[SystemSafety] a Dallas accident [No Classification]

Peter Bishop pgb at adelard.com
Tue Apr 25 15:43:29 CEST 2017 

Other possibilities might be:

1) Replay of a recording of genuine test radio transmission(s)
2) Hack into a control point and issue the commands from there
   - apparently there is no log of control commands
   - but the hacker might be smart enough to erase the log

Peter Bishop

On 24/04/2017 09:17, Barnes, Robert A (NNPPI) wrote:
> This message has been marked as No Classification by Barnes, Robert A (NNPPI)
> 
> 
> I've seen some technical speculation that points to it being a pirate radio signal, rather than a computer hack.  To put a bit of meat on the bones, I've looked at publically-available information about the Dallas warning system is available online.
> 
> What we know about the Dallas system:
> 
> 1) Modern system, installed between 2007 and 2010,
> 2) 154 Federal Signal 2001-130 outdoor warning sirens,
> 3) 1 Federal Signal MOD6024 omni-directional warning siren,
> 4) Controlled by UHF radio broadcast,
> 5) 3 control points: City Hall Emergency Operations Centre, City Hall Police Dispatch, CIS Radio Shop,
> 6) At least one of these control points supports remote activation over the internet,
> 7) Control points use a Federal Signal Commander SS2000+ Local Hardware Activation Point and a radio transceiver,
> 8) At least one of the control point PCs was running Windows XP in 2012,
> 9) The SS2000+ supports 2-tone Emergency Action System (853+960 Hz), DTMF or Audio Frequency Shift Keying (AFSK).
> 
> Based on the above, one way in which it could have been done is as follows:
> 
> 1) Use the FCC online licence database to look up all the radio licences held by the City of Dallas (which I have deliberately omitted from this analysis),
> 2) Use a scanner or cheap SDR to monitor those frequencies during a siren test and find the control channel,
> 3) Obtain a high-power radio transceiver that covers the system frequency,
> 4) Use something (sound card, Arduino, whatever) to generate the EAS tones (853+960 Hz),
> 5) Feed those to the radio and transmit on the siren control channel.
> 
> Again, I found out all this information in less than an hour, using nothing more than Google.  To me, the Dallas siren hack is the perfect storm of a system with poor inherent security, coupled with poor information security on the part of the City of Dallas that led to lots of technical information about the system being available online.
> 
> Since the hack, the City has said that they've "added encryption", which to me smells like they've changed over from 2-tone EAS or DTMF to AFSK, which can use much more complex (and slightly more difficult to replicate) codes for siren activation.  However, this raises an interesting issue: increasing complexity always raises the spectre of reduced reliability, which is rarely welcome in a safety related system of any flavour.  On the other hand, the risk of unauthorised activation of the sirens has public safety consequences; therefore, there is a balance to be struck somewhere.
> 
> Regards,
> -Rob
> 
> -----Original Message-----
> From: systemsafety [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Gergely Buday
> Sent: 23 April 2017 19:40
> To: The System Safety List
> Subject: [SystemSafety] a Dallas accident
> 
> https://www.washingtonpost.com/news/the-intersect/wp/2017/04/09/someone-hacked-every-tornado-siren-in-dallas-it-was-loud/?utm_term=.789f8d806ae3
> 
> http://www.theverge.com/2017/4/9/15235306/hackers-activated-emergency-sirens-dallas-texas-cybersecurity
> 
> https://www.wired.com/2017/04/dallas-siren-hack-wasnt-novel-just-really-loud/
> 
> Have you seen a technical description of the hack?
> 
> - Gergely
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
> 
> The following attachments and classifications have been attached:
> The data contained in, or attached to, this e-mail, may contain confidential information. If you have received it in error you should notify the sender immediately by reply e-mail, delete the message from your system and contact +44 (0) 3301235850 (Security Operations Centre) if you need assistance. Please do not copy it for any purpose, or disclose its contents to any other person.
> 
> An e-mail response to this address may be subject to interception or monitoring for operational reasons or for lawful business practices.
> 
> (c) 2017 Rolls-Royce plc
> 
> Registered office: 62 Buckingham Gate, London SW1E 6AT Company number: 1003142. Registered in England.
> 
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
> 

-- 

Peter Bishop
Chief Scientist
Adelard LLP
24 Waterside, 44-48 Wharf Rd, London N1 7UX
http://www.adelard.com
Recep:  +44-(0)20-7832 5850
Direct: +44-(0)20-7832 5857

Registered office: Stourside Place, Station Road, Ashford, Kent TN12 1PP
Registered in England & Wales no. OC 304551. VAT no. 454 489808

This e-mail, and any attachments, is confidential and for the use of
the addressee only. If you are not the intended recipient, please
telephone 020 7832 5850. We do not accept legal responsibility for
this e-mail or any viruses.

More information about the systemsafety mailing list