


How Can The Presidential Alert Come Through A Cell Phone Not On A Registered Network

Research highlights

Securing the Wireless Emergency Alerts System


Image: a smartphone showing a Presidential Alert (Credit: CNN)

Modern cell phones are required to receive and display alerts via the Wireless Emergency Alert (WEA) program, under the mandate of the Warning, Alert, and Response Network (WARN) Act of 2006. These alerts include AMBER alerts, severe weather alerts, and (unblockable) Presidential Alerts, intended to inform the public of imminent threats. Recently, a test Presidential Alert was sent to all capable phones in the U.S., prompting concerns about how the underlying WEA protocol could be misused or attacked. In this paper, we investigate the details of this system and develop and demonstrate the first practical spoofing attack on Presidential Alerts, using commercially available hardware and modified open source software. Our attack can be performed using a commercially available software-defined radio and our modifications to open source software libraries. We find that with only four malicious portable base stations of a single Watt of transmit power each, almost all of a 50,000-seat stadium can be attacked with a 90% success rate. The real impact of such an attack would, of course, depend on the density of cellphones in range; fake alerts in crowded cities or stadiums could potentially result in cascades of panic. Fixing this problem will require a large collaborative effort between carriers, government stakeholders, and cellphone manufacturers. To seed this effort, we also propose three mitigation solutions to address this threat.


1. Introduction

The Wireless Emergency Alerts (WEA) program is a government-mandated service in commercial cellular networks in the U.S. WEA was established by the Federal Communications Commission (FCC) in response to the Warning, Alert, and Response Network (WARN) Act of 2006 to allow wireless cellular service providers to send geographically targeted emergency alerts to their subscribers. The Federal Emergency Management Agency (FEMA) is responsible for the implementation and administration of a major component of WEA.

This system can send three types of alerts: Presidential Alerts issued by the president to all of the United States; Imminent Threat Alerts involving serious threats to life and property, often related to severe weather; and AMBER Alerts regarding missing or abducted children. Considering the number of cellphone users and the nationwide coverage of cellular networks, WEA over Long-Term Evolution (LTE) was a natural step to enhance public safety immediately and effectively. In fact, recent rapidly moving fires have caused emergency services to consider using WEA instead of relying on opt-in alerting systems.16

A handful of widely publicized events has led to public scrutiny over the potential misuse of the alert system. On January 13, 2018, a geographically targeted warning was issued in Hawaii. The message, warning of an inbound missile, is shown in Figure 1b. Although caused by human error, the impact on the residents of Hawaii was huge, as it led to panic and disruption throughout the state.20 This event was followed on October 3, 2018, by the first national test of a mandatory Presidential Alert. The alert, captured in Figure 1a, was sent to all capable phones in the U.S.19

Figure 1. Snapshots of real WEA messages received by cellphones: (a) the first national test of the Presidential Alert performed on October 3, 2018 in the U.S., and (b) a false alert sent in Hawaii on January 13, 2018.

These recent high-profile alerts have prompted us to assess the realizability and impact of an alert spoofing attack. In this paper, we demonstrate how to launch a Presidential Alert-spoofing attack and evaluate its effectiveness with respect to attack coverage and success rate.

To answer this question, we begin by looking into the alert delivery method used by WEA. WEA sends alerts via the Commercial Mobile Alert Service (CMAS), which is the underlying delivery technology standardized by the 3rd Generation Partnership Project (3GPP). These alerts are delivered via the LTE downlink within broadcast messages called System Information Block (SIB) messages. A cell tower (referred to as an eNodeB) broadcasts the SIB to every cell phone (referred to as user equipment or UE) that is tuned to the control channels of that eNodeB. A UE obtains necessary access information, such as the network identifier and access restrictions, from SIB messages, and uses it for the eNodeB selection procedure. Among the 26 different types of SIB messages, SIB12 contains the CMAS notification, which delivers the same warning messages to the UEs.

The eNodeB broadcasts SIB messages to the UE independently of the mutual authentication procedure that eventually occurs between them. Thus, all SIBs, including the CMAS SIB, are intrinsically vulnerable to spoofing from a malicious eNodeB. More importantly, even if the UE has completed its authentication and securely communicates with a trusted eNodeB, the UE is still exposed to the security threat caused by the broadcasts of other, possibly malicious, eNodeBs. This is because the UE periodically gathers SIB information from neighboring eNodeBs for potential eNodeB (re)selection and handover.

We found via both experiment and simulation that a 90% success rate can be reached in 4435 m2 of a 16,859 m2 building using a single malicious eNodeB of 0.1 Watt power, whereas in an outdoor stadium, 49,300 seats among the total 50,000 are hit with an attack, which itself has a 90% success rate, using 4 malicious eNodeBs of 1 Watt power.

In summary, we make the following major contributions:

  • We identify security vulnerabilities of the WEA system and explain the detailed underlying mechanism stipulated by the LTE standard. We find that the CMAS spoofing attack is easy to perform but challenging to defend against in practice.
  • We present our threat analysis of the CMAS spoofing attack and implement an effective attack system using commercial off-the-shelf (COTS) software-defined radio (SDR) hardware and open-source LTE software.
  • We evaluate our attack system using both an SDR-based hardware prototype and measurement-based simulation. As one of the striking results, we demonstrate that 4 SDR-based malicious eNodeBs at 1 Watt of power can propagate their signal to 49,300 seats of a 50,000-seat football stadium. Of the 49,300 seats affected, 90% will receive the CMAS message.
  • We present possible solutions to prevent such a spoofing attack with a thorough analysis and feasibility test, which can open the door toward collaborative efforts between cellular operators, government stakeholders, and phone manufacturers.

*1.1. Responsible disclosure

In January 2019, before public release, we disclosed our findings and the technical details of this alert spoofing attack to the pertinent parties. These parties include the government and standardization organizations FEMA, FCC, DHS, NIST, 3GPP, and GSMA; the cellular network service providers AT&T, Verizon, T-Mobile, Sprint, and U.S. Cellular; and the manufacturers Apple, Google, and Samsung.


2. Security Threats

The 3GPP standardization body began a project in 2006 to define the requirements of CMAS for delivering WEA messages in the LTE network; the LTE CMAS network architecture is illustrated in Figure 2. The resulting technical specification, initially released in 2009, describes the general criteria for the delivery of alerts, message formats, and the functionality of CMAS-capable UEs.2 During an emergency, authorized public safety officials send alert messages to Federal Alert Gateways. The participating mobile service providers then broadcast the alert to the UEs, which automatically receive the alert if they are located in or travel to the targeted geographic area. The cell broadcast center (CBC) is part of the service provider's core network and is connected to the Mobility Management Entity (MME), which maintains the location information of the UEs attached to the network.3 The eNodeB is the last step in communicating the alert to the UEs over the air.

Figure 2. LTE CMAS network architecture.

UEs may choose to turn off the notification of Imminent Threat Alerts and AMBER Alerts among the three types of emergency alerts (i.e., Presidential Alerts, Imminent Threat Alerts, and AMBER Alerts). However, 3GPP mandates that the reception of Presidential Alerts is obligatory. Thus, cell phones have no option to disable Presidential Alerts, as seen in Figure 3. Because it cannot be disabled, this paper focuses on spoofing Presidential Alerts by injecting a fake CMAS message over the air from a rogue eNodeB.

Figure 3. Government alert settings in mobile phones: (a) Android and (b) Apple's iPhones. Although AMBER and emergency alerts can be manually disabled, users cannot disable or block Presidential Alerts from being received or displayed.

*2.1. Identifying the vulnerability

An eNodeB broadcasts LTE system information through the Master Information Block (MIB) and SIBs. Specifically, when a UE searches for an eNodeB, it searches for the eNodeB's physical cell identifier (PCI) within a dedicated synchronization channel specified by the LTE standard.5 After finding the PCI, the UE descrambles and decodes the MIB, which contains essential information such as the system bandwidth, system frame number (SFN), and the antenna configuration, in order to decode the SIB Type 1 message (SIB1). There are several SIB messages, but only SIB1 has a fixed periodicity of 80 msec. Other SIB messages are dynamically scheduled by the eNodeB, and the scheduling information for the other SIBs is encoded in the periodic SIB1.

3GPP specifies that the broadcast of CMAS messages over the air is carried in SIB12.6 However, unlike point-to-point messages in LTE, broadcasts of SIB messages are not protected by mutual cryptographic authentication or confidentiality, because the SIB contains essential information the UEs use to access the network before any session keys have been established. Once a CMAS message has been received, there is no verification method for the message content. If an attacker can imitate eNodeB behavior closely enough to broadcast fake CMAS messages, the UE will display them.

A UE's vulnerability to a fake CMAS alert depends on whether it is in an active or idle state, as illustrated in Figure 4. To affect the most UEs, an attacker must consider different approaches for each state. Here we discuss idle UEs and active UEs separately:

Figure 4. The Idle/Active life cycle of a UE. The state of the UE continues counterclockwise around the chart. CMAS spoofing is possible while the UE performs an eNodeB search, prior to successful authentication with a trusted eNodeB.

Idle mode UEs. Reference Signal Received Power (RSRP) is the power of an eNodeB-specific reference signal measured by the UE, typically used to make eNodeB selection and handover decisions. Usually, whenever a UE in idle mode performs eNodeB selection (or reselection), it will associate with the eNodeB having the highest RSRP. If the RSRP of a malicious eNodeB is the strongest, the UE decodes the SIBs transmitted by the malicious eNodeB. The attacker does not need to have any user data (such as security keys), which would be stored in the network operator's database. Without such user data, the authentication procedure between the UE and the malicious eNodeB will eventually fail. Nevertheless, the UE can receive a CMAS message transmitted by the malicious eNodeB during this process.

Active mode UEs. When a UE is in active mode, it securely communicates with the serving eNodeB. If it finds another eNodeB with a higher power level than the existing serving eNodeB, a handover procedure can be triggered. The serving eNodeB then makes a handover decision based on the received measurement report. However, if the serving MME does not identify the target eNodeB, the handover will eventually fail. Therefore, even if triggered by a malicious eNodeB, the handover procedure does not make a UE vulnerable to the CMAS spoofing attack. As a consequence, the attacker first needs to disconnect the UE from its serving eNodeB. After the UE is released from the serving eNodeB, it will immediately try to attach to the strongest eNodeB. After that, it can be attacked in the same way as the idle mode UEs described above. One way to disconnect the active UE from its serving eNodeB is to cause Radio Link Failures (RLFs) by jamming LTE signals.15 Even without any special jamming technique, a malicious eNodeB can jam the communication between a UE and its serving eNodeB by simply transmitting at a much higher power than the serving eNodeB.

*2.2. CMAS reception and trustworthiness

We have identified three possible cases that determine whether the CMAS is received and whether it is trustworthy, listed in Table 1. Each case depends on where the UE currently is in the idle/active life cycle illustrated in Figure 4.

Figure 5. The Presidential Alert Spoofer scans for an eNodeB, gathers operator information, and sends a fake Presidential Alert to both idle and active UEs. The UEs may be FDD or TDD. This setup consists of one SDR device, one COTS LTE eNodeB, and two laptops.

Table 1. Cases for CMAS reception and trustworthiness.

Simply put, if a UE is not listening to the frequency channels on which the eNodeB is transmitting the CMAS message, the CMAS message will not be received by the UE. This is illustrated as the blue portion in Figure 4. It may seem obvious, but a necessary condition for the UE to receive a CMAS message is that it needs to be tuned to the synchronization channels of the eNodeB that is transmitting the CMAS message.

Secure CMAS. In the green area of Figure 4, the UE attaches to an eNodeB and is safely in the active state. To do this, the UE must be equipped with a valid Subscriber Identity Module (SIM) card that is registered to the operator's network. Case 1 is the general scenario for phones receiving standard service from their provider. Because mutual authentication between the UE and the network has been successfully completed, the UE can trust that the eNodeB is not malicious. The CMAS reception is successful, as we would expect, and we know that this CMAS message is trustworthy.

Unsecured CMAS. In the red area of Figure 4, the UE is failing or has already failed to attach when the eNodeB transmits the CMAS message. The UE will still receive the CMAS message; this is the crux of the vulnerability. To demonstrate this, we deleted the SIM data from the Evolved Packet Core (EPC) so that user authentication would be unsuccessful. The UE is now in the unsecured range between the idle and active states due to the authentication failure. Even though the UE fails to reach the active state, we observe that the CMAS message is still successfully received. This is because once the UE completes decoding the CMAS message in SIB12, it delivers the contents to the application layer to be shown to the user. Surprisingly, this is possible even after the authentication process has finally failed. Case 2 thus leads to the threat that any malicious eNodeB can deliver fake CMAS messages while the UE is between the eNodeB search and authentication procedures. Finally, in Case 3, the UE roams to an eNodeB which sends a CMAS message. To demonstrate this, we removed the SIM card from the UE. No authentication is possible, but the UE can make emergency calls such as 911. Even in this situation, we verified that the UE still receives the CMAS message, which is potentially malicious.

As shown in Cases 2 and 3, CMAS spoofing can be done while the UE performs an eNodeB search, before successful authentication with a trusted eNodeB. These results are verified using 1 x JL620 COTS LTE small cell (no modification), 1 x open-source NextEPC (modified with the CBC),17 and nine different commercial LTE phones (Apple iPhone 8, X, and XS; Google Pixel 1; Huawei Nexus 6P; Motorola G5 Plus and G6; Samsung Galaxy S7 Edge and S8). Considering that the majority of UEs in cellular networks are in the idle state10 and UEs often transition from the active to the idle state due to an inactivity timer (around 10 s13), almost all UEs are susceptible to this attack.


3. Proof-of-Concept Attacks

In this section, we present the details of our Presidential Alert Spoofer system and describe how it works. Our system can be built with either an SDR device or a COTS eNodeB, and the list of hardware and software systems we used is summarized in Table 2.

Table 2. HW and SW systems used for implementation.

Attack preparation. Our Presidential Alert Spoofer must first identify the existing eNodeBs in a given licensed frequency band. Each eNodeB can be uniquely identified at a given geographical position by the pair "E-UTRA Absolute Radio Frequency Channel Number (EARFCN)" and "Physical Cell ID (PCI)." For each EARFCN, our Spoofer finds the eNodeB, and associated PCI, whose RSRP is the strongest. Once the existing eNodeBs are listed, the Public Land Mobile Network (PLMN) identity of each eNodeB is collected. Every LTE network has its PLMN, a 3-digit country code followed by two or three digits identifying the provider. The PLMN is periodically broadcast by the eNodeB in the SIB1 message, making it possible to collect all of the observable PLMNs within receiving range passively. To launch an attack, our Presidential Alert Spoofer uses the same PLMN as an existing eNodeB so that the UEs will select our Spoofer during an eNodeB search.
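The preparation step above and the idle-mode reselection described in §2.1 can be made concrete. The following Go program is an added example written for this page, not code from the authors' Spoofer or from the open-source LTE stacks they modified: it picks the strongest cell per EARFCN and collects the PLMNs a scan reveals, then applies a simplified version of the 3GPP TS 36.304 reselection ranking (PLMN filter and serving-cell hysteresis qHyst; cell offsets and the S-criterion are left out) to show why a Spoofer that copies the operator's PLMN and transmits a few dB stronger than the serving cell gets selected, while the same transmitter with a test PLMN is ignored. The struct layout, the sample cells and the hysteresis value are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Cell is one eNodeB as observed by a scanning receiver. Field names are
// chosen for this example; only EARFCN, PCI, PLMN and RSRP come from the text.
type Cell struct {
	EARFCN int     // E-UTRA Absolute Radio Frequency Channel Number (carrier)
	PCI    int     // Physical Cell ID
	PLMN   string  // MCC+MNC as read from SIB1, e.g. "310410"
	RSRP   float64 // Reference Signal Received Power in dBm
}

// StrongestPerEARFCN is the Spoofer's preparation step: for each carrier
// keep the cell with the highest RSRP, and collect every PLMN advertised
// in SIB1 so that one of them can be copied into the Spoofer's own SIB1.
func StrongestPerEARFCN(scan []Cell) (map[int]Cell, []string) {
	best := map[int]Cell{}
	seen := map[string]bool{}
	for _, c := range scan {
		seen[c.PLMN] = true
		if cur, ok := best[c.EARFCN]; !ok || c.RSRP > cur.RSRP {
			best[c.EARFCN] = c
		}
	}
	plmns := make([]string, 0, len(seen))
	for p := range seen {
		plmns = append(plmns, p)
	}
	sort.Strings(plmns)
	return best, plmns
}

// Reselect models idle-mode cell reselection (3GPP TS 36.304) in simplified
// form: a neighbour whose PLMN is not the UE's registered PLMN is never a
// candidate; the serving cell is ranked as RSRP + qHyst (reselection
// hysteresis in dB) and a neighbour as its plain RSRP; the best-ranked cell
// wins. Cell offsets and the S-criterion are omitted for brevity.
func Reselect(serving Cell, neighbours []Cell, homePLMN string, qHyst float64) Cell {
	best, bestRank := serving, serving.RSRP+qHyst
	for _, n := range neighbours {
		if n.PLMN != homePLMN {
			continue // foreign PLMN: ignored regardless of signal strength
		}
		if n.RSRP > bestRank {
			best, bestRank = n, n.RSRP
		}
	}
	return best
}

func main() {
	// Constructed scan: one AT&T cell (PLMN 310410) and one T-Mobile cell (310260).
	scan := []Cell{
		{EARFCN: 5780, PCI: 101, PLMN: "310410", RSRP: -85},
		{EARFCN: 66486, PCI: 7, PLMN: "310260", RSRP: -90},
	}
	_, plmns := StrongestPerEARFCN(scan)
	fmt.Println("PLMNs observed in SIB1:", plmns)

	legit := scan[0]
	spoofer := Cell{EARFCN: 5780, PCI: 250, PLMN: "310410", RSRP: -70} // copied PLMN
	fmt.Printf("idle UE reselects PCI %d\n", Reselect(legit, []Cell{spoofer}, "310410", 2).PCI)
	spoofer.PLMN = "00101" // test PLMN: ignored even though it is 15 dB stronger
	fmt.Printf("with a foreign PLMN the UE stays on PCI %d\n", Reselect(legit, []Cell{spoofer}, "310410", 2).PCI)
}
```

Because of the hysteresis term, a Spoofer that is only marginally stronger than the serving cell is not selected by an idle UE; in practice it needs a margin of several dB, which is consistent with the α values at which §4.1 reports high reception rates.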

Attack execution with an SDR device. We implemented the Spoofer using a USRP B210 and a BladeRF to attack Frequency Division Duplex (FDD) systems. With an SDR, we can change the transmission frequency easily to target every cellular band. We added SIB12 support to the open-source eNodeB software12 and could transmit a CMAS message every 160 msec.

Attack execution with a COTS eNodeB. We use a COTS eNodeB (Juni JLT-621) to target Time Division Duplex (TDD) systems. Our modification of NextEPC provides an interface to inject a user-defined Presidential Alert that is broadcast every second. With this configuration, a victim UE may receive SIB12 every second from the COTS eNodeB. Any commercial LTE FDD/TDD eNodeB hardware can perform this attack, which may play a key role if an attacker wants to control multiple malicious eNodeBs in a coordinated manner.

Figure 6. Receiving multiple fake Presidential Alerts using a Samsung Galaxy S8 (left) and an Apple iPhone X (right).

Attack verification. In our lab environment, we verified that the fake Presidential Alert sent by our SDR-based Spoofer was successfully shown on the FDD phones of AT&T, T-Mobile, and Verizon. With a TDD Sprint phone, we verified that our COTS eNodeB-based Spoofer also works successfully. All experiments were carried out with proper RF shielding.

Affected devices and implications. From the discussion of the SIB12 vulnerability in §2.1, it became clear that the lack of authentication was a design choice by 3GPP, rather than an oversight. This design provides the best possible coverage for legitimate emergency alerts, but the trade-off leaves every phone vulnerable to spoofed alerts. Consequently, all modem chipsets that fully comply with the 3GPP standards show the same behavior: the fake Presidential Alert is received without authentication. Once the LTE modem of the UE receives the fake alert, the operating system will display the alert to the user. Because our attack verification tests included many Android and iOS phones, we conclude that most (presumably all) LTE phones will be affected by the attack, regardless of the phone's vendor or model. Moreover, much of the LTE public warning system is inherited from 2G/3G and continues in 5G; a similar attack is also possible in 5G.


4. Evaluation

Figure 7 illustrates our experimental testbed setup, which consists of an EPC and eNodeB for a conventional LTE system, a malicious eNodeB for spoofing, and cell phones as victim UEs. A signal attenuator receives the broadcast signals from the two sources and delivers the combined signal to a UE in a shielded box. We built an LTE test network with an EPC and eNodeB, named SecureNet, which assumes the role of the user's original network. The malicious eNodeB, part of the Presidential Alert Spoofer, is installed on its own without any LTE core support. By using the signal attenuator, the signal power received at the UE can be precisely controlled for various practical scenarios.

Figure 7. The testbed setup for evaluating the attack success rate. The transmission power levels of the SecureNet eNodeB and the Presidential Alert Spoofer can be controlled independently.

*4.1. Success rate

Let α be the RSRP difference between the SecureNet eNodeB and the Presidential Alert Spoofer for an idle UE (i.e., α = RSRP_SecureNet − RSRP_Spoofer) and β be the same RSRP difference for an active UE. Then we evaluate the Presidential Alert Spoofer's success rate as a function of α (or β). We first attach the UE to SecureNet. For the idle UE case, we wait for the UE to enter idle mode due to inactivity. The Spoofer broadcasts each new Presidential Alert message, so we can determine whether each Presidential Alert is successfully received and at what power configuration of α or β. We conducted 20 experimental trials for each value of α (or β) ranging from 0 to −25 dB.

The Spoofer may elect to use a different PCI than that of the serving eNodeB, appearing to be a new eNodeB. Or, the Spoofer may use the same PCI, appearing to be the existing eNodeB and interfering with the existing eNodeB's PHY-layer control channel information.22 This decision has different impacts on the performance of the spoofing attack, depending on the UE state (idle or active).

Figure 8 shows the empirical cumulative distribution function (CDF) of successful receptions of fake alerts as a function of α for idle UEs. When the Spoofer uses a different PCI and the received signal strength from the Spoofer is higher than that from SecureNet (α < 0), the idle UE will consider the Spoofer as a new serving eNodeB. Our experimental results verify this expectation; 50% of idle UEs can receive a fake message even at α = −1, and more than 90% of idle UEs can receive a fake message when α ≤ −6.

Figure 8. The CDF as a function of α for idle UEs only. Because eNodeB reselection happens when idle UEs wake up, the spoofing attack performs better when using a different PCI.

However, if the same PCI is used, the attack performance is significantly degraded. Because the PCI is used to generate the cell-specific reference signals,5 using the same PCI value will cause channel estimation errors at the UE due to collisions between the two transmitters. This, in turn, leads to more decoding errors when receiving the SIBs. As a result, using the same PCI requires much higher attack power: no UE is affected when α is greater than −12 dB. With α ≤ −17, 90% of idle UEs can still be attacked.

Figure 9 shows the CDF of successful fake message receptions as a function of β (i.e., forcing a disconnect) for active UEs. When the Spoofer uses a different PCI, and the received signal strength from the Spoofer is higher than that from the SecureNet eNodeB, the active UE will start to consider the Spoofer as a target eNodeB for a handover, as described in §2.1. Because SecureNet does not identify the Spoofer, a handover cannot be performed. Instead, we observed that an RLF would occur when β ≤ −10, which eventually leads to the reception of a fake alert. About 90% of active UEs can receive a fake message when β ≤ −20, assuming that a different PCI value is used for the Spoofer. Unlike the idle UE case, using the same PCI value results in higher decoding errors (and more RLFs) at the receiver. Thus, it shows better attack performance: 90% of receptions are successful with β ≤ −13.

Figure 9. The CDF as a function of β for active UEs only. Using the same PCI leads to more decoding errors observed by the UE. This results in a slightly more effective attack.

*4.2. Practical scenarios: indoor and outdoor

As we do not use the Spoofer outside of a shield box, we cannot directly measure its effect on a large number of people. To evaluate the attack coverage according to its success rate, we use actual RSRP measurements in indoor and outdoor environments.

Indoor attack. We placed our malicious eNodeB inside a campus building and measured the RSRP of a dummy LTE signal (containing no CMAS message) in the EBS band with 0.1 Watt transmit power. We also measured the RSRP of a nearby AT&T eNodeB, as shown in Figure 10a. The RSRP does not attenuate consistently due to various obstacles, but generally the RSRP tends to decrease as the distance from the AT&T eNodeB increases. We compared the two RSRPs throughout the building and derived the attack coverage using the measurements obtained in §4.1, as depicted in Figure 10b. As a result, in a building with a total area of about 16,859 m2, the coverage for a 90% success rate was about 4435 m2 for idle UEs, whereas for active UEs it was about 2955 m2.

Figure 10. The indoor attack simulation: (a) the satellite image of the Engineering Center at the University of Colorado Boulder shows the nearest AT&T eNodeB. The graph shows the indoor RSRP distribution of that eNodeB. (b) The attack coverage for idle and active UEs is shown when a 1 x 0.1 Watt malicious eNodeB is used.

Outdoor attack. Without access to outdoor LTE equipment, we simulate the RSRPs of the spoofing eNodeB and the AT&T eNodeB with the NS-3 v3.29 network simulator.18 For the scenario, we assume a football game where a large number of people are gathered in a restricted region. A group of attackers sends fake alerts to the spectators inside the football stadium. We measured the RSRP of an actual AT&T eNodeB around the perimeter of our campus' football stadium, as shown in Figure 11. We used the simulator to estimate the RSRPs at the center of each section in the stadium (Figure 11a). We simulated the spoofers at four corners around the stadium, nearby but still outside of the ticketed area. Figure 11b shows which malicious eNodeB with a 1 Watt transmit power attacked each section. We find that all sections, except one, are attacked by the malicious eNodeBs. This means that 49,300 among the total 50,000 seats will be hit with the attack, which itself has a 90% success rate, given that all UEs are in the idle state.
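The coverage numbers in §4.2 come from comparing two RSRP maps against the thresholds measured in §4.1. As an added example (not the authors' simulation, which used NS-3 and real AT&T measurements), the Go program below does the same comparison on constructed data: the real eNodeB's RSRP at each section centre is taken as given, each Spoofer's RSRP is modelled with a log-distance path-loss law, and a section counts as attacked when RSRP_SecureNet − RSRP_Spoofer is at or below the different-PCI 90% threshold (−6 dB for idle UEs, −20 dB for active UEs). The path-loss constants, stadium geometry, seat counts and RSRP values are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Log-distance path-loss parameters. Both are assumptions for this example:
// about 40 dB at 1 m is the free-space loss near 2.5 GHz, and an exponent
// of 3 is a common choice for obstructed outdoor propagation.
const (
	pathLoss1m  = 40.0
	pathLossExp = 3.0
)

// 90% success thresholds from §4.1 for a Spoofer using a different PCI,
// where alpha (idle) or beta (active) = RSRP_SecureNet - RSRP_Spoofer.
const (
	idleThreshold   = -6.0
	activeThreshold = -20.0
)

// Section is one seating section with the RSRP of the real eNodeB
// measured (or simulated) at its centre.
type Section struct {
	X, Y      float64 // centre, metres
	Seats     int
	LegitRSRP float64 // dBm
}

// spooferRSRP returns the received power from a Spoofer transmitting txDBm
// at distance d metres. RSRP is strictly per-resource-element reference
// signal power, so absolute values here are illustrative; only the
// difference against the real eNodeB matters for the thresholds above.
func spooferRSRP(txDBm, d float64) float64 {
	if d < 1 {
		d = 1
	}
	return txDBm - (pathLoss1m + 10*pathLossExp*math.Log10(d))
}

// Coverage counts the sections and seats where the strongest Spoofer
// satisfies RSRP_legit - RSRP_spoofer <= threshold.
func Coverage(sections []Section, spoofers [][2]float64, txDBm, threshold float64) (nSections, nSeats int) {
	for _, s := range sections {
		best := math.Inf(-1)
		for _, sp := range spoofers {
			if r := spooferRSRP(txDBm, math.Hypot(s.X-sp[0], s.Y-sp[1])); r > best {
				best = r
			}
		}
		if s.LegitRSRP-best <= threshold {
			nSections++
			nSeats += s.Seats
		}
	}
	return nSections, nSeats
}

func main() {
	// Constructed stadium: a 200 m x 150 m bowl split into a 5 x 4 grid of
	// 2,500-seat sections, with the real eNodeB's RSRP falling from -80 dBm
	// in one corner to -94 dBm in the opposite one. Four 1 W (30 dBm)
	// Spoofers sit just outside the corners, as in the outdoor scenario.
	var sections []Section
	for i := 0; i < 5; i++ {
		for j := 0; j < 4; j++ {
			sections = append(sections, Section{
				X: 20 + 40*float64(i), Y: 18.75 + 37.5*float64(j), Seats: 2500,
				LegitRSRP: -80 - 2*float64(i) - 2*float64(j),
			})
		}
	}
	corners := [][2]float64{{-10, -10}, {210, -10}, {-10, 160}, {210, 160}}
	for _, c := range []struct {
		name string
		thr  float64
	}{{"idle", idleThreshold}, {"active", activeThreshold}} {
		n, seats := Coverage(sections, corners, 30, c.thr)
		fmt.Printf("%-6s UEs: %2d/20 sections, %5d/50000 seats inside the 90%% zone\n", c.name, n, seats)
	}
}
```

The one-sided comparison is the point of the exercise: a Spoofer only has to win the RSRP race by the measured margin, so the attacked area grows with transmit power and with the number of Spoofers, exactly as the indoor (one 0.1 W unit) and outdoor (four 1 W units) figures above differ.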

Figure 11. The outdoor attack simulation: (a) the satellite image of Folsom Field at the University of Colorado Boulder shows the location of the AT&T eNodeB. The stadium graph represents the RSRP distribution of the eNodeB estimated at the center of each section. (b) When 4 x 1 Watt malicious eNodeBs are located outside the four corners of the stadium, the fake alert coverage hits all but one section. This means that 49,300 among the total 50,000 seats are hit with the attack, which itself has a 90% success rate.


5. Mitigation Solutions

Defending against CMAS spoofing attacks requires careful consideration of several challenges. First, updates to the CMAS architecture could require expensive changes by cell phone manufacturers, operating system developers, government bodies, and cellular carriers. Coordinating such an effort would be difficult due to the fragmented nature of the network. Furthermore, updates must still support outdated devices, both on the user (UE) and infrastructure (eNodeB) side, as it could take years to replace old equipment. Also, any comprehensive defense must consider the trade-off between security and availability: if users cannot receive valid alerts due to sophisticated protections, it may be riskier than continuing to use the existing (but vulnerable) system.

With these challenges in mind, we propose three mitigation solutions: first, a client-side software solution that ignores unsecured CMAS alerts; second, a network-aware solution that attempts to detect fake alerts by modeling the characteristics of legitimate eNodeBs; and third, adding digital signatures to alerts.

*5.1. Customer-driven approach

A client-driven approach should give a UE the ability to decide whether a received CMAS message is trustworthy. It requires information from LTE's control plane, which is responsible for essential operations such as network attach, security control, authentication, bearer setup, and mobility management. To mitigate the CMAS spoofing attack, we use Radio Resource Control (RRC) and Non-Access Stratum (NAS) layer information from the LTE control plane. We can check whether the UE has a valid connection from the RRC control information, and the UE's state transitions with the MME from the NAS control information.

Monitoring RRC and NAS on a UE is currently tricky because LTE control plane protocols are handled by the LTE baseband chipset and firmware, so accessing such information through the existing operating system (e.g., Android, iOS) is not fully supported. In our implementation, we installed a cellular debugging tool on Android to retrieve the state information of RRC and NAS.14

Figure 12 shows the RRC and NAS state transitions in a standard scenario where the UE receives a Secure CMAS message from a legitimate eNodeB. When it receives an Unsecure CMAS message, we see a different state transition. For instance, when a UE is in active mode, the attack starts with a sudden radio link failure, as we explained in §2. It incurs the RRC state change from "CONNECTED" to "IDLE," and the state goes back to "CONNECTED" when a CMAS is received. After that, the NAS state will soon change to "EMM-REGISTERED.NO-CELL-AVAILABLE."

Figure 12. UE state transition for Secure CMAS reception.

As a result, we propose a spoofing detection algorithm as a client-driven approach. First, it needs the ability to access a short history of RRC and NAS state transitions. Then, whenever a CMAS message is received, it should be checked by our algorithm before being displayed to the user. The algorithm finds any suspicious activity by evaluating the RRC and NAS state transitions, assuming that unsecured connections may deliver fake broadcast messages. Finally, it shows a fake CMAS message with a warning, as shown in Figure 13.

Figure 13. The client-driven approach evaluates the security of the broadcast radio channel by monitoring the UE's RRC and NAS state transitions when a CMAS message is received.
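One way to implement the client-driven check, as an added example rather than the authors' Android implementation: the detector keeps a short trace of RRC and NAS events together with the PCI they were observed on, and when a CMAS arrives it applies two rules derived from the state transitions described above. Rule 1: the NAS state must be EMM-REGISTERED with normal service at reception and must not degrade (for example to EMM-REGISTERED.NO-CELL-AVAILABLE) within a short window afterwards. Rule 2: a CONNECTED to IDLE drop shortly before an alert that then arrives from a different cell is treated as the RLF-then-reconnect pattern of the active-mode attack. The event format, the state strings and the window length are assumptions; a real implementation would fill the trace from the baseband diagnostics interface the text mentions.

```go
package main

import "fmt"

// Event is one entry of the short control-plane history the detector keeps.
// Layer is "RRC", "NAS" or "CMAS"; State carries the RRC state, the EMM
// sub-state, or the alert text; PCI is the cell the event was observed on.
// The format is assumed for this example.
type Event struct {
	T     float64 // seconds since the trace started
	Layer string
	State string
	PCI   int
}

// nasNormal is the EMM sub-state of a registered UE with normal service
// (3GPP TS 24.301). Anything else around an alert is treated as unsecured.
const nasNormal = "EMM-REGISTERED.NORMAL-SERVICE"

// Verdict is what the detector hands to the alert UI.
type Verdict struct {
	Secure bool
	Reason string
}

// CheckCMAS inspects trace[idx] (which must be a CMAS event) against the
// window seconds of control-plane history before it and, because the NAS
// reaction to a rogue cell arrives slightly later, up to window seconds
// after it. It returns Secure=false with the first rule that fired.
func CheckCMAS(trace []Event, idx int, window float64) Verdict {
	cmas := trace[idx]
	if cmas.Layer != "CMAS" {
		return Verdict{false, "not a CMAS event"}
	}

	// Rule 1: NAS must show a registered UE with normal service at reception
	// and shortly afterwards (a failed attach/TAU on the rogue cell shows up
	// as EMM-REGISTERED.NO-CELL-AVAILABLE or similar).
	nasState := ""
	for _, e := range trace {
		if e.Layer != "NAS" {
			continue
		}
		switch {
		case e.T <= cmas.T:
			nasState = e.State // latest NAS state in effect at reception
		case e.T <= cmas.T+window && e.State != nasNormal:
			return Verdict{false, fmt.Sprintf("NAS entered %s %.1fs after the alert", e.State, e.T-cmas.T)}
		}
	}
	if nasState != nasNormal {
		return Verdict{false, "NAS state at reception: " + orUnknown(nasState)}
	}

	// Rule 2: a CONNECTED -> IDLE drop inside the window followed by an alert
	// from a different cell is the RLF-then-reconnect pattern of the
	// active-mode attack; an inactivity release on the same cell does not match.
	prevRRC, dropPCI, dropped := "", 0, false
	for _, e := range trace[:idx] {
		if e.Layer != "RRC" {
			continue
		}
		if e.T >= cmas.T-window && prevRRC == "CONNECTED" && e.State == "IDLE" {
			dropped, dropPCI = true, e.PCI
		}
		prevRRC = e.State
	}
	if dropped && cmas.PCI != dropPCI {
		return Verdict{false, fmt.Sprintf("link dropped on PCI %d, alert came from PCI %d", dropPCI, cmas.PCI)}
	}
	return Verdict{true, "registered with normal service, no recent link failure"}
}

func orUnknown(s string) string {
	if s == "" {
		return "unknown (no NAS history)"
	}
	return s
}

func main() {
	// Constructed trace of the active-mode attack described in the text.
	attack := []Event{
		{0, "RRC", "CONNECTED", 101}, {0, "NAS", nasNormal, 101},
		{10.0, "RRC", "IDLE", 101},      // radio link failure caused by the Spoofer
		{10.5, "RRC", "CONNECTED", 250}, // UE reconnects to the strongest cell
		{10.7, "CMAS", "Presidential Alert: ...", 250},
		{11.2, "NAS", "EMM-REGISTERED.NO-CELL-AVAILABLE", 250},
	}
	fmt.Printf("%+v\n", CheckCMAS(attack, 4, 5))
}
```

Rule 1 deliberately holds the alert for up to window seconds to observe the NAS reaction, which is the availability trade-off discussed at the start of this section; for that reason the verdict is meant to drive the warning label of Figure 13 rather than to suppress the alert.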

*5.2. Network-aware approach

A network-aware approach can leverage the received indicate force (RSS) at the UE to make up one's mind if the eNodeB from which the UE received the CMAS message is within a feasible altitude. Using a widely used path-loss model,11 we can estimate the distance to the eNodeB using the RSS value. And then compare this with the location provided by an Cyberspace database9 to decide whether the alert could take come up from a trusted eNodeB.

The performance of this technique could be greatly improved by applying machine learning (ML), as shown in Figure 14. In our design, we train on legitimate cells using basic cell information, neighbor relations, and signal quality measurements associated with the location. Such information may be collected and shared by network operators or through crowdsourcing.21 In our paradigm, a UE retrieves an ML model associated with the serving and surrounding cells of its location to classify the validity of the attached eNodeB upon reception of a CMAS message.

Figure 14. The network provides a machine learning (ML)-based model which characterizes legitimate eNodeBs, so that the UE can decide whether the warning could have come from a trusted eNodeB or not.
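An added Go example (not the paper's code) of the basic network-aware check: it inverts the log-distance path-loss model to bound the eNodeB distance from the RSS and compares that bound with the tower position a coverage database lists for the cell ID the alert carried. The tower records, transmit power, path-loss exponent, reference loss and margin are constructed assumptions, not values from the paper.

```go
package main

import (
	"fmt"
	"math"
)

// Cell is a tower record as a coverage database (e.g. CellMapper) would list it;
// the records used below are constructed, not real towers.
type Cell struct {
	ID       uint32
	Lat, Lon float64 // degrees
}

// EstimateDistanceM inverts the log-distance path-loss model
// PL(d) = PL(d0) + 10*n*log10(d/d0) with d0 = 1 m, using RSS = Ptx - PL(d).
// Powers are in dBm, losses in dB; n is about 2 in free space, 3-4 in cities.
func EstimateDistanceM(rssDBm, txPowerDBm, pl0DB, n float64) float64 {
	return math.Pow(10, (txPowerDBm-rssDBm-pl0DB)/(10*n))
}

// HaversineM is the great-circle distance in metres between two lat/lon points.
func HaversineM(lat1, lon1, lat2, lon2 float64) float64 {
	toRad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := toRad(lat2-lat1), toRad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371000 * math.Asin(math.Sqrt(a))
}

// PlausibleSource answers whether an alert heard at rssDBm, tagged with cellID,
// could have come from the tower the database lists for that ID: the listed tower
// must lie within margin times the RSS-implied distance. A strong signal from a
// far-away (or unlisted) cell is the spoofing signature; a weak one is not.
func PlausibleSource(db map[uint32]Cell, cellID uint32, ueLat, ueLon, rssDBm, margin float64) (bool, float64, float64) {
	c, ok := db[cellID]
	if !ok {
		return false, 0, 0 // unknown cell: nothing to corroborate against
	}
	// assumed macro-cell parameters: 43 dBm transmit power, 38 dB loss at 1 m, n = 3.5
	est := EstimateDistanceM(rssDBm, 43, 38, 3.5)
	actual := HaversineM(ueLat, ueLon, c.Lat, c.Lon)
	return actual <= est*margin, est, actual
}

func main() {
	db := map[uint32]Cell{1001: {1001, 40.0170, -105.2705}, 2002: {2002, 40.0450, -105.2705}}
	// a -75 dBm alert claiming cell 2002, whose listed tower is about 3.3 km away
	fmt.Println(PlausibleSource(db, 2002, 40.0150, -105.2705, -75, 3))
}
```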

5.3. Digital signature approach

We also consider digitally signing SIB12 messages to prevent spoofed messages, as discussed by 3GPP.1 Although it is conceptually simple, adding signatures is hard because operators and devices must agree on the key or keys that will be used to sign and validate messages.

For key management, we leverage suggestions from 3GPP discussions,1 which suggest using 1) the Non-Access Stratum (NAS) to send authenticated messages to the device, or 2) Over-The-Air (OTA) UE SIM card provisioning. Because NAS provides message integrity between the eNodeB and UE (mediated by pre-shared keys in the UE SIM card), messages received in this way cannot be spoofed by a (physically) nearby adversary. However, sending alerts over this channel would limit their reception to devices that had established a NAS session. Instead, we recommend using this authenticated channel to send and update a public key that a device should trust. This key should correspond to the private key held by a network operator's Cell Broadcast Center (CBC), which is authorized to broadcast such alerts. Alternatively, the public key distribution can be done using OTA management,4 which is a well-established technique for updating information on the Universal Integrated Circuit Card (UICC).

To verify this scheme's feasibility, we first stored a public key in a SIM card, assuming that a network operator will provision it. Then we implemented the ed25519 digital signature for the Presidential Alert7 to sign a 4-byte time stamp along with the CMAS warning message (68 bytes overhead in total). Once a signed message is received, the alert message can be displayed after verifying its signature, as shown in Figure 15. As a result, the UE is not affected by the spoofing attack because it only accepts signed messages.

Figure 15. Secure CMAS delivery is guaranteed by adding a signature to alerts. As of May 2019, the FCC mandated support for warning messages of up to 360 characters; adding a 64-byte digital signature thus becomes applicable for existing and future wireless emergency warning systems.
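An added Go example (not the authors' prototype) of the signing scheme, using Go's standard crypto/ed25519: a 4-byte timestamp is prepended to the alert text, both are signed by the CBC, and the UE verifies the signature under the provisioned public key and checks freshness before returning the text for display. The exact byte layout, the big-endian timestamp and the freshness window are assumptions; the 68-byte overhead (4 + 64) matches the figure in the text.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// On-air layout assumed here: 4-byte big-endian timestamp || alert text ||
// 64-byte Ed25519 signature over (timestamp || text), i.e. 68 bytes overhead.
const tsLen, sigLen = 4, ed25519.SignatureSize

// SignAlert is the Cell Broadcast Center side (simulated; key held by the operator).
func SignAlert(priv ed25519.PrivateKey, unixTime uint32, text string) []byte {
	buf := make([]byte, tsLen+len(text), tsLen+len(text)+sigLen)
	binary.BigEndian.PutUint32(buf, unixTime)
	copy(buf[tsLen:], text)
	return append(buf, ed25519.Sign(priv, buf)...)
}

// VerifyAlert is the UE side: the text is returned for display only if the
// signature checks under the provisioned public key and the timestamp is
// recent (maxAgeSec), which also blocks replay of an old but validly signed alert.
func VerifyAlert(pub ed25519.PublicKey, msg []byte, now, maxAgeSec uint32) (string, error) {
	if len(msg) < tsLen+sigLen {
		return "", errors.New("too short to carry a timestamp and signature")
	}
	body, sig := msg[:len(msg)-sigLen], msg[len(msg)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return "", errors.New("bad signature: not signed by the provisioned CBC key")
	}
	ts := binary.BigEndian.Uint32(body)
	if ts > now || now-ts > maxAgeSec {
		return "", errors.New("stale or future timestamp: possible replay")
	}
	return string(body[tsLen:]), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // provisioning step, simulated
	msg := SignAlert(priv, 1554000000, "Presidential Alert: THIS IS A TEST")
	fmt.Println(VerifyAlert(pub, msg, 1554000010, 300))
	msg[tsLen] ^= 0x01 // flip one bit of the alert text: must be rejected
	fmt.Println(VerifyAlert(pub, msg, 1554000010, 300))
}
```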

6. Conclusion

In this paper, we have identified the WEA security vulnerabilities over commercial LTE networks and found that a spoofing attack with false alerts can be carried out very easily. Specifically, we presented our threat analysis of the spoofing attack and implemented an effective attack system using COTS SDR hardware and open-source LTE software. Our extensive experimentation confirmed that the CMAS spoofing attack could succeed on all tested smartphones on the top 4 cellular carriers in the U.S. Further, we have proposed potential defenses, and we believe that completely fixing this problem will require a large collaborative effort between carriers, government stakeholders, and cellphone manufacturers.

References

1. 3GPP TR 33.969. Technical Specification Group Services and System Aspects; Study on security aspects of public warning system (PWS) (Release 15), 2018. http://www.3gpp.org/DynaReport/33969.htm.

2. 3GPP TS 23.041. Technical Specification Group Core Network and Terminals; Technical realization of Cell Broadcast Service (CBS) (Release 15), 2018. http://www.3gpp.org/dynareport/23041.htm.

3. 3GPP TS 29.168. Technical Specification Group Core Network and Terminals; Cell Broadcast Centre interfaces with the evolved packet core (Release 15), 2018. http://www.3gpp.org/dynareport/29168.htm.

4. 3GPP TS 31.115. Technical Specification Group Core Network and Terminals; Secured packet structure for (Universal) subscriber identity module (U)SIM toolkit applications (Release 15), 2019. http://www.3gpp.org/dynareport/31115.htm.

5. 3GPP TS 36.211. Technical Specification Group Radio Access Network; Physical channels and modulation (Release 15), 2018. http://www.3gpp.org/dynareport/36211.htm.

6. 3GPP TS 36.331. Technical Specification Group Radio Access Network; Evolved universal terrestrial radio access (E-UTRA); radio resource control (RRC) (Release 15), 2018. http://www.3gpp.org/dynareport/36331.htm.

7. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y. High-speed high-security signatures. J. Cryptographic Eng. 2, 2 (2012), 77–89.

8. Bui, N., Widmer, J. OWL: a reliable online watcher for LTE control channel measurements. In ACM All Things Cellular (MobiCom Workshop) (November 2016).

9. CellMapper. Cellular coverage and tower map, 2018. https://www.cellmapper.net.

10. Chen, X., Jindal, A., Ding, N., Hu, Y.C., Gupta, M., Vannithamby, R. Smartphone background activities in the wild: origin, energy drain, and optimization. In Proceedings of the 21st Annual International Conference on Mobile Computing and Networking (2015), MobiCom'15, Paris, France.

11. Goldsmith, A. Wireless Communications. Cambridge University Press, Cambridge, England, August 2005.

12. Gomez-Miguelez, I., Garcia-Saavedra, A., Sutton, P.D., Serrano, P., Cano, C., Leith, D.J. srsLTE: an open-source platform for LTE evolution and experimentation. In ACM WiNTECH (MobiCom Workshop) (October 2016).

13. Huang, J., Qian, F., Gerber, A., Mao, Z.M., Sen, S., Spatscheck, O. A close examination of performance and power characteristics of 4G LTE networks. In Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (2012), MobiSys'12, Low Wood Bay, Lake District, UK.

14. Li, Y., Peng, C., Yuan, Z., Li, J., Deng, H., Wang, T. MobileInsight: extracting and analyzing cellular network information on smartphones. In Proceedings of the 22nd Annual International Conference on Mobile Computing and Networking (2016), MobiCom'16, New York City, New York, USA.

15. Lichtman, G., Jover, R.P., Labib, M., Rao, R., Marojevic, V., Reed, J.H. LTE/LTE-A jamming, spoofing, and sniffing: threat assessment and mitigation. IEEE Commun. Mag. 54, 4 (April 2016), 54–61.

16. National Public Radio. Officials assess response to Camp Fire in northern California, 2018. https://goo.gl/iF12Vo.

17. NextEPC Inc. Open source implementation of LTE EPC, 2019. https://www.nextepc.com/.

18. Nsnam. NS-3: a discrete-event network simulator for internet systems, 2018. https://www.nsnam.org.

19. The Washington Post. Cellphone users nationwide just received a 'Presidential Alert.' Here's what to know, 2018. https://goo.gl/KRfDjf.

20. Wikipedia. Hawaii false missile alert, 2018. https://goo.gl/oD9ofx.

21. Yang, D., Xue, G., Fang, X., Tang, J. Crowdsourcing to smartphones: incentive mechanism design for mobile phone sensing. In The 18th Annual International Conference on Mobile Computing and Networking (August 2012), MobiCom'12, Istanbul, Turkey.

22. Yang, H., Huang, A., Gao, R., Chang, T., Xie, L. Interference self-coordination: a proposal to enhance reliability of system-level information in OFDM-based mobile networks via PCI planning. IEEE Trans. Wirel. Commun. 13, 4 (April 2014), 1874–1887.

Authors

Jihoon Lee (jihoon.lee-1@colorado.edu), University of Colorado Boulder, Colorado, USA.

Jinsung Lee (jinsung.lee@colorado.edu), University of Colorado Boulder, Colorado, USA.

Max Hollingsworth (max.hollingsworth@colorado.edu), University of Colorado Boulder, Colorado, USA.

Eric Wustrow (ewust@colorado.edu), University of Colorado Boulder, Colorado, USA.

Dirk Grunwald (dirk.grunwald@colorado.edu), University of Colorado Boulder, Colorado, USA.

Sangtae Ha (sangtae.ha@colorado.edu), University of Colorado Boulder, Colorado, USA.

Gyuhong Lee (caixy@mnd.go.kr), Korea Army University, Yeongcheon, South Korea.

Youngbin Im (ybim@unist.ac.kr), UNIST, Republic of Korea.

Jinsung Lee is the corresponding author.

Footnotes

The original version of this paper is entitled "This is Your President Speaking: Spoofing Alerts in 4G LTE Networks" and was published in Proceedings of the 17th ACM International Conference on Mobile Systems, Applications and Services, 2019.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2021 ACM, Inc.


Source: https://cacm.acm.org/magazines/2021/10/255719-securing-the-wireless-emergency-alerts-system
