Every Tornado Siren In Dallas Hacked

Someone had some fun with the Dallas early warning tornado siren system on Friday, April 8th. All 156 tornado sirens were hacked to go off just before midnight until they were manually turned off individually, reports The Washington Post. Thousands of residents flooded 911 call centers asking if they were under attack, if there was a tornado or if the zombie apocalypse had begun. The sirens were blaring for at least an hour and was originally put down as a malfunction, however it was later revealed that it was a hack and the “hacker” must have had physical access to the siren control center.

This isn’t the first time Dallas has had problems with “hackers” breaking into their infrastructure, Only last year some unknown person/persons hacked electronic road signs (a prank we’ve seen before) in and around Dallas claiming “Work is Canceled — Go Back Home” and “Donald Trump Is A Shape-shifting Lizard!!”. Mayor Mike Rawlings claims the perpetrators will be found and prosecuted although we don’t share his confidence since last year’s attackers are still at large.

The video below is one of many on YouTube filmed by bemused Dallas residents.

UPDATE: This hack seems to have been accomplished via DTMF signals broadcast on radio frequency in the clear. Recognizing the vulnerability after the fact, the system is now using some form of encryption for the control messages. Thanks [Dan J.] for posting this in the comments below.

55 thoughts on “Every Tornado Siren In Dallas Hacked

      1. bob
        Prove it was a prank and not a ransom test.
        Did every siren work? At least the ones that didn’t MAY get repaired.
        I think this was a warning or at least there is more under the surface than officials are willing to admit.
        here is another interesting tidbit
        https://www.bleedingcool.com/2017/04/12/united-talent-agency-hit-cyberattack-ransom-bitcoins-rumored/
        United Talent Agency Hit By Cyberattack, Ransom In Bitcoins Rumored

        I need to shout the obligatory RUSSIAN HACKERS! RUSSIAN HACKERS! RUSSIAN HACKERS!!!!!
        Hehehehe.

    1. Correct, since landline connections to each device would be cost prohibitive. So we have 2 possibilities: 1. “disgruntled” employee aiding (or committing) the act. 2. Prankster who collected ‘intel’ on the system, by noticing the antennas on the control boxes – indicating what band the radio operates on, looking up FCC licenses, scanning those freqs using a DTMF decoder during their periodic tests, executing a “replay” attack using high powered mobile in the middle of the coverage footprint.

      Adding ‘encryption’ after-the-fact, is a PR lie. Unless they physically went out and touched each control box, it’s a complete fabrication. Almost tempting the pranksters for round 2.

      1. From everything I can find on the various products Federal Signal makes, there are some siren controllers that can receive 128bit or 256bit encrypted digital signals but most do not. The boxes can be setup to receive everything and react accordingly. The master controller can transmit encrypted signals as well. I should note that digital does not mean DTMF. If they are still using DTMF, then it is not encrypted. Another thing, there is a virtual networked COM port in the master controller so that you can control it through serial over a typical network. That serial communication can be encrypted too. I’m not too sure which one they are talking about. The main point being, even if they did turn on encrypted digital (what your typical police radio network uses), the system is still vulnerable to replay attacks since the key isn’t changing.

    2. But if it wasn’t someone working in the dark with a laptop and a balaclava, who was it?
      “It couldn’t have been someone sitting on their couch! Our multi-million dollar system is too advanced for that!”

      I think this is another example of the people in charge having no idea how something works, and spouting “HACKERS! They are in our stuff!”

      1. When the ‘hacker’ saw himself in the mirror he immediately activated all sirens. For safety purposes.
        He wasn’t sure it wasn’t some foreign enemy due to the balaclava and shit.

  1. Actually, this was much more interesting (and more inline with the subject matter of this web site) than it first appeared:

    https://www.dallasnews.com/news/news/2017/04/10/hacker-broadcast-signal-triggered-dallas-emergency-sirens-friday-night

    “City officials don’t know who triggered Dallas’ outdoor warning sirens late Friday, but they do know how it was done — by broadcasting a few tones, via either radio or telephone signal.
    In other words, there was no computer hack.”

