abusing 5g's warning and emergency systems - arxiv

You have been warnedAbusing 5Grsquos Warning and Emergency Systems

Evangelos BitsikasNew York University Abu Dhabi

Abu Dhabi UAEevangelosbitsikasnyuedu

Christina PopperNew York University Abu Dhabi

Abu Dhabi UAEchristinapoeppernyuedu

ABSTRACTThe Public Warning System (PWS) is an essential part of cellularnetworks and a countryrsquos civil protection Warnings can notifyusers of hazardous events (e g floods earthquakes) and crucialnational matters that require immediate attention PWS attacksdisseminating fake warnings or concealing precarious events canhave a serious impact causing fraud panic physical harm or un-rest to users within an affected area In this work we conduct thefirst comprehensive investigation of PWS security in 5G networksWe demonstrate five practical attacks that may impact the securityof 5G-based Commercial Mobile Alert System (CMAS) as well asEarthquake and Tsunami Warning System (ETWS) alerts Addi-tional to identifying the vulnerabilities we investigate two PWSspoofing and three PWS suppression attacks with or without aman-in-the-middle (MitM) attacker We discover that MitM-basedattacks have more severe impact than their non-MitM counterpartsOur PWS barring attack is an effective technique to eliminate le-gitimate warning messages We perform a rigorous analysis of theroaming aspect of the PWS incl its potentially secure version andreport the implications of our attacks on other emergency features(e g 911 SIP calls) We discuss possible countermeasures and notethat eradicating the attacks necessitates a scrupulous reevaluationof the PWS design and a secure implementation

KEYWORDS5G Public Warning System spoofing suppression MitM attacks

1 INTRODUCTIONAn integral part of cellular networks is the Public Warning System(PWS) which is responsible for alerting users about emergenciesand hazardous events Each country has its own PWS as a criticalcomponent of national and civil security In the US the FederalCommunication Commission (FCC) and the Federal EmergencyManagement Agency (FEMA) of the Homeland Security have ex-plored ways to enhance their alerting capabilities [31 35 48] whilethe EU has launched and keeps improving its own PWS based onthe European Telecommunications Standards Institute (ETSI) andEuropean Commission directives [1 27 28] In addition ETSI andthe Third Generation Partnership Project (3GPP) have been work-ing on the specifications of the enhanced Public Warning System(ePWS) [7] that is supposed to be compatible with all prior genera-tions and to improve the comprehension of warning notificationsWe provide more information on the adoption of the PWS in App A

In general the warning system utilizes paging messages to forcea User Equipment (UE) to enter the RRC-Connected state (in case

the UE is in Idle or Inactive state) Once active it can receive warn-ing messages that are transmitted via System Information Block(SIB) messages The SIB messages belong to the broadcast trans-missions that are mainly used to facilitate the initial connectionto the Radio Access Network (RAN) and Core Network and toassist the mobility and critical operations PWSrsquo principal way tonotify the user is through these cell broadcasts as alternative (e gSMS-based) ways are currently not prevalent and utilize differentnetwork procedures (e g are service-based)

Current PWS deployments realize the 3GPP standards but lacksecurity properties such as warning verification and integrity pro-tection [3 10 16] the associated security flaws began on the earlydesign of the PWS for legacy generations and remain broadly unre-solved to date In particular paging and SIB messages are unpro-tected False alarms were reported [34 54] and spam attacks forprofit [62] unveiled concerns about the stability and effectivenessof the current PWS Generally by spoofing and tampering withwarning messages an adversary can spread panic among a popula-tion in a targeted area to stimulate terrorist activities impede civilprotection by security agencies and profit through spam or fraudNot less perilous is the suppression of legitimate warning messageswhich would thwart message reception about an emergency in-cident for the users (e g natural disasters [53]) It is equivocal ifsecurity enhancements are going to supplement the PWS in thefuture A first academic notice of weaknesses of the public warningsystem was made by Lee et al [44] for LTE The authors evaluatedthe spoofing of Commercial Mobile Alert System (CMAS) messageswhile focusing exclusively on LTErsquos Presidential Alerts [44] pro-vides insights into exemplary existing weaknesses but does notsystematically explore the full potential of the attacker (e g thereis no consideration of a MitM attacker)

