Hacking emergency services: How safe is the 911 system?

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Robert McFarlane
 

Connecting state and local government leaders

By Robert McFarlane

|

Recent breaches in Ohio, Texas and Washington, D.C., illustrate the cybersecurity vulnerabilities of 911 centers and other emergency services infrastructure.

In February 2013, viewers of KRTV, a CBS affiliate in Montana, experienced a modern-day version of The War of the Worlds when hackers breached the emergency alert system and broadcast a realistic-looking message warning that the zombie apocalypse was afoot. The EAS tones played, a message bar appeared at the top of the screen and a computerized voice alerted viewers that the “bodies of the dead are rising from their graves. Follow the messages on screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies, as they are considered extremely dangerous.”

A handful of other TV stations in five states experienced similar hacks, which were later traced to firmware vulnerabilities.

While the zombie hack caused chuckles among viewers -- some of whom assumed it was a viral marketing campaign for The Walking Dead television series -- recent hacks targeting public safety infrastructure haven’t been so funny:

  • Mere days before President Donald Trump’s inauguration, hackers used ransomware to disable 70 percent of the cameras on a police closed-circuit surveillance network in Washington, D.C.
  • Also in January, ransomware sent several local government offices in Ohio “25 years back in time,” including a county police force and the 911 center. The telephones and radios at the 911 center remained operable, but dispatchers had no computer access, which lengthened response times.
  • In April, someone breached the Dallas emergency siren system, causing 156 horns around the city to blare for 90 minutes in the dead of night and panicking residents who flooded 911 centers with thousands of calls. At first, officials suspected a technical malfunction, which gave way to fears that the sirens’ computer system had been compromised. In the end, it turned out the hackers used radio signals to trigger the sirens.

Cold War-era legacy systems vulnerable

The U.S. emergency system runs on very old equipment; most of it dates to the 1980s. Since world interconnectivity did not exist, systems were designed for safety, ease of communication and reliability, not cybersecurity. Not only was there no such thing as “hacking,” pranksters and criminals had no way to quickly determine, for example, what radio frequency would actuate an emergency siren, and there was no publicly available documentation on its default credentials. Thirty years ago, determined hackers could have engaged in spycraft to obtain the information, but it would have been difficult or impossible for them to get the hardware they needed to produce the tones to pull off the hack.

The internet has changed the game. Finding information, even sensitive information on default login credentials for emergency systems, has become easy; in many cases, manufacturers themselves post instruction manuals online. Meanwhile, inexpensive pocket-size devices are capable of reproducing what were once thought to be complicated signaling protocols.

Smart technology no more secure than old systems

Antiquated legacy systems aren’t the only issue. As the internet of things expands, cities are becoming “smart,” implementing more wireless and internet-enabled devices and interconnecting emergency infrastructure. While connecting infrastructure to the internet can improve safety by allowing officials to remotely monitor and control systems and promote communication, it also opens the door to hacking.

The risk is higher on the local level than on the national scene. More attention is paid to critical infrastructure on the national stage; security protocols for power generation and transfer systems are highly regulated. Cities and counties are not subject to the same regulations, are notoriously underfunded and may not see the importance in allocating scarce funds to cybersecurity.

If a private-sector company suffers a bad data breach, the CEO may be forced to resign. While it looks bad when a city is publicly compromised, no one is fired or voted out of office. Local officials throw their hands up in the air, call the hackers who did it evil and spend far more money trying to track them down and punish them than they do on fixing the actual issue or looking for other, similar vulnerabilities.

What’s at stake and what can be done?

Hackers have numerous motivations for targeting emergency infrastructure. Ransomware is used to attack emergency services for the same reason it is used against health care facilities: fast, easy money extorted from an entity that absolutely cannot afford to be locked out of its systems. Hackers may also be motivated by political or religious ideologies, seek to cause further disruption as part of a real-world terrorist attack or even just want to pull a prank.

Any system is only as secure as the individuals defending it, and there is no such thing as a system that cannot be breached, given sufficient time, intelligence and resources. However, attacks can be prevented by taking proactive security measures.

First, local officials should perform regular system and data backups; always change manufacturer default login credentials before connecting hardware to a network; ensure that operating systems and software are kept up to date; and train employees to spot social engineering techniques, such as phishing emails.

Local governments should also follow in the footsteps of private businesses and crowdsource security vulnerability testing. All cities have a hacker community, and if white-hat hackers are given incentives to find vulnerabilities in a city’s infrastructure, those problems are less likely to  be found by malicious actors. A white-hat hacker in New Castle County, Del. , for example, recently discovered a vulnerability in a public safety mobile app and alerted authorities who patched the problem.

However, the entirety of a city or county’s cybersecurity cannot be crowdsourced. Local governments need the help of security professionals, but they may not have the budget to hire them in-house. Outsourcing cybersecurity to a managed security services provider is a good option for cash-strapped local governments. An MSSP can provide dedicated, around-the-clock security operations support to government entities. Staffed by experts with years of experience protecting critical infrastructure, MSSPs can cost far less than in-house security personnel.

Government agencies must take their vendors' security seriously as well, adopting vetting and security protocols that many major corporations have already put in place. These protocols must be a part of the selection process for any new vendor, as must service-level agreements in case vulnerabilities are every found or new ones emerge.

The zombie hack amused people but caused no disruptions; the Washington, D.C., and Ohio ransomware attacks went largely unnoticed by anyone except for law enforcement and emergency responders; and the Dallas siren hack kept citizens awake for 90 minutes but caused no long-term damage. The next breach could take down a 911 center’s phones or broadcast “news” of a terrorist attack, causing mass hysteria. Emergency infrastructure security is a matter of public safety, and taxpayers should demand that local officials take it seriously.

NEXT STORY: A brief history of GnuPG: Vital to online security but free and underfunded

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.