This is Your President Speaking: Spoofing Alerts in 4G LTE Networks

Authors:
Gyuhong Lee

University of Colorado Boulder, Boulder, CO, USA

University of Colorado Boulder, Boulder, CO, USA
View Profile

,
Jihoon Lee

University of Colorado Boulder, Boulder, CO, USA

University of Colorado Boulder, Boulder, CO, USA
View Profile

,
Jinsung Lee

University of Colorado Boulder, Boulder, CO, USA

University of Colorado Boulder, Boulder, CO, USA
View Profile

,
Youngbin Im

University of Colorado Boulder, Boulder, CO, USA

University of Colorado Boulder, Boulder, CO, USA
View Profile

,
Max Hollingsworth

University of Colorado Boulder, Boulder, CO, USA

University of Colorado Boulder, Boulder, CO, USA
View Profile

,
Eric Wustrow

University of Colorado Boulder, Boulder, CO, USA

University of Colorado Boulder, Boulder, CO, USA
View Profile

,
Dirk Grunwald

University of Colorado Boulder, Boulder, CO, USA

University of Colorado Boulder, Boulder, CO, USA
View Profile

,
Sangtae Ha

University of Colorado Boulder, Boulder, CO, USA

University of Colorado Boulder, Boulder, CO, USA
View Profile

MobiSys '19: Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and ServicesJune 2019Pages 404–416https://doi.org/10.1145/3307334.3326082

Published:12 June 2019Publication History

MobiSys '19: Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services

Pages 404–416

ABSTRACT

Modern cell phones are required to receive and display alerts via the Wireless Emergency Alert (WEA) program, under the mandate of the Warning, Alert, and Response Act of 2006. These alerts include AMBER alerts, severe weather alerts, and (unblockable) Presidential Alerts, intended to inform the public of imminent threats. Recently, a test Presidential Alert was sent to all capable phones in the United States, prompting concerns about how the underlying WEA protocol could be misused or attacked. In this paper, we investigate the details of this system, and develop and demonstrate the first practical spoofing attack on Presidential Alerts, using both commercially available hardware as well as modified open source software. Our attack can be performed using a commercially-available software defined radio, and our modifications to the open source NextEPC and srsLTE software libraries. We find that with only four malicious portable base stations of a single Watt of transmit power each, almost all of a 50,000-seat stadium can be attacked with a 90% success rate. The true impact of such an attack would of course depend on the density of cell phones in range; fake alerts in crowded cities or stadiums could potentially result in cascades of panic. Fixing this problem will require a large collaborative effort between carriers, government stakeholders, and cell phone manufacturers. To seed this effort, we also discuss several defenses to address this threat in both the short and long term.