In our paper we demonstrate that the impact of attacks on PWSis significantly higher than portrayed so far In particular we discov-ered that a MitM attacker can have a large attacking window notbeing limited to 42 sec (with warning periodicity equal to 160 msec)and 262 transmissions as described in [44] In fact an attacker thatsuccessfully exploits the cell reselection and handover proceduresto set up a MitM can inflict further damage regardless of the Au-thentication and Key Agreement procedure (AKA) by extending theattacking period and hence the number of spoofed alerts Addition-ally we introduce and investigate an attack we call PWS BarringAttack that can efficiently cause warning suppression without therequirements of a redundant malicious attachment to a fake basestation The PWS barring attack can be used as a less intrusive andconvenient Denial-of-Service (DoS) attack by an attacker

We focus on 5G Standalone and non-Standalone systems whileexploring and experimentally validating the involved vulnerabilities

arX

iv2

207

0250

6v1

[cs

CR

] 6

Jul

202

2

ACM Conferencersquo22 2022 US Evangelos Bitsikas and Christina Popper

on commercial HWSW without being limited to open-source op-tions (e g srsLTE) and theoretical protocol evaluations We presenta thorough study of the PWS exploring two attacker setups andmultiple attacks (spoofing amp suppression variations) In our experi-ments we utilize all types of warning messages and observe thebehaviour of 5 smartphone devices from different manufacturers toassess the impact of each attack Due to the importance of roamingfor users located outside of their home network we additionallyanalyze PWS security in conjunction with roaming and delve intocountermeasures to mitigate the identified vulnerabilities

In short our major contributions are as follows(1) We are the first to investigate the security of the 5G PWS

system considering the latest defenses updates and 5G spec-ifications test all warning types defined by the 3GPP andused in real-life PWS Earthquake and Tsunami WarningSystem (ETWS) messages and the CMAS messages Through5G SA experimentation we present a comprehensive list ofinvolved vulnerabilities and security deficiencies that allowan attacker to exploit the 5G PWS

(2) We explore multiple attack vectors in depth (a) We performPWS spoofing and PWS suppression attacks based on twodifferent setups MitM based and non-MitM based We revealthat when the attacker adopts the MitM deployment theimpact is larger meaning the spoofing window is greaterthan in non-MitM situations (b) We present the PWS BarringAttack that can be used for effective warning suppressionWe discover that it is characterized by a greater impact andfeasibility than other suppression attacks

(3) We thoroughly analyze the combination of warning mes-sages with the roaming feature of cellular networks Givenpossible countermeasures against PWS attacks we examinethe effects of our attacks on the current roaming deploymentand potentially secure version of the PWS

In our investigations we also assess the impact of our attackson the user including effects on the SMS-based warnings and emer-gency calls We provide an extensive list of possible countermea-sures while pointing out advantages and drawbacks when imple-mented in the PWS

Responsible Disclosure Due to the significance of the emer-gency systems and their broad implications we reported our find-ings to GSMA the GSM Association (disclosure date Feb 7th 2022)GSMA has acknowledged them under the number CVD-2022-0054separately notified 3GPP and is about to issue an associated briefingpaper to share with its members We have been in active exchangewith GSMA for clarifications and brainstorming about countermea-sures We are also planning to inform other organizations (e gCISA FEMA and ENISA) about our results

2 BACKGROUNDIn this section we summarize the structure and functionality of thePWS on 5G network systems according to the specifications [3 10]

