Presidential warnings could be vulnerable to hackers

America’s presidential warnings about imminent threats has been identified as “easy” to spoof.

Researchers at the University of Colorado have demonstrated how the messaging system can be exploited to send fake warnings.

Set up in 2006, the US Wireless Emergency Alert is a mandated service to which “modern cell phones” are required to receive and display alerts. The alerts include severe warning alerts, AMBER alerts and Presidential alerts.

However scrutiny has been placed on the potential misuse of the alert system. In January 2018, an alert had been issued in Hawaii warning of an inbound missile. The alert was a result of human error however it resulted in panic and disruption throughout the state.

In October 2018, the first national test of a mandatory President Alert had been sent to all “capable phones” in the US.

Using four malicious base stations, a “commercially available software defined radio”, and modifications to open-source software – researchers were able to send a simulated alert to a 50,000-seat stadium with a 90% success rate.

“The true impact of such an attack would of course depend on the density of cell phones in range; fake alerts in crowded cities or stadiums could potentially result in cascades of panic.

“Fixing this problem will require a large collaborative effort between carriers, government stakeholders, and cell phone manufacturers.”

The study discusses two potential defences:

“First, adding digital signatures to alerts, and second, client-side software solutions ignoring unsecured CMAS alerts and attempting to detect false alerts by fingerprinting characteristics of legitimate eNodeBs.

“We stress that neither of these defenses offer a magic solution, but instead hope they provide starting points for network operators and cell phone manufacturers to continue discussions.”

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.