Presidential Alerts that all modern cell phones in the United States are required to receive and display as part of the Wireless Emergency Alert (WEA) program can be spoofed, researchers have discovered.
Issued via the Integrated Public Alert and Warnings System (IPAWS) along with AMBER alerts and imminent threat alerts, the Presidential Alerts are intended to inform the public of imminent threats and cannot be blocked.
In a recently published whitepaper, a group of security researchers from the University of Colorado Boulder has demonstrated how Presidential Alerts could be targeted in spoofing attacks using commercially available hardware and modified open source software.
Specifically, the researchers were able to target the system using a commercially-available software defined radio, along with modifications to the open source NextEPC and srsLTE software libraries.
“We find that with only four malicious portable base stations of a single Watt of transmit power each, almost all of a 50,000-seat stadium can be attacked with a 90% success rate. The true impact of such an attack would of course depend on the density of cell phones in range; fake alerts in crowded cities or stadiums could potentially result in cascades of panic,” the whitepaper reads.
WEA, the researchers explain, sends alerts via the commercial mobile alert service (CMAS) standard System Information Block (SIB) messages, the LTE downlink within broadcast messages. Cell towers broadcast the SIB to all cell phones tuned to its control channels.
With the cell tower broadcasting the SIB messages to the user device independently from the mutual authentication procedure between them, this means that all SIBs are vulnerable to spoofing from a malicious tower.
Even if the device and the tower have completed authentication and communicate securely, the former is still exposed to the security threat caused by the broadcasts from other, possibly malicious, towers, because the device periodically gathers SIB information from neighboring towers.
A CMAS spoofing attack, the research paper reveals, is easy to perform but challenging to defend in practice. The researchers were able to successfully conduct the attack on 9 smartphones from 5 manufacturers.
“Fixing this problem will require a large collaborative effort be-tween carriers, government stakeholders, and cell phone manufacturers. To seed this effort, we also discuss several defenses to address this threat in both the short and long term,” the paper reads.
The researchers also say they disclosed the findings to various pertinent partners (FEMA, FCC, DHS, NIST, 3GPP, and GSMA, along with AT&T, Verizon, T-Mobile, Sprint, U.S. Cellular, Samsung, Google, and Apple) in January 2019, before the public disclosure.