DTMF replay phreaked out the Dallas tornado alarm, say researchers

Strap yourself into the DeLorean: researchers from Duo reckon the Dallas tornado alarm incident was a case of old-style DTMF phreaking. On Friday night, someone figured out how to activate all 156 of the city's sirens in a stunt hack. It turns out the sirens, from Federal Signal, use one of the oldest signalling techniques …

  1. Orv Silver badge

    I doubt finding the frequency was much of a trick. Often the system shares the same radio repeater as a voice radio system, so it may already be well known. Even if not, these sirens are tested regularly on a set schedule, so you know when to look for the signal. Sending the tones takes several seconds, which is enough to scan a sizable chunk of the band.

    If all that fails -- go park near the transmitter site with a spectrum analyzer during one of the scheduled tests, you'll figure it out pretty fast.

    1. Christian Berger

      Actually a spectrum analyser won't be ideal...

      ... since it sweeps the band. So you might only get the rough frequency, or you have to sweep slow enough so you might miss it.

      The better alternative is a frequency counter. Those "lock onto" the strongest signal (you have to filter out mobile telephone transmitters first), and give you the frequency instantaneously, if you are close enough to the transmitter. (or if you have a directional antenna)

  2. m0rt

    If you think about it, nothing has really changed. :) Just the vector...oh...wait...

  3. Jay 2

    The more things change, the more they stay the same. Or more realistically, they've never changed! I'm sure this will get people running for their nearest box of Captain Crunch (or whatever cereal it was that was phreaker-friendly).

  4. This post has been deleted by its author

  5. ElReg!comments!Pierre

    Disgruntled insider, or hopeful insider?

    From the previous article on the hack:

    Mayor Mike Rawlings:

    "This is yet another serious example of the need for us to upgrade and better safeguard our city's technology infrastructure. It's a costly proposition, which is why every dollar of taxpayer money must be spent with critical needs such as this in mind."

  6. Flakk

    Kevin Mitnick? Are you thinking of John Draper?

  7. Scott 29

    The earliest phreaking used MF, not DTMF. Two different things.

    1. Mike 16

      Pedant Freak Alert

      Draper (Captain Crunch) used SF (Single Frequency, specifically 2600 Hz, although I knew at least one trunk that used 2400), via the famed Whistle. MF was used on some trunks _after_ the SF signal enabled it, but there were SF-only signalling systems up to at least the mid 1970s.

      "Whistling" either the original MF or the consumer follow-on DTMF ("TouchTone") would require quite some skill. Perhaps worthy of some amateur entertainment contest: "Listen, he can whistle all four parts of this tune at once, with one mouth!"

      As for guessing the RF frequency band, one could estimate the length of the antenna elements...

      1. Anonymous Coward

        Re: Pedant Freak Alert (what was the name of the blind kid)

        He had perfect pitch and made free phone calls all of the time. The ATT engineers were more interested in how he did it than giving him grief about it.

  8. kain preacher

    I hope that prank was worth it. What was done is a federal crime. If caught the person or persons behind this will meet people that have had all humor surgically removed.

    1. jamesb2147

      I kind of hope they aren't caught, and it seems unlikely they will be. This hack didn't take loads of sophistication, which means the systems weren't configured in so much as a basic defensive posture, which means they probably weren't configured in a way to retain any useful logging.

      In terms of the wireless signal, the police would have needed to triangulate it, or at least use a device with a directional antenna to track the user down while they were broadcasting. I've found such technical devices to be well beyond the capability of local enforcement officers who have limited training in the use of electronics. Anyone responsible for the system would have been busy fighting the fire that was the activation and subsequent inability to shut it down.

      If there's a way to track the attacker, it's likely to only be through the hacked computer system.

      As to my hope, they brought governmental security to the news forefront for a brief period with a nearly harmless, but highly visible hack. That deserves an award, in my book.

      The fact that it pissed people off... well, they should really be directing that ire at those who configured the system without any security to begin with. If you leave your house unlocked every day, you can't be surprised if one day you find someone helped themselves to your belongings. In this case, the intruder merely left you a note "suggesting" you start locking your door. You're a damn lucky fool and should be glad the intruder was not more nefarious.

      1. Orv Silver badge

        The FCC would be the agency to do it, and they aren't exactly proactive these days. Often the actual triangulation ends up being done by amateur radio operators. Problem is this isn't like a cell phone where you have a network of towers always monitoring -- triangulation of signals like this is mostly done by hand, and requires a longer transmission than the few seconds sending the tones would have taken.

  9. Bandikoto

    It needs to be simple to set off

    This sort of system needs to be simple to set off and quickly. It needs to be resilient against power outages, backhoes, and sabotage. Setting the sirens off needs to happen if a twister was spotted or is imminent - warning times vary from zero if a twister has just been spotted to twenty minutes if one is already on the ground. Multiple agencies may be responsible for setting off the sirens, namely the county may set off some or all of the sirens in the county, or a particular city may do so.

    A radio-controlled system fits the bill. There are no one-time pads as multiple people need to be able to set all or portions of the system off, from diverse locations. An encrypted radio system (e.g. P25) could be used, but that would require retrofitting the ancient control boxes on each of those towers and no doubt a certification effort before they're deployed - when the emergency manager says to start the sirens, those sirens had better start howling. This incident will no doubt cause those who haven't started the certification process of an encrypted control system to highly consider doing so.

    Still, public safety is nothing to mess with. The ability to make such a replay attack has been there since before the systems were first deployed - the radio equipment necessary was already in the hands of (a section of) the public.
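The replay weakness discussed in the comment above, shown from the receiver's side as an added example (not part of the original thread, and not Federal Signal's or P25's actual protocol): each agency gets its own key and a monotonic counter, so several senders can activate sirens while a recorded frame is rejected on replay. The frame layout, key values and the names `make_frame` and `SirenReceiver` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed per-agency keys (hypothetical values): city and county each
# hold their own key, so several parties can trigger without sharing a secret.
KEYS = {b"CITY": b"constructed-city-key", b"CNTY": b"constructed-county-key"}

def make_frame(sender, counter, zone, key):
    """Frame = sender(4) | counter(8) | zone(1) | truncated HMAC tag(16)."""
    body = sender + struct.pack(">QB", counter, zone)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]

class SirenReceiver:
    def __init__(self, keys):
        self.keys = keys
        # Highest counter accepted per sender; a real controller would have
        # to keep this in non-volatile storage to survive power loss.
        self.last_seen = {sender: 0 for sender in keys}

    def accept(self, frame):
        if len(frame) != 29:
            return "reject: malformed"
        body, tag = frame[:13], frame[13:]
        sender = body[:4]
        counter, zone = struct.unpack(">QB", body[4:])
        key = self.keys.get(sender)
        if key is None:
            return "reject: unknown sender"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        if counter <= self.last_seen[sender]:
            return "reject: replay"  # a recorded frame carries an old counter
        self.last_seen[sender] = counter
        return f"activate zone {zone}"

def demo():
    rx = SirenReceiver(KEYS)
    frame = make_frame(b"CITY", 1, 7, KEYS[b"CITY"])
    results = [rx.accept(frame), rx.accept(frame)]  # second = captured and replayed
    # A second agency activates with its own key and its own counter.
    results.append(rx.accept(make_frame(b"CNTY", 1, 0, KEYS[b"CNTY"])))
    # Frame altered in transit (zone byte changed) without knowledge of the key.
    results.append(rx.accept(frame[:12] + bytes([9]) + frame[13:]))
    return results

if __name__ == "__main__":
    print(demo())
```

A counter needs no shared clock or network between senders and sirens, which fits the resilience requirement raised in the comment; a fixed tone sequence has no equivalent of the counter or tag, so every capture stays valid.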

    1. Orv Silver badge

      Re: It needs to be simple to set off

      The basic problem is most of this equipment was installed during the Cold War, for Civil Defense reasons. No one has spent money on it in a very long time. Much of it was originally put in with Federal money but maintenance has been the responsibility of local governments.

      There *are* radio systems that could securely do this, but deciding to spend money on that instead of filling potholes tends to be unpopular. There's even talk of phasing the sirens out; these days people tend to ask questions like "can't we just alert everyone's cell phone instead?"

      1. OldRed

        Re: It needs to be simple to set off

        There are more secure radios but it requires everyone be on the same radio system. In a tornado a single lightning strike or small tornado can take the secure radio system down. Many cities are almost to the point the different departments can't talk to each other due to being on different secure radio systems.

        If you put it on a secure system it works only as long as the secure system works.

        I have been in Dallas when the Amateur radio storm net was in progress; they handle a great deal more information than police or public service. Amateur radio operators show up during a storm to help with communications and logistics. Often Hams are the only ones that can communicate with anyone over any distance for the first few hours after a tornado if the communications are taken out. Usually we are the only communication with the outside world for a couple of days until the telephone switches recover from the overload of calls in and out. The telephones may work fine locally but the long distance circuits are overloaded or locked out for all but priority traffic. The Red Cross, Salvation Army, FEMA and local agencies use the Amateur Radio Service to assist communications and provide services as they can when needed.

        It is usually communications. In the case of the Space Shuttle Columbia disaster the need was for a Ham operator with a radio, 2 horses with a pickup and trailer, a GPS and plenty of water. Amateur Radio operators had to build several temporary repeaters for this one.

        73

        W5RED

  10. ma1010

    Yes, it's quite simple, really

    I'm a ham radio operator, and totally agree with other posters that the radio part of this would be simple. I happen to own a couple of radios that could have been used to do something like this because they can (not legally) transmit on those frequencies and send DTMF tones. Simple enough to record and play the tones back, too. (But I don't live in Dallas, nor am I an assbag like whoever did this.)

    So very many of our infrastructure systems are based on security by obscurity, and that really doesn't cut it with ANY systems these days. It looks like Dallas (and probably many other cities) needs to step up their game a bit and modernize systems to prevent tampering.

    Not exactly the same thing, but for some reason the situation here reminds me of this.

    1. Trigonoceps occipitalis

      Re: Yes, it's quite simple, really

      " ... based on security by obscurity ... "

      I doubt that anyone with a bit of technical training involved with the sirens is a hard and fast obscuritatist. Rather I think that there is a belief that no one would be such an arse as to set off the sirens just because they can. The "hack" is so simple that I can't imagine that there is much, if any, kudos in being the perpetrator.

      I can only hope that the perps get shopped for bringing whatever club, society or group they belong to into disrepute.

  11. MJI Silver badge

    When I saw the word Tornado

    I was hoping it was about this

    http://www.bbc.co.uk/news/uk-england-york-north-yorkshire-39581712

    http://www.telegraph.co.uk/cars/news/tornado-steam-train-hits-100mph-secret-test-run-east-coast-main/

  12. Christian Berger

    Actually it has nothing to do with phreaking...

    ... as there doesn't seem to be any telephone network involved.

    There are still interesting things to phreak, for example some lift alarm systems are connected to the telephone network and can be called. If you call, they will pick up and put you through to the cabin. Via DTMF Tones you can even program them.

    1. patrickstar

      Re: Actually it has nothing to do with phreaking...

      There are still lots and lots of voice mail systems and PBXes around that obey the basic laws of phreaking.

      And other strange stuff connected to the public phone network and taking commands over DTMF.

  13. Melina1222

    Run, Forrest!

    I live in Dallas and almost had an anxiety attack when the sirens went off, mainly as the electricity had gone off in large sections of my neighborhood just a few minutes before. For about 30 seconds I was thinking "Crap. EMP bomb. Thanks, Trump."

    Also, three hours of listening to dozens of dogs upset by the sirens (siren + dog = nonstop barking) was equally difficult to tolerate. It'll be interesting to see if the phreaker is caught. And yes, Captain Crunch was the cereal with the whistle prize.

  14. allthecoolshortnamesweretaken

    This is so stupid and inconsiderate that I can't call it a prank anymore. Still, in a twisted way it's kinda nice (probably also the wrong word) to see something done old school.

  15. DMcDonnell

    FCC database

    Transmitters would be in the FCC license database. So a simple online database search would do to uncover the frequencies.

  16. patrickstar

    DTMF being "one of the oldest signalling techniques around"? Uhm, no.

    Pulse dialing is still supported by most exchanges, and there are actually some of those phones around. More common would be its close cousin, the current loop, which is used in many brand-new designs when you need very high reliability despite interference and can't do fiber.

    Morse code is still pretty widely used on radio.

    Semaphores and flag signals are still used.

    Even signaling by lighting huge fires is occasionally used...

  17. Amos1

    Same old, same old

    Same thing happened in the city where I live about a decade ago. Used a city channel assigned to the service department. The person who did it ran his prank about 3:30 AM once and the city called it a malfunction. Then it happened again at 3:30 AM but this time someone heard the tones. Did they catch the person? Probably but they couldn't prove it. How did they catch him? He shot his mouth off to some friends who were already mad about what happened and one called the cops. But they could never find the radio and he denied it and it never happened again. The city said it would cost $40,000 to encrypt the radio signal so they shut the sirens down. Then a tornado blew through town and they had to rebuild the whole thing and make it operational again. Typical government operation.
