Spurred by the panic-inducing fake alarm about an inbound ballistic missile received by Hawaii residents in January 2018, a group of researchers from the University of Colorado Boulder wanted to check whether attackers could spoof Presidential Alerts, which are delivered to all capable phones in the United States via the Wireless Emergency Alert (WEA) program.
As it turns out, it’s possible, although quite a lot of effort is required to target just a small subset of the populace.
The Wireless Emergency Alerts (WEA) program is a US government-mandated service that requires wireless cellular service providers to send geographically-targeted emergency alerts to their subscribers.
These include AMBER alerts (regarding missing children), severe weather alerts, and (unblockable) Presidential Alerts.
By exploiting security vulnerabilities in the WEA system and by using a commercially-available software defined radio, modified open source NextEPC and srsLTE software libraries and four malicious portable base stations of 1 Watt power, the researchers demonstrated that they can deliver a spoofed alert to almost all occupants of a 50,000-seat stadium.
“The true impact of such an attack would of course depend on the density of cell phones in range; fake alerts in crowded cities or stadiums could potentially result in cascades of panic,” the researchers noted in their paper.
As they explained it, they performed the attack by injecting a fake CMAS (commercial mobile alert service) message at the wireless stage from a rogue base station.
The malicious station first sent a paging signal with a CMAS indication to wake up all user mobile phones in idle mode, and then broadcast the spoofed alert message via a specialized (SIB12) message over the air.
Fixing this problem will require a collaborative effort
The researchers disclosed their research and the technical details of this attack to government and standardization organizations (FEMA, FCC, DHS, NIST, 3GPP, and GSMA), US cellular network service providers (AT&T, Verizon, T-Mobile, Sprint, and U.S. Cellular) and Samsung, Google, and Apple (manufacturers of some of the “vulnerable” mobile phones).
“Fixing this problem will require a large collaborative effort between carriers, government stakeholders, and cell phone manufacturers,” they pointed out, and laid out two potential defenses (although they concede that they might be just a starting point for final, robust solutions):
- Digitally signed alerts
- Software solutions (on the mobile phones) that would ignore unsecured CMAS alerts or attempt to detect false alerts by fingerprinting characteristics of legitimate base stations.
The researchers’ attack works on 4G LTE networks, but it will also work on 5G networks.
“According to the 5G RRC (Radio Resource Control) standard, SIB12 is likely to be deployed in 5G systems, so CMAS spoofing will be one of the critical security threats well into the future,” the researchers pointed out.