Bull Session
Hacking Infrastructure
April 13, 2017
Episode Summary
On this episode of The Digital Life, we discuss our vulnerable infrastructure, in light of the recent hacking attack on the Dallas emergency sirens. Our real world infrastructure — from power plants to airports to dams — is increasingly subject to both online and offline security breaches, which represents a significant problem in a world where the Internet of Things (IoT) is just beginning to take hold.
While the Dallas hack was accomplished via a radio or telephone signal — not an online breach — it nonetheless provides a prime example of how such attacks disrupt municipal emergency response. Over 4,000 calls flooded the city’s 911 system, forcing real emergencies to wait. Unfortunately, the spectrum of these attacks runs from malicious prank to terrorism and it’s hard to know what kind of attack is happening as it occurs.
Potential outcomes, including the difficulties brought on by service disruptions for electricity, water, transportation, etc., not to mention increased skepticism of emergency systems, could potentially be life threatening. What are the solutions for such hacks on critical infrastructure? And how should we view these types of events and react to them in a resilient fashion in the future?
Resources:
Hacking Attack Woke Up Dallas With Emergency Sirens, Officials Say
Sirens in Dallas, Texas Maybe Civil Defense Tests? Hackers?
Culprit broadcast signal that triggered Dallas’ emergency sirens Friday night
Someone hacked every tornado siren in Dallas. It was loud.
Welcome to Episode 202 of The Digital Life, a show about our insights into the future of design and technology. I’m your host Jon Follett, and with me is founder and cohost, Dirk Knemeyer.
Greetings listeners.
For our podcast this week, we’re going to talk a little bit about hacking critical infrastructure in light of the recent Dallas hacking attack over the weekend. On Friday night, there was a hacking attack on the Dallas Emergency Sirens that basically warn folks about tornadoes, other weather emergencies, or just emergencies in general.
This attack I think shows how our real-world infrastructure is just frequently being undermined by these security breaches.
I don’t know if “frequently.”
Well, I mean surprisingly, these incidents are becoming more common, so maybe you’re right. That “frequently” isn’t-
It’s hyperbolic Jon.
It’s not hyperbolic. It’s-
You’re like a tabloid baby.
Yes, The Digital Life daily news here. But there are more and more examples every month of sort of major and minor hacking problems. For instance, a few months ago we were talking about how the servers at [/den/ 00:01:45] were brought down by a denial of service attack due to this IoT botnet. Now, totally different circumstances, but I would say that the level of complex systems that we now have combined with just this sort of wave of technical know-how combined with whether you call it hacking for a prank or for something more malicious.
Those two things are converging, so people understand how to manipulate these systems and then there are a variety of reasons to do that, whether it’s for attention, whether it’s to cause some mischief, or whether it’s to actually cause harm.
Yeah.
Which we can all touch on today. Let’s start with a little bit of a summation of the Dallas Emergency Siren hacking attack. I have from YouTube, user Theme Park Brews posted this on Friday night.
Can you guys hear that? What the heck is going on? So, I was looking at Twitter, and I was trying to see what was going on, and there are sirens going off all over Dallas right now, so if you guys know what’s going on, let me know in the comments below because I have no idea. I’m in Dallas, Texas. It is 11:51 PM, April 7th, and I just want to know what’s going on. It sounds like every single alarm within at least a 20-mile radius here is going off, and I’m checking out Twitter. It sounds like it’s going on all over Dallas.
So that’s a little bit of audio from YouTube. YouTube and Twitter are really turning into the news resources for the digital age, but all 156 of the city’s emergency sirens went off late on Friday night, so around 11:30, and that continued for several hours before the city sort of figured out what to do about it. In the meantime, there were well over 4,000 calls to their 911 system, which is from what I understand, not too good to begin with.
It was overwhelmed now with calls from people worried about the sirens going off. Early today, it was revealed that the hack was actually completed via a radio or telephone signal that triggered all the alarms at the same time, so it wasn’t strict-
Sound hi-tech Jon. I got to tell you.
