The Real-World Dilemma of Security and Privacy by Design

Security remains hard.  

Technical Perspective: The Real-World Dilemma of Security and Privacy by Design  By Ahmad-Reza Sadeghi     Communications of the ACM, October 2021, Vol. 64 No. 10, Page 84 10.1145/3481040

The Roman historian Tacitus (55 A.D.–120 A.D.) once said "the desire for safety stands against every great and noble enterprise."

In the digital era, providing security and privacy is a noble enterprise, and the entanglement between security and safety systems is increasing. The growing digitization of smart devices has already become an integral part of our daily lives, providing access to vast number of mobile services. Indeed, many people are glued to their smart devices. Hence, it seems almost natural to use them in the context of critical emergency and disaster alerts from life-threatening weather to pandemic diseases. However, despite all the convenience they offer, smart devices expose us to many security and privacy threats.

The following paper investigates real-world attacks on the current implementation of Wireless Emergency Alerts (WEA), which constitutes different emergency categories like AMBER Alerts in child-abduction cases, or alerts issued by the U.S. president.

The 3rd Generation Partnership Project (3GPP) standardization body, consisting of seven telecommunications standard development organizations, has specified and released a standard to deliver WEA messages over Commercial Mobile Alert Service (CMAS) in LTE networks. According to the authors, 3GPP made a design choice to provide the best possible coverage for legitimate emergency alerts, regardless of the availability of working SIM cards required for setting up a secure channel to a network base station. However, this realization leaves every phone vulnerable to spoof alerts. Consequently, all modem chipsets that fully comply with the 3GPP standard show the same behavior, that is, fake Presidential Alerts (and other types of alerts) are received without authentication.

The paper applies the art of engineering and demonstrates as well as extensively evaluates a real-world base station spoofing attack (that is, disguising a rogue base station as genuine). Basically, the attacker sets up its own rogue base station in the vicinity of the victim(s).

The rogue base station will most probably have a better signal strength than benign stations to the victims' devices, leading the victim's device to try to connect to the rogue station. While the phone has failed or is just failing to connect to a (malicious) fake base station, the CMAS message will still be received by the device because the standardized protocol allows it. The attack was simulated in a sports arena by utilizing 4x1Watt malicious base stations located outside four corners of the stadium with 90% success rate (coverage of 49,300 from 50,000 seats). This sounds cool and creepy.  ... '