The Roman historian Tacitus (55 A.D.–120 A.D.) once said "the desire for safety stands against every great and noble enterprise."
In the digital era, providing security and privacy is a noble enterprise, and the entanglement between security and safety systems is increasing. The growing digitization of smart devices has already become an integral part of our daily lives, providing access to vast number of mobile services. Indeed, many people are glued to their smart devices. Hence, it seems almost natural to use them in the context of critical emergency and disaster alerts from life-threatening weather to pandemic diseases. However, despite all the convenience they offer, smart devices expose us to many security and privacy threats.
The following paper investigates real-world attacks on the current implementation of Wireless Emergency Alerts (WEA), which constitutes different emergency categories like AMBER Alerts in child-abduction cases, or alerts issued by the U.S. president.
The 3rd Generation Partnership Project (3GPP) standardization body, consisting of seven telecommunications standard development organizations, has specified and released a standard to deliver WEA messages over Commercial Mobile Alert Service (CMAS) in LTE networks. According to the authors, 3GPP made a design choice to provide the best possible coverage for legitimate emergency alerts, regardless of the availability of working SIM cards required for setting up a secure channel to a network base station. However, this realization leaves every phone vulnerable to spoof alerts. Consequently, all modem chipsets that fully comply with the 3GPP standard show the same behavior, that is, fake Presidential Alerts (and other types of alerts) are received without authentication.
The paper applies the art of engineering and demonstrates as well as extensively evaluates a real-world base station spoofing attack (that is, disguising a rogue base station as genuine). Basically, the attacker sets up its own rogue base station in the vicinity of the victim(s).
The rogue base station will most probably have a better signal strength than benign stations to the victims' devices, leading the victim's device to try to connect to the rogue station. While the phone has failed or is just failing to connect to a (malicious) fake base station, the CMAS message will still be received by the device because the standardized protocol allows it. The attack was simulated in a sports arena by utilizing 4x1Watt malicious base stations located outside four corners of the stadium with 90% success rate (coverage of 49,300 from 50,000 seats). This sounds cool and creepy.
Critics may question the originality of the attack and the adversary's motivation. In fact, a system with no or poorly designed security can certainly be compromised sooner or later. Moreover, faking a bomb threat may have a similar impact as using four fake base stations close to a stadium. However, security researchers typically conduct rigorous risk analysis, weighing each potential threat and their impact and interdependencies. For instance, nation state adversaries have the motivation and the capacity to probe and disrupt a national alert system to create chaos and panic.
From a more general perspective, security researchers and practitioners are often faced with trade-offs between security, privacy, and safety that depend on various constraints such as regulations, risk priority analysis, or migration of legacy systems. There are challenging interdisciplinary questions from technological to legal and societal aspects to be considered when designing digital systems and public safety systems, which shows the multifaceted nature and importance of cybersecurity.
Certainly, it is possible to design an alert system with a reasonable level of security and high coverage. The authors propose multiple countermeasures: end-to-end digital signature on the message; pre-shared cryptographic keys on the phone for authorized entities to issue alerts (for example, the U.S. President, law enforcement); ignoring all alert-specific messages before the mobile device successfully authenticates the network; leveraging configuration information sent by the base station to determine a fingerprint; or using the device's received signal strength (RSS) to determine if the connected base station is a feasible distance away.
These solutions have their own pros and cons and can work successfully under further assumptions, such as the existence of a public-key infrastructure, or that only devices shipped with the corresponding cryptographic keys can receive these messages, or they require a specific app running in the background on the device.
In summary, this research demonstrates it is non-trivial to design and develop a public safety system that provides security and/or privacy guarantees with high coverage of legacy systems. We can already witness this problem in the context of digital tracing apps deployed to support manual tracing of COVID-19 infection chains. Hence, it is vital that system specifications and standardizations are accompanied with a thorough threat analysis—because of their long-term impact, the compromises we make today may have fatal consequences tomorrow.
The moral of the story is that security and privacy by design are noble enterprises and are crucial in a world becoming increasingly more dependent on "intelligent" digital technologies where security and safety functions are highly intertwined.
To view the accompanying paper, visit doi.acm.org/10.1145/3481042
The Digital Library is published by the Association for Computing Machinery. Copyright © 2021 ACM, Inc.
No entries found