Carrie Rengers

Have You Heard

Researcher finds Sedgwick County siren system vulnerable to tampering

By Carrie Rengers
Balint Seeber, director of vulnerability research at San Francisco-based security firm Bastille, says he found a vulnerability to hacking with Sedgwick County's warning notification system.
Balint Seeber, director of vulnerability research at San Francisco-based security firm Bastille, says he found a vulnerability to hacking with Sedgwick County's warning notification system. Courtesy photo

UPDATED —Sedgwick County has sirens to help keep residents safe in an emergency, but are the sirens safe from outside tampering?

No, says Balint Seeber, director of vulnerability research for San Francisco-based Bastille, a software company that on Tuesday attracted attention for Seeber's findings with similar systems that Boston-based ATI Systems built nationally.

"Sedgwick County is aware of Mr. Seeber’s voiced concerns," the county's communication department said in an e-mailed statement following questions from The Eagle.

ATI Systems creates warning notification systems for communities, schools, businesses and the military.

"Sedgwick County has evaluated the security of the warning system with ATISystem management and taken specific actions to initiate safeguards," the county's statement said.

It does not say what those actions are or when they were taken.

"Then that's probably part of their security posture, and we should respect that," says Ivan O’Sullivan, Bastille's chief revenue officer.

"They're taking it seriously."

ATI Systems president and COO Ray Bassiouni laughs at Seeber's assertion that Sedgwick County's system is vulnerable.

"It's very strange," he says. "They are concerned about nothing."

Bassiouni says there's a time function in the signal that requires a synchronization technique that would be 99.99 percent impossible for someone to hack.

"Probably if you give him another 10 years, maybe he can figure it out," Bassiouni says.

Seeber says after he collected enough data, he was able to see San Francisco's siren system pattern in three weeks, and he says his skills aren't unique.

He conducted his study into Sedgwick County's system from a hotel room at the Hyatt Regency Wichita on a short visit to Wichita in early February.

Seeber first began looking into the vulnerability of warning systems when he moved to San Francisco a couple of years ago and started hearing regular testing of that city's system.

"For me, as a newcomer, I was initially not sure what was going on, and it really grabbed my attention," he says.

Seeber noticed radio antennas on siren poles.

"The security researcher in me was wondering how the system worked."

Bastille deals in radio frequency security.

"That's kind of why we exist," O'Sullivan says.

Seeber says radio frequencies are shared space. Even though a siren system has its own frequency, it is still part of a shared space that can be monitored. So Seeber says he began studying the radio spectrum each week during siren testing to see what activity matched the testing. He studied thousands of transmissions to see what correlated to the testing — so many that he says his interest began to wane.

Then in April a year ago, someone successfully hacked into the siren system in Dallas, which isn't an ATI system, and set off its alarms.

"That really sparked my interest and reinvigorated me," Seeber says.

Eventually, he found the signal — an unencrypted radio signal conveys commands to set off the sirens — and Seeber began analyzing it and turned the transmissions into raw data that he could collect and interpret.

Seeber says the data could be used to activate the siren system, which means it was vulnerable to someone using it for malicious purposes.

"We were curious as to whether it was specific to San Francisco."

He wanted to test someplace else with a similar system and a regular weekly testing time, which is how he came to Wichita.

"I flew out there and tested and found that vulnerability," Seeber says.

He also tested another market but isn't naming it because it is now using a different system.

Seeber says anyone with a $35 handheld radio — the kind popular with radio hobbyists — and a laptop could hack into a siren system and create a sound, a recorded message or anything else that's able to be broadcast.

"The laptop makes that message."

Seeber flew to Wichita on a Sunday so he could be ready with his hardware for the weekly noon Monday testing of Sedgwick County's system.

"While I was there, I managed to make the recording, do the same kinds of analysis and compare it against my findings in San Francisco," Seeber says. "At that point, we informed Sedgwick County of the vulnerability. . . . We forwarded our findings, and they said they would look into it."

Seeber says in particular he and Bastille wanted to share what he found with ATI Systems so it could address his findings. He says he urges other vendors to check their systems as well.

Bassiouni says because of the "big media disturbance" Bastille has created, the company added another layer of security to its system in San Francisco and is adding one in Sedgwick County. What he calls an unnecessary encryption upgrade for the county is being tested now and will be delivered in a week.

"In a week, there's no way that anyone can hack that."

Bassiouni says his company has about 5,000 systems worldwide and that in three decades it has never had a false activation.

In its statement, Sedgwick County said it is in regular contact with ATI Systems and relies on the company to provide upgrades in security as threats are identified.

"The top priority in Sedgwick County is keeping our citizens safe and secure."

Reach Carrie Rengers at 316-268-6340 or crengers@wichitaeagle.com.

This story was originally published April 10, 2018 at 8:54 PM with the headline "Researcher finds Sedgwick County siren system vulnerable to tampering."

Get unlimited digital access
#ReadLocal

Try 1 month for $1

CLAIM OFFER