Researchers managed to cover a 50,000 seat football stadium using only four malicious portable stations.
A group of security researchers from the University of Colorado Boulder has published a paper detailing the findings of their latest research revealing that LTE vulnerabilities can help attackers send out fake presidential alerts.
To do this, they only need a commercial software-defined radio system and modified open source NextEPC and srsLTE libraries. Anyone using the right software and equipment can send out fake presidential alerts with a 90% success rate.
Researchers managed to cover a 50,000 seat football stadium using only four malicious portable stations to reveal the loopholes in the LTE towers used to send out messages for the Wireless Emergency Alert System (WEA).
To conduct the attack, researchers got the base stations to replicate the LTE signal that a cell phone tower was sending out. Surprisingly, the fake presidential alerts appeared on both Android and iOS phones. However, they couldn’t hit the 50,000 people mark.
The WEA was tested for the first time by the Federal Emergency Management Agency (FEMA) in October 2018. The purpose behind the development of this system is to let the president communicate with citizens quickly and easily during emergencies, such as matters of national security, digital threats and weather alerts.
The WEA system is much like Amber alerts, the difference being that presidential alerts cannot be disabled or blocked, so the entire country will get them on their smartphones, televisions and every other communication platform.
In their paper, researchers noted that the actual impact of such an attack would depend on the density of cell phones in range. Malicious messages can thus be sent to any and every mobile phone or device that is present within the broadcasting cell tower's range, and just one malicious cell tower can effectively fool the system into sending fake emergency alerts to all devices that come within its range.
“We find that with only four malicious portable base stations of a single watt of transmit power each, almost all of a 50,000-seat stadium can be attacked with a 90% success rate… fake alerts in crowded cities or stadiums could potentially result in cascades of panic,” researchers revealed.
The attack is possible because of multiple security flaws in the way LTE works. For example, the alerts have to be sent out on a specific LTE channel, which, once identified, can be exploited to replace actual alert messages with malicious ones. Moreover, phones cannot tell whether an alert is real or fake unless the alerts carry digital signatures.
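The signature check mentioned above, sketched as an added example that is not from the researchers' paper or any carrier's code. The Alert layout, the five-minute freshness window and the key handling are assumptions made for illustration; real WEA messages have no such fields.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Alert is a hypothetical signed-alert layout, not the WEA or 3GPP format.
type Alert struct {
	Issued int64  // Unix seconds at signing time
	Text   string // text shown to the user
	Sig    []byte // Ed25519 signature over signedBytes()
}

// signedBytes binds the timestamp to the text so neither can be swapped alone.
func (a Alert) signedBytes() []byte {
	b := make([]byte, 8, 8+len(a.Text))
	binary.BigEndian.PutUint64(b, uint64(a.Issued))
	return append(b, a.Text...)
}

// Verify is the handset-side check: pinned-key signature plus a freshness window.
func Verify(pub ed25519.PublicKey, a Alert, now time.Time, maxAge time.Duration) error {
	if len(a.Sig) != ed25519.SignatureSize {
		return errors.New("missing or malformed signature")
	}
	if !ed25519.Verify(pub, a.signedBytes(), a.Sig) {
		return errors.New("signature does not match pinned key")
	}
	if age := now.Sub(time.Unix(a.Issued, 0)); age < -maxAge || age > maxAge {
		return errors.New("alert outside freshness window (possible replay)")
	}
	return nil
}

// demo returns verdicts for a genuine alert, an unsigned forgery and a late replay.
func demo() (genuine, forged, replayed error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key, stands in for the alert authority
	now, w := time.Unix(1700000000, 0), 5*time.Minute
	a := Alert{Issued: now.Unix(), Text: "Constructed test alert"}
	a.Sig = ed25519.Sign(priv, a.signedBytes())
	f := Alert{Issued: now.Unix(), Text: "Constructed forged alert"}
	return Verify(pub, a, now, w), Verify(pub, f, now, w), Verify(pub, a, now.Add(time.Hour), w)
}

func main() { fmt.Println(demo()) }
```

The timestamp is part of the signed bytes because a signature alone would not stop a rogue base station from rebroadcasting a previously captured genuine alert.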
To test their claim, researchers developed their own malicious cell tower channel using the abovementioned open source software and hardware. The same combination of equipment and software was previously used in an experiment carried out at Folsom Field at the same university.
It must be noted that the attack wasn’t performed on a live crowd or on actual mobile phones but on isolated RF shield boxes, states researcher Eric Wustrow.
We cannot ignore the fact that a system designed to send out important alerts about emergencies is a sensitive one, and its hijacking using simple equipment and open source software could lead to devastating consequences.
Moreover, since the alerts are unblockable texts from the US president, their abuse could create panic across the entire nation, as people might think that the country or the stadium is being attacked. Hence, researchers are of the opinion that this is a massive flaw that isn't easy to fix, because a fix would require the collaboration of device makers, carriers, stakeholders and the government.