Hacked Dallas sirens, maintained by office furniture movers, show U.S. not serious about critical infrastructure

We’d better not ignore these sirens.

Bob Sullivan

It’s tempting to ignore the warning sirens that blared Dallas out of bed Saturday night — but that would be a very serious mistake.

We hear so much about the importance of securing America’s critical infrastructure systems. Then you find out that the company responsible for maintaining the Dallas outdoor warning siren network — the one that was hacked Saturday night — is also an office furniture moving company.

In case you missed it, Dallas’s outdoor sirens screeched continuously overnight Saturday, harassing many of the city’s residents with the ultimate false alarm. The incident was initially believed to be a malfunction, but by Sunday city officials conceded it was a hack.

The sirens are supposed to warn residents about immediate danger, like tornadoes.

They did their job.

America just received perhaps the clearest warning ever that our essential services are comically easy to attack, putting our citizens in serious peril.  Will we listen, or just go back to sleep?

One can’t say it any plainer: When bricks start falling off a bridge into the water, you fix the bridge.  (Maybe.) That’s what we have here.

No one died Sunday morning. There was no blood, so there weren’t any dramatic pictures.  But there will be. It doesn’t take much imagination to see how easily this hacker prank (or, was it a test?) could have gone very wrong. For starters, it served as a denial of service attack on the city’s 911 system, which was overwhelmed with calls.

More than 4,400 911 calls were received from 11:30 p.m. to 3 a.m., the city said.  About 800 came right after midnight, causing wait times of six minutes. As far as we know, no one died because of this.  But that could have happened.

But that’s only the tip of the iceberg. Security experts I’ve chatted with have warned for years of a hybrid attack that could easily cause panic in a big city. Imagine if this hack had been combined with a couple of convincing fake news stories suggesting there was an ongoing chemical attack on Dallas.  Without firing a shot, you could easily see real catastrophes.  Take it a step further, and combine it with some kind of physical attack, and you have a serious, long-lasting incident on your hands. Death, followed by massive confusion, then panic, then a bunch of sitting ducks stuck in traffic.

Playing the “what…if” game sometimes leads to exaggeration. But it is called for when someone is about to ignore a warning sign.  So I asked security consultant Jeff Bardin of Treadstone71 to tell me why the Dallas incident should be taken seriously.

For one, it could have been a diversionary tactic.

“Testing the emergency systems, getting to a ‘cry wolf’ state of affairs, getting authorities into a full state of chaos and confusion while hacking and penetrating something else.  Kansas City shuffle,” he said.  “This looks to me to be a test of the systems. Could also be more than a test meaning what was hacked during this fake emergency?”

Dallas has been hit by “prank” hacks before.  Last year, traffic signs were hijacked to display funny messages like “Work is Canceled — Go Back Home.”  Very funny. But this means we know the city’s systems are being actively probed.  Any intelligent person has to consider what other systems this person or gang has toyed with. And, more important, what other cities they have toyed with.

“If I as a hacker can control the emergency systems, alarms, building security, HVAC, traffic lights, first responder system, medical facility interfaces, law enforcement, etc., all the normal physical systems that now have internet interfaces, I can control the whole of the city,” Bardin said. “What else was penetrated during this ‘test?’  How many other major cities in the US operate the same way? What was injected into these systems during the test for later access?”

Hopefully, the Dallas siren hacker is a kid who found flaws in a very old, insecure system and had some fun for a night, Bardin said. Perhaps it was someone trying to “prove a point,” though in a careless, dangerous way that did put lives in danger.

Point not made.  Life is full of disasters averted, then ignored. The planes that almost collided. The car accident narrowly averted. The key that was lost (without a duplicate!) but is found.

It’s 48 hours after a major U.S. city had its sirens blaring all night long. Are you hearing about federal investigations? Are you hearing about executive orders around critical infrastructure? (You did. But then, you didn’t.)

“Amazing this is not getting headlines,” Bardin said. “Not amazing that they have the uninitiated managing the systems who have a side job in furniture. Perfect. Just f**ing perfect.”

As for the furniture-moving company behind the sirens, it’s probably unfair to blame them.  The Dallas Morning News reported that Michigan-based West Shore Services was in charge of maintaining the system.

Indeed, here is the resolution from the city council back in 2015 authorizing payment of $567,000 to West Shore during a six-year period.  Yup, that’s around $100,000 annually, for repair and maintenance. And that’s a MAXIMUM.  I suspect it includes the price of replacing broken equipment. I’d think it doesn’t include penetration testing. I’m sure it doesn’t include overhauling the system from its old, practically indefensible architecture.

No wonder the firm needs a side business.

An operations manager for West Shore told the Dallas Morning News he didn’t know anything about the incident.  The firm didn’t respond to my questions sent via email.

But the biggest question of all:  Will anyone hear this warning siren? Or will we all go back to sleep, like Dallas did?

UPDATE 6:30 p.m. 4/10/17 – Federal Signal Corporation, which made the Dallas sirens but does not currently manage them, said it was working with authorities to determine what happened.

“The City of Dallas, Texas, has multiple outdoor warning sirens installed across the Dallas area. The outdoor warning sirens were manufactured by and purchased from Federal Signal Corporation …  Although, Federal Signal does not currently have the contract to maintain the City of Dallas outdoor warning siren system, the company is actively working with the Dallas Office of Emergency Management to determine the cause of the unintended activation,” the firm said in a statement emailed to me.

Dallas Mayor Mike Rawlings seemed to get it, and called for serious investment in the wake of the attack.

“This is yet another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure,” he wrote on his Facebook page. “It’s a costly proposition, which is why every dollar of taxpayer money must be spent with critical needs such as this in mind. Making the necessary improvements is imperative for the safety of our citizens.”

Let’s hope someone listens, and those sirens are heard far outside Texas.