References

3GPP TR 33.969. 2014. Technical Specification Group Services and System Aspects; Study on Security aspects of Public Warning System (PWS) (Release 15) . http://www.3gpp.org/DynaReport/33969.htm . (2014).Google Scholar
3GPP TS 23.038. 2018. Technical Specification Group Core Network and Terminals; Alphabets and language-specific information (Release 15) . http://www.3gpp.org/dynareport/23038.htm . (2018).Google Scholar
3GPP TS 23.041. 2018. Technical Specification Group Core Network and Terminals; Technical realization of Cell Broadcast Service (CBS) (Release 15) . http://www.3gpp.org/dynareport/23041.htm . (2018).Google Scholar
3GPP TS 23.401. 2018. Technical Specification Group Services and System Aspects; General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access (Release 15) . http://www.3gpp.org/dynareport/23401.htm . (2018).Google Scholar
3GPP TS 29.168. 2018. Technical Specification Group Core Network and Terminals; Cell Broadcast Centre interfaces with the Evolved Packet Core (Release 15) . http://www.3gpp.org/dynareport/29168.htm . (2018).Google Scholar
3GPP TS 33.401. 2018. Technical Specification Group Services and System Aspects; Security architecture (Release 15) . http://www.3gpp.org/dynareport/33401.htm . (2018).Google Scholar
3GPP TS 36.211. 2018. Technical Specification Group Radio Access Network; Physical channels and modulation (Release 12) . http://www.3gpp.org/dynareport/36211.htm . (2018).Google Scholar
3GPP TS 36.331. 2018. Technical Specification Group Radio Access Network; Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC) (Release 15) . http://www.3gpp.org/dynareport/36331.htm . (2018).Google Scholar
3GPP TS 36.413. 2018. Technical Specification Group Radio Access Network; S1 Application Protocol (S1AP) (Release 15) . http://www.3gpp.org/dynareport/36413.htm . (2018).Google Scholar
3GPP TS 38.331. 2018. Technical Specification Group Radio Access Network; NR; Radio Resource Control (RRC) (Release 15) . http://www.3gpp.org/dynareport/38331.htm . (2018).Google Scholar
5G Americas. 2018. Public Warning Systems in the Americas . (2018). https://goo.gl/yZ4R4L.Google Scholar
I. Ahmad, T. Kumar, M. Liyanage, J. Okwuibe, M. Ylianttila, and A. Gurtov. 2018. Overview of 5G Security Challenges and Solutions . IEEE Communications Standards Magazine, Vol. 2, 1 (March 2018), 36--43.Google ScholarCross Ref
David Basin, Jannik Dreier, Lucca Hirschi, Savsa Radomirovic, Ralf Sasse, and Vincent Stettler. 2018. A Formal Analysis of 5G Authentication. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18). Google ScholarDigital Library
Daniel J Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. 2012. High-speed high-security signatures. Journal of Cryptographic Engineering, Vol. 2, 2 (2012), 77--89.Google ScholarCross Ref
Dan Boneh, Ben Lynn, and Hovav Shacham. 2001. Short signatures from the Weil pairing. In Proceedings of International Conference on the Theory and Application of Cryptology and Information Security. Springer, 514--532. Google ScholarDigital Library
Nicola Bui and Joerg Widmer. 2016. OWL: a Reliable Online Watcher for LTE Control Channel Measurements. In ACM All Things Cellular (MobiCom Workshop) . Google ScholarDigital Library
CellMapper. 2018. Cellular Coverage and Tower Map . https://www.cellmapper.net/. (2018).Google Scholar
Xiaomeng Chen, Abhilash Jindal, Ning Ding, Yu Charlie Hu, Maruti Gupta, and Rath Vannithamby. 2015. Smartphone Background Activities in the Wild: Origin, Energy Drain, and Optimization. In Proceedings of the 21st Annual International Conference on Mobile Computing and Networking (MobiCom '15).Google ScholarDigital Library
Haotian Deng, Weicheng Wang, and Chunyi Peng. 2018. CEIVE: Combating Caller ID Spoofing on 4G Mobile Phones Via Callee-Only Inference and Verification. In Proceedings of the 24th Annual International Conference on Mobile Computing and Networking (MobiCom '18). Google ScholarDigital Library
Ettus Research. 2018. USRP B210 . https://www.ettus.com/product/details/UB210-KIT . (2018).Google Scholar
Federal Communications Commission (FCC). 2016. Wireless Emergency Alerts; Amendments to Rules Regarding the Emergency Alert System . https://www.gpo.gov/fdsys/pkg/FR-2016--11-01/pdf/2016--26120.pdf . (2016).Google Scholar
Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie, Helen Harris, Max Walker, Christopher Thompson, Mustafa Emre Acer, Elisabeth Morant, and Sunny Consolvo. 2016. Rethinking Connection Security Indicators. In Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security (SOUPS'16). Google ScholarDigital Library
Andrea Goldsmith. 2005. Wireless Communications .Cambridge University Press. Google Scholar
Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Douglas J. Leith. 2016. srsLTE: An Open-Source Platform for LTE Evolution and Experimentation. In ACM WiNTECH (MobiCom Workshop) . Google ScholarDigital Library
