It is ridiculously easy to send fake threats through the emergency alert system
Everything is terrible.
Man, it has not been a good week for mobile phone security. Whether it’s the ongoing plague of robocalls or the “massive espionage campaign” hackers are carrying out on our call records, our cell phones are seemingly becoming more weaponized by the day (and that’s not even counting the horn-shaped bone spurs they’re apparently giving us).
As it turns out, even the system we rely on in cases of emergency can be used against us.
Speaking at the International Conference on Mobile Systems, Applications and Services in Seoul, South Korea, a team of researchers from the University of Boulder revealed how easy (and cheap) it was to hijack the WEA (wireless emergency alerts) system.
“We were able to do this attack with commercially-available software defined radios for about $1000,” said Eric Wustrow, a co-author of the study and an assistant professor in Electrical, Computer and Energy Engineering.
What is a wireless emergency alert system?
Wireless emergency alerts are typically used to warn cell phone users in a given area of everything from an AMBER alert to a weather warning. The system controlling them is currently operated by both the FCC and FEMA and uses geographic targeting to blast the alert over an LTE channel.
While the transmissions from the government agencies to the cell towers are secure, it’s the subsequent transmission from the tower to the user that is vulnerable to an attack. Vice offers a rundown of how the researchers were able to hijack the communication at this stage:
To prove it, researchers built a mini “pirate” cell tower using easily-available hardware and open source software. Using isolated RF shield boxes to mitigate any real-world harm, they then simulated attacks in the 50,000 seat Folsom Field at the University. 90 percent of the time, the researchers say they were able to pass bogus alerts on to cell phones within range.
The study comes in response to a January 2018 emergency alert that erroneously informed Hawaii residents of an impending nuclear ballistic missile attack. One could easily see the type of mass panic a hacker could cause by sending a false message to a sports stadium or subway station, which is why Wustrow is so adamant about finding a solution.
Until then, I have only one piece of advice: BURY YOUR PHONES IN SAND AND TAKE TO THE SEA!
- Classical music is slowly being eradicated from streaming music platforms
- Faulty audio surveillance systems with ‘aggression detectors’ are being sold to schools
- The FTC is finally cracking down on those scummy robocallers
- Spotify is demanding refunds from the artists it “overpaid” in 2018