Australians got scary texts, emails and phone calls from a trusted emergency warning service late last week after a hacker broke into its systems and used them to send fake messages.
On 5 January, the intruder compromised systems operated by the Early Warning Network, an Australian company that provides early warning information about severe weather events and bushfires to clients across the country. Started in 2007, the company provides emergency warning services to federal, state and municipal government clients to help protect their citizens.
The hacker used EWN’s systems to send messages to citizens via email, landline phone calls, and SMS. The messages, sent from email@example.com, were titled “EWM Hacked – Privacy Alert” and read:
EWM has been hacked. Your personal data stored with us is not safe. We are trying to fix the security issues. Please email firstname.lastname@example.org if you wish to subscribe. ewn.com.au ASX AER
The company moved quickly to fix the problem, catching the attack and shutting off the system. Nevertheless, a “small proportion” of its database received the alert, it said in a Facebook notice. Reports indicated that tens of thousands of people had been affected.
On Monday the company updated its post, adding that the hacker had hijacked a legitimate account to log in and post the nuisance spam. It also dismissed fears that the link in the nuisance message could have been a phishing attempt, adding:
The link used in this alert were [sic] non-harmful and your personal information was not compromised in this event.
Luckily, Aussies are a savvy bunch. Comments on the Facebook post came mostly from people who said they had received the message and deleted it as suspicious, although a handful said that they had clicked on the link and were now worried. To its credit, EWN answered these comments – along with direct emails – reassuring concerned citizens that the message wasn’t a threat and their personal information was safe.
Some municipal councils in Australia that subscribe to EWN services and distribute alerts to their citizens also reposted the company’s warnings.
This is not the first time that an early warning system has fallen victim to a mischievous hacker. On Friday, 17 April 2017, Dallas residents got a rude awakening when all 156 of the city’s emergency sirens went off between 11:40 PM and 1:20 AM.
Calls from worried citizens doubled over the night to at least 4,400, according to officials, who admitted that a hacker had compromised the city’s early warning infrastructure. The city, which said that the sirens had been triggered using a radio signal rather than via the internet, subsequently installed encryption equipment to make the sirens more secure.
A year later, San Francisco-based security company Bastille found a vulnerability that it labelled SirenJack, affecting emergency alert equipment created by ATI Systems. The sirens it investigated used unencrypted radio protocols for remote control, enabling researchers to create malicious activation messages and beam them to the devices directly. The vulnerability affected the city of San Francisco among others, the research team said, adding that attackers could play their own music or alerts across cities using something as simple as a “handheld radio you can buy from Amazon.”
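One way a receiver can reject forged or replayed activation messages of the kind described above, shown as an added example that is not code from Bastille, ATI Systems or any city. The frame layout, command value and key handling are assumptions made for illustration; the check relies on a message authentication tag plus a counter, since encryption alone does not stop a captured frame from being replayed.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (constructed for this example):
# siren id (2 bytes) | command (1 byte) | counter (8 bytes) | tag (16 bytes)
HEADER = struct.Struct(">HBQ")
TAG_LEN = 16  # truncated HMAC-SHA256 tag


def build_frame(key: bytes, siren_id: int, command: int, counter: int) -> bytes:
    """Controller side: serialise the command and append an HMAC tag."""
    body = HEADER.pack(siren_id, command, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class SirenReceiver:
    """Siren side: accept a command only if it is authentic and fresh."""

    def __init__(self, key: bytes, siren_id: int):
        self.key = key            # assumed to be a per-siren secret
        self.siren_id = siren_id
        self.last_counter = 0     # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return the command byte, or None if the frame is rejected."""
        if len(frame) != HEADER.size + TAG_LEN:
            return None
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; verify the tag before parsing any field.
        if not hmac.compare_digest(tag, expected):
            return None
        siren_id, command, counter = HEADER.unpack(body)
        if siren_id != self.siren_id:
            return None
        # A recorded frame carries an old counter, so a replay is dropped.
        if counter <= self.last_counter:
            return None
        self.last_counter = counter
        return command
```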
Aside from the potential for phishing campaigns and malware distribution, attacks on early warning systems pose another danger: the ability to spread confusion. An intruder could use attacks like these to spark panic among a wide population, possibly as part of a bigger attack by a terrorist group or nation state. The tendency for initial warnings to spread quickly on social media could throw cities into chaos.
It’s yet another area where enhanced security measures are crucial to avoid attackers exploiting vulnerabilities at some critical point in the future.