Illustration by D. Thomas Magee
At 11:42pm last Friday night in Dallas, suddenly and for no apparent reason, what locals call the 'tornado sirens' went off. All of them. It was a clear, calm night; no foul weather presaged the blare of an emergency system so loud it's meant to wake sleepers inside their houses.
When the 156 sirens continued to go off in repeating 90-second cycles, seemingly without end, people started to worry about being bombed.
By 12:30am, the Dallas Office of Emergency Management (OEM) began to start shutting off the alarms manually. People were freaking out, flooding the Dallas 911 call center. Over 800 calls came in between 12am and 12:15am, creating wait times for up to six minutes, and totaling 4,400 calls for the 90 minutes the sirens blared.
Since it took half an hour for Dallas OEM to acknowledge the screaming sirens and local news had nothing, people turned to each other on Twitter and Facebook. Which, of course, was filled with speculation that World War III had started.
Half an hour into the chaos, the OEM tried to quell panic by issuing social media alerts saying not to call 911. It backfired and people became convinced it was a conspiracy and their local officials were lying to them. Some speculated it was some kind of cover for a crime in progress.
The sirens went off continuously until 1:17am.
At first, the public was told it was a malfunction. But officials soon admitted to press that it was a hack -- but a very peculiar one.
In a press conference at Dallas City Hall on Monday morning, Dallas City Manager T.C. Broadnax said the hack was done using radio frequency, and not via a computer network. Mark Loveless at Duo Security posited a clarifying detail, that it was probably done "through the use of Dual-Tone Multi-Frequency (DTMF) signaling via radio." According to press, city officials said that "it's a tonal-type system," suggesting the hack was done by replicating the tonal code -- the sounds -- that would set off the sirens.
Authorities still don't know who hacked and set off the Dallas County outdoor warning sirens, but they do know how it was done. This kind of hacking is usually called "phreaking," which is typically associated with the telephone system. In this context, it would be the kind of phreaking done when radio-frequency signal tones are perfectly reproduced to trigger various functions normally reserved for operators or telephone company employees. Like making free calls, eavesdropping and more.
Since tornado sirens use radio-frequency communications to work, this is feasible. Indeed, Duo Security discovered in their research that "the usual setup involves a number of sirens which are triggered/controlled by a series of DTMF tones via radio, typically via UHF 450mHz."
It's as fascinating as it is disturbing when you consider how many other similar systems exist across the US that are probably about as secure as the ones in Dallas.
Broadnax insisted that the hack was "a radio issue" and not a system software problem, and wouldn't tell reporters exactly how the compromise occurred. He added, "Our system is not software related and on a computer. It's a radio system."
This little detail caused the ears of hackers to perk up. They quickly discovered that the details for the city's early warning system are available on the Dallas City Hall website (circa 2012, when the system was last improved). And, of course, they were being passed around Twitter as security nerds picked over the available information. They were going to sleuth it out themselves -- because every hacker loves a mystery.
These hackers noticed that Broadnax was either mistaken or not being completely forthright: The city's own documentation states that the siren system could be activated via internet access.
This comment on @Dallas_Observer
— OMG ΉΆXOR (@SynAckPwn) April 11, 2017
by Broadnax is BS
From their own briefing on the system https://t.co/yfsUFEQQc4
Backend is PC/software pic.twitter.com/rUj710IEfe
Getting a straight story out of city officials would be nice, plus it might cut down on hysteria and conspiracy theories.
A reasonable theory is that this was a prank -- a really well researched and planned one, though. Another is that it was a test run to see how people panic and emergency services respond during an alarm. There's also the disgruntled employee theory, and my favorite, that it was a cover-up for an epic art or jewelry heist.
If you're a fan of heist films and watch a lot of Mr. Robot, the hack seems almost exhilarating. I mean, if you weren't one of the 1.3 million poor souls in Dallas wondering if they should run, cry, or stuff their kids and cats into a bomb shelter.
As fun as that all sounds, this was a reminder that security has been an afterthought for way too long on city systems. Shutdown of the alarms required them to disconnect everything, leaving the city without its emergency warning sirens until late Sunday night.
In the aftermath, local press noted that "no one at City Hall knew something like this was possible." Meanwhile, the Dallas Police Department is currently leading an investigation, with the FCC and FBI assisting.
Will this happen in other cities? Undoubtedly.
We security nerds can joke about it with our bar buddies from afar and analyze it online, but for the people who experienced this it was very real. It was a reminder of how helpless we feel, and how clueless our officials are about hacks and hacking. All while our universe gets a little more incomprehensible because we're not sure if our present peril is the result of incompetence or maliciousness.
Well, at least now city officials in at least one US city know something like this is possible. Broadnax told press, "As we brought the system back up, some encryption was added as part of our process to prevent this type of error from occurring going forward."
Error?
Well, anyway ... some encryption sounds good.
Image: Jupiterimages via Getty (Siren); Getty Images/iStockphoto (Downtown Dallas, TX)