21 Network StructureThe network architecture is presented in Figure 1 It consists of thefollowing entities and functions

Figure 1 5G PWS Architecture

CBE (Cell Broadcast Entity) The CBErsquos responsibility is to prop-erly format the Cell Broadcast Service (CBS) messages and whennecessary divide the CBS message into a number of pages A fed-eral authority typically informs the CBE about the correspondingwarning messageCBCCBCF (Cell Broadcast CenterCell Broadcast Center Func-tion) Its main task is to modify or delete CBS messages allocateserial numbers while indicating the geographical scope of eachCBS message initiate broadcast by sending fixed length CBS mes-sages determine the set of cells to which a CBS message should bebroadcasted determine the time at which a CBS message shouldcommence or cease being broadcasted and determine the period atwhich the broadcast of the CBS message should be repeated EachCBCCBCF may be connected to several AMFs or PWS-IWFsPWS-IWF (Public Warning System Interworking Function) Thepurpose of this logical function is to translate messages (e g Write-Replace-Warning-Indication and Stop-Warning-Indication) fromN50 interface to SBc interface and vice versa Finally the PWS-IWFmay interface to one or multiple AMFs and one or multiple CBCsAMF (Authentication and Mobility Function) In PWS the AMF pro-vides reports and acknowledgements to the CBCCBCF regardingthe execution and forwarding of commands received from themand routes the warning messages (e g Write-Replace-Warning Re-quest) to the appropriate RAN nodes in the indicated Tracking AreaIn addition it reports the Broadcast Completed Area List the Broad-cast Cancelled Area List the PWS Restart Indication and the PWSFailure Indication received from RAN nodes to all CBCsCBCFs andPWS-IWFs that it interfaces withNG-RAN (Next Generation-Radio Access Network) It comprisesgNodeBs andor ng-eNodeBs which are the 5G related base stationsUpon reception of a command it executes the associated procedurefor the UEs in the target cells For instance a warning request willmake the RAN deliver the proper paging messages to all UEs andthen broadcast the SIBs as instructed In the case of cancellationthe RAN ceases the transmission of warning messages Finally theRAN reports to the AMF regarding the execution of each commandUE (User Equipment) It is the mobile terminal of a subscribed user(with a dedicated USIM) that utilizes legitimate network servicesoffered by a network provider

The architecture mainly supports the CBCF as the CBC andPWS-IWF are considered optional entities

22 The Paging ProcedureIn cellular networks UEs enter into an RRC-Idle state to preservebattery when there is no active service or any ongoing data trans-missions When there is an upcoming service (e g incoming call)to be delivered to a specific UE the AMF makes sure that the UE is

You have been warned Abusing 5Grsquos Warning and Emergency Systems ACM Conferencersquo22 2022 US

Figure 2 Warning procedure when the UE is RRC-Idle orInactive (Left) and when in RRC-Connected state (Right)

in an RRC-ActiveRRC-Connected state (if not already) By estab-lishing an RRC Connection and the necessary radio bearers of datatraffic a UE can have access to network services In order to getthis connection UEs need to monitor for paging messages whilein RRC-Idle or RRC-Inactive states at device-specific times and re-spond to the core network accordingly This procedure is calledPaging and it is also used in PWS to warn users about emergencies

In PWS ETWSCMAS capable UEs in RRC-Idle or RRC-Inactivestates monitor for indications about PWS notifications in theirown paging occasion every Discontinuous Reception (DRX) cyclewhereas in RRC-Connected state the System Information (SI) Mod-ification Period is used Figure 2 shows how the paging procedureworks Specifically for 5G SA the ETWSCMAS paging procedureutilizes only the payload of the Physical Downlink Control Chan-nel (PDCCH) with P-RNTI and a rsquoshort messagersquo in the DownlinkControl Information Format 1 0 Figure 10 in Appendix C presentsthe complete emergency flow on 5G SA

23 Broadcast and Warning MessagesIn PWS the Core Network receives the warning messages and itsconfigurations by the external entities The Write-Replace-WarningRequest contains all the necessary values to be considered by theAMF and sent to the RAN The RAN translates the Write-Replace-Warning Request to the SIB messages that will be broadcasted Fi-nally the RAN transmits paging messages to all associated cells withcause Emergency and repeatedly broadcasts the SIB(s) UEs monitorwarning indications in their own paging occasion for RRC-Idleand RRC-Inactive and in any paging occasion for RRC-ConnectedWarning types can be separated into two major groups ETWS andCMAS each having its own dedicated SIB Figures 15ndash17 (Appendix)show examples of SIB messages used during our experiments

