What to Know
A security firm raised awareness about a security vulnerability affecting loudspeakers in San Francisco that can be exploited with only a walkie talkie
The firm demonstrated the hack by piping Rick Astley's "Never Gonna Give You Up" through the speakers
A similar speaker system in New York, at the Indian Point nuclear power plant, is not thought to be at risk because the facility is secure
A hacker’s warning about the security vulnerabilities of public loudspeakers used for emergency warnings in San Francisco has raised concerns about other such sirens installed by the same company in New York.
Balint Seeber, a researcher with cybersecurity firm Bastille, recently revealed how sirens installed by Acoustic Technology, Inc -- also known as ATI -- could be hijacked by bad actors with little more than a walkie talkie purchased from Amazon.
In a demonstration posted by the company, he broadcast Rick Astley’s 1980s hit-turned-internet meme “Never Gonna Give You Up” from a rental truck, but Seeber and Bastille warn that in the hands of a hacktivist, terrorist or hostile nation, the sirens could be hijacked to cause widespread panic.
“With this particular vulnerability it’s possible for a malicious actor to actually set the system into public address mode so that anything they say will actually be rebroadcast over an entire city,” he said.
Seeber began investigating the sirens in San Francisco in 2016, noticing that the city tested them at regular intervals. Then, he discovered that radio signals sent to the sirens were not encrypted and thus vulnerable.
Bastille created a software patch to close the security hole for San Francisco’s speakers, but warned that other cities and facilities that use speakers could be at risk, citing a 2017 hack in Dallas that set off 150 emergency sirens made by a different manufacturer for more than 90 minutes.
The Indian Point Energy Center is the most high-profile site in the tri-state that currently uses ATI sirens. But ATI told the I-Team that because the nuclear power plant is a secure property -- unlike San Francisco -- Seeber’s exploit would not work at the site.
“We have been providing systems for 30 years and have never had an instance of hacking,” Ray Bassiouni, a spokesman for ATI, told the I-Team in an email.
Entergy, which manages the Indian Point plant, would not say if it plans to have its sirens use encrypted radio signals in the future. But the nuclear operator said it has taken other measures to harden its siren systems against hackers.
One World Trade Center also had ATI speakers during construction, according to the company that manages the complex.
But they were taken out once the building was finished; security managers would not disclose to the I-Team what type of sirens One World Trade Center has now, only saying all security systems in the building are encrypted.