back to article Want to terrify a city with an emergency broadcast? All you need is a laptop and $30

Researchers have uncovered a remote hijacking vulnerability present in the systems many cities and organizations are using to manage emergency sirens and alerts. Dubbed SirenJack, the vulnerability would allow an attacker to remotely activate emergency alert systems manufactured by a company called ATI Systems. Bastille said …

  1. JeffyPoooh
    Pint

    "... warning sirens...only truly reliable method..."

    "Truly reliable"? Radio controlled?

    Has radio jamming recently been un-invented?

    1. Yet Another Anonymous coward Silver badge

      Re: "... warning sirens...only truly reliable method..."

      Beacons on mountain tops - the only reliable system

      1. Christoph

        Re: "... warning sirens...only truly reliable method..."

        "Beacons on mountain tops - the only reliable system"

        As long as you've got a spare hobbit to light them.

      2. GIRZiM
        Childcatcher

        Re: Beacons on mountain tops - the only reliable system

        Unless you're blind, you sightist bar steward!

        What about blind children, eh - have you no care for them, you monster?!!!

        1. Yet Another Anonymous coward Silver badge

          Re: Beacons on mountain tops - the only reliable system

          Unless you're blind, you sightist bar steward!

          Personal hat-mounted beacons would be available for the partially sighted.

          A small remote control pyrotechnic device could light them remotely

          1. GIRZiM

            Re: Personal hat-mounted beacons would be available for the partially sighted.

            Hmmmm. I can't say that the idea doesn't appeal - I am a sick b@$tard in many ways and really shouldn't be encouraged. But it doesn't help the fully blind - not unless they're lucky enough to be downwind of the stench of burning hair and molten flesh and/or within earshot of the sounds of crackling flesh (not to mention the screams of agony and terror).

            Also, whilst a small remote control pyrotechnic device could light them remotely were the shortcomings of the whole remote activation process not the very thing your approach was intended to surmount?

            1. Yet Another Anonymous coward Silver badge

              Re: Personal hat-mounted beacons would be available for the partially sighted.

              But it doesn't help the fully blind

              I assumed the portable beacons would be attached to the heads of the blind citizens. Even the most occularly challenged would be aware of the alarm once their own ear wax began melting.

              the shortcomings of the whole remote activation process

              True, perhaps equipping guide dogs with some sort of easily paw operated initiator (a'la Willey Coyote) would be more practical

              1. GIRZiM

                Re: Personal hat-mounted beacons would be available for the partially sighted.

                I assumed the portable beacons would be attached to the heads of the blind citizens. Even the most occularly challenged would be aware of the alarm once their own ear wax began melting.

                So did I ... I just didn't think it through properly - on the plus side though, it did provide an opportunity to mention the stench of burning hair and melting flesh, so it's an ill wind and all that.

                True, perhaps equipping guide dogs with some sort of easily paw operated initiator (a'la Willey Coyote) would be more practical

                Well, it'd have to be better than charades, wouldn't it?

                Something I saw on TV made me go "WTF !?"

                A Hearing-Dog-For-The-Deaf.

                WTF!?

                Is the dog trained to spell words out by biting its owner a set number of times? Or does it carry a typewriter around with it? Or a set of cards with letters on them or something? Maybe it does charades: six taps of the paw, wag tail, one paw, wiggle ear means "Six words...First Word...Sounds like....Shit! I was gonna say watch out, there's a car coming but judging from the look on your face as it hit you I guess you've already figured it out"

                But for the blind, well, barks (or even bites), something, yeah.

                Maybe the solution would be to set fire to the dog?

                People would notice that alright - even the sighted/hearing!

                1. Yet Another Anonymous coward Silver badge

                  Re: Personal hat-mounted beacons would be available for the partially sighted.

                  It's trained to do some trick when the phone rings so that the owner knows somebody is calling

                  1. GIRZiM

                    Re: Personal hat-mounted beacons would be available for the partially sighted.

                    What, like laugh?

                    Master, master, the phone is ringing, master?

                    What are you telling me for, dog? As if it weren't bad enough being deaf but the dog's gotta rub my nose in it too.

                    Exactly, master. Remember that time I had an accident in the kitchen? Remember what you did to me? The phone's ringing, master! Answer the phone, master! Master, answer the phone! The phone's ringing!

    2. Christian Berger

      Re: "... warning sirens...only truly reliable method..."

      Well but natural disasters usually don't jam radio signals. (at least not continuously) However things like earthquakes can easily break cables.

  2. veti Silver badge
    Mushroom

    Or alternatively

    You could always save your $30, and just make one phone call.

    Social engineering, the most powerful of all the engineering disciplines.

    1. bombastic bob Silver badge
      Devil

      Re: Or alternatively

      In Hawaii, it just happens when you click the wrong button in the UI.

      https://www.washingtonpost.com/news/post-nation/wp/2018/01/14/hawaii-missile-alert-how-one-employee-pushed-the-wrong-button-and-caused-a-wave-of-panic/

      (ok it's a link to the 'washington bleep' but still...)

      yeah, that's the cover story. social engineering notwithstanding.

