What if Hawaii Missile Message was a Hack?

Researchers show how easy it is to spoof an emergency alert to 50,000 phones at once. Imagine the panic in a packed sports arena.

Remember Hawaii 18 months ago? Many people’s phones received a super-scary missile warning (but not everyone, oddly). At the time we were told that it was a fat-finger “miscommunication.”

But what if it wasn’t? What if it were North Korean hackers? In today’s SB Blogwatch, 99 red balloons go by.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: fever dream.


What, WEA Worry?

What’s the craic, Zack? Mister Whittaker reports, “LTE flaws let hackers ‘easily’ spoof presidential alerts”:

 Using off-the-shelf equipment and open-source software, a working exploit made it possible to send a simulated alert to every phone in a 50,000-seat football stadium with little effort, with the potential of causing “cascades of panic,” said researchers. … Making matters worse, there’s no way for devices to verify the authenticity of received alerts.

Although no system is completely secure, many of the issues over the years have been as a result of human error. … Last year amid tensions between the U.S. and North Korea, an erroneous alert warned residents of Hawaii of an inbound ballistic missile threat.

Speak peace unto Nation, Aunty Beeb—“Presidential warnings ‘easy’ to spoof”:

 Set up in 2006, the US Wireless Emergency Alert (WEA) system has most often been used at a local level to warn about bad weather or find missing children. But last year, when a national “presidential alert” was tested on the system, experts voiced fears about the possibility of it being hacked.

Eight University of Colorado researchers have demonstrated how to send spoof messages. … Their method exploited problems with the WEA protocol. … The team has contacted phonemakers, industry bodies and several federal agencies to warn them about what they have uncovered.

So far, so MSM. But Tom Nardi digs deeper, into “consumer-grade SDR”:

 What if the next Presidential Alert that pops up on your phone was actually sent from somebody with a Software Defined Radio? … Given what they found about how the Commercial Mobile Alert Service (CMAS) works, there might not be a whole lot we can even do to prevent it.

The team used a BladeRF 2.0 and USRP B210 to perform their mock attacks, and even a commercially available LTE femtocell with modified software. … The first phase of the attack is to spoof a cell tower that provides a stronger signal than the real ones [which is] not very difficult in an enclosed space.

Considering the cost of equipment that can spoof cell networks has dropped like a rock over the last few years, we’re hoping all the players can agree on a software fix before we start drowning in Presidential Spam.

Don’t give the bad guys any ideas. Too late; here’s Karl Bode—“alerts warning of a terrorist attack, nuclear bomb, or other disaster”:

 The potential for sowing chaos and spreading fear in confined areas like sports stadiums should be fairly obvious. 50,000 users suddenly being warned of a potential attack by nerve gas, for example, would clearly result in some obvious public safety issues.

Do what? Da doo ron Ron Gibson—“Emergency Alert System Can Be Hijacked”: [You’re fired—Ed.]

 In January 2018, an emergency alert sent to local phones informed Hawaii residents of an impending nuclear ballistic missile attack, triggering some understandable panic. [It] prompted researchers at the University of Colorado Boulder to ask the question: How easy would it be to exploit the nation’s emergency alert systems, wreaking havoc on the American public?

What they found isn’t particularly comforting. [It] wasn’t all that difficult.

So HD Young worries for the researchers:

 Punishment incoming. … These researchers are gonna suffer for revealing this.

No good deed goes unpunished. Cue government hostility in 3… 2… 1…

But Ken Hansen is suitably cynical:

 The coverage area of such an “attack” is measured in hundreds of yards. And since each carrier has their own nearly random PRL list to determine which towers/carriers a given phone may or may not use, the ability to “attack” an arbitrary number of devices—all with different PRL priorities—is a significantly non-trivial exercise.

This is right up there with the “threat” posed by passive RFID chips being read from a great distance to track you, steal your identity, whatever. … The best range you can get from a high-power reader is measured in feet.

Easy does it. vacuous_comment evokes a mythical Chinese curse:

 Build the rig, set up downward pointing antennas, cruise around, cause chaos.

I am thinking you are going to get caught anyway, but if you are going to do this to cause chaos, in for a penny, in for a pound.

There is also the question of doing this as part of a hybrid warfare or terrorist attack. Imagine getting some patsy to do this on election day somewhere critical?

We live in interesting times.

And alahmnat invokes Alan Moore and David Lloyd:

 I was thinking V for Vendetta. Specifically the phone conversation the communications director has with the [Prime Minister] while V is broadcasting his message on the emergency override channel.

Meanwhile, are you thinking what jgilbs is thinking?

 I had just assumed this is what happened with that Hawaii missile alert last year. Figured it was [North Korea] ****ing with us. US pinned it on … an accident to prevent anyone from knowing we were successfully hacked.

And Finally:

Fever dream


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Tulsi Gabbard via QUEST Telecom (cc:by)
