A local white hat hacker identified security concerns with an emergency public safety app that's widely deployed in New Castle County, and is slated for a funding increase in the county's FY 2018 budget.
The vulnerability with the Rave Panic Button application was discovered in January by Randy Westergren, who wrote about the issue on his security blog.
"It's impossible to differentiate between a legitimate user and an illegitimate user," he said.
Anyone can download and install the app, but the average Delawarean wouldn't be able to do much with it without a license. Using his technical skills, Westergren was able to reverse-engineer the app, which includes access to highly secure 911 emergency services, building plans, and points of contact for emergency situations.
"I was able to see a lot of the functionality of the code written in the app itself," said Westergren. "It's indicative of a greater lax of security in the system as a whole."
Being a white hat, he immediately contacted Rave with his concerns.
Todd Piett, Chief Product Officer at Rave Mobile Safety, told WDEL they quickly patched the problem and paid Westergren a finder's fee for making them aware of it. Bounties or finder's fees are common in the tech industry.
"We were grateful that he found that issue, but the reality is that there's a number of safeguards on the server side that would prevent anyone from doing anything, even if they were able to register," said Piett.
"After Randy identified the vulnerability, we put some additional encryption and other methods of ensuring that a falsified registration can't be made, so we're very confident now in the security of the application."
Without a serial number or the full access of a registered user, Westergren couldn't see much more without crossing over into potential illegal activity. But he believed the potential risks could be high.
"You have the ability for anyone to sort of impersonate or spoof emergency calls...if you're a bad guy and you wanted to do something bad to a school or hospital you have a treasure trove of everything you'd need to do that," he said. "You've got denial of service issues, where you could interfere with legitimate alerts."
Piett said users couldn't get into security protocols without compromising the app, but said safeguards already in place include restricted access for users of the application. He added their app only dials 911 for users at the push of a button--it doesn't change the way a call is routed or the way a caller would interact with existing emergency services.
"You couldn't actually activate a case because once you get into that point--our system in the back-end--it doesn't recognize that that phone number was authorized," said Piett.
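The point Piett makes here, that the back end must not act on a registration or a case activation just because the client says the device is licensed, is the core defensive lesson of the story. The following is an added illustration written for this article, not Rave's code and not a description of the Rave Panic Button API: every function name, license serial, phone number and secret in it is constructed. It contrasts a registration check that trusts a client-supplied flag (the pattern that lets a modified app "simulate being a user") with one that validates the serial and phone number against server-side records and issues a signed, expiring token that case activation must present.

```python
"""Added example (not Rave's code): server-side authorization of app
registration and case activation, versus trusting the client.

All serials, phone numbers and the secret below are constructed for the
example; the real Rave Panic Button API is not described in the article.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side license registry: serial -> facility record.
LICENSES = {
    "SERIAL-0001": {"facility": "Example Elementary", "active": True},
    "SERIAL-0002": {"facility": "Example Mall", "active": False},  # revoked
}
# Constructed registry of phone numbers an administrator has enrolled,
# mapped to the serial each one is allowed to register under.
AUTHORIZED_PHONES = {"+13025550100": "SERIAL-0001"}

# Server-only signing secret (constructed; a real service loads it from a secret store).
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a registration token stays valid

SCENARIOS = {"active_shooter", "fire", "police", "medical"}


def weak_register(client_claims: dict) -> bool:
    """Insecure pattern: the client asserts it is licensed and the server believes it.
    A reverse-engineered or modified app can simply send licensed=True."""
    return bool(client_claims.get("licensed"))


def _sign(payload: dict) -> str:
    """Serialize the claims deterministically and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + mac


def _verify(token: str) -> Optional[dict]:
    """Return the claims only if the HMAC tag matches; None for malformed or forged tokens."""
    try:
        body_hex, mac = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(body)


def register(serial: str, phone: str, now: Optional[float] = None) -> Optional[str]:
    """Server-side registration: succeeds only when the serial is a known, active
    license AND the phone number was enrolled for that serial by an administrator.
    Returns a signed, expiring token on success, otherwise None."""
    now = time.time() if now is None else now
    lic = LICENSES.get(serial)
    if lic is None or not lic["active"]:
        return None
    if AUTHORIZED_PHONES.get(phone) != serial:
        return None
    return _sign({"serial": serial, "phone": phone, "exp": now + TOKEN_TTL})


def activate_case(token: str, phone: str, scenario: str, now: Optional[float] = None) -> bool:
    """Case activation: the token must verify, be unexpired, name the same phone
    number the request claims, and that number must still be authorized.
    Nothing the client asserts on its own is enough to open a case."""
    now = time.time() if now is None else now
    claims = _verify(token)
    if claims is None or claims["exp"] < now:
        return False
    if claims["phone"] != phone or AUTHORIZED_PHONES.get(phone) != claims["serial"]:
        return False
    return scenario in SCENARIOS


if __name__ == "__main__":
    print("weak check accepts forged flag:", weak_register({"licensed": True}))
    tok = register("SERIAL-0001", "+13025550100", now=1000.0)
    print("registered:", tok is not None)
    print("activation with valid token:", activate_case(tok, "+13025550100", "fire", now=1500.0))
    print("activation with other phone:", activate_case(tok, "+13025550199", "fire", now=1500.0))
```

The design choice worth noting is that the token binds the phone number and serial together under a server-held key, and activation re-checks the enrollment table rather than trusting the token alone, so revoking a number or a license takes effect immediately even for tokens that have not yet expired.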
Piett said Westergren stopped as he started to access Rave's servers, which he said are audited.
"Is that to say that a more sophisticated hacker couldn't have used that exposure and really probed and tried to discover something? I'd be lying to you if I said that," Piett said. "Randy did identify a way that you could get through our registration process and simulate being a user. Once you had those interfaces exposed, it is possible that somebody could have...tried to dig in more. Now, again...we already patched that, and encrypted that, and obscured all of the references he had mentioned."
Piett said the vulnerability, which he called an oversight in the application's roll-out, was never exploited.
"There was nobody that we could see [that had] any access to the system or anything that had happened. Now, again, I don't want to discount the fact that we had a vulnerability that we shouldn't have had in there, and Randy discovered it. But the reality is the exposure was pretty minimal, and what he did identify was quickly patched."
Westergren said a basic outside review of security for the app would have easily found what he reported.
"I know the thing that I did report is very low-level, so if that's there, the likelihood that many other things are there is very high," Westergren alleged.
Piett said the app hadn't been assessed by a third-party security firm prior to Westergren's discovery and that only the company's servers had undergone such an inspection. The app has since undergone a security review, Piett said.
New Castle County's Usage of Rave Panic Button
New Castle County first rolled out the Rave Panic Button in schools, shopping malls, community centers and other large facilities in November of 2016. The app has buttons to notify police of a number of scenarios, including active shooter, fire, police, or medical.
With the push of a button during an emergency, the app not only calls 911 but gives police instant information on how to access the facility, increasing the potential for more rapid response times. It also sends notifications to anyone working in the building that there's an emergency.
"[What I found] is quite serious...I am sort of in disbelief that the app is this widely-deployed--not just in our country--but it's used by other municipalities across the nation. There's quite a bit of concern [since] the things I found are very cursory, and it makes me wonder what else is in there," said Westergren.
Jeff Miller, chief of the New Castle County Emergency Communications Division, said Rave Mobile Safety communicated the vulnerability to him from the beginning and he was pleased with their quick fix.
"They had to interrupt the system for three to four hours, which meant no one could have used the panic button if they were in need of it; then, they sent a message to all panic button users that they had to update their panic button or it wasn't going to work--that apparently, their new rock-solid no one getting in the backdoor spoofing anyone's phone number type of thing" was complete.
Miller has been a customer of Rave Mobile Safety since 2012, when the county rolled out usage of Smart 911.
"We have great confidence in them," said Miller. "I believe in Rave Mobile Safety's ability...they pay people to try to hack them just to be sure--[how rudimentary this was] kind of causes me to be quizzical a little bit because they already pay people to try to hack them, and I can't believe another hack wouldn't have found it."
"[Piett] did tell me that it was something they should have discovered, he was very honest about that," said Miller.
Miller said the panic button worked flawlessly when used by the Siegel Jewish Community Center in Brandywine Hundred during two of the facility's recent bomb scares.
"If I had any cause or concern anyone's information could be potentially jeopardized or stolen from [Rave], we would shut the panic button off immediately."
In the Fiscal Year 2018 budget, County Executive Matt Meyer proposed $160,000 in funding for Rave as the county continues to try to expand usage of the panic button system. The payment is not exactly an expansion but rather a licensing fee, which allows the county to use the panic button as widely as it desires.
"We're trying to get this into all of the schools during the summertime, when it's slower, so by next school year, I hope to have all of the schools use the panic button."
Online Terrorists: Attacks on 911 emergency systems rise nationwide
Attacks on public safety systems and infrastructure have become a larger concern recently.
The Washington Post in October 2016 reported on what it called the largest cyberattack on the country's emergency-response system ever, after a malicious link spread on Twitter exploited cellphone software, forcing users' phones to repeatedly call 911. In Dallas in April 2017, hackers were able to set off tornado sirens, faking an emergency alert and scaring residents. Also in April 2017, AT&T users had trouble calling 911 nationwide due to what the company, at the time, called a "service issue." The FCC is investigating the widespread outage.
The attacks could lead to safety standards being set at the federal level to protect public safety applications. Rave said they're looking at investments in various tools that could find and track vulnerabilities.
"Every day you check your app store, and there's something new with the numbers 911 in it, and it gives all of the 911 centers grave concern," said Miller. "When you push this button, where's it going, when it gets here, and how can we ensure it's getting to the right 911 center."
Miller said Rave is involved in beta testing with the U.S. Department of Homeland Security to develop security checks for all 911 apps with the Association of Public-Safety Communications Officials (APCO).
"My understanding is that [Rave] passed fairly well," said Miller.
"It's kind of a tough world out there, people are out there with malicious intent, whether they're trying to hack into your bank system or trying to screw with the alert system, there's people out there that are constantly doing it," said Miller.