Cell Broadcast - Considering Authenticity

2023-05-02

Note: There has been an update on the topic of this post.

Cell Broadcast is a technology that allows anyone with functional access to cell infrastructure to send information to everyone within reach of said infrastructure. Usually the people with access would be the operators (physically) and any entity that has been given legal power to instruct the operator to send out Cell Broadcast Messages (CBM). This makes Cell Broadcast attractive as an emergency warning system. A message might be sent out to inform people in a specific area of an identified threat and give hints for further action. This is what EU-Alert does.

There is a set format for CBM. This includes a serial number encoding the message type and sequence number as well as room for textual information. Legislation such as EU-Alert can make specific message identifiers mandatory to receive and act upon. This acting upon, in the case of EU-Alert, includes playing a loud, unique sound and inerupting the current use of the device to display the message. So when your phone receives an EU-Alert message it will display it, even if you were doing something else with it.

Recently I got to research Cell Broadcast and present the technology for a university course. One thing I noticed I highlighted is the absense of any mechanism to verify the source of a Cell Broadcast message. The message identifier might include information about the origin, but someone sending a CBM can technically set the identifier freely. This means that anyone with access to the cell infrastructure, can make your go brrr and the phone has no idea whether the source is legitimate. In the following discussion it was mentioned that this allows bad actors who gain access to or build their own cell infrastructure to perform a type of inverse DDOS. One person using minimal infrastructure can render a huge number of devices inoperable by sending frequent CBMs. Every CBM will result in a loud noise and disruption of current use and require specific acknowledgment to make go away.

Is this an issue? Yes. Is it truly bad? Potentially. However, similar exploits would also be possible with other emergency warning infrastructure. Imagine someone gaining access to siren controls and making conversation practically impossible. Or abusing some email list to send huge amounts of spam mail to all recipients.

In the end, just like the authors of the specifications for Cell Broadcast and EU-Alert mention, no emergency warning system should exist in a vacuum. None will reach everyone. None will have 100% reliability. Cell Broadcast is an additional tool that might proof valuable.