On 04/13/2017 06:44 AM, lrk wrote:
----- Forwarded message from Razer <g2s@riseup.net> -----
To: cypherpunks@lists.cpunks.org From: Razer <g2s@riseup.net> Subject: Update: Dallas tornado alarm hack was a 'phreak' occurrence Date: Wed, 12 Apr 2017 20:43:04 -0700
Phone Phreaks!
DTMF replay phreaked out the Dallas tornado alarm, say researchers
Strap yourself into the DeLorean: researchers from Duo reckon the Dallas tornado alarm incident was a case of old-style DMTF phreaking.
On Friday night, someone figured out how to activate all 156 of the city's sirens in a stunt hack.
It turns out the sirens, from Federal Signal, use one of the oldest signalling techniques around: Dual Tone Multiple Frequencies, or DTMF, originating back in the analogue telephony era. The earliest phreaking attacks exploited the tones used to route phone calls to make free long-distance and international calls.
For those who've never noticed the beeps that happen when you press buttons on a fixed-line phone, DMTF represents its symbols with pairs of beeps in this layout:
[Image: DMTF tone chart from Wikipedia]
Telephone network have long been secured against phreaking, but apparently not the Federal Signal sirens in Dallas. It looks like the system was set off by a simple replay attack: record the signal sent during a system test, and play it back.
Duo's blog post notes that the DMTF signals, carried over 450 MHz radio carriers, aren't encrypted, so an attacker wouldn't even need to try and interpret the symbols.
The other big compromise, according to Duo, was that someone got access to the computers that control how long the sirens would sound when they were activated. That compromise also made it harder for city officials to shut the system down. ??
Bootnote: Duo is surprised that the attacker was able to work out the radio frequency in use, which sits oddly with the author's theory that a disgruntled insider is the most likely attacker.
The Register notes that an insider would probably know what frequency the system used, and 450 MHz is in a band familiar with UHF hobbyists. If the sirens' radio used licenced bands, the FCC has the database online.
Even for the 700 MHz band, reserved for public safety in the USA, it's easy enough to buy suitable transmitters.
FYI, tone systems like touch-tone don't work over digital voice. Those synthesizer systems will not recreate the tones accurately. Trunked systems have other engineering problems which make them the wrong tool for public safety but the only thing that counts is that Motorola got the taxpayer's money.
And the sound of a snare drum, high hat, cymbals, oboe, etc, has never been the same since 'music went square wave' either. Odd that digitized DTMF tones shouldn't work. No frequency component to any of them so high that is should matter. What I find strange is there's a set of 'outband' tones, not normally used for civilian communication that police and fire departments have used historically to prevent intruders into their communications systems. Dallas must have cheaped the contractor installing the system. Rr