Remember when all hell broke loose in Hawaii because someone accidentally issued an emergency alert for an emergency that didn't exist? That was a clerical error. What if someone did it on purpose to cause panic and fear, say on the day of the elections in 2020?
Yes, it could happen. The U.S. Emergency Alert System can (and probably will) be hijacked and weaponized by bad guys, security researchers demonstrated at a technology conference in Korea this week.
Karl Bode at Vice News reports that a pirate cell tower makes it easy to send fake emergency alerts warning of a terrorist attack, nuclear bomb, or other non-existent disaster.
Their study was shared this week at the 2019 International Conference on Mobile Systems, Applications and Services (MobiSys) in Seoul, South Korea, and shows how simple it is to spoof the Wireless Emergency Alert (WEA) program to dupe cellular users.
To prove it, researchers built a mini "pirate" cell tower using easily-available hardware and open source software. Using isolated RF shield boxes to mitigate any real-world harm, they then simulated attacks in the 50,000 seat Folsom Field at the University. 90 percent of the time, the researchers say they were able to pass bogus alerts on to cell phones within range.
The WEA system is currently co-managed by both the FCC and FEMA. The system is used to send cell phone users everything from AMBER child abduction alerts to severe weather warnings and—as was first tested last October—Presidential Alerts.
Given these broadcasts' importance, they're blasted over a specific cellular LTE channel to maximize reception in geographically targeted areas. But researchers found that it wasn't particularly difficult or expensive to hijack this process and send out the bogus messages.
The transmission of these messages from the government to the cellular tower is secure. It's the transmission from the cellular tower to the end user that's open to manipulation and interference, the researchers found. The vulnerability potentially impacts not just US LTE networks, but LTE networks from Europe to South Korea.
Eric Wustrow, a co-author of the study and an assistant professor in Electrical, Computer and Energy Engineering, told Motherboard such an attack would be relatively inexpensive to fund, fairly simple to conceal, and difficult to defend against in real time.
"We were able to do this attack with commercially-available software defined radios for about $1000," he said. "The size of our SDR is about the size of a typical wifi router."