BOULDER, Colo. (CBS4) – A new CU Boulder study says presidential emergency alerts could be spoofed and sent to cell phones en masse.
A research team found a back door that hackers could use to mimic the push alerts that cell phones get in case of a national emergency. In October, phones across America received an alert reading “THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed.” Government agencies created the system as a way to warn as many people as possible across the country that a disaster or other national emergency was imminent.
The CU-led team, featuring faculty from the Departments of Computer Science, Electrical, Computer, and Energy Engineering, and the Technology, Cybersecurity, and Policy programs, found that hackers could blast fake messages to people in a confined area like a sports arena or dense city block. The researchers have presented their findings to the U.S. Government and will work to prevent hackers from spoofing the system in the future.
“We think this is something the public should be aware of to encourage cell carriers and standards bodies to correct this problem,” Eric Wustrow, a co-author of the study, said in a CU Boulder press release. “In the meantime, people should probably still trust the emergency alerts they see on their phones.”
Wustrow said he and two colleagues were prompted to study the likelihood of a hack after the false alert that warned millions of Hawaiians of an incoming ballistic missile attack on the island.
“Sending the emergency alert from the government to the cell towers is reasonably secure,” co-author Sangtae Ha said. “But there are huge vulnerabilities between the cell tower and the users.”
Ha explained that because the government wants alerts to reach as many phones as possible, it takes a broad approach to sending messages to towers, which then send the message to each individual phone. The loophole, Ha said, is a hacker’s ability to create their own black market cell tower using commercially available wireless transmitters.
The team is working to come up with a way to close the loophole and prevent such an attack.