Interrupting all programs —

Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack

System doesn't encrypt commands used to set off signals, official admitted.

A siren similar to the type set off by a "hacker" in Dallas last weekend.
Enlarge / A siren similar to the type set off by a "hacker" in Dallas last weekend.
Getty Images/CPCollinsPhotography

Last Friday night, as midnight approached, someone managed to trigger the emergency siren system used by the city of Dallas for tornado warnings and other emergencies. And that someone managed to keep the alarms in action for 95 minutes—even after emergency services workers shut them off. The entire system had to be shut down.

Dallas officials initially blamed "a hack" for causing the midnight siren escapade—a statement that was initially interpreted as some sort of network intrusion into Dallas' emergency services computer systems. But in a statement issued yesterday, Dallas City Manager T.C. Broadnax clarified the cause, saying that the “hack” used a radio signal that spoofed the system used to control the siren network. He would not go into details. "I don't want someone to understand how it was done so that they could try to do it again," Broadnax said. "It was not a system software issue, it was a radio issue."

Broadnax said that measures had been taken to prevent the incident from happening again, but he would not say what those measures were.

Alert sirens, especially older ones like those used in Dallas, are usually controlled by tone combinations used by the Emergency Alert System broadcast over the National Weather Service's weather radio. Alternatively, they can also be controlled by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands from a dispatcher or command center terminal sent over UHF radio frequencies that were set aside for emergency agencies' use by the FCC in 2004 (these are typically in the 700 MHz range).

If the frequency used by the sirens in Dallas for DTMF or AFSK wasn't monitored, an attacker could conceivably broadcast an endless number of guesses at DTMF or AFSK encoded commands until the sirens were set off—and then just play that command signal repeatedly. But it's possible that someone managed to gain access to documentation for the siren system and knew exactly which commands to send.

Channel Ars Technica