ABSTRACT
Modern cell phones are required to receive and display alerts via the Wireless Emergency Alert (WEA) program, under the mandate of the Warning, Alert, and Response Act of 2006. These alerts include AMBER alerts, severe weather alerts, and (unblockable) Presidential Alerts, intended to inform the public of imminent threats. Recently, a test Presidential Alert was sent to all capable phones in the United States, prompting concerns about how the underlying WEA protocol could be misused or attacked. In this paper, we investigate the details of this system, and develop and demonstrate the first practical spoofing attack on Presidential Alerts, using both commercially available hardware as well as modified open source software. Our attack can be performed using a commercially-available software defined radio, and our modifications to the open source NextEPC and srsLTE software libraries. We find that with only four malicious portable base stations of a single Watt of transmit power each, almost all of a 50,000-seat stadium can be attacked with a 90% success rate. The true impact of such an attack would of course depend on the density of cell phones in range; fake alerts in crowded cities or stadiums could potentially result in cascades of panic. Fixing this problem will require a large collaborative effort between carriers, government stakeholders, and cell phone manufacturers. To seed this effort, we also discuss several defenses to address this threat in both the short and long term.
- 3GPP TR 33.969. 2014. Technical Specification Group Services and System Aspects; Study on Security aspects of Public Warning System (PWS) (Release 15) . http://www.3gpp.org/DynaReport/33969.htm . (2014).Google Scholar
- 3GPP TS 23.038. 2018. Technical Specification Group Core Network and Terminals; Alphabets and language-specific information (Release 15) . http://www.3gpp.org/dynareport/23038.htm . (2018).Google Scholar
- 3GPP TS 23.041. 2018. Technical Specification Group Core Network and Terminals; Technical realization of Cell Broadcast Service (CBS) (Release 15) . http://www.3gpp.org/dynareport/23041.htm . (2018).Google Scholar
- 3GPP TS 23.401. 2018. Technical Specification Group Services and System Aspects; General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access (Release 15) . http://www.3gpp.org/dynareport/23401.htm . (2018).Google Scholar
- 3GPP TS 29.168. 2018. Technical Specification Group Core Network and Terminals; Cell Broadcast Centre interfaces with the Evolved Packet Core (Release 15) . http://www.3gpp.org/dynareport/29168.htm . (2018).Google Scholar
- 3GPP TS 33.401. 2018. Technical Specification Group Services and System Aspects; Security architecture (Release 15) . http://www.3gpp.org/dynareport/33401.htm . (2018).Google Scholar
- 3GPP TS 36.211. 2018. Technical Specification Group Radio Access Network; Physical channels and modulation (Release 12) . http://www.3gpp.org/dynareport/36211.htm . (2018).Google Scholar
- 3GPP TS 36.331. 2018. Technical Specification Group Radio Access Network; Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC) (Release 15) . http://www.3gpp.org/dynareport/36331.htm . (2018).Google Scholar
- 3GPP TS 36.413. 2018. Technical Specification Group Radio Access Network; S1 Application Protocol (S1AP) (Release 15) . http://www.3gpp.org/dynareport/36413.htm . (2018).Google Scholar
- 3GPP TS 38.331. 2018. Technical Specification Group Radio Access Network; NR; Radio Resource Control (RRC) (Release 15) . http://www.3gpp.org/dynareport/38331.htm . (2018).Google Scholar
- 5G Americas. 2018. Public Warning Systems in the Americas . (2018). https://goo.gl/yZ4R4L.Google Scholar
- I. Ahmad, T. Kumar, M. Liyanage, J. Okwuibe, M. Ylianttila, and A. Gurtov. 2018. Overview of 5G Security Challenges and Solutions . IEEE Communications Standards Magazine, Vol. 2, 1 (March 2018), 36--43.Google ScholarCross Ref
- David Basin, Jannik Dreier, Lucca Hirschi, Savsa Radomirovic, Ralf Sasse, and Vincent Stettler. 2018. A Formal Analysis of 5G Authentication. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18). Google ScholarDigital Library
- Daniel J Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. 2012. High-speed high-security signatures. Journal of Cryptographic Engineering, Vol. 2, 2 (2012), 77--89.Google ScholarCross Ref
