Phone Phreaks!
DTMF replay phreaked out the Dallas tornado alarm, say researchers
Strap yourself into the DeLorean: researchers from Duo reckon the Dallas tornado alarm incident was a case of old-style DMTF phreaking.
On Friday night, someone figured out how to activate all 156 of the city's sirens in a stunt hack.
It turns out the sirens, from Federal Signal, use one of the oldest signalling techniques around: Dual Tone Multiple Frequencies, or DTMF, originating back in the analogue telephony era. The earliest phreaking attacks exploited the tones used to route phone calls to make free long-distance and international calls.
For those who've never noticed the beeps that happen when you press buttons on a fixed-line phone, DMTF represents its symbols with pairs of beeps in this layout:
[Image: DMTF tone chart from Wikipedia]
Telephone network have long been secured against phreaking, but apparently not the Federal Signal sirens in Dallas. It looks like the system was set off by a simple replay attack: record the signal sent during a system test, and play it back.
Duo's blog post notes that the DMTF signals, carried over 450 MHz radio carriers, aren't encrypted, so an attacker wouldn't even need to try and interpret the symbols.
The other big compromise, according to Duo, was that someone got access to the computers that control how long the sirens would sound when they were activated. That compromise also made it harder for city officials to shut the system down. ®
Bootnote: Duo is surprised that the attacker was able to work out the radio frequency in use, which sits oddly with the author's theory that a disgruntled insider is the most likely attacker.
The Register notes that an insider would probably know what frequency the system used, and 450 MHz is in a band familiar with UHF hobbyists. If the sirens' radio used licenced bands, the FCC has the database online.
Even for the 700 MHz band, reserved for public safety in the USA, it's easy enough to buy suitable transmitters.