Junxian Huang, Feng Qian, Alexandre Gerber, Z. Morley Mao, Subhabrata Sen, and Oliver Spatscheck. 2012. A Close Examination of Performance and Power Characteristics of 4G LTE Networks. In Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (MobiSys '12). Google ScholarDigital Library
Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. 2018. LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE. In Proceedings of the Network and Distributed System Security Symposium (NDSS '18).Google ScholarCross Ref
Juni. 2017. Enterprise Small Cell JL620 . http://www.juniglobal.com/product/jl-620fdd-jlt-621tdd/. (2017).Google Scholar
Hongil Kim, Dongkwan Kim, Minhee Kwon, Hyungseok Han, Yeongjin Jang, Dongsu Han, Taesoo Kim, and Yongdae Kim. 2015. Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). Google ScholarDigital Library
Hongil Kim, Jiho Lee, Eunkyu Lee, and Yongdae Kim. 2019. Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane. In 40th IEEE Symposium on Security and Privacy .Google Scholar
M. Labib, V. Marojevic, J. H. Reed, and A. I. Zaghloul. 2017. Enhancing the Robustness of LTE Systems: Analysis and Evolution of the Cell Selection Process. IEEE Communications Magazine, Vol. 55, 2 (February 2017), 208--215. Google ScholarDigital Library
Jihoon Lee, Jinsung Lee, Youngbin Im, Sandesh Dhawaskar Sathyanarayana, Parisa Rahimzadeh, Xiaoxi Zhang, Max Hollingsworth, Carlee Joe-Wong, Dirk Grunwald, and Sangtae Ha. 2019. CASTLE over the Air: DistributedScheduling for Cellular Data Transmissions. In The 17th Annual InternationalConference on Mobile Systems, Applications, and Services (MobiSys '19).Google Scholar
Chi-Yu Li, Guan-Hua Tu, Chunyi Peng, Zengwen Yuan, Yuanjie Li, Songwu Lu, and Xinbing Wang. 2015. Insecurity of Voice Solution VoLTE in LTE Mobile Networks. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). Google ScholarDigital Library
Yuanjie Li, Chunyi Peng, Zengwen Yuan, Jiayao Li, Haotian Deng, and Tao Wang. 2016. Mobileinsight: Extracting and Analyzing Cellular Network Information on Smartphones. In Proceedings of the 22nd Annual International Conference on Mobile Computing and Networking (MobiCom '16). Google ScholarDigital Library
M. Lichtman, R. P. Jover, M. Labib, R. Rao, V. Marojevic, and J. H. Reed. 2016. LTE/LTE-A jamming, spoofing, and sniffing: threat assessment and mitigation . IEEE Communications Magazine, Vol. 54, 4 (April 2016), 54--61. Google ScholarDigital Library
Collin Mulliner, Nico Golde, and Jean-Pierre Seifert. 2011. SMS of death: from analyzing to attacking mobile phones on a large scale. In Proceedings of the 20th USENIX conference on Security . Google ScholarDigital Library
National Public Radio. 2018. Officials Assess Response To Camp Fire In Northern California . https://goo.gl/iF12Vo . (2018).Google Scholar
NextEPC Inc. 2019. Open source implementation of LTE EPC . https://www.nextepc.com/. (2019).Google Scholar
Nsnam. 2018. NS-3: A discrete-event network simulator for internet systems . https://www.nsnam.org . (2018).Google Scholar
Nuand. 2018. bladeRF 2.0 micro xA4 . https://www.nuand.com/product/bladerf-xa4/. (2018).Google Scholar
A. Shaik, J. Seifert, R. Borgaonkar, N. Asokan, and V. Niemi. 2016. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In 23nd Annual Network and Distributed System Security Symposium, NDSS .Google Scholar
StatCounter. 2019. Mobile Operating System Market Share Worldwide . http://gs.statcounter.com/os-market-share/mobile/worldwid . (2019).Google Scholar
The Washington Post. 2018. Cellphone users nationwide just received a 'Presidential Alert.' Here's what to know. https://goo.gl/KRfDjf . (2018).Google Scholar
Michael Tsai. 2011. Path-loss and Shadowing (Large-scale Fading) . https://goo.gl/QD7wwn . (2011).Google Scholar
Guan-Hua Tu, Chi-Yu Li, Chunyi Peng, Yuanjie Li, and Songwu Lu. 2016. New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16).Google ScholarDigital Library
U.S. Department of Homeland Security (DHS). 2015. Wireless Emergency Alerts (WEA) CMSP Cybersecurity Guidelines . https://goo.gl/X9X3cY . (2015).Google Scholar
U.S. Department of Homeland Security (DHS). 2016. Geo-Targeting Performance of Wireless Emergency Alerts in Imminent Threat Scenarios . https://goo.gl/41s3CE . (2016).Google Scholar
U.S. Federal Emergency Management Agency (FEMA). 2016. IPAWS Architecture . https://www.fema.gov/media-library/assets/documents/113642 . (2016).Google Scholar
Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. 2015. Defeating IMSI Catchers. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). Google ScholarDigital Library
Wikipedia. 2018. Hawaii false missile alert . https://goo.gl/oD9ofx . (2018).Google Scholar
Xiufeng Xie, Xinyu Zhang, and Shilin Zhu. 2017. Accelerating Mobile Web Loading Using Cellular Link Information. In Proceedings of ACM MobiSys .Google ScholarDigital Library
Hemin Yang, Anpeng Huang, Ruipeng Gao, Tammy Chang, and Linzhen Xie. 2014. Interference Self-Coordination: A Proposal to Enhance Reliability of System-Level Information in OFDM-Based Mobile Networks via PCI Planning . IEEE Transactions on Wireless Communications, Vol. 13, 4 (April 2014), 1874--1887.Google ScholarCross Ref