Well, it wasn’t strictly a malware or a computer hack the way we would-
Kim Jong Un wasn’t on the other side of this? Putin?
I would hope not. I would hope they’re not sitting there with cellphones trying to set off Dallas’s emergency siren system, but this just shows the spectrum right?
Yeah.
So on one side of the spectrum you have what are more or less pranks, and on the other side of it, you have digital terrorism, right?
Yeah.
So in the Ukraine, there was a power plant that was hacked with malware, which more or less took out people’s power for many hours. So you have this real-world infrastructure that’s intersecting more and more with technology, and I think part of the problem that we’re facing now is how do we react to this possible wide array of hacking attacks, because this really is almost like the weather.
Like you have weather where you just need to grab a coat or an umbrella and you don’t really pay much mind to it, and there’s weather where you damn well better stay indoors and get into your basement because it’s very serious.
We’ve got this same spectrum of possibilities now with these hacking attacks, and I think we’ll figure it out, but it will take a little time to truly, as a group, sort of figure out what the right reactions are because 4,000 to 9-11 while other emergencies are being held up, that’s an unintended consequence that no one wants, I would think.
Maybe the hacker wanted it. Who knows?
How does all of this play for you? In this particular case it’s just kind of silly because it sounds like a city-wide rave from that audio, but I’m sure in the middle of it, if everywhere you go a siren’s going off, that’s got to be pretty alarming.
Yeah, it really is a reflection of how we’re still in the early days, the Wild West of these technologies. I think about the electricity industry. Electric powered lights started in the 1870s. We’ll talk about New York City. The industry in New York City, it started in the 1870s and by the early 1880s, if you would look up in the sky from within New York City, within Manhattan let’s say, the sky was crisscrossed with electric wires.
There were just electric wires hither and thither and hanging everywhere. It was not uncommon for people to be electrocuted by them because a live wire would fall or even just installers trying to put up the new line and there’s so many other lines they’re contending with in this horrible infrastructure, and it’s because it was early days in the Wild West.
There were two things that improved the situation. One was technology, and not surprisingly talking about the electricity industry, it was Thomas Edison who innovated underground wires and a system, a very crude by today’s standards, system of a box where these wires ran through that moved underground.
The other part was legislative, was laws were then passed. Standardization was established where there were enough disasters, enough catastrophes that things needed to change. So there was a technology then that enabled the change and it all kind of fell into place at that point.
We’re still in the “live wires hanging crisscrossed over our heads” stage of this sort of Internet of Things, connected environments, technology. I’m filling in some blanks here. I don’t have insider knowledge, but you have a municipal government that is probably dealing with budget shortfalls in lots of different ways that is probably at best, slightly behind on technology, possibly horribly behind on technology.
Nonetheless, doing their best within the limitations they’re faced with to put a system in place that’s leveraging some of the technology in ways that seem logical and sensible and smart. It’s a catastrophe, clearly, because of what happened, and so after that failure, again in the 1870s, 1880s, a pedestrian getting electrocuted arbitrarily, there’s going to be improvement. There’s going to be change.
A lot of other municipalities looked at what happened in Dallas that night, and they were like, “That can’t happen to us. What are they using? What are we using? How do we avoid it?” Something like this very well could happen again. This isn’t the end of it, but it’s one step in moving from the early days, the Wild West, the almost more sort of tinkering and trusting and just having faith that things will work out into systems that are more sustainable, more resilient. We just aren’t to them yet.
It’s immature. It’s early days, Jon.
Yeah, I think the Dallas system, to your point, is an older one, and it clearly has a remote access element to it which very well could be handled via computer, although they were explicit in saying that that system was not compromised, that it was this older system that was triggered by telephone or radio.
They’re all daisy-chained together. I mean, they’re all part of the same system at the end of the day.
And that’s what’s very interesting about the Internet of Things because some of these systems are being upgraded with sensors to make them either provide information from the environment they’re in or accept commands from remote inputs. So the promise of the Internet of Things is really to wire up some of your new infrastructure which will have the stuff built in, but also to retrofit your older pieces so that whether you’re running a farm or whether you’re running some manufacturing, you can wire it up and it becomes IoT enabled.
