The emergency alert systems that blare out warnings during natural disasters, terrorist incidents or manmade calamities could be hijacked into sending out false alarms.
A security company, Bastille, said Tuesday that it had found a vulnerability in San Francisco’s emergency alert system that would allow hackers to trigger the city’s sirens or even blare out malicious messages.
The Boston manufacturer, ATI Systems, said it had developed a patch that will be rolled out shortly and noted that such a hack “is not a trivially easy thing that just anyone can do.”
Balint Seeber, director of vulnerability research at Bastille, which has offices in San Francisco and Atlanta, Georgia, said he began studying vulnerabilities in the system of 114 public sirens and outdoor speakers scattered about San Francisco in 2016. Once he determined the radio frequencies employed, he said it would be easy to hijack the unencrypted system, even using only a $30 radio and a laptop.
A hacker could broadcast his or her own voice as a public address audible to the entire city, Seeber said.
ATI’s siren systems are installed at military bases, nuclear and petroleum plants, universities and urban centers across the country.
False alarms have caused dangerous panic, as was seen in Hawaii on Jan. 13. Human error, not hacking, caused an emergency text message warning of an incoming nuclear attack at a time of heightened tension with North Korea. It sent residents flooding into the streets and into underground shelters, and clogged freeways on the islands.
A hacker did trigger all 156 emergency sirens in Dallas to sound off on April 7, 2017, waking up city residents.
An expert on the nation’s emergency alert systems, retired Rear Adm. David G. Simpson, said older parts of the nationwide network were not designed to thwart hackers.
“It should be very concerning to citizens but certainly to emergency management professionals,” said Simpson, the former chief of the Public Safety and Homeland Security Bureau of the Federal Communications Commission.
Older alert systems, he said, “were never designed to counter an advanced cyber adversary. They are very vulnerable.”
Any vulnerability in emergency alert systems, trusted by the public, could undermine confidence in the government’s ability to detect and warn people of real threats, he said.
“If you set up a system where a large population is residing and knows that the system is exclusively for emergencies, and people have confidence that it works, when it goes off, people genuinely get really scared and distressed,” Seeber said.
ATI Systems is one of the larger players among manufacturers of the alert systems, and numerous military installations, such as Eglin Air Force Base in Florida’s Panhandle, are clients, according to its website. The company also notes that One World Trade Center, the New York skyscraper that replaced those destroyed in the 2001 terror attacks, uses one of its systems.
Other clients include the University of South Carolina among other academic institutions, and governments such as Sedgwick County, Kansas, surrounding Wichita.
Audible warning systems are crucial during emergencies, experts say, because high traffic can cause cell phone signals to go out and power to fail.
In its statement, ATI Systems said many of its military clients use more sophisticated encrypted emergency alert systems than the older system set up in San Francisco.
“It is interesting to note, for example, that when the ATI system was installed at San Francisco 14 years ago there was no such thing as an iPhone because they hadn’t been invented yet,” the company said.
Simpson, the former FCC official, said emergency management professionals should take a new look at alert systems across the country “to really better assess where the weak points are and assign clear accountability.”
At places like universities, he said, any legacy system without adequate safeguards to deter hacking could prove to be more disruptive than helpful if breached.
“What if that is hacked and a false message is sent? Might that be worse than any lives saved from having the system to begin with?” Simpson asked.
During a Senate field hearing in Honolulu last Thursday on the false missile alert that shook Hawaii, a commander acknowledged that the military made mistakes that compounded general alarm. Pacific Command, which oversees U.S. military operations throughout the Asia-Pacific region, knew the missile alert from the state’s emergency management agency was false yet did nothing when a duty officer triggered warning sirens at a joint base at Pearl Harbor.
Clarification: This article has been updated to change the number of public sirens and outdoor speakers in San Francisco to 114. An earlier version had an estimated number.