Index Terms

This is Your President Speaking: Spoofing Alerts in 4G LTE Networks
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
    1. Social engineering attacks
      1. Spoofing attacks
  2. Network security
    1. Mobile and wireless security

Recommendations

This is Your President Speaking: Spoofing Alerts in 4G LTE Networks (demo)
MobiSys '19: Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services

4G LTE networks across the world (e.g., United States, Europe, and South Korea) use the same mechanism to broadcast emergency alerts. These alerts include AMBER, severe weather alerts, and the (unblockable) Presidential Alert in the US. We demonstrate ...
Read More
Analysis of Modern Attacks with Detection and Prevention Techniques
CYBERC '13: Proceedings of the 2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery

This paper focuses the analysis of the latest attacks in the recent years. In the last few years, as the use of Internet become common, the attacks on the Internet have also been increased so rapidly. Many types of malwares, Trojan horses and viruses ...
Read More
An intrusion detection and prevention system for IMS and VoIP services

The Voice Over IP (VoIP) environments and the most contemporary ones such as the IP Multimedia Subsystem (IMS) are deployed in order to provide cheap and at the same time high quality services to their users. Video calls, conferences, and applications ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
MobiSys '19: Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services
June 2019
736 pages
ISBN:9781450366618
DOI:10.1145/3307334
General Chairs:
Junehwa Song
KAIST, South Korea
,
Minkyong Kim
Samsung Electronics
,
Program Chairs:
Nicholas D. Lane
University of Oxford & Samsung AI
,
Rajesh K. Balan
Singapore Management University
Copyright © 2019 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 12 June 2019
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
cmas
lte
presidential alert
security
spoofing
wea
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate274of1,679submissions,16%
Upcoming Conference
MOBISYS '24

Sponsor:

sigmobile

The 22nd Annual International Conference on Mobile Systems, Applications and Services

June 3 - 7, 2024

Minato-ku, Tokyo , Japan
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 17
  Total Citations
  View Citations
- 8,727
  Total Downloads
- Downloads (Last 12 months)1,182
- Downloads (Last 6 weeks)89
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

This is Your President Speaking: Spoofing Alerts in 4G LTE Networks

MobiSys '19: Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services

ABSTRACT

References

Cited By

Index Terms

Recommendations

This is Your President Speaking: Spoofing Alerts in 4G LTE Networks (demo)

Analysis of Modern Attacks with Detection and Prevention Techniques

An intrusion detection and prevention system for IMS and VoIP services