What this shows is that there are lots of gaps where mischievous, malicious people can find ways to create problems when you become reliant on these systems. Not only from the perspective that, “Hey we are starting to really expose some of this so that there are that many more attack surfaces,” but we are also not necessarily keeping track of all the attack surfaces that already exist in these sort of ancient but still functioning systems and especially when it comes to government. There’s discussion about old government computers at the White House that were exposed to hacking.
I can’t imagine what operating systems those things are running on, but it does raise the issue that if you want to create mischief, if you want to create problems, the 21st century, the era of the empowered small group or the empowered individual, it’s upon us, and you have that much more ability to wreak havoc whether it’s something as seemingly benign as the outcome of this Dallas hack or something less benign as people have power cut or some other problem that could come up.
I liked the word you used earlier talking about “resilience.” These systems are not very resilient, so as part of design for IoT and better security, I think it’s important that the systems that we create have multiple backups, whether you’re talking about for this critical infrastructure, or as we consider things like global warming, where even the very foundations of our cities are going to be in trouble because we’ll have that much more flooding or that much more water coming into a city like our city of Boston or our neighbors on the East Coast in New York.
Resilience is sort of the watch word of technology infrastructure for the 21st century in light of hacking and in light of the weather conditions that we’re facing.
I mean the security industry is already one of the largest verticals in software. What was the word you said? The frequency of these dastardly attacks just reinforces that it probably still isn’t enough, that we’re under-investing in security. Look Jon, I mean part of it is decadence, right?
Here in the United States, large parts of Europe, other places around the world, we’re wealthy. We’re comfortable, and we forget the fact that the foundation for a higher functioning civilization begins with security. It begins with safety. With the internet, with all of these different modern communication tools and infrastructures, I’ll call them software infrastructures, we are really lax on the security part because we live in a physical reality of abundance and comfort.
We just kind of take for granted that we can’t really be given the shove, then the ways that we can. We are horribly exposed. I mean we’ve talked in a lot of different ways on the show about this over the years, but I’ve been very cavalier in saying, “Look, I’m certainly not going out there exposing my stuff, but I take for granted that my stuff is out there in a way, where for example, somebody could assume my identity and take all my money.” But I shrug and I say, “Well, you know. I’m participating in this world. I like participating in this world, and the government or the bank will bail me out anyway.”
That is a horribly irresponsible mindset, but it’s the mindset that most of us bring either consciously or unconsciously to our activities in the digital world. The fact is, we’re not safe. We’re not secure. We are exposed. To what degree is that going to cost us our lives or massively impact our lives for the worst? It’s probably not likely, but it could happen. We’re exposed for it, and we don’t seem to care too much.
The conclusion I think to all of this is in part at least to begin to understand our reliance on these systems and also that a certain degree of skepticism and resilience is going to be required to navigate going forward, especially when it comes to understanding the possibilities that you’re receiving information but you can’t always believe the information you’re receiving, seems to be the caution that we all have to take.
Listeners, remember that while you’re listening to the show, you can follow along with the things that we’re mentioning here in real time. Just head over to TheDigitaLife.Com. That’s just one “L” in The Digital Life, and go to the page for this episode. We’ve included links to pretty much everything mentioned by everybody, so it’s a rich information resource to take advantage of while you’re listening or afterword if you’re trying to remember something that you liked.
You can find The Digital Life on iTunes, SoundCloud, Stitcher, PlayerFM, and Google Play, and if you want to follow us outside of the show, you can follow me on Twitter @JonFollett. That’s J-O-N-F-O-L-L-E-T-T. And of course the whole show is brought to you by Involution Studios, which you can check out at GoInvo.Com. That’s G-O-I-N-V-O.Com. Dirk?
You can follow me on Twitter @DKnemeyer. That’s @ D-K-N-E-M-E-Y-E-R. And thanks so much for listening.
So that’s it for Episode 202 of The Digital Life. For Dirk Knemeyer. I’m Jon Follett, and we’ll see you next time.