An attacker, with the right equipment, could activate vulnerable sirens "at least tens of miles away." (Image: supplied)
A vulnerability in a popular emergency alert system, widely used across towns and cities, exposes sirens to hijack, allowing hackers to trigger false alarms.
Security researchers at Bastille, a security firm with a focus on finding radio frequency vulnerabilities, found that the vulnerability in emergency alert systems supplied by Boston-based ATI Systems can be exploited by sending a malicious activation message over the radio airwaves.
Because the radio protocol that ATI uses isn't encrypted, activation messages can be forged.
This put cities like San Francisco and other major landmarks and installations at risk of cyberattack, including One World Trade Center in New York, West Point Military Academy, and the Indian Point nuclear power station -- all of which are ATI customers.
Read more: Dallas' emergency sirens were hacked with a rogue radio signal | Emergency Alert System open to more 'zombie' hackers after accidental SSH key disclosure | New LTE attacks can snoop on messages, track locations and spoof emergency alerts | CNET: What you need to know about emergency cellphone alerts | Hawaii senator says feds should handle alerts[1][2][3][4][5]
The vulnerability, dubbed "SirenJack," might take some flak for becoming the latest in a long list of branded vulnerabilities[6] with a name, a logo, and a website.
But the impact of the flaw could be serious if exploited
These emergency systems are found across the US, primarily used to warn against natural disasters and terrorist attacks, but also inbound threats from hostile nation states. The systems are far from perfect. Almost exactly a year