General Discussion

Typically, a city will have just one, central computer workstation that is used to manage a city-wide deployment of civil defense horns. Hacking into that system either from the network its connected to, or by gaining physical or logical access to the actual terminal is all that’s needed to carry out the kind of attack seen in Dallas over the weekend [Steve Jung, a security researcher and penetration tester who has helped assess the security of such systems] said.

It wouldn’t be the first time. In 2013, for example software and equipment by the firm Monroe that is used to managed emergency alert systems was the target of a hack during which EAS equipment operated by broadcasters in Montana, Michigan and other states was compromised and used to issue an alert claiming that the “dead are rising from their graves,” and advising residents not to attempt to apprehend them. Researcher Mike Davis of the firm IOActive discovered those flaws and, later, in the digital alerting systems – DASDEC – application servers, which receive and authenticate EAS messages. A scan of the public Internet at the time by IOActive found 412 systems running vulnerable Monroe Electronics software. A subsequent patch by Monroe to address some security issues in its products failed to address serious security issues.

The software that controls civil defense and alerting systems like the Dallas sirens is often vulnerable to both network and application-focused attacks, experts say. “I would venture to guess that this is a relatively new frontier for that kind of software – even to think about an application focused attack,” Jung said. “In 20 years in (information security) I’ve never seen static code analysis of one of those boxes,” he said, referring to the siren systems.