementing them.
While the causes of these issues are largely technical and easy to fix, the blockers to fixing them are political and not nearly as difficult as some authorities claim. In the end, the story tells itself again and again...
"Hacking Attack Woke Up Dallas With Emergency Sirens, Officials Say" - New York Times 4/8/2017
"Hackers set off Dallas’ 156 emergency sirens over a dozen times" - ArsTechnica 4/9/2017
"Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack" - ArsTechnica 4/12/2017
Am I encouraging others to do this? No.
Am I enabling others to do this? Unlikely. Anyone seeking to do this could easily find the information and means without my presentations or posts.
Am I surprised by the lack of attention or action on the issue? At this point, not at all. My first attempt to disclose RF-based attacks was in 2012. State emergency management officials from 2 states rejected the findings multiple times. I waited 2 years to present the findings and it's been 3+ years since. There was zero action then and very little now. Somebody just woke up a whole city with just 1 part of the system in Dallas; imagine how loud you'd have to be to wake up the government!