Have you heard of the Wireless Emergency Alert system? The WEA system is designed to broadcast alert messages by the president to the US population in case of a nationwide emergency. The system can also broadcast the so-called weather AMBER alerts. And it can be exploited, researchers say.
The system uses LTE (4G) networks, which unfortunately can be exploited in a malicious way to spread misinformation, say researchers at University of Colorado Boulder in a paper titled “This is Your President Speaking:Spoofing Alerts in 4G LTE Networks”.
Modern cell phones are required to receive and display alerts via the Wireless Emergency Alert (WEA) program, under the mandate of the Warning, Alert, and Response Act of 2006. These alerts include AMBER alerts, severe weather alerts, and (unblockable) Presidential Alerts, intended to inform the public of imminent threats. Recently, a test Presidential Alert was sent to all capable phones in the United States, prompting concerns about how the underlying WEA protocol could be misused or attacked.
The first practical spoofing attack on Presidential Alerts
The researchers investigated the details of the WEA system, and demonstrated “the first practical spoofing attack on Presidential Alerts”. To do so, they used commercially available hardware and modified open source software. In other words, the experts identified several security vulnerabilities of WEA over commercial LTE networks, discovering that a spoofing attack with fake alerts can be carried out very easily.
The attack they crafted can be carried out by utilizing a commercially available software defined radio, and their modifications to the open-source NextEPC and srsLTE libraries. The researchers say that four malicious portable base stations of only one Watt of transmit power are enough to “attack” a 50,000-seat stadium with a 90% success rate.
Of course, the real impact of the attack is related to the density of cell phones in range, meaning that fake alerts sent out in big cities could cause large-scale panic. Addressing this issue would require “a large collaborative effort between carries, government stakeholders, and cell phone manufacturers.”
It turns out that fake alerts can be transmitted via the WEA system as soon as the specific LTE channel it uses to broadcast them is located and identified. Furthermore, cell phones are not capable of verifying the authenticity of an alert which makes the impact of a fake alert difficult to comprehend.
Potential defenses against the spoofing attacks available
The researchers provided two potential defenses against these attacks. The first suggestion is adding digital signatures to alerts to prove authenticity, while the second one involves the adoption of secure commercial mobile alert service (CMAS) to improve LTE.
However, both suggestions are challenging in certain ways. For one, the adoption of digital signatures requires both operators and device manufacturers to agree the keys which will sign and validate the messages. This means handling signatures from unknown keys and requiring signatures to be compliant with the practical constraints of the network. So, a solution would be to implement digital signatures only when it comes to presidential alerts.
On the other hand, the CMAS service would need to be implemented at LTE modem firmware level, or it would require an update to the device OS. The drawback here would be the limited access of trustworthy CMAS messages. Nonetheless, both solutions could significantly decrease the risk of spoofing attacks.
It is noteworthy that this is not the first time security researchers identify security vulnerabilities within LTE. In July 2018, it was reported thatLTE could be compromised in three attacks where an attacker collects meta- information about the user’s traffic, among other things. More specifically, three attack vectors were identified where the confidentiality and privacy of LTE communication was at stake.