Many computer security breaches are designed to stay under the radar, so they remain undetected and unmitigated for as long as possible. But every once in a while we see a breach that is meant to draw as much attention and wreak as much havoc as possible. If ever a security breach was designed to be difficult to ignore, it was the one that was exploited in Dallas last week to set off 156 emergency sirens—typically used to warn residents about tornadoes and other serious weather events—for more than an hour and a half on Friday night and into early Saturday morning, until the city finally unplugged and shut off the entire alert system.
It was an interesting security breach not just because it was loud but also because it targeted an emergency alert system. Those alert systems have become increasingly integrated into modern computing technology over the past few years. Where once people might have had to listen to the radio or watch a TV news program to learn about school or other closings due to inclement weather, now every snow delay is simultaneously conveyed via multiple automated emails, text messages, and voicemails. Without your even asking or signing up, your phone may abruptly warn you about serious weather events in your area (sometimes even with a loud, rather sirenlike noise).
Of course, there are good reasons to make these alerts more widespread and more intrusive, and to convey them over multiple different channels. If there actually is an emergency—weather-related or otherwise—it’s important for as many people to find out about it as quickly as possible. But it shouldn’t come as a surprise that as we’ve upgraded and advanced the technology behind our emergency alert systems, they’ve become increasingly vulnerable to compromise.
Which makes it all the more notable that the Dallas system was apparently compromised not because of any high-tech computer-based vulnerability, but rather by a more old-school technology: broadcast. According to the Dallas News, the compromise was perpetrated by broadcasting tones via radio or telephone signal on the specific frequency that was used to communicate with the warning sirens. Since the emergency shutdown on Saturday, officials have apparently added “some encryption” to the broadcast system to make it harder to manipulate.*
The officials investigating the incident believe it was perpetrated by someone locally within Dallas who had physical access to the central alert system hub that connected all of the sirens. If they’re right about that, it’s pretty good news—it’s easier to physically secure a main operations center, and it increases the odds of actually catching the perpetrator. An early alert system that someone needs physical access to in order to compromise is significantly more secure than one that can be activated remotely.
These lessons about manual fail-safe switches and the dangers of remote access are, in large part, the same ones we return to over and over again in discussions about how to protect the “critical infrastructure” from cybersecurity breaches. What precisely should be included in critical infrastructure has been the topic of long and ongoing debates—most recently, in January, when the Department of Homeland Security designated election equipment as critical infrastructure.
Those designations matter because the government gets more involved in handling the security of critical infrastructure systems (for instance, the electric grid and financial systems) than it does with non-critical systems. These critical infrastructure systems are the ones DHS deems “so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety,” and it has outlined infrastructure elements in 16 different sectors that meet these criteria. Depending on who you ask, organizations responsible for protecting critical systems either receive more support and intelligence from the government, or are subject to more onerous regulations and requirements put in place by the government. Each of those 16 sectors has a National Infrastructure Protection Plan, and emergency alert systems are mentioned in both the Communications Sector and the Emergency Services NIPPs.
The Dallas siren breach serves as a reminder that critical infrastructure is more than just the few things that we usually think of as “critical” like the energy grid. On the one hand, the Dallas incident seems almost like a silly prank (at least to those of us whose sleep wasn’t disrupted). But if people stop taking those sirens and other alert systems seriously when they go off, then all of the effort that’s been put into updating them to be more effective and widespread will have backfired completely.
*Update, April 10, 6:45 p.m.: This piece was updated with new information about the investigation into the security breach.