ETWS is a PWS mechanism developed to meet the regulatoryrequirements for warning notifications related to earthquake andtsunami events An ETWS warning notification can either be aprimary notification (short notification) or a secondary notification(providing detailed information) The ETWS Primary Notificationwhich is broadcasted by using SIB 6 carries small data to be sentquickly to the network and to indicate the imminent occurrence ofearthquake and tsunami The ETWS Secondary Notification whichis broadcasted by using SIB 7 carries a large amount of data inorder to send text audio (to instruct what to do) graphical data

such as a map indicating the route from the present position to anevacuation site etc Furthermore the ETWS Primary Notificationhas higher priority than the Secondary Notification in case bothnotifications exist concurrently in a specific PLMN

CMAS is a PWS mechanism developed for the delivery of mul-tiple concurrent warning notifications These messages includeCMAS Presidential Level Alerts CMAS Child Abduction Emer-gency (e g AMBER) and Imminent Extreme or Severe Threats andPublic Safety SIB 8 is particularly assigned for CMAS messagesSome CMAS messages are always enabled (mandatory) in smart-phones (shown in Figure 11 for the Huawei P40 5G test phone)

Finally Figure 9 (Appendix) shows an example of a CMAS mes-sage and an ETWS message in our experimentationWarning Processing and Roaming PWS in roaming scenariosrequires a separate treatment as a vital part of telecommunica-tions When a user enters a Visited Public Land Mobile Network(VPLMN) possibly in another country the operator in the visitedcountry is responsible for delivering warning messages in case ofan emergency Considering that both the Home Public Land Mo-bile Network (HPLMN) and VPLMN have set up their own PWS(otherwise the lack of a PWS can endanger the user) in roamingcases a PWS-capable UE needs to fulfill the requirements of theVPLMNrsquos PWS service This means that any incompatibilities be-tween HPLMN and VPLMN should be eliminated

3 ADVERSARIAL SETUP ampWEAKNESSES31 Threat ModelThe attackerrsquos ultimate goal is to wreak havoc among a populationat maximum capacity by sending fake warning messages or sup-pressing legitimate warnings to conceal an emergency In our threatmodel we consider an active adversary who has full protocol knowl-edge and the radio abilities to install and operate a base station withsimilar capabilities as a legitimate one In particular the fake stationcan mimic a legitimate base station and thus force a victimrsquos deviceto connect to it by broadcasting spoofed Master Information Block(MIB) and System Information Block (SIB) messages in the victimrsquosfrequency We make the standard assumption that the attacker isable to capture the MIB SIB paging and PWS CBS messages byeavesdropping the public channels and craft malicious MIB SIBpaging and PWS CBS messages that can be broadcasted to the net-work users In addition we consider an attacker that can establish aMitM position between UEs and gNodeBs which in turn may allowhimher to eavesdrop drop modify and forward messages whilerespecting the cryptographic assumptions To carry out the attacksheshe may utilize any available free or commercial equipment andsetup multiple base stations Finally we assume that the adversarycannot have physical access to the USIM cards mobile devicesRAN or Core Network to obtain or alter sensitive information (e gcryptographic key material) and we consider side-channel attacksas well as signal jamming as out of scope

32 Setting Up the False Base StationFirst the adversary will perform a comprehensive investigation ofthe operator and cellular network in order to collect sufficient intel-ligence about the possible target areas and their configurations Thisis important since operators in various countries may configure the


Figure 3 Exploitation flow showing the connections be-tween individual vulnerabilities and associated attacksincl variations and prerequisites