- Dan Boneh, Ben Lynn, and Hovav Shacham. 2001. Short signatures from the Weil pairing. In Proceedings of International Conference on the Theory and Application of Cryptology and Information Security. Springer, 514--532. Google ScholarDigital Library
- Nicola Bui and Joerg Widmer. 2016. OWL: a Reliable Online Watcher for LTE Control Channel Measurements. In ACM All Things Cellular (MobiCom Workshop) . Google ScholarDigital Library
- CellMapper. 2018. Cellular Coverage and Tower Map . https://www.cellmapper.net/. (2018).Google Scholar
- Xiaomeng Chen, Abhilash Jindal, Ning Ding, Yu Charlie Hu, Maruti Gupta, and Rath Vannithamby. 2015. Smartphone Background Activities in the Wild: Origin, Energy Drain, and Optimization. In Proceedings of the 21st Annual International Conference on Mobile Computing and Networking (MobiCom '15).Google ScholarDigital Library
- Haotian Deng, Weicheng Wang, and Chunyi Peng. 2018. CEIVE: Combating Caller ID Spoofing on 4G Mobile Phones Via Callee-Only Inference and Verification. In Proceedings of the 24th Annual International Conference on Mobile Computing and Networking (MobiCom '18). Google ScholarDigital Library
- Ettus Research. 2018. USRP B210 . https://www.ettus.com/product/details/UB210-KIT . (2018).Google Scholar
- Federal Communications Commission (FCC). 2016. Wireless Emergency Alerts; Amendments to Rules Regarding the Emergency Alert System . https://www.gpo.gov/fdsys/pkg/FR-2016--11-01/pdf/2016--26120.pdf . (2016).Google Scholar
- Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie, Helen Harris, Max Walker, Christopher Thompson, Mustafa Emre Acer, Elisabeth Morant, and Sunny Consolvo. 2016. Rethinking Connection Security Indicators. In Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security (SOUPS'16). Google ScholarDigital Library
- Andrea Goldsmith. 2005. Wireless Communications .Cambridge University Press. Google Scholar
- Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Douglas J. Leith. 2016. srsLTE: An Open-Source Platform for LTE Evolution and Experimentation. In ACM WiNTECH (MobiCom Workshop) . Google ScholarDigital Library
- Junxian Huang, Feng Qian, Alexandre Gerber, Z. Morley Mao, Subhabrata Sen, and Oliver Spatscheck. 2012. A Close Examination of Performance and Power Characteristics of 4G LTE Networks. In Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (MobiSys '12). Google ScholarDigital Library
- Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. 2018. LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE. In Proceedings of the Network and Distributed System Security Symposium (NDSS '18).Google ScholarCross Ref
- Juni. 2017. Enterprise Small Cell JL620 . http://www.juniglobal.com/product/jl-620fdd-jlt-621tdd/. (2017).Google Scholar
- Hongil Kim, Dongkwan Kim, Minhee Kwon, Hyungseok Han, Yeongjin Jang, Dongsu Han, Taesoo Kim, and Yongdae Kim. 2015. Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). Google ScholarDigital Library
- Hongil Kim, Jiho Lee, Eunkyu Lee, and Yongdae Kim. 2019. Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane. In 40th IEEE Symposium on Security and Privacy .Google Scholar
- M. Labib, V. Marojevic, J. H. Reed, and A. I. Zaghloul. 2017. Enhancing the Robustness of LTE Systems: Analysis and Evolution of the Cell Selection Process. IEEE Communications Magazine, Vol. 55, 2 (February 2017), 208--215. Google ScholarDigital Library
- Jihoon Lee, Jinsung Lee, Youngbin Im, Sandesh Dhawaskar Sathyanarayana, Parisa Rahimzadeh, Xiaoxi Zhang, Max Hollingsworth, Carlee Joe-Wong, Dirk Grunwald, and Sangtae Ha. 2019. CASTLE over the Air: DistributedScheduling for Cellular Data Transmissions. In The 17th Annual InternationalConference on Mobile Systems, Applications, and Services (MobiSys '19).Google Scholar
- Chi-Yu Li, Guan-Hua Tu, Chunyi Peng, Zengwen Yuan, Yuanjie Li, Songwu Lu, and Xinbing Wang. 2015. Insecurity of Voice Solution VoLTE in LTE Mobile Networks. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). Google ScholarDigital Library
- Yuanjie Li, Chunyi Peng, Zengwen Yuan, Jiayao Li, Haotian Deng, and Tao Wang. 2016. Mobileinsight: Extracting and Analyzing Cellular Network Information on Smartphones. In Proceedings of the 22nd Annual International Conference on Mobile Computing and Networking (MobiCom '16). Google ScholarDigital Library