    1. Dan J.
      If you were an official would you want to scare the Genpop if it were actually a computer hack?
      Maybe it is related to this
      https://www.bloomberg.com/news/articles/2017-02-21/dallas-police-and-fire-pension-backs-cutbacks-to-avoid-collapse
      Dallas Police and Fire Pension Backs Cutbacks to Avoid Collapse
      http://www.zerohedge.com/news/2017-04-03/dallas-mayor-pulls-support-massive-taxpayer-bailout-police-pension
      Dallas Mayor Pulls Support For “Massive Taxpayer Bailout” Of Police Pension

      Zerohedge reported 4/4 sirens hacked 4/8.
      If we read between the lines below there are LOTS of angry people with enough interest to actually threaten the GOV.

      http://www.nbcdfw.com/news/local/Confrontation-in-Austin-over-Dallas-Police-and-Fire-pension-crisis-418025553.html
      For now House Bill 3158 preserves retiree benefits but eliminates future cost of living increases until the fund is more secure.
      “The guys working today, we’re taking a cut. We know that. I’m willingly taking a cut to my pension to save the overall fund,” said Dallas Firefighters Association President Jim McDad
      The bill also switches Deferred Retirement Option Plan (DROP) accounts to annuities paid over time, eliminating the option of large lump sum withdrawals that put the fund in even worse shape last year. Interest on DROP accounts is also eliminated. In the past, DROP participants were promised interest as high as 10% when the fund’s investments could not produce such returns.
      Dallas Mayor Mike Rawlings and Former Mayor Tom Leppert opposed the bill, saying it is too hard on taxpayers.
      “The citizens, the taxpayers, had nothing to do with the failure of this fund,” Mayor Rawlings said.
      HB 3158 would increase the taxpayer contribution from the current 27.5% of employee pay to at least 34.5%. The current annual sum of $124 million would rise to $134 million with an additional $11 million added on top of that.

        1. Oliver
          Well lets see NSA spying on everyone, DNC getting answers from debate officials, invading Iraq for no apparent reason, Bill Clinton did not have sex with that woman, Reagan didn’t sell arms to Iran via the Contras.
          How many of the above were considered “tinfoil hat wearing conspiracy” theories?
          Forgot Stuxnet.
          If I were you I would read more history because History is essentially conspiracies by one group to gain power over another.

          1. As far as ” invading Iraq for no apparent reason” goes, I would encourage you to look at a map of the Middle East. Look at where Iraq and Afghanistan are. Look at what country is in the middle. Find which of these 3 were trying to get access to nuclear arms during this time frame. (also look at base placement http://bit.ly/2ouAV3P , it’s a U shape surrounding that OTHER country.)
            Next look at South Korea and North Korea. Again we have troops in South Korea, adjacent to a country striving for Nuclear power…
            Next look at Germany, where we also have a large amount of troops stationed. It’s adjacent to the “USSR” countries, and I shouldn’t need to bring up the cold war to explain why this makes sense.
            The move to Iraq wasn’t because of terrorism, we just needed a story that dumb Americans would believe. In the grandest of grand schemes (this is tinfoil hat territory) losing all the people in the trade center is better than losing the state of New York a few nukes. Maybe the US did 9/11, or maybe it was perfect coincidence that it happened to give us a false reason to go to the middle east with hundreds of thousands of troops to “find bad guys”. Turn off the news, look at the maps, look at the troops, look at the political games that each country is playing. It will make better sense.

      1. Doubt that’s the motive as it’s moot to make protest without clearly communicating to the media what the protest is about.

        Those sirens are to alert for a few different things, so a different code for this alert, another for that. I’ll not classify this as a hack as all that had to be done is receive the dtmf for the monthly test and rebroadcast it. Hence, just a simple high school level prank requiring only Daddy’s ham shack and a recorder.

        Those of us old enough to remember the ’60s will easily recall that the monthly test was a siren for imminent attack.

  2. I can’t help thinking that they mustn’t “test” the system very often. With the emergency service number being inundated with calls it is a very different to what would happen if a fire alarm went off – ( in Australia at least fire alarms are tested every month which makes it often enough coulpled with false alarms that when an alarm does occur no one even flinches.

    Now this would have been amusing to watch the chaos erupt as concil workers ran around trying to shut the system down and the necessary knee jerking by government agencies to “fix” the problem tampering with a safety system is potentially rather dangerous to innocent bystanders.

    On the otherhand if there is a serious flaw with the system which the management is well aware of and refuse to do anything about than it very well might be justified.

