National emergency alerts potentially vulnerable to spoofing

In January 2018, months before the first presidential alert test went out, millions of Hawaiians received a similar, but seemingly genuine, message on their phones: someone had launched a ballistic missile attack on the state.

It was, of course, a mistake, but that event made the CU Boulder team wonder: How secure are such emergency alerts?

The answer, at least for presidentially-authorized alerts, hinges on where you look.

“Sending the emergency alert from the government to the cell towers is reasonably secure,” said co-author Sangtae Ha, an assistant professor in the Department of Computer Science. “But there are huge vulnerabilities between the cell tower and the users.”

Ha explained that because the government wants presidential alerts to reach as many cell phones as possible, it takes a broad approach to broadcasting these alerts—sending messages through a distinct channel to every device in range of a cell tower. 

Fake messages

He and his colleagues discovered that hackers could exploit that loophole by creating their own black-market cell towers. First, the team, working in a secured lab, developed software that could mimic the format of a presidential alert.

“We only need to broadcast that message into the right channel, and the smartphone will pick it up and display it,” Ha said.

And, he said, the team found that such messages could be sent out using commercially available wireless transmitters with a high success rate, reaching roughly 90 percent of phones in an area the size of CU Boulder’s Folsom Field and potentially sending malicious warnings to tens of thousands of people.

It’s a potentially major threat to public safety, said Grunwald, a professor in computer science.

“We think it is concerning, which is why we went through a responsible disclosure process with different government agencies and carriers,” he said.

The team has already come up with a few ways to thwart such an attack and is working with partners in industry and government to determine which mechanisms are most effective. 

Key takeaways from the research:

·  Cell phone users can’t opt out of presidential alerts, which are text messages sent to phones in the U.S. in emergencies.

·  Researchers have discovered that hackers could, theoretically, spoof such alerts, blasting false messages to phones in a confined space like a sports stadium.

·  The team is currently working with cell carriers and government agencies to develop ways to thwart such attacks.

— Read more in Gyuhong Lee et al., “This is Your President Speaking: Spoofing Alerts in 4G LTE Networks” (paper presented at MobiSys ’19, Seoul, Korea, 17 June 2019)