PUBLISHED: | UPDATED:

A study conducted by University of Colorado Boulder researchers recently discovered a way in which potential hackers could send inauthentic notifications through the National Wireless Emergency Alert System, which includes AMBER alerts, presidential alerts, and various threat alerts.

The new so-called ‘Presidential Alert’ system was developed by various U.S. government agencies and debuted on October 3, 2018, sending a test text message to cell phones across the nation. The alerts are designed to notify a vast amount of people in the event of imminent disasters.

The credibility of these presidential alerts is being questioned due to their newfound susceptibility to hackers. Faculty from the CU Engineering’s Department of Computer Science, Department of Electrical, Computer and Energy Engineering, and the Technology, Cybersecurity and Policy program looked into the legitimacy of these messages after millions of Hawaiians received an alarming emergency alert in January 2018 that claimed the state was under an incoming ballistic missile threat. The message, sent as a mistake, prompted CU’s researchers to take the first step toward preventing such confusion and panic.

“It was the reaction to the Hawaii incident that made us understand that this was pretty significant,” said Dirk Grunwald, a professor of computer science at CU and co-author of the study. “We are imagining fear-inducing messages sent by hackers that introduce panic and create disruption.”

A screen shot from a mobile phone shows an alert text message sent to all Hawaiian citizens on Jan. 13, 2018.. Hawaii officials swiftly confirmed the warning of an incoming ballistic missile was a “false alarm,” but not before the ominous message unnerved residents and stirred confusion across the state.

The government, eager to notify as many people as possible in any case of danger, broadcasts emergency alerts to every device in the range of a cell tower. Because of this broad approach, this communication becomes particularly vulnerable between cell towers and cell phones.

Through their research, the CU team discovered that hackers can create small cell towers, costing about $1,000 each, and send that message to the right channel in order to send copycat messages that mimic the presidential alert texts.

According to Eric Wustrow, co-author and an assistant professor in ECEE, no hacker-designed alerts have been sent out — yet. The researchers are eager to protect the public’s safety before it can become a fear-inducing reality.

CU’s team discovered that physically-proximate hackers are able and likely to feign these alerts to confined areas such as city blocks or sport arenas. Through a multitude of approved lab-environment simulations, faculty and researchers found that hackers could be extremely successful in infiltrating similarly populated areas, one example being Folsom Field.

Wustrow said that, in the findings of these tests, “the attacker would be successful,” and could reach about 90 percent of the targeted population.

“Even if only 39,000 actually receive the alert, there will be panic,” said Grunwald. “If it’s in an enclosed location, the reciprocation could be disastrous.”

The team’s discoveries have since been communicated to U.S. government officials, cell phone carriers, cell phone manufacturers, and the Cellular Telecommunications Industry Association in an effort to see steps taken toward collaborating on a solution that differentiates genuine alert messages from untrustworthy ones.

“One way that we can prevent confusion is if we change these messages to having a signature or authentication attached to the legitimate messages,” Wustrow said. “We are hoping that the public pressure helps people to take this issue seriously before it becomes a real problem.”

blog comments powered by Disqus