CIRI researchers work to expose flaws in wireless emergency alert system to improve security

7/20/2021 10:04:54 AM Ivan Sanchez, CIRI Communications

In 2018, residents of Hawaii were alerted through their phones about a ballistic missile headed towards the island. The alert arrived through the Wireless Emergency Alert System (WEA), an alert system created to disseminate emergency alerts to mobile devices. Although the alert was found to have been caused by user error, there was very little information about the network's external vulnerability.

Mobile networks play an important role in our nation’s communications systems, but these complex structures are vulnerable to attacks. The research team at the Critical Infrastructure Resilience Institute (CIRI), a Department of Homeland Security Center of Excellence, recently concluded a project that explored the WEA system’s vulnerability by recreating a spoofing attack system, using the better understanding of attack vectors it gained to suggest potential solutions.

Principal investigator Sangtae Ha, an assistant professor of computer science at the University of Colorado Boulder, was part of a previous research team that discovered flaws in the WEA system that allowed unauthenticated users to spoof alerts.

Ha said, “Our recent research showed that it is possible for a physically proximate attacker to spoof Wireless Emergency Alerts, including Presidential Alerts, AMBER alerts, and other imminent threat alerts to cell phones within the range.”

This project, titled Empirical Security Analysis of the Wireless Emergency Alerts System, was conducted in direct response to the original research findings to explore and suggest possible solutions to the spoofing attacks.

“To evaluate the impact of the WEA spoofing attack in the real world, we develop a spoofing box using off-the-shelf SDR (Software Defined Radio)-based hardware and modified open-source LTE software, which can automatically search available LTE frequencies and launch the spoofing attack at those frequencies,” Ha added. “This turn-key attack device can help understand the security threat on WEA over the cellular system in practice.”

To defend against such attacks, Ha’s team explored three feasible mitigation solutions throughout the project: a client-driven approach, a network-aware approach, and an end-to-end digital signature. Of those three different approaches, the two that resulted in complete accuracy in detecting fake WEA messages in various network conditions were client-driven and end-to-end digital signatures.

The client-driven approach that the team tested requires UEs (User Equipment, or mobile phones) to observe every LTE control signaling message on the UE. The end-to-end digital signature approach requires a digital signature on WEA messages; the UE then uses the public key it obtains from its SIM card to verify the signature of the received message. The signature approach would be the most appealing: the client-driven approach would require rooting devices, whereas the signature approach needs only minimal modifications from cellular operators, OS vendors, and alert originators.
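The end-to-end signature check described above can be sketched as follows. This is an added example, not the research team's code: the `Alert` field layout, the choice of Ed25519, and the expiry check against replayed alerts are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Alert is a constructed stand-in for a WEA broadcast (assumed layout, not the real format).
type Alert struct {
	MessageID, Serial uint16 // alert category and update counter
	Expires           int64  // Unix time after which the UE ignores the alert
	Text              string
	Sig               []byte // originator's signature over the fields above
}

// signedBytes is a fixed-width encoding so signer and verifier cover identical bytes.
func signedBytes(a Alert) []byte {
	b := make([]byte, 12, 12+len(a.Text))
	binary.BigEndian.PutUint16(b[0:], a.MessageID)
	binary.BigEndian.PutUint16(b[2:], a.Serial)
	binary.BigEndian.PutUint64(b[4:], uint64(a.Expires))
	return append(b, a.Text...)
}

// Sign runs at the alert originator, the only holder of the private key.
func Sign(priv ed25519.PrivateKey, a Alert) Alert {
	a.Sig = ed25519.Sign(priv, signedBytes(a))
	return a
}

// Verify runs on the UE with the public key read from its SIM card.
func Verify(pub ed25519.PublicKey, a Alert, now int64) error {
	if len(a.Sig) != ed25519.SignatureSize || !ed25519.Verify(pub, signedBytes(a), a.Sig) {
		return errors.New("bad signature: drop alert")
	}
	if now > a.Expires {
		return errors.New("expired: possible replay of an old alert")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	a := Sign(priv, Alert{MessageID: 1, Serial: 1, Expires: 2000, Text: "constructed test alert"})
	fmt.Println("genuine:", Verify(pub, a, 1000))
	a.Text = "altered text" // any change to a signed field invalidates the signature
	fmt.Println("altered:", Verify(pub, a, 1000))
}
```

A broadcast from a transmitter that does not hold the originator's private key fails the first check regardless of how well it mimics the radio signaling, which is why this check needs no visibility into LTE control messages.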

The research team has already engaged in communication with AT&T, Verizon, CISA, FirstNet, the FCC, and other federal entities and 5G groups to circulate their solution, which may reduce the possibility that an emergency alert you receive in the future is a fake.