RAN and PWS differently Specifically for cellular configurationsthe attacker will require the locations of the gNodeBs the CellIdentifier Tracking Area Identifier (TAI) which incorporates theMobile Country Code (MCC) Mobile Network Code (MNC) andTracking Area Code (TAC) Absolute Radio Frequency ChannelNumber (ARFCN) PRACH Root Sequence Index and the supportedservices for 5G Additionally it is important to capture the MIBand SIB messages of the gNodeBs in order to later replay themwith a signal strength higher than the legitimate base station inorder to attract the victim-UEs Once collected the attacker candecide which geographical area to impact and imitate the corre-sponding gNodeB in that area Using real configurations is moreadvantageous for the attacker since invalid ones such as wrongCell Identifiers may lead to easier detections and more networkerrors during a malicious handover or cell reselection Thereforethe attacker needs to imitate the behavior of a legitimate station asclosely as possible and respond to UEs in all the vital RRC and NASprocedures If necessary the attacker could also use more than onebase station to achieve higher coverage

Apart from the cellular configurations the attacker will studythe behavior of the PWS in that specific country This includes thetypes of messages that are usually broadcasted the periods of theyear that normal emergenciesincidents occur the most commonlyimpacted geographical locations the warning message structureand configurations (e g broadcasted text and periodicity) Conse-quently the attacker will be able to adapt appropriately and applyclose-to realistic warning configurations to avoid trivial detection

33 Frail Cellular Features and FlawsWe identify and experimentally validate multiple security flawsthat can be misused for PWS exploitation on the 5G SA domainPWS exploitation consists of making a UE maliciously attach to thefake base station (phase 1 malicious attachment) and the actualPWS attacks being conducted (phase 2) Flaw 1 is used for bothphases flaws 2 and 3 for the malicious attachment only and flaws4-6 are associated with the PWS attacks Figure 3 shows whichvulnerability contributes to each attack

(1) Insecure Broadcast Messages The MIB and SIB messagesthat are transmitted by legitimate base stations are used for UEattachment to the network and support of essential network opera-tions (e g synchronization handover cell reselection procedures)However these messages are not security-protected being devoidof encryption integrity-protection and authentication Thus anattacker can capture the MIB and SIB messages and transmit themimitating real base stations (and cell(s)) The UE accepts the mes-sages as there is no way to validate the source leading to maliciousattachments Specifically for SIB types 6 7 and 8 that are relatedto 5G PWS the UE receives the spoofed SIB-based warnings aftera potential fake paging process and displays them to the user asnormal as long as the UE is attached to the attacker We were ableto verify that this weakness still exists on 5G in Sections 41 and 5(2) UnverifiedMeasurements The UE is designed and instructedto monitor the network for the best possible signal quality and re-port its findings to the network This signal quality concerns theefficiency of the mobility management since UE relocation fromone cell to another becomes easier However any base station thatbroadcasts the MIB and SIB messages can make the UEs collectmeasurement data (i e RSRP RSRQ SINR) and a malicious basestation can trick them Moreover a UE collects malicious measure-ments without any verification As a consequence the UE may usethem to perform a cell reselection or handover [11 12] Typicallya Measurement Report is crafted and then sent to the RAN forevaluation The RAN will accept the included measurements in thereport without verification resulting in malicious handovers [20]even though the Measurement Report is security-protected Even-tually the UE relocates to the bogus base station which allows PWSmanipulation We illustrate this attack in Section 4(3) Insecure Signal Radio Bearer (SRB) Messages Apart fromthe potentially abused NAS messages such as attach reject andservice reject Signal Radio Bearer 0 (SRB0) messages are not re-quired to be sent securely according to the specifications [10] Inaddition the RRC Release of the Signal Radio Bearer 1 (SRB1) canbe transmitted and accepted without security protection Thus anattacker can abuse these messages in order to exploit network usersrsquoRRC connections The manipulation of these messages is apparentin past works on LTE [38 43] and 5G [20 40] We confirm them andmake them part of our PWS attacks Such unprotected messagestogether can boost attackerrsquos capabilities on traffic manipulation Inthe context of PWS exploitation the affected SRB messages can beused to expedite the malicious attachment to a false base station asthe attacker can use them to manipulate UErsquos traffic e g leadingto the establishment of a MitM relay to spoof or suppress alerts(4) Inconsistent storing of MIB messages MIB messages areused in order for the UEs to collect essential information aboutthe network and decode the SIB 1 messages which are needed forthe initial RAN connection A UE searches for these messages andonce it receives an MIB which is assigned to a specific cell of abase station it follows a predefined set of instructions that deter-mine if it must proceed with the connection or not Furthermorethe UE stores the MIB before this decision until the smartphonerebootsshuts down or enters into an airplane mode wiping out itstemporal memory We discovered that an attacker can take advan-tage of this mechanism to make the UE store malicious MIB valuesignoring the real MIBs while the UE remains functional because