          1. But different patterns are used to signify the nature of the warning. When they wail for a longer period of time, it means you are supposed to run outside to see if you can find the funnel cloud. ;) In the small town I glad they still sound them fore a fire. Gives people on the street to think about where they are and what volunteers that will be blasting down the streets.

    1. Eh, if it were to happen at like noon exactly, sure I can see why one would be confused about the public’s response. But keep in mind this happened at around midnight on an odd day. It doesn’t fit the “testing” pattern.

      1. Another Dallas resident here. I was downtown when they were going off. My buddies and I made a drinking game where we took a shot every time it went off, and needless to say we didn’t fare too well.

    1. Denmark: First wednesday of May, we’re testing all warning sirens throughout the country. Not testing more is probably because zombie apocalypse, will break out in the US… ;P

    1. It feels kinda like ham radio. No encryption allowed. Systems are controlled by 2-tone signals. These days, I think it safe to say that something more along the lines of digital communications protected with AES-256 or equivalent should be used for any kind of infrastructure if you want to maintain the possibility of control.

    2. The systems in my area (SE Wisconsin) can either be activated locally or remote via DTMF over POTS and/or 2m public safety band. They also provide feedback as to their status. With the FCC Narrow-Banding a few years ago, the majority had to be retrofitted or replaced.

  3. I used to install systems like this. Honestly, they are more like loudspeaker pagers on telephone poles than anything.
    To save from having to run control cables to each station, each siren would have a built-in VHF or UHF radio.
    There will be a control station that will have a computer interface, and maybe even a POTS interface, and a radio transmitter.
    They control station can be “logged into” by calling a landline number and entering a dtmf code, this gets you into a basic menu. You navigate like a regular phone system interface. “Press 1 to… Press 2 to…”
    Some can be triggered by a computer that can spit out data over rs232 from a monitoring client looking at emergency alert channels, weather monitors, etc. Anything really, it is just an API.

    When the control station gets activated, it will transmit an FM carrier with a subcarrier. Most often TPL or DCS.
    This is not security, it is to reduce carrier interference and control squelch.
    This will “talk” to each station after being amplified by a central repeater, most often changing the frequency.
    To activate the stations, the control station will transmit more DTMF codes to identify the stations. They can usually be configured to trigger individual sirens, but in systems like this, they usually all alert with one common activation DTMF code.

    Honestly, some of these systems can be triggered by sitting there during a test and scanning for the carrier frequency, and the subcarrier tone. Or if someone was drinking and/bored, they could sit there with a DTMF radio and start pushing buttons…

    I do not condone tampering with emergency alert systems. But this type of radio control system has been installed for years.
    Thankfully, many of the problems with them are being solved by upgrading the systems to digital with the recent FCC narrowbanding and modernization.

  4. I work with these systems for a living. 90% of the country all it takes is to record the OTA signals during an actual activation a play back with enough power to reach the receivers. Takes any decent quality voice recorder or app and a crappy $20 Baofeng radio. I’m surprised it doesn’t happen more often.

  5. imminent attack sirens dont scare me too much;

    “…if you recieve enough gamma radiation to cause sterility,
    or severe sickness, you’ll be killed by blast,
    flying debris, or heat anyway.”

    its powerplant mentdowns that have a need/use for a siren…
    but there is no such thing, or do modern (E.B.S.) systems have a code for that too???

    PS: they should have a code for meltdown, afterall there IS a code for zombie attack as such code was used for testing where i live and zombie attack alert was flashed accross TVs here a while ago… but MELTDOWNS ARE REAL … shows what kind of people are in charge… facebook generation… zombie warnings on gov infrastructure but no possible warning if fukushima happens here.

    PPS: i realise this is about tower-top sirens but we dont have those where i live because twisters here are small and last like 20 mins.

  6. So knowing the testing schedule in my local city, I could record with SDR from various locations over the course of a few weeks and compare what shows up similar across those areas then simply replay it back on the same freq?

  7. Note to all levels of governments in all countries…for the love of god please keep all critical infrastructure un-networked or at the very least as far away as possible from the internet.

  8. So they are doing the mock tornado warning today in WI, with plenty of advance notice so people don’t freak out too much. Perfect time to “record” for a later “replay”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s