A team of Greek researchers at the Institute of Geodynamics, National Observatory of Athens, decided to look deeper into common and widely used seismological equipment and discovered multiple security vulnerabilities. These weaknesses could be fairly easy for remote actors with malicious intent to exploit and could disrupt the work of scientists and civil protection agencies.
Seismic activity monitoring devices are linked to the internet to provide research centers and scientists with live data feeds, enabling them to perform analysis, correlate with other positions, and make deductions. These stations use new-age seismographs, accelerographs, and GNSS receivers, which are basically a kind of pricey IoT device. As expensive as they may be, these devices don’t have strong user authentication layers to protect against third-party access and also use unencrypted communication protocols.
This practically makes it possible for a malicious actor to connect to these seismic observatories, get a live feed of data, alter the measurements, change configurations, and essentially create a situation that would generate a false alarm. Alternatively, the actor could “silence” these stations, making them beam back wrong data or no data at all, essentially depriving the authorities of the opportunity to identify seismic activity in time and to prepare accordingly.
In either case, the implications would be dreadful. Even if the scenario of missing an earthquake notice is somewhat strained, producing a phony event wouldn’t be hard and would be very damaging too. Responding to a large-magnitude earthquake costs a lot of money, human resources, and work hours, requires mobilizing available resources, and causes panic among the people. Besides, such an event would breed distrust in the official agencies and alarm mechanisms, so the public wouldn’t respond with fervor in the case of a future emergency.
The researchers didn’t just discover the vulnerabilities but also put them to the test. They intercepted seismological data transferred through the SeedLink protocol, which is a widely used service in the field. In a follow-up test, they manipulated the waveforms transmitted by SeedLink, so the potential for catastrophic disruption was demonstrated in practice.
As the leader of the study (M. Samios) points out, solving these flaws is a matter of convincing the vendors of professional equipment to patch the bugs and up their data encryption game. Also, seismic network operators could work with infosec experts to develop new and safer practices that enhance their systems' security on both the software and the hardware level.