Computer Hacker or Hackers Attacked and Accessed Indianapolis 9-1-1 Center in December 2014

This week it was learned that computer hackers accessed the emergency 9-1-1 system in Indianapolis that dispatches all police, fire and EMS vehicles across Indianapolis. The attack started December 20, 2014 and lasted several days. The information about the attack was not made public until a speech Tuesday afternoon, January 20, 2015.

“We haven’t said this because we wanted the investigation to continue, but we had our own cyberattack against our public safety communications systems.”

— Public Safety Director Troy Riggs

Officials say the cyberattack slowed the 9-1-1 system down, but since there is a redundant computer network, public safety was never compromised. Officials did not say what part of the network was affected. Computer systems in dispatch centers provide a variety of information, which could include emergency protocols, premise histories, security access codes at residential and business properties, general residence information, vacation watch information, general business information, business agent information, fire pre-plan information, emergency vehicle selection response information, a variety of geographical information system data, radio communications control and functions, and radio channel and radio security information.

Premise histories can include information, such as whether a resident has any particular hazards or threats on their property — usually based on experiences from prior visits to a property during a previous Police and/or Fire/EMS response. Examples could include whether a resident possesses guns or other weapons with details, such as “resident keeps a sword next to the front door” or “vicious dog on the property” or medical history information. Hazardous materials information, Material Safety Data Sheet information and other fire safety information can also be stored on public safety information systems.

For security reasons, officials did not specify exactly what part of the system was affected. A full breach could involve hackers modifying vehicle selections in Computer Aided Dispatch (CAD) systems, or could involve downloading the premise histories of residences and business properties across the city. The breach would likely cause administrators to need to audit their system to make sure hackers did not change configurations.

Regarding encrypted radio systems, hackers could gain access to radio registration information, and possibly register an outside black market radio so that it could become part of the network and monitor radio communications that police believe are encrypted and private. A careful audit of the system would be required to determine whether a radio asset is on the system that doesn’t belong there. If such a radio were discovered it could be disabled remotely, and the system passwords and encryption keys could be changed so that the radio is no longer permitted on the system. The system may have protections against this type of false registration, but that doesn’t mean it can’t be overcome.

On the modern radio side, computerized digital signals are used to transmit voice, and researchers at University of Pennsylvania have shown that radios can be hacked with a toy made by Mattel at low power. The disruption could cause 9-1-1 administrators to need to turn off encryption or transmit in “the clear” in order to get the radio system to work. The digital signals are easier to mess up with lower power jammers than the “old school” analog radios. “Old School” systems can be jammed, but it is easier for radio signal investigators to discover the source of the jamming.

The University of Pennsylvania researchers listed a scenario where an attacker could choose to attack only uplink messages on the radio control channel of a 9-1-1 trunked P25 system (the system that most 9-1-1 centers use). The cyber attack could effectively cause disruption of the entire trunked network at an extremely low cost to the attacker, the researchers reported.

The researchers declared that hackers could use some tricky methods to make it hard to detect where their interference and attacks on the radio system are originating. Basically the attacks could move around and last mere hundredths or even thousandths of a second — making it difficult to detect the location of the attacks. For example, an attacker could choose to deploy multiple battery-operated jamming devices in a metropolitan area, placing them in public locations to make tracing of the devices harder to achieve. The researchers said the devices could be surreptitiously attached to vehicles of third parties, such as taxis, delivery trucks, or other vehicles that are known to be constantly moving around in the areas covered by the public safety radios. Such devices could be made to automatically activate in a zone at any given time or location, or commands to control the devices could be executed over the air. They could jam the various towers that are operating in the community.

Older, more robust radio systems used in the 1970s and 1980s are not vulnerable to this type of attack because low voltage devices cannot overpower the system of the single tall radio tower. If a powerful jamming device were used, it would have to be activated for a prolonged time period to be effective, and its strong signal could be detected by a method called triangulation that can pinpoint the jamming signal — even if it is moving.

“I’m not going to go into our behind the scenes operations, but because of our redundancies and the close work with the sheriff’s office, we were able to continue to dispatch vehicles on time; it did not affect that but it could have.”

— Public Safety Director Troy Riggs

Riggs acknowledged a hacker attack could happen again. He added that he believes cyberattacks and hacker attacks are the number one safety threat to businesses and government agencies in the United States.

Some experts have criticized the everyday common use of sophisticated radio systems because it gives hackers greater opportunity to overcome the sophisticated system. By limiting the sophisticated system to sporadic use by tactical teams (SWAT) and drug sting operations, and mixing up communications with text messaging and other methods, public safety professionals would be deploying the same methods that the hackers with mobile low power jammers would employ to avoid detection — intermittent and sporadic activity. Having the sophisticated system on 24/7 for everyday police communications is just plain stupid, because hackers have all day to chip away at the system, according to some experts.

Indianapolis city officials say they quickly identified the cyber attack and then took steps to stop it. However, even if officials can take steps to stop intrusion, they still probably don’t have an effective, quick method to stop a brute force attack on the system that would simply bring the radio system down with low power moving jammers. Those could make the radio system totally unusable. Ironically, the P25 system that was required by the federal government to have a more functional capacity in a post-9/11/2001 world might actually be more at risk than the “old school” radio system.

Meanwhile, the Indianapolis Department of Homeland Security and FBI are investigating the breach.

Reference: University of Pennsylvania, “Security Weaknesses in the APCO Project 25 Two-Way Radio System” [PDF]
