The emergency alert systems that blare out warnings during natural disasters, terrorist incidents or manmade calamities could be hijacked into sending out false alarms.
A security company, Bastille, said Tuesday that it had found a vulnerability in San Francisco’s emergency alert system that would allow hackers to trigger the city’s sirens or even blare out malicious messages.
The Boston manufacturer, ATI Systems, said it had developed a patch that will be rolled out shortly and noted that such a hack “is not a trivially easy thing that just anyone can do.”
Balint Seeber, director of vulnerability research at Bastille, which has offices in San Francisco and Atlanta, Georgia, said he began studying vulnerabilities in the system of 130 or so public sirens and outdoor speakers scattered about San Francisco in 2016. Once he determined the radio frequencies employed, he said it would be easy to hijack the unencrypted system, even using only a $30 radio and a laptop.
A hacker could broadcast his or her own voice as a public address audible to the entire city, Seeber said.
ATI’s siren systems are installed at military bases, nuclear and petroleum plants, universities and urban centers across the country.
False alarms have caused dangerous panic, as was seen in Hawaii on Jan. 13. Human error, not hacking, caused an emergency text message warning of an incoming nuclear attack at a time of heightened tension with North Korea. It sent residents flooding into the streets, into underground shelters and clogging freeways on the islands.
A hacker did trigger all 156 emergency sirens in Dallas to sound off on April 7, 2017, waking up city residents.
An expert on the nation’s emergency alert systems, retired Rear Adm. David G. Simpson, said older parts of the nationwide network were not designed to thwart hackers.