      1. Jason Bloomberg Silver badge

        Re: Or alternatively

        n Hawaii, it just happens when you click the wrong button in the UI.

        The real problem in Hawaii was that the alert could not be easily cancelled, could not be quickly confirmed to be a false alarm.

        1. Yet Another Anonymous coward Silver badge

          Re: Or alternatively

          A test message containing the phrase "this is not a drill" didn't help

  3. Christian Berger

    That wasn't a design goal

    Seriously the design goal is that in case of an emergency there will be an alert. False alerts are not really a big problem, unless they actually happen rather often. So for example using TLS as part of your protocol, would be a problem as there is a chance it might fail because of expiring certificates or because there was some intermittent power outage causing the clock to be wrong.

    1. Cuddles Silver badge

      Re: That wasn't a design goal

      "False alerts are not really a big problem, unless they actually happen rather often."

      False alerts are a huge problem, even if they're rare. There's a reason the parable of the boy who called wolf exists, and it would only take one or two false alerts for people to lose trust in the system. Hell, just look at people's behaviour when a fire alarm goes off, even in a building that has never had a false alarm - a significant number of people will almost always refuse to take it seriously.

      And of course, that's on top of the significant economic damage and disruption that could be caused by forcing everyone in a city to drop what they're doing and leave work. At best, you're looking at the best part of a day's work and the equivalent of millions of pounds being lost. Throw in injuries and the like caused during the panic, potential for looting while people are out, and so on, and the effects of even a single false alarm can be very serious. Just look at the already mentioned Hawaii screw-up - blocked roads, reckless driving, jammed phone lines preventing emergency calls being made, delayed flights, and so on - and that was a partial text alert with no sirens, early in the morning, that was cancelled in under 40 minutes.

      Sure, you don't want your system to fail to give a real alert, but you really don't want it giving out false alerts either.

  4. x 7

    at least the yanks HAVE warning systems......ours got turned off years ago

    Though what you were supposed to do it the alarm went off is anyone's guess

    Hawkwind got it right: DO NOT PANIC!

    https://www.youtube.com/watch?v=a8pGS4cWbHo

    1. Yet Another Anonymous coward Silver badge

      Though what you were supposed to do it the alarm went off is anyone's guess

      I thought we were supposed to lie down, put a paper bag over our head or something…?

    2. SImon Hobson Silver badge
      Mushroom

      Though what you were supposed to do it the alarm went off is anyone's guess

      I believe the standard advice is : go the smallest room in the house, sit down, put your head between you knees, ... and kiss your a**e goodbye. Icon representative of one occasion when this manoeuvre might be appropriate.

  5. tip pc Silver badge
    Gimp

    it must be scary living in fear of the warning Siren going off

    I remember as a kid at school hearing the broadmoor sirens being tested i think Tuesday mornings at 11, and then hearing it going off one late winter afternoon. We where advised to stay in doors etc. At least we all new what it was and what to do, i think a city wide siren would be more terrifying especially not knowing what threat we should be expecting.

    1. Anonymous Coward
      Anonymous Coward

      Re: it must be scary living in fear of the warning Siren going off

      i think a city wide siren would be more terrifying especially not knowing what threat we should be expecting

      Back in the early 1980s, I was in Wolverhampton town centre when the Cold War nuclear attack sirens went off. Not a pre-announced test, not a short burst, a good three minutes of wwoooooooOOOOOOOO

      wwwwwwwwOOOOOwwwwwww (if I remember the spelling right), announcing to the Wolverese that in a few minutes, Russian nuclear missiles were going to vapourise them (although arguably property damage would be difficult to prove).

      And you know what people did? Nothing. Diddly squat. They didn't even talk about it, they just ignored it and continued with their shopping. Which is a very sensible thing to do in the circumstances, but rather begs the question of why bother with the sirens.

      1. Yet Another Anonymous coward Silver badge

        Re: it must be scary living in fear of the warning Siren going off

        Would the USSR target Wolverhampton?

        The British might -

  6. JakeMS

    Temptation

    I must not do this

    I will not exploit this

    I will not have fun using this bug

    I must not allow myself to try this

    I... will... not... do... it...

    STOP don't do it.

    I'm holding myself back otherwise I may find it funny to cause mass panic.

  7. DNTP

    ATI systems?

    Should have gone with NVidia.

    1. Anonymous Coward
      Anonymous Coward

      Re: ATI systems?

      Most likely they could not get the drivers to work with linux.

  8. John Smith 19 Gold badge
    FAIL

    Wow. Security by obscurity strikes yet *again*.

    Unencrypted packets.

    Just the cheapest possible tech to implement a system that must never go off by "mistake."

    I'd say "Unfu**ingbelievable" but in fact I find it quite believable.

    1. GIRZiM

      Re: I find it quite believable.

      In fact, the only thing that would shock me would be to learn they'd done it properly in the first place!

  9. Michael Habel Silver badge
    Joke

    What have Team Red been up to now?

    Is there still any money left to be made selling these GPU thinigies?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021