National emergency alertsNational emergency alerts potentially vulnerable to spoofing

Published 24 June 2019

On 3 October 2018, cell phones across the United States received a text message labeled “Presidential Alert.” It was the first trial run for a new national alert system, developed by several U.S. government agencies as a way to warn as many people across the United States as possible if a disaster was imminent. Now, a new study raises a red flag around these alerts—namely, that such emergency alerts authorized by the President of the United States can, theoretically, be spoofed.

On 3 October 2018, cell phones across the United States received a text message labeled “Presidential Alert.” The message read: “THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed.”

It was the first trial run for a new national alert system, developed by several U.S. government agencies as a way to warn as many people across the United States as possible if a disaster was imminent. 

Now, a new study by researchers at the University of Colorado Boulder raises a red flag around these alerts—namely, that such emergency alerts authorized by the President of the United States can, theoretically, be spoofed.

Colorado says that the team, including faculty from CU Engineering’s Department of Computer Science (CS), Department of Electrical, Computer and Energy Engineering (ECEE) and the Technology, Cybersecurity and Policy (TCP) program discovered a back door through which hackers might mimic those alerts, blasting fake messages to people in a confined area, such as a sports arena or a dense city block.

The researchers, who have already reported their results to U.S. Government officials, say that the goal of their study is to work with relevant authorities to prevent such an attack in the future.

“We think this is something the public should be aware of to encourage cell carriers and standards bodies to correct this problem,” said Eric Wustrow, a co-author of the study and an assistant professor in ECEE. “In the meantime, people should probably still trust the emergency alerts they see on their phones.”

The researchers reported their results at the 2019 International Conference on Mobile Systems, Applications and Services (MobiSys) in Seoul, South Korea, where their study won the award for “best paper.”

False alarm
Wustrow said that he and colleagues Sangtae Ha and Dirk Grunwald decided to pursue the project, in part, because of a real-life event.