the UE cannot accept new information about a certain cell withouteliminating the old (malicious) first We mainly use this inconsis-tency in our PWS barring attack where we make legitimate basestations look unavailable since a UE is forced to store incorrectMIB information affecting the reception of warning messages Weexplain this further in Section 43(5) Unprotected Paging Messages Paging messages lack cryp-tographic protection and thus are susceptible to spoofing andforgery [38 39] Even though security enhancements have beenconsidered and implemented [10 47] on 5G SA temporary identi-fier usage (5G-TMSI or I-RNTI) instead of permanent removal oflong-term permanent paging identifier robust randomization andfrequently refreshing the temporary identifiers the lack of integrity-protection and authentication render the aforementioned defensesinadequate for PWS cases Specifically we reveal through 5G exper-imentation that 5G suffers from the same security flaw as LTE [38]To be more exact the attacker can send fabricated PWS-based pag-ing messages when necessary along with the malicious SIB 6 7 or8 broadcast messages Furthermore paging messages are designedto include the 16-bit fixed P-RNTI value 65534 (0119909119865119865119865119864) [9 10] forall UEs in the targeted Tracking Area We verified that this featureis problematic as the attacker circumvents all the aforementionedcountermeasures and does not require any type of sniffing to collecttemporary identifiers for each UE in the area As a consequencethe attack becomes less convoluted to execute(6) No Acknowledgements in ETWSCMASDelivery The pag-ing procedure and SIB transmission mechanism lack acknowledge-ments from the corresponding UEs The UE only receives the alertsand afterwards displays the warning message to the user Howeverthe Core Network does not know if a particular or any UE in aTracking Area has received the warning message The UE receivesthe paging message in a paging occasion and the associated SIBmessages but does not respond back to the gNodeB (see Fig 2) Weverified through experimentation that this may instill implicationsin the PWS mechanism as an attacker can leverage this weakness tomake spoofing and suppression attacks less discernible to the oper-ator Finally since the core network may collect traces of successfulor failed warning distributions for evaluation and error correction(last step in App C) these procedures may not be accurate

4 EXPLOITING THE PWSWe now break down each attack variation and detail each executionAs a prerequisite we first give an overview of the initial maliciousattachment that is necessary for MitM and non-MitM setups

41 Malicious AttachmentThe first phase of the PWS spoofing and suppression attacks com-prises the malicious attachment of the victim UE to the attack equip-ment The attacker attracts UEs to connect to the false base stationby satisfying the signal threshold requirements while forcefullybreaking any connection with the legitimate network To accom-plish this the attacker sets up a false base station (Sec 32) Chancesof success are better if the replayed cell reselection priorityof SIB type 2 has the maximum value (i e 7)

To be specific the UE will get maliciously attached to the fakestation depending on the RRC states it is in when the attack starts

bull If the UE is in RRC-Idle state cell selection and reselectionhappen In the case of an RRC-Inactive state where theUE has a suspended connection it might be necessary totransition to the RRC-Idle state first with a connection releaseand then perform the procedure above

bull If the UE is in RRC-Connected state reports false maliciousmeasurements in the Measurement Report and passes thesignal strength threshold the handover procedure (Xn or N2)will happen The handover procedure is executed withoutany verification by the RAN Even though the handover mayeventually fail on a network once the UE receives the RRCConnection Reconfiguration it attaches to the malicious cell

