Hacking emergency services: How safe is the 911 system?
Recent breaches in Ohio, Texas and Washington, D.C., illustrate the cybersecurity vulnerabilities of 911 centers and other emergency services infrastructure.
In February 2013, viewers of KRTV, a CBS affiliate in Montana, experienced a modern-day version of The War of the Worlds when hackers breached the emergency alert system and broadcast a realistic-looking message warning that the zombie apocalypse was afoot. The EAS tones played, a message bar appeared at the top of the screen and a computerized voice alerted viewers that the “bodies of the dead are rising from their graves. Follow the messages on screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies, as they are considered extremely dangerous.”
A handful of other TV stations in five states experienced similar hacks, which were later traced to firmware vulnerabilities.
While the zombie hack caused chuckles among viewers -- some of whom assumed it was a viral marketing campaign for The Walking Dead television series -- recent hacks targeting public safety infrastructure haven’t been so funny:
- Mere days before President Donald Trump’s inauguration, hackers used ransomware to disable 70 percent of the cameras on a police closed-circuit surveillance network in Washington, D.C.
- Also in January, ransomware sent several local government offices in Ohio “25 years back in time,” including a county police force and the 911 center. The telephones and radios at the 911 center remained operable, but dispatchers had no computer access, which lengthened response times.
- In April, someone breached the Dallas emergency siren system, causing 156 horns around the city to blare for 90 minutes in the dead of night and panicking residents who flooded 911 centers with thousands of calls. At first, officials suspected a technical malfunction, which gave way to fears that the sirens’ computer system had been compromised. In the end, it turned out the hackers used radio signals to trigger the sirens.
Cold War-era legacy systems vulnerable
The U.S. emergency system runs on very old equipment; most of it dates to the 1980s. Because worldwide interconnectivity did not exist at the time, systems were designed for safety, ease of communication and reliability, not cybersecurity. Not only was there no such thing as “hacking,” pranksters and criminals had no way to quickly determine, for example, what radio frequency would actuate an emergency siren, and there was no publicly available documentation on its default credentials. Thirty years ago, determined hackers could have engaged in spycraft to obtain the information, but it would have been difficult or impossible for them to get the hardware they needed to produce the tones to pull off the hack.
The internet has changed the game. Finding information, even sensitive information on default login credentials for emergency systems, has become easy; in many cases, manufacturers themselves post instruction manuals online. Meanwhile, inexpensive pocket-size devices are capable of reproducing what were once thought to be complicated signaling protocols.
Smart technology no more secure than old systems
Antiquated legacy systems aren’t the only issue. As the internet of things expands, cities are becoming “smart,” implementing more wireless and internet-enabled devices and interconnecting emergency infrastructure. While connecting infrastructure to the internet can improve safety by allowing officials to remotely monitor and control systems and promote communication, it also opens the door to hacking.
The risk is higher on the local level than on the national scene. More attention is paid to critical infrastructure on the national stage; security protocols for power generation and transfer systems are highly regulated. Cities and counties are not subject to the same regulations, are notoriously underfunded and may not see the importance in allocating scarce funds to cybersecurity.
If a private-sector company suffers a bad data breach, the CEO may be forced to resign. While it looks bad when a city is publicly compromised, no one is fired or voted out of office. Local officials throw their hands up in the air, call the hackers who did it evil and spend far more money trying to track them down and punish them than they do on fixing the actual issue or looking for other, similar vulnerabilities.
What’s at stake and what can be done?
Hackers have numerous motivations for targeting emergency infrastructure. Ransomware is used to attack emergency services for the same reason it is used against health care facilities: fast, easy money extorted from an entity that absolutely cannot afford to be locked out of its systems. Hackers may also be motivated by political or religious ideologies, seek to cause further disruption as part of a real-world terrorist attack or even just want to pull a prank.
Any system is only as secure as the individuals defending it, and there is no such thing as a system that cannot be breached, given sufficient time, intelligence and resources. However, attacks can be prevented by taking proactive security measures.
First, local officials should perform regular system and data backups; always change manufacturer default login credentials before connecting hardware to a network; ensure that operating systems and software are kept up to date; and train employees to spot social engineering techniques, such as phishing emails.
Local governments should also follow in the footsteps of private businesses and crowdsource security vulnerability testing. All cities have a hacker community, and if white-hat hackers are given incentives to find vulnerabilities in a city’s infrastructure, those problems are less likely to be found by malicious actors. A white-hat hacker in New Castle County, Del., for example, recently discovered a vulnerability in a public safety mobile app and alerted authorities who patched the problem.
However, the entirety of a city or county’s cybersecurity cannot be crowdsourced. Local governments need the help of security professionals, but they may not have the budget to hire them in-house. Outsourcing cybersecurity to a managed security services provider is a good option for cash-strapped local governments. An MSSP can provide dedicated, around-the-clock security operations support to government entities. Staffed by experts with years of experience protecting critical infrastructure, MSSPs can cost far less than in-house security personnel.
Government agencies must take their vendors' security seriously as well, adopting vetting and security protocols that many major corporations have already put in place. These protocols must be a part of the selection process for any new vendor, as must service-level agreements in case vulnerabilities are ever found or new ones emerge.
The zombie hack amused people but caused no disruptions; the Washington, D.C., and Ohio ransomware attacks went largely unnoticed by anyone except for law enforcement and emergency responders; and the Dallas siren hack kept citizens awake for 90 minutes but caused no long-term damage. The next breach could take down a 911 center’s phones or broadcast “news” of a terrorist attack, causing mass hysteria. Emergency infrastructure security is a matter of public safety, and taxpayers should demand that local officials take it seriously.