Hacker takes control of 156 emergency sirens in Dallas

[Shawn Knight]

Dallas residents were in for a rude awakening – quite literally – early Saturday morning thanks to what city officials are calling nefarious activity courtesy of a hacker.

Rocky Vaz, the director of Dallas’ Office of Emergency Management, said that all 156 of the city’s emergency warning sirens were activated shortly before midnight on Friday. Officials initially though a malfunction was to blame but as the activity spilled into early Saturday morning, it became clear that such was not the case.

As The Verge highlights, the sirens were activated in 90-second cycles a total of 15 times before workers pulled the plug on the system.

Vaz said the team investigating the matter eventually found a vulnerability used by the attackers to infiltrate the system and sound the alarms. The warning system was back online and functional by Saturday night, city officials revealed on Twitter.

While Vaz conceded that identifying the attacker(s) will be like finding a needle in a haystack, Mayor Mike Rawlings affirmed that authorities will find and prosecute the party or parties responsible.

Annoyance aside, the hack shed negative light on the city’s 911 call system which was overloaded with calls during the activity. The Dallas Morning News reports that more than 4,400 calls were placed to 911 between 11:30 p.m. and 3 a.m. which is twice the number of calls usually received between the hours of 11 p.m. and 7 a.m.

Permalink to story.

https://www.techspot.com/news/68866-hacker-takes-control-156-emergency-sirens-dallas.html

 

[EClyde]

Cool

 

[Uncle Al]

Hmmmmmmmm ..... considering the state of affairs in the world today, this sort of thing is beyond immature, it's simply stupid. I am surprised that so many of these systems remain vulnerable in this day and age, but then again, I have found a large number of AT&T switches that still have the same default password, never changed despite several administrators. We are indeed our own worst enemies .......

 

[Skjorn]

Hmmmmmmmm ..... considering the state of affairs in the world today, this sort of thing is beyond immature, it's simply stupid. I am surprised that so many of these systems remain vulnerable in this day and age, but then again, I have found a large number of AT&T switches that still have the same default password, never changed despite several administrators. We are indeed our own worst enemies .......

People are lazy. Most businesses still run XP. Not surprised.

 

[Rippleman]

While security should be paramount it will NEVER be 100%. To assist and discourage, a clear and strong deterrent has to be in place. Any emergency systems hack and/or attempt 20 years federal prison minimum sentence. Too harsh? Then don't do it. Too extreme? Then don't attempt it. Too crazy? Then don't consider it. Lives are on the line, extreme deterrent is needed.

 

[Scshadow]

Awww... I think its cute they think its just like finding a needle in a haystack. They probably don't even have the security logs to identify who intruded their system. The investigation is probably already dead. Most systems don't have the proper logs running on their systems. They hire cybersecurity experts to come in and find the hacker. They walk in and say where's the logs? No? Okay like what do you expect me to do?

 

[Kotters]

While security should be paramount it will NEVER be 100%. To assist and discourage, a clear and strong deterrent has to be in place. Any emergency systems hack and/or attempt 20 years federal prison minimum sentence. Too harsh? Then don't do it. Too extreme? Then don't attempt it. Too crazy? Then don't consider it. Lives are on the line, extreme deterrent is needed.

On the flip side, zero tolerance policies have been found to not be particularly more effective than more lenient sentencing policies. There's only so much deterring you can achieve by punishment.

Securing systems is hard. This means you should put in more effort to secure them. Right now much infrastructure is networked and vulnerable. We have a long way to go before "make hacking more punishable than murder" is among the best options.

 

[HafizNafes89]

While security should be paramount it will NEVER be 100%. To assist and discourage, a clear and strong deterrent has to be in place. Any emergency systems hack and/or attempt 20 years federal prison minimum sentence. Too harsh? Then don't do it. Too extreme? Then don't attempt it. Too crazy? Then don't consider it. Lives are on the line, extreme deterrent is needed.

While I agree with you, I am actually more in favor of the death penalty! anyone caught hacking should be sentenced to death by lethal injection.

 

[MoeJoe]

L M A O

 

[Skidmarksdeluxe]

While security should be paramount it will NEVER be 100%. To assist and discourage, a clear and strong deterrent has to be in place. Any emergency systems hack and/or attempt 20 years federal prison minimum sentence. Too harsh? Then don't do it. Too extreme? Then don't attempt it. Too crazy? Then don't consider it. Lives are on the line, extreme deterrent is needed.

Yeah, I agree. Let's petition for convicted perps being sent to be burnt at the stake again. Make it public, in a sports stadium for instance with gate fees charged and refreshments being sold. A nice day out for the whole family to enjoy. (y)

 

[cartera]

Why are these even connected to the web? These should be offline with access at the permanently manned 911/999 call centres.

 

[Kibaruk]

Hmmmmmmmm ..... considering the state of affairs in the world today, this sort of thing is beyond immature, it's simply stupid. I am surprised that so many of these systems remain vulnerable in this day and age, but then again, I have found a large number of AT&T switches that still have the same default password, never changed despite several administrators. We are indeed our own worst enemies .......

I think this sort of things leave the ineptitude of those who are in charge of this things very visible. This systems are meant for emergencies situations, both security, safety and communication is extremely important, all of them failed and in a NONE EMERGENCY situation.

Since most governments are reactive instead of proactive, things like this need to happen before they rethink their ways and procedures. I'm only glad it wasn't during an actual emergency.

 

[wiyosaya]

Why are these even connected to the web? These should be offline with access at the permanently manned 911/999 call centres.

Marketing?

