Article posted: Apr 12, 2017
By Joakim Thoren, CEO
Cities in tornado zones have emergency sirens for a reason: to alert their populations of impending potential major storms, hail or other emergency situations either in the city or in surrounding environs. So, imagine the sheer panic raised when all 156 of Dallas' tornado sirens were sounding for approximately 90 minutes during the wee hours of the night over this past weekend.
By the next morning, stories began surfacing about the unplanned tornado siren blitz. The biggest takeaway was this: the warnings were not generated by the city, nor were they warning of potential tornadoes in the area. Instead, officials say, it was an unauthorized hack of their early warning system. The hacker or hackers, whom police believe was locally based, was repeatedly able to activate the system, and caused the entire system to remain down for nearly a day.
The FCC is assisting the city in its investigation into the hack and we certainly hope the individual or individuals responsible are found.
What's interesting about this hack is that rather than going for a monetary target or other high-profile mark, the hackers gunned for a system that is far less likely to feature highly sophisticated security. As we've repeatedly discussed, many of the "traditional" targets for hackers are now so well protected that hackers are looking to whatever is left of the "low-hanging fruit" variety. In Dallas' case, it is unlikely the city put much effort or money into protecting its seemingly innocuous tornado warning system from hackers. The same likely holds true for cities across the tornado belt.
But as was also seen in Dallas, problems in one area can begin a chain reaction of issues. In this case, more than 4,000 residents dialed in to the city's 911 emergency system to find out whether they needed to evacuate, nearly overloading the emergency system.
In the aftermath of the siren hoax, Dallas' mayor says the city will upgrade its security infrastructure - something they know will be expensive but after a hack like this it becomes easier to spend the money.
While we don't know the particulars of the Dallas system, what is very clear is that passwords alone are simply not enough - even for systems that no one suspects would ever be hacked. One simple solution Dallas officials can look to is strong two-factor authentication - it's a system that uses "something you know," such as a password, with "something you have," such as a smart card or one-time emailed passkey code. With such a system, the hacker would be missing part of the access chain which would have thwarted the attempt at sounding the tornado alarms.
For municipalities and businesses alike, two-factor authentication really should be a given. They simply make sense and in general are not expensive. Moreover, managing multi-factor authentication solutions is easier than ever with systems like our vSEC:CMS.