research-article
Open Access

Securing the wireless emergency alerts system

Published: 22 September 2021

Abstract

Modern cell phones are required to receive and display alerts via the Wireless Emergency Alert (WEA) program, under the mandate of the Warning, Alert, and Response Act of 2006. These alerts include AMBER alerts, severe weather alerts, and (unblockable) Presidential Alerts, intended to inform the public of imminent threats. Recently, a test Presidential Alert was sent to all capable phones in the U.S., prompting concerns about how the underlying WEA protocol could be misused or attacked. In this paper, we investigate the details of this system and develop and demonstrate the first practical spoofing attack on Presidential Alerts, using commercially available hardware and modified open source software. Our attack can be performed using a commercially available software-defined radio, and our modifications to the open source software libraries. We find that with only four malicious portable base stations of a single Watt of transmit power each, almost all of a 50,000-seat stadium can be attacked with a 90% success rate. The real impact of such an attack would, of course, depend on the density of cellphones in range; fake alerts in crowded cities or stadiums could potentially result in cascades of panic. Fixing this problem will require a large collaborative effort between carriers, government stakeholders, and cellphone manufacturers. To seed this effort, we also propose three mitigation solutions to address this threat.

Published in Communications of the ACM, Volume 64, Issue 10, October 2021, 89 pages
ISSN: 0001-0782
EISSN: 1557-7317
DOI: 10.1145/3487943

Copyright © 2021 Owner/Author

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers: research-article, Research, Refereed
