The City of Dallas, Texas, emergency alarm system was compromised by a hacker or hackers late Friday night. All 156 outside sirens, usually used for severe weather warnings, were activated more than a dozen times between approximately 11:45 pm Friday and 1:20 am Saturday until engineers manually disabled the system.
The Dallas Outdoor Warning Sirens are designed to alert people outside to go indoors for shelter and information. The sirens are not meant to be heard indoors. Their primary function is to warn of imminent severe weather; but with no immediate sign of this, some people worried about reprisals for recent US military action in Syria.
The 911 emergency service, already under pressure through staff shortage, received approximately double its usual number of calls; and waiting time at its worst increased from the usual 10 seconds to around six minutes.
No details of the hack have yet been released, although it is believed the attacker is from the Dallas area. “For security reasons,” said spokeswoman Sana Syed, “we cannot discuss the details of how this was done, but we do believe that the hack came from the Dallas area. We have notified the FCC for assistance in identifying the source of this hack. We are putting in safeguards to ensure this type of hack does not happen again.”
Attacks against emergency alert systems are rare, but not unknown. In 2013, hackers breached an emergency alert system (EAS), causing TV stations in Michigan, California, Montana and New Mexico to broadcast a zombie warning, “the bodies of the dead are rising from their graves and attacking the living.”
Dallas engineers are thought to have located the source of their own breach, and have ruled out both their control system and remote access. If the attacker breached the communications channels this could explain the belief that he or they are local to the area.
At the time of writing, the police had not been notified.
Dallas Mayor Mike Rawlings commented on Facebook, “This is yet another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure. It’s a costly proposition, which is why every dollar of taxpayer money must be spent with critical needs such as this in mind.”
In November 2016, the City Council approved a $567,368 budget to maintain and repair the emergency sirens over the next six years. Michigan-based West Shore Services, a distributor of Federal Signal outdoor warning products, won the contract.
When approached over the weekend, West Shore’s director of operations, Luke Miller, had not been informed of the breach by the Dallas Office of Emergency Management. “I am trying to get information along with everyone else,” he said. “I don’t know anything.”
Martin Zinaich, chief security officer for the city of Tampa, Florida, told SecurityWeek, “We keep putting more and more ‘things’ (including critical infrastructure) on a public network that everyone in the world, both good and bad, have access to — yet we still do not have information security being considered as part of a complete business risk profile.”
Zinaich believes it is symptomatic of an ever-worsening cyber security condition that will require drastic action to solve. In a paper comparing cyber security to the long, slow descent and ultimate destruction of Eastern Air Lines Flight 401, he says, “In short, what we have put in place are insecure computing devices connected together using insecure protocols over a fabric connected to support some of our most critical dependencies and let anyone in the world — good or bad — have access to it.”
His own solution would be for American CISOs to come together in a professional association, similar to the AMA, so that together they could influence the quality of security much as the AMA has influenced and improved the quality of medicine.