It’s 3 a.m., and you are awakened by the sounds of sirens blaring outside. All of the cell phones in your house start to chirp, and when you look down, you see an emergency notification with a warning to evacuate immediately. The alert says to head north and that all major roads will be used as one-way streets to enable a rapid evacuation. Twenty miles north of your town the same thing is happening, except in this case, the warning is telling everyone that they should head south.
As you get on the highway and begin your journey north, the state highway reader boards confirm the evacuation route, and you get in line to travel northbound using the southbound lanes. Turning on the radio, you hear little additional information beyond what the DJs are seeing on their own cell phones and sharing on-air. Then you see a car barreling down on you, evacuating the wrong way. You narrowly avoid a head-on crash; the car behind you is not so lucky. Multiple collisions occur along a 40-mile stretch of highway because drivers followed the instructions delivered to their cell phones and the directions posted on the highway signs. Dozens die in these accidents.
In the following days and weeks, you will see a massive investigation by the FBI, the Department of Homeland Security (DHS), and local authorities because, in reality, there was no actual emergency. No alerts were ever authorized by anyone. Instead, critical communication systems had been hacked and manipulated to cause chaos.
Authorities would eventually learn that the digital road signs were connected directly to the internet and had negligible log-on requirements. The sirens that initially woke everyone were controlled by the county emergency management office. Those systems had been accessed with the username and password belonging to the director of emergency services; password re-use was the culprit. That same user had also set up the link between the emergency service center and the Federal Emergency Management Agency (FEMA) that is used to issue wireless emergency alerts (WEA) to cell phones. The hacker had used that user's internet connection inside the emergency operations center to issue alerts through FEMA's Integrated Public Alert and Warning System (IPAWS).
This hypothetical situation may sound far-fetched to some, or perhaps like the plot of a new movie, but pieces of this scenario have already happened across the United States. This past weekend, the news was all about the tornado sirens in Dallas, Texas. Although the complete details of the Dallas tornado alert hack have not yet fully emerged, it is now clear that the alerting system was triggered by unencrypted radio signals, something that was likely easily preventable. This hack was no high-end spycraft or National Security Agency (NSA) zero-day exploit. Like almost all of the major cyber/data breaches of the past 15 years, this one will come down to the basics:
- Outdated hardware
- Lack of encryption
- Password problems and lack of two-factor authentication
- Vulnerability management issues
- Phishing or spear phishing
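The "lack of encryption" item deserves one practical caveat: a siren controller that fires on any signal matching the activation pattern is defeated by a bystander who records a legitimate activation and plays it back, and encrypting that signal on its own does not help, because the ciphertext replays just as well. What stops the replay is a message authentication code bound to a value that can never repeat. The following toy model is an added illustration, not the Dallas system or any vendor's protocol, and the frame layout, the pre-shared key, and the counter scheme are all assumptions made for the demo. It plays the same capture-and-replay attempt against a legacy receiver and an authenticated one.

```python
import hashlib
import hmac

# Assumption: a pre-shared key provisioned to the dispatcher and every siren
# controller. Constructed for this demo; not a real secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
ACTIVATE = b"ACTIVATE_ALL"  # assumed 12-byte command payload
COUNTER_LEN = 4             # assumed 4-byte big-endian message counter
TAG_LEN = 32                # HMAC-SHA256 output size


class LegacyController:
    """Models a receiver that fires on any frame matching the activation
    command. Nothing ties a frame to a sender or to a point in time, so a
    frame captured once can be replayed indefinitely."""

    def __init__(self):
        self.activations = 0

    def receive(self, frame: bytes) -> bool:
        if frame == ACTIVATE:
            self.activations += 1
            return True
        return False


class AuthenticatedController:
    """Models a receiver that requires counter || command || HMAC(key, counter || command).
    The tag proves the frame came from a key holder; the strictly increasing
    counter rejects any frame that has already been accepted."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = -1
        self.activations = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != COUNTER_LEN + len(ACTIVATE) + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted: wrong key or altered bytes
        counter = int.from_bytes(body[:COUNTER_LEN], "big")
        if counter <= self._last_counter:
            return False  # replay: this counter value was already consumed
        if body[COUNTER_LEN:] != ACTIVATE:
            return False  # authentic, but not an activation command
        self._last_counter = counter
        self.activations += 1
        return True


def build_frame(key: bytes, counter: int, command: bytes = ACTIVATE) -> bytes:
    """Dispatcher side: authenticate counter || command under the shared key."""
    body = counter.to_bytes(COUNTER_LEN, "big") + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


def run_scenario() -> dict:
    """Plays the same capture-and-replay attempt against both controllers."""
    legacy = LegacyController()
    captured = ACTIVATE  # what an attacker records from one legitimate activation
    results = {
        "legacy_first": legacy.receive(captured),
        "legacy_replay": legacy.receive(captured),  # replay succeeds
    }
    results["legacy_activations"] = legacy.activations

    auth = AuthenticatedController(DEMO_KEY)
    genuine = build_frame(DEMO_KEY, 1)
    results["auth_first"] = auth.receive(genuine)
    results["auth_replay"] = auth.receive(genuine)                        # stale counter
    results["auth_forged"] = auth.receive(build_frame(b"wrong-key", 2))   # bad tag
    tampered = bytearray(build_frame(DEMO_KEY, 3))
    tampered[COUNTER_LEN] ^= 0x01                                         # flip a command bit
    results["auth_tampered"] = auth.receive(bytes(tampered))              # tag no longer matches
    results["auth_next"] = auth.receive(build_frame(DEMO_KEY, 3))         # fresh frame, accepted
    results["auth_activations"] = auth.activations
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The legacy receiver fires twice on the same recorded frame; the authenticated one fires once, then rejects the replay, a frame built under the wrong key, and a frame with a single altered bit, while still accepting the next genuine frame. In a real deployment the counter state must survive a controller reboot (or be replaced by a challenge-response exchange), otherwise a power cycle reopens the replay window.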
What’s more concerning about the Dallas incident is that a critical system used to alert people to an impending disaster should have been very well protected. After the incident, this vital system was out of service for a significant amount of time while authorities worked to investigate and secure it. If the hackers were able to gain access there, where else could they have gone? Cities and counties hold truckloads of personal information about people just like you and me. These records can include everything from police and court records to personal financial information relating to your online bill-paying habits. After this incident, the City of Dallas ordered a review:
City Manager T.C. Broadnax said city officials are also examining the city's water, 911, dispatch and financial systems for vulnerabilities after the hack. Source: Fox4news.com
The problems illustrated in this post will only continue to compound one another. Security among connected devices continues to improve at a snail’s pace. Take digital highway signs, for example. What are the chances that the state you live in will rip down and replace 250 digital signs because the vendor went out of business and is no longer providing security updates? The answer is zero.
Even so, these signs have been hacked repeatedly across the United States and abroad. The same goes for emergency alert systems: both television and radio emergency alert systems have been compromised in the past, resulting in false alerts being broadcast to the public at large.
While this post has focused on the flaws in emergency service and alert systems, the same problems project readily onto a personal level. How long will your television, smart refrigerator, or cable modem keep receiving security updates? If bad guys gain access to those devices in your home, where else can they pivot? What can they see on your security cameras, and what data can they steal from your home network? Who is responsible for ensuring that all of these devices are secure?
Looking to the future
As more and more interconnected devices are added at all levels (government, businesses, and private homes), I fully expect this problem to get worse before it gets better. No real standard has been set for how these devices should be added and managed. More often than not, when a device is added, security is an afterthought, if it is thought of at all.
Private industry is the group most likely to deal with these issues first. Numerous financial and regulatory requirements will bring about ad-hoc best practices at companies that have the resources and expertise to anticipate such situations and develop solutions for them.
In government and non-profit organizations, information security is often underfunded. Due to resource constraints, entities such as social services agencies, schools, and hospitals will likely lag well behind and run the risk of becoming outmoded.
Private individuals (you and I) will be the last to adapt. Security is not easy, and very few personal users have the know-how to properly segment and secure their home networks.
Focus on the basics:
- Update your software; vulnerability and patch management are critical.
- Manage passwords (never re-use one across systems) and add two-factor authentication wherever you can, especially on critical systems.
- Give people the least privilege they need to complete their tasks. Access control is a huge issue.
- Have an incident response plan and test that plan. You can’t execute well in a crisis if you’ve never practiced to discover what works and what does not.