A group of researchers at the University of Colorado Boulder
released a paper that details how Presidential Alerts can be faked.
Our attack can be performed using a commercially-available software defined radio, and our modifications to the open source NextEPC and srsLTE software libraries. We find that with only four malicious portable base stations of a single Watt of transmit power each, almost all of a 50,000-seat stadium can be attacked with a 90% success rate. The true impact of such an attack would of course depend on the density of cell phones in range; fake alerts in crowded cities or stadiums could potentially result in cascades of panic.
The attack is possible thanks to multiple vulnerabilities in how LTE works.
- alerts come from a specific LTE channel, so malicious alerts can be sent out once that channel is identified
- phones have no way of knowing if an alert is genuine or not
Adding digital signatures to alerts could potentially solve the latter problem, but the task would require device manufacturers, carriers, and government agencies to work together.