Hacking The City of Dallas’ Infrastructure: Phreaking The Emergency Management System

If you were sleeping in Dallas, Texas on the night of Saturday, April 8th, 2017, you may have had a rude awakening.

At approximately 11:42 PM that night, Dallas’ emergency warning system unexpectedly became active. Sirens that are normally used to alert citizens of an impending emergency turned on with a blaring screech. This wasn’t a few malfunctioning units. This was all 156 of the city’s sirens.

Surprisingly, no one knew what was going on, including the City’s Office of Emergency Management (OEM). It took another thirty minutes from the time the sirens started for OEM to acknowledge they were active. It then took another hour before they were able to turn them off. For a total of 90 minutes, the city didn’t have full control over an integral part of its infrastructure. To make matters worse, they had to completely turn off the system in order to get the sirens to shut off.

Several questions arose from this mishap. Was it a test of the system or something else? Why couldn’t anyone from OEM turn the sirens off? Why did it take so long for them to acknowledge the system was even active? Why did the entire emergency warning system become active?

Hackers at Play

During a press conference, Dallas City Manager, T.C. Broadnax, provided further insight into the malfunction. After an initial investigation, city officials realized that the system had actually been hacked.

Early indicators suggested their computer network was breached. As the evidence unfolded, the investigators realized that the hackers were able to penetrate the emergency warning system by transmitting malicious radio signals at specific frequencies that eventually activated the sirens.

This kind of attack is a very old method that was commonly used when telephone land lines were more popular. It is called “phreaking”: a hacker uses tonal sounds to generate a response, such as placing a call to a long-distance number for free or, in this case, activating Dallas’ geographically separated emergency sirens.

Although Mr. Broadnax was vehement that this was not a “system software issue”, he did admit that the system’s age and the failure to encrypt the radio networks used to communicate with the sirens were the top factors leading to this mishap.
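A simplified model of the weakness described above, as an added example that is not the city’s or any vendor’s code: a receiver that acts on a fixed, unprotected activation signal accepts a recorded copy of it, while one that checks a keyed tag and a counter rejects replays and forgeries. It goes beyond the page in using message authentication with a counter rather than encryption alone; the frame layout, key and command names are all constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration; not taken from any real siren system.
LEGACY_ACTIVATE = b"ACTIVATE-ALL"           # stands in for a fixed activation signal
DEMO_KEY = b"constructed-demo-key-only"     # hypothetical shared secret
TAG_LEN = 32                                # HMAC-SHA256 output size

class LegacyReceiver:
    """Acts on any frame that matches the fixed activation pattern."""
    def handle(self, frame: bytes) -> bool:
        return frame == LEGACY_ACTIVATE

class AuthenticatedReceiver:
    """Requires a valid HMAC tag and a strictly increasing counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def handle(self, frame: bytes) -> bool:
        if len(frame) < 8 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                    # forged or corrupted frame
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return False                    # replay of an earlier frame
        self.last_counter = counter
        return True

def build_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Hypothetical frame layout: 8-byte counter | command | 32-byte tag."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

def demo() -> dict:
    results = {"legacy_replay": LegacyReceiver().handle(LEGACY_ACTIVATE)}
    rx = AuthenticatedReceiver(DEMO_KEY)
    frame = build_frame(DEMO_KEY, 1, b"ACTIVATE-ALL")
    results["auth_first"] = rx.handle(frame)      # legitimate command
    results["auth_replay"] = rx.handle(frame)     # same frame sent again
    results["auth_forged"] = rx.handle(build_frame(b"wrong-key", 2, b"ACTIVATE-ALL"))
    results["auth_next"] = rx.handle(build_frame(DEMO_KEY, 2, b"TEST"))
    return results

if __name__ == "__main__":
    print(demo())
```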

Interestingly enough, internet sleuths dug deeper into Broadnax’s presentation of the events. After scouring for more clues on what really happened, they were able to find that details of the warning system were readily available on the city’s website! These details showed that the system’s backend was indeed software-driven.

Secondary Effects of An Initial Hack

As with Mr. Broadnax’s statements at the press conference, many organizations believe that if one of their systems is hacked, the other systems will remain unaffected. This couldn’t be further from the truth. The secondary effects of the initial hack can be just as bad as, if not worse than, the initial intrusion.

This event, which began as a phreaking attack against the emergency warning system, compounded into a pseudo Distributed Denial of Service (DDoS) attack against the City’s 911 calling system. So many people were calling 911 to report the noise from the sirens that the system collapsed under the excessive call volume. The situation was further compounded when citizens did not receive any word on what was going on. The panic was so intense that call hold times went from 10 seconds to six minutes.

The takeaway from this part of the incident is to consider how this affected legitimate calls for fire or police. Also consider what would have happened if this had been the beginning of a much larger terrorist attack. Thankfully, this didn’t occur, but the potential of something like this to disrupt first responders is a real threat to their ability to deal with a mass casualty incident.

The Human Element

Regardless of the technology, its age, or its complexity, we see that humans are an essential element to maintaining a city’s infrastructure in good working order.

City officials need to require that their administrators carry out comprehensive cyber security awareness training, network testing, and development of breach responses. Training city workers should include the five elements of cyber resilience which are: identify, protect, detect, respond, and recover.

First, a trained workforce probably would have known better than to post the details of the emergency warning system on the City’s website. Second, it appears that the City didn’t fully understand how its older emergency warning system worked with the newer technologies in the City’s infrastructure when it didn’t perform as expected. Third, it’s probably clear that the City could have done a better job of responding to this emergency by having plans in place to deal with the large volume of 911 calls in the event of a “real” DDoS attack. Finally, the City needs to create redundancies to disseminate information to calm citizens if something like this should happen again.

Now, this may be a tall order for budget-strapped municipalities with overworked city employees. However, the alternative can be far more expensive, quantitatively as well as qualitatively. There are currently several companies within the cyber security industry that focus on cyber resilience. Large organizations that find it difficult to stay abreast of the changes in technology and the assets within their infrastructure should consider contracting with a firm that can augment already strained IT Departments. Currently, there are several companies that specialize in these activities, such as Rylet Industries, LLC. A specialist can provide a comprehensive risk assessment, employee training, and breach response expertise to create a cyber resilient posture to strengthen a city’s infrastructure.

Regardless of who city officials choose or how they choose to protect their infrastructure, they must start to consider the growing impact of cyber security. Our civilization is moving at a technological pace that has never been seen in all of mankind. Protecting the interests of their citizenry must include a conversation on cyber resilience.

 

This post was written by Sandy Braccey and edited by Eric Powell for Rylet Industries, LLC

Copyright 2017 Rylet Industries, LLC. All Rights Reserved.