SirenJack is a vulnerability found in ATI Systems’ emergency alert systems that can be exploited via radio frequencies (RF) to activate sirens and trigger false alarms. The radio protocol used to control the sirens is not secure (activation commands are sent ‘in the clear’ - no encryption is used). A bad actor can find the radio frequency assigned to a deployment, craft malicious activation messages, and transmit them from their own radio to set off the system. All that is required is a $30 handheld radio and a computer.
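The forgery risk described above is what per-command authentication is meant to stop. The sketch below is an added example, not ATI Systems' protocol or fix and not Bastille's code: a receiver that accepts an activation frame only if it carries a valid keyed MAC and a fresh counter. The frame layout, field sizes, key and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (an assumption, not ATI's protocol):
# siren_id (2 bytes) | counter (4 bytes) | command (1 byte) | tag (16 bytes)
HEADER = struct.Struct(">HIB")
TAG_LEN = 16  # truncated HMAC-SHA256


def build_frame(key, siren_id, counter, command):
    """Controller side: append a MAC computed over the header fields."""
    header = HEADER.pack(siren_id, counter, command)
    return header + hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


class SirenReceiver:
    def __init__(self, key, siren_id):
        self.key, self.siren_id = key, siren_id
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame):
        if len(frame) != HEADER.size + TAG_LEN:
            return "reject: malformed"
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "reject: bad tag"
        siren_id, counter, command = HEADER.unpack(header)
        if siren_id != self.siren_id:
            return "reject: wrong address"
        if counter <= self.last_counter:  # previously seen frame sent again
            return "reject: replay"
        self.last_counter = counter
        return f"accept: command {command}"


def demo():
    key = bytes(range(32))  # constructed demo key, never a real one
    rx = SirenReceiver(key, siren_id=7)
    genuine = build_frame(key, 7, 1, 0x01)
    unkeyed = HEADER.pack(7, 2, 0x01) + bytes(TAG_LEN)  # sender without the key
    altered = genuine[:6] + b"\x02" + genuine[7:]  # command byte changed in transit
    return [rx.accept(genuine), rx.accept(genuine), rx.accept(unkeyed),
            rx.accept(altered), rx.accept(build_frame(key, 7, 2, 0x02))]


if __name__ == "__main__":
    print(demo())
```

The counter check matters as much as the MAC: without it, a genuine frame that was received once would still verify when sent again.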
How was the SirenJack Vulnerability Discovered?
Balint Seeber, Director of Vulnerability Research at Bastille, discovered the vulnerability when he noticed that the emergency alerting system in San Francisco used RF communications and that its signals were not encrypted. Balint monitored the radio spectrum to find the frequency used by the city’s Outdoor Public Warning System. Once the frequency was found, analysis of the radio protocol quickly showed that commands were not encrypted and therefore vulnerable to forgery, rendering the system susceptible to malicious activations.