- M. Lichtman, R. P. Jover, M. Labib, R. Rao, V. Marojevic, and J. H. Reed. 2016. LTE/LTE-A jamming, spoofing, and sniffing: threat assessment and mitigation . IEEE Communications Magazine, Vol. 54, 4 (April 2016), 54--61. Google ScholarDigital Library
- Collin Mulliner, Nico Golde, and Jean-Pierre Seifert. 2011. SMS of death: from analyzing to attacking mobile phones on a large scale. In Proceedings of the 20th USENIX conference on Security . Google ScholarDigital Library
- National Public Radio. 2018. Officials Assess Response To Camp Fire In Northern California . https://goo.gl/iF12Vo . (2018).Google Scholar
- NextEPC Inc. 2019. Open source implementation of LTE EPC . https://www.nextepc.com/. (2019).Google Scholar
- Nsnam. 2018. NS-3: A discrete-event network simulator for internet systems . https://www.nsnam.org . (2018).Google Scholar
- Nuand. 2018. bladeRF 2.0 micro xA4 . https://www.nuand.com/product/bladerf-xa4/. (2018).Google Scholar
- A. Shaik, J. Seifert, R. Borgaonkar, N. Asokan, and V. Niemi. 2016. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In 23nd Annual Network and Distributed System Security Symposium, NDSS .Google Scholar
- StatCounter. 2019. Mobile Operating System Market Share Worldwide . http://gs.statcounter.com/os-market-share/mobile/worldwid . (2019).Google Scholar
- The Washington Post. 2018. Cellphone users nationwide just received a 'Presidential Alert.' Here's what to know. https://goo.gl/KRfDjf . (2018).Google Scholar
- Michael Tsai. 2011. Path-loss and Shadowing (Large-scale Fading) . https://goo.gl/QD7wwn . (2011).Google Scholar
- Guan-Hua Tu, Chi-Yu Li, Chunyi Peng, Yuanjie Li, and Songwu Lu. 2016. New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16).Google ScholarDigital Library
- U.S. Department of Homeland Security (DHS). 2015. Wireless Emergency Alerts (WEA) CMSP Cybersecurity Guidelines . https://goo.gl/X9X3cY . (2015).Google Scholar
- U.S. Department of Homeland Security (DHS). 2016. Geo-Targeting Performance of Wireless Emergency Alerts in Imminent Threat Scenarios . https://goo.gl/41s3CE . (2016).Google Scholar
- U.S. Federal Emergency Management Agency (FEMA). 2016. IPAWS Architecture . https://www.fema.gov/media-library/assets/documents/113642 . (2016).Google Scholar
- Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. 2015. Defeating IMSI Catchers. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). Google ScholarDigital Library
- Wikipedia. 2018. Hawaii false missile alert . https://goo.gl/oD9ofx . (2018).Google Scholar
- Xiufeng Xie, Xinyu Zhang, and Shilin Zhu. 2017. Accelerating Mobile Web Loading Using Cellular Link Information. In Proceedings of ACM MobiSys .Google ScholarDigital Library
- Hemin Yang, Anpeng Huang, Ruipeng Gao, Tammy Chang, and Linzhen Xie. 2014. Interference Self-Coordination: A Proposal to Enhance Reliability of System-Level Information in OFDM-Based Mobile Networks via PCI Planning . IEEE Transactions on Wireless Communications, Vol. 13, 4 (April 2014), 1874--1887.Google ScholarCross Ref
Index Terms
- This is Your President Speaking: Spoofing Alerts in 4G LTE Networks
Recommendations
This is Your President Speaking: Spoofing Alerts in 4G LTE Networks (demo)
MobiSys '19: Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services4G LTE networks across the world (e.g., United States, Europe, and South Korea) use the same mechanism to broadcast emergency alerts. These alerts include AMBER, severe weather alerts, and the (unblockable) Presidential Alert in the US. We demonstrate ...
Analysis of Modern Attacks with Detection and Prevention Techniques
CYBERC '13: Proceedings of the 2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge DiscoveryThis paper focuses the analysis of the latest attacks in the recent years. In the last few years, as the use of Internet become common, the attacks on the Internet have also been increased so rapidly. Many types of malwares, Trojan horses and viruses ...
An intrusion detection and prevention system for IMS and VoIP services
The Voice Over IP (VoIP) environments and the most contemporary ones such as the IP Multimedia Subsystem (IMS) are deployed in order to provide cheap and at the same time high quality services to their users. Video calls, conferences, and applications ...
Comments