Have you ever been in a public place when an emergency alert is issued? Everyone's phone starts buzzing at the same time and there's a brief moment where a feeling of concern blankets the whole room. Imagine that same situation but instead of a room of people, it's an entire stadium full people, all receiving a troubling alert at the same time — and on top of that, the alert isn't true. Fake emergency alert texts are a recipe for the worst human instincts to kick in, and that's the exact scenario that researchers at the University of Colorado Boulder created.
In a paper published this month, the researchers detail a method they discovered to exploit a vulnerability in LTE networks and deliver spoofed Wireless Emergency Alert (WEA) messages — the system used to send out AMBER alerts, extreme weather warnings, and presidential alerts. Using a simulation, the team of experts was able to create a scenario in which a fake alert was sent to a football stadium packed with 50,000 people. In the simulation, 90 percent of phones successfully received the phony emergency message.
To understand how the attack works, it's important to first know how the WEA system is designed to work. During an emergency, messages can be sent by a variety of agencies at both the local and federal level. Those messages have to be authenticated by officials and sent through the Federal Emergency Management Agency's (FEMA) Integrated Public Alert and Warning System (IPAWS), where it is handed off to wireless carriers. Those carriers then push the alerts to mobile devices in affected areas through cell towers.
The problem that researchers discovered was that it's possible to fool devices by sending out an emergency message from a bootleg cell tower using commercially available wireless transmitters. Phones regularly seek for cell towers with a strong signal, and by creating a tower with a strong signal and placing it near a densely populated area, the researchers were able to convince thousands of devices to connect to their fake network. Once a phone is connected, it attempts to verify the authenticity of the tower by sending messages to it. If the phone doesn't receive a response after sending five messages, it will drop the connection entirely — but that leaves about a 45-second window during which the phone is locked onto the fake tower. During that time, the researchers pushed the phony alert, which the phones read and displayed as real.
According to the researchers, the vulnerability in networks stems from the Commercial Mobile Alert System (CMAS) standard used to deliver WEA messages. Because there doesn't appear to be a requirement for a network to be authenticated before it can send messages using the standard, it's possible for attackers to send these false messages during the brief window during which a device is connected and communicated with the unsecured network. Wireless networks in the U.S., Europe, and South Korea all utilize a CMAS-style standard, meaning they are potentially vulnerable to this type of attack.
It's not hard to imagine how quickly a situation could go very badly if this type of attack was carried out. The researchers even laid out a situation in which it could happen: malicious actors set up a fake cell tower outside a stadium or other heavily trafficked area, connect to as many phones as possible and push a panic-inducing message to as many phones as they can. It's likely that chaos would ensue. Good information may end up hard to come by in this situation, as well. While phones ditch the fake network and return to authentic ones, it's pretty common for cell networks to struggle under the stress of tons of heavily concentrated traffic. A lack of real information to counter the fake message would only further the panic.
For better or worse, we've already gotten a pretty good idea of what happens when people are on the receiving end of false alerts. Last year, officials in Hawaii accidentally sent out a message that was received by basically every cellphone in the state. That message warned: "BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.” The false alarm left people in a state of panic and peril for 38 whole minutes until it was corrected. A study conducted by the Centers for Disease Control and Prevention (CDC) found that residents of the state spent much of that time searching for more information, preparing for the worst, and experiencing significant amounts of "shock, fear, panic, or terror.” Those emotions overtaking thousands of people at the same time in a condensed area seems like a tragedy waiting to happen.
Hopefully this vulnerability won't be around long enough to test people's impulses during a perceived emergency. The researchers responsible for discovering the exploit have reported it to the government and have presented a number of methods that may be useful in thwarting an attack. It will be up to the government and telecom industry to quickly implement a fix. Better to deal with the issue as a real emergency now than have to handle the result of a fake emergency later.