 

[wiyosaya]

While security should be paramount it will NEVER be 100%. To assist and discourage, a clear and strong deterrent has to be in place. Any emergency systems hack and/or attempt 20 years federal prison minimum sentence. Too harsh? Then don't do it. Too extreme? Then don't attempt it. Too crazy? Then don't consider it. Lives are on the line, extreme deterrent is needed.

On the flip side, zero tolerance policies have been found to not be particularly more effective than more lenient sentencing policies. There's only so much deterring you can achieve by punishment.

Securing systems is hard. This means you should put in more effort to secure them. Right now much infrastructure is networked and vulnerable. We have a long way to go before "make hacking more punishable than murder" is among the best options.

I have to agree.

It is highly likely that they installed these without ensuring that there were proper security measures in place. In any installation like this, security has to be the top priority, and if it is not, those specifying the requirements need to be sent back to school to learn that the internet is often a dangerous place that warrants the utmost in security on installations like this.

AFAIK, there are already laws in place making hacking of any sort illegal. A stiffer penalty would basically do nothing, and perhaps might give a false sense of security when planning a system like this - which would be, IMO, totally stupid. A law will not enhance security.

 

[Rippleman]

I have to agree.

It is highly likely that they installed these without ensuring that there were proper security measures in place. In any installation like this, security has to be the top priority, and if it is not, those specifying the requirements need to be sent back to school to learn that the internet is often a dangerous place that warrants the utmost in security on installations like this.

AFAIK, there are already laws in place making hacking of any sort illegal. A stiffer penalty would basically do nothing, and perhaps might give a false sense of security when planning a system like this - which would be, IMO, totally stupid. A law will not enhance security.

Then how about a slap on the wrist and a 20 minute time out?

 

[wiyosaya]

I have to agree.

It is highly likely that they installed these without ensuring that there were proper security measures in place. In any installation like this, security has to be the top priority, and if it is not, those specifying the requirements need to be sent back to school to learn that the internet is often a dangerous place that warrants the utmost in security on installations like this.

AFAIK, there are already laws in place making hacking of any sort illegal. A stiffer penalty would basically do nothing, and perhaps might give a false sense of security when planning a system like this - which would be, IMO, totally stupid. A law will not enhance security.

Then how about a slap on the wrist and a 20 minute time out?

Perhaps we ought to have people hired for jobs like this that are actually qualified to do a job like this? My bet is that chances are, the person hired was not qualified. What is scary about this is that no one noticed. So what does that mean?

Now we go down the chain of command and put them all in jail? Yep, I would be in favor of that. However, it exposes a bigger problem.

There are probably a few politicians along the way, and yes, we would all love to see politicians jailed. It becomes negligence, IMO, if it happens more than once. Voters will have to hold their politicians accountable.

 

[Darius Moon]

Must admit that I would love to hear if the vulnerability was:
1. Password: 12345 or manufacturer default.
2. System listed on Shodan.io and it didn't have protection against brute force pwd attacks.
3. Software found on recycled laptop.
4. Credentials found on postit note on bottom of recycled keyboard.
5. Main controller pc runs on pcanywhere.
6. Main controller pc runs outdated rdp/os.
7. Main controller pc runs outdated java/jboss.
8. Etc
Hmm, I suspect if it's basic issue, we will hear (lol) about it from other cities.

 

[Darius Moon]

I have to agree.

It is highly likely that they installed these without ensuring that there were proper security measures in place. In any installation like this, security has to be the top priority, and if it is not, those specifying the requirements need to be sent back to school to learn that the internet is often a dangerous place that warrants the utmost in security on installations like this.

AFAIK, there are already laws in place making hacking of any sort illegal. A stiffer penalty would basically do nothing, and perhaps might give a false sense of security when planning a system like this - which would be, IMO, totally stupid. A law will not enhance security.

Then how about a slap on the wrist and a 20 minute time out?

Perhaps we ought to have people hired for jobs like this that are actually qualified to do a job like this? My bet is that chances are, the person hired was not qualified. What is scary about this is that no one noticed. So what does that mean?

Now we go down the chain of command and put them all in jail? Yep, I would be in favor of that. However, it exposes a bigger problem.

There are probably a few politicians along the way, and yes, we would all love to see politicians jailed. It becomes negligence, IMO, if it happens more than once. Voters will have to hold their politicians accountable.

I like the idea, but that doesn't seem to be happening on much worse cases like lead poisoning in flint.

 

[cartera]

Marketing?

Marketing on a emergency tannoy system covering a whole city, Is that a thing?

 

[Reachable]

What gets me is the fact that it was done repeatedly. If a kid wanted to set the alarms off and exult in not being completely powerless in this world for a few seconds, that's one thing. But to do it over and over again, at night when people need to sleep, it becomes an attack on the whole city by a dangerous misanthrope. All laws aside, if one were to judge what punishment should be meted out with the free hand of appropriateness, then the person should be removed from society for a while and prevented from doing further damage unitil they mature.

 

[Darius Moon]

Marketing?

I remember that the mayor said it was an example of another severely outdated system so thinking it may not be on the Internet yet.

 

[nestorius]

What gets me is the fact that it was done repeatedly. If a kid wanted to set the alarms off and exult in not being completely powerless in this world for a few seconds, that's one thing. But to do it over and over again, at night when people need to sleep, it becomes an attack on the whole city by a dangerous misanthrope. All laws aside, if one were to judge what punishment should be meted out with the free hand of appropriateness, then the person should be removed from society for a while and prevented from doing further damage unitil they mature.

All of these malicious hackers should be removed from society, permanently.

 

[MonsterZero]

So glad I moved to Ft. Worth lol