America’s messaging system that sends presidential warnings about impending emergencies is “easy” to spoof, warn researchers.
Cyber-security experts from the University of Colorado have shown how to exploit the system to send fake alerts.
In one test, a spoof message was sent to every phone in a football stadium seating 50,000 people.
Abusing the exploit could provoke panic in large crowds, they said.
Set up in 2006, the US Wireless Emergency Alert (WEA) system has most often been used at a local level to warn about bad weather or find missing children.
But last year, when a national “presidential alert” was tested on the system, experts voiced fears about the possibility of it being hacked.
Now, eight University of Colorado researchers have demonstrated how to send spoof messages across a small area using portable mobile-phone base stations and some specially adapted software.
And their method exploited problems with the WEA protocol that defined how presidential alerts were created and sent.
Using just four low-power base stations would let attackers reach all the phones in a large stadium, they said.
“Fake alerts in crowded cities or stadiums could potentially result in cascades of panic,” wrote the researchers.
“The spoofing attack is easy to perform but is challenging to defend in practice.
“Fixing this problem will require a large collaborative effort between carriers, government stakeholders, and cell phone manufacturers.”
The team has contacted phone makers, industry bodies and several federal agencies to warn them about what they have uncovered.