By infrastructure-hacking standards, the overnight triggering of the Dallas storm-warning system on April 7 was relatively benign.
Starting at about 20 minutes before midnight more than 150 sirens across the city of 1.3 million people blared periodically, alarming residents in this tornado-prone part of the country.
Worried that something was amiss, locals overloaded the city’s 911 emergency-calling system, causing what could have been harmful delays, while officials scrambled to figure out what was going on. They shut down the system at 1:17 a.m. and worked overnight with West Shore Services, a Michigan-based company hired by the city last year to maintain the network, to fix the problem, according to local news reports.
Initially officials suspected a technical malfunction, but by Saturday afternoon it was clear that someone in the area had duplicated a radio signal used to trigger the sirens. It took city officials most of the weekend to put the system back online, and as a temporary fix they added a layer of encryption to the transmitters on the sirens, making them harder to hack.
“This is yet another serious example of the need for us to upgrade and better safeguard our city's technology infrastructure," Dallas Mayor Mike Rawlings wrote on his Facebook page.
“It's a costly proposition,” he added.
Indeed, municipal connected or wireless infrastructure offers an enticing target for hackers because cities typically lack the funds to constantly upgrade their networks with the latest security features. And as cities become “smarter” with more connected and wirelessly controlled devices, the risk to public infrastructure will increase, providing hackers more opportunities and security specialists more business. The growing number of connected devices, including everyday objects with the ability to "communicate" with other devices and be part of what's known as the internet of things, is exacerbating these concerns.
“Unfortunately, there is no silver bullet for issues like this,” Billy Rios, a cybersecurity researcher and founder of advisory firm Whitescope, told Salon in an email. “The software that runs on these devices is horribly insecure and it will be some time before the overall state of security for devices like this improves.”
Hacking can occur with internet-connected devices or wireless radio transmitters like the ones that control the Dallas storm sirens. And both require similar vigilance against malevolent attacks.
Researchers routinely find vulnerabilities in municipal hardware and software, including with traffic lights and smart parking meters. But some of the biggest concerns lie with what's referred to as the kinetic hacking of municipal water, power and sewage systems, said Vyas Sekar, a faculty member at CyLab, Carnegie Mellon’s Security and Privacy Institute.
“These are incidents that are waiting to happen,” Sekar told Salon. “The internet of things and other things that control the physical environment — this is a concern for a lot of us in the security community, especially because a lot of these systems that interact with the physical world have not been designed from a security mindset.”
Kinetic hacking involves exploiting vulnerabilities so that criminals can control physical objects that are connected to the internet or through wireless transmitters.
Last year Iranian hackers infiltrated the system operating the floodgates of the Bowman Avenue Dam near Rye Brook, New York, in what officials believe was a test run against U.S. infrastructure. That incident proved that hackers could have opened the gates and flooded a nearby neighborhood. Other targets in recent months have included the power grid of the Ukrainian capital of Kiev — part of it went dark in December after Russian hackers infiltrated the system — and San Francisco’s light-rail network, which was commandeered in a ransomware attack.
Among the biggest concerns is hacking through the web because those attacks can be done from anywhere in the world. But as the Dallas storm-warning system incident shows, local hackers can compromise wireless systems, too. And unlike internet-based attacks, hacking wireless systems that target specific devices doesn't leave traceable evidence, making it harder to capture or identify perpetrators.
This week Dallas officials announced an examination of its “critical systems citywide” to look for any hacking vulnerabilities. The City Council authorized spending as much as $100,000 to add security upgrades to the emergency siren system.
Sekar, who studies how to add enhanced security to older infrastructure systems, said it’s vital to think about security in a holistic way.
“Having continuous testing, continuous validation and penetration testing are all part of this holistic approach,” he said. “You need multiple layers of security: the wireless layer, the network layer, the hardware layer, the software layer, and so on. You can’t just look at one piece of the puzzle.”
For Dallas officials, the siren hack was a warning. And now they appear to be taking a more holistic approach to examining at their entire public safety system. Fortunately for them, the hack led to only a minor financial setback. The next time infrastructure is hacked, it might not be so benign.