You have been warned: Abusing 5G's Warning and Emergency Systems

TL;DR

This paper investigates security vulnerabilities in 5G-based Public Warning Systems, demonstrating practical attacks that can cause misinformation or suppression of critical alerts, and discusses necessary countermeasures for safer emergency communications.

Contribution

It provides the first comprehensive analysis of PWS security in 5G, identifying vulnerabilities and demonstrating five practical attacks including spoofing and suppression methods.

Findings

MitM attacks have more severe impacts than non-MitM attacks.

PWS barring can effectively eliminate legitimate warnings.

Roaming aspects of PWS are vulnerable and impact other emergency features.

Abstract

The Public Warning System (PWS) is an essential part of cellular networks and a country's civil protection. Warnings can notify users of hazardous events (e.g., floods, earthquakes) and crucial national matters that require immediate attention. PWS attacks disseminating fake warnings or concealing precarious events can have a serious impact, causing fraud, panic, physical harm, or unrest to users within an affected area. In this work, we conduct the first comprehensive investigation of PWS security in 5G networks. We demonstrate five practical attacks that may impact the security of 5G-based Commercial Mobile Alert System (CMAS) as well as Earthquake and Tsunami Warning System (ETWS) alerts. Additional to identifying the vulnerabilities, we investigate two PWS spoofing and three PWS suppression attacks, with or without a man-in-the-middle (MitM) attacker. We discover that MitM-based attacks have more severe impact than their non-MitM counterparts. Our PWS barring attack is an effective technique to eliminate legitimate warning messages. We perform a rigorous analysis of the roaming aspect of the PWS, incl. its potentially secure version, and report the implications of our attacks on other emergency features (e.g., 911 SIP calls). We discuss possible countermeasures and note that eradicating the attacks necessitates a scrupulous reevaluation of the PWS design and a secure implementation.