The attack has a success rate of 90%.
What you need to know
- The University of Colorado Boulder discovered a vulnerability in presidential alerts.
- Using LTE, the alerts can be easily spoofed and sent out to thousands of people.
- The test was performed successfully 9 out of 10 times.
Last October, the Federal Emergency Management Agency sent out the nation’s first “presidential alert.” Using the same alert system that delivers AMBER and weather alerts to your phone, the presidential alert allows the acting President of the United States to send messages to U.S. citizens in the event of a disaster or emergency.
Unfortunately, at least according to a study done by the University of Colorado Boulder, the system isn’t nearly as secure as it probably should be.
Using nothing more than readily available hardware and open-source software, the team at the university was able to send a spoofed presidential alert to every single phone in a 50,000-seat football stadium. The spoofed message was successfully sent out nine out of the ten times it was attempted.
Commenting on its findings, the University of Colorado Boulder said:
The true impact of such an attack would of course depend on the density of cell phones in range; fake alerts in crowded cities or stadiums could potentially result in cascades of panic. Fixing this problem will require a large collaborative effort between carriers, government stakeholders, and cell phone manufacturers.
It’s said that digital signatures could be added to the alerts, making it “far more difficult to send spoofed messages,” but that this isn’t a “magical solution.”