City emergency sirens can be hacked to sound rogue messages

A security researcher has shown that San Francisco’s warning system can be used to play any message he wants.

The news: Balint Seeber, from security firm Bastille, spent the last two years decoding the radio signals that switch on the weekly test of San Francisco’s emergency warning system. Now, reports Wired, he’s worked out how to control the system himself, and he could inject any audio he wants to be played throughout the city.

Why it matters: Imagine the panic caused by a city warning system falsely announcing, say, a nuclear strike (something that, unfortunately, isn’t much of a stretch). Plus, the hack can be performed using a laptop and $35 worth of radio equipment, and Seeber says he knows two other cities (and potentially many more) that could have their speakers, made by a firm called ATI Systems, similarly compromised.

Dumb smart cities: The attack is possible because, while individual data packets used to control the ATI warning systems may be encrypted, Seeber was still able to work out how to reproduce the overall control signals. As we’ve pointed out before, cybersecurity concerns often go neglected in the development of connected systems inside cities—and the upshot is that attacks like this are possible.

This story was updated on April 11 to explain that individual data packets in the warning system are encrypted.