Figures 4 and 5 demonstrate the interrupted communicationwhich corresponds to the detachment (step 1) and then the con-nection to the rogue base station In step 2 the attacker needs torespond to the victim with the proper SRB 0 and 1 messages Theprocess typically begins with an RRC Reestablishment Request(with cause handover Failure) or RRC Setup Request by the UEto recover the previous connection or start anew respectively Theattacker should respond with an RRC Reject in case of reestablish-ment as heshe cannot offer legitimate services and does not possessthe cryptographic keys This will turn the disrupted connection intoa fresh one compelling the UE to setup a new RRC connection Incase the UE sends the RRC Setup Request at the beginning insteadthe attacker should permit the RRC connection if possible It is alsoprobable that the UE sends a Service Request no matter the caseThe attacker needs to send back a Service Reject and then an RRCRelease for the same reasons as in reestablishment situations Even-tually the UE initiates an RRC connection again and then sends theNAS Attach Request to the attacker The attacker can either forwardthe request to the legitimate network along with the subsequenttraffic and setup a MitM relay or reject it continuously until the UEfully disconnects

42 Attacks based on MitMPWS suppression and spoofing attacks are possible in a MitM setupsee Figure 5 The MitM setup can be established through a cell(re)selection or a handover procedure similar to [20 40 55 56]

PWS Spoofing Attack Based on the attachment of the UE tothe false cell and given that the attacker has replayed the NASAttach Request to the real network with all the subsequent up- anddownlink traffic (step 3 in Fig 4) the attacker is in a MitM positionallowing them to exploit the PWS The actual exploitation unfoldswhen the attacker forges and transmits fake warning (CMAS ampETWS) messages for all paging occasions Since the UE believes itcommunicates with a legitimate base station it accepts all warn-ing messages without verification The UE is locked to this boguscell accepting warning messages only from it as long as it staysconnected even though the real cell may transmit other messagesFigure 4 shows that the attacker sends PWS-based paging mes-sages to keep the UE in RRC-Connected state along with the SIBbroadcasts with maximum periodicity (step 4a) As long as the UEremains locked without disruption it receives the malicious alerts

Nevertheless the spoofing duration119863119904119901119900119900 119891 (119872119894119905119872) which we de-fine as the time of the UE between starting the RRC Reestablishmentor RRC Setup of the malicious attachment after a potential RACH


Figure 4 Spoofing and Suppression Attacks on aMitM Setup

process until the total disconnection from the attacker is not staticsince the malicious connection may fail andor the UE may breakaway entering into a DoS state Fluctuations in the duration mayalso depend on the smartphone device (due to different basebandimplementations) and potentially disrupted services (Call SMSInternet Data etc) before the malicious attachment Once the UEdisconnects the attacker can no longer spoof warnings especiallyif the UE evades the attackerrsquos range Thus contrary to what is re-ported in [44 45] PWS spoofing is also possible through handoverexploitation when the attacker imitates a legitimate base stationand when a MitM is established

PWS Warning Suppression Suppressing genuine warningmessages is possible through detachment from legitimate base sta-tions and then malevolently connecting to a false base station Inthis case the UE is locked to the attackerrsquos station overlookinglegitimate services In Figure 4 the UE is not receiving the pagingand warning-based SIB messages when attached to the false cell(step 4b) The network believes that warnings have been deliveredsuccessfully however the lack of acknowledgements and untrig-gered PWS Failure Indication makes the attack less detectable Theattacker can continue relaying traffic as normal and even spoof atthe same time with the legitimate network The suppression contin-ues until the UE disconnects from the attacker and connects to thereal network appropriately The disconnection may occur due toconnection failures or explicitly by the attacker (e g through NASDetach Request) Our experimentation showed that the UE cannotrecover unless airplane mode or rebooting is used when the UEenters into a DoS state Therefore legitimate warning notificationscannot be received and displayed to the user at that time

Thereupon we can estimate the aggregated Suppression Durationfor a specific UE-victim as

119863119904119906119901119901 (119872119894119905119872) asymp 119863119904119901119900119900 119891 (119872119894119905119872) + 119905119903119890119888119904119906119901119894 + 119905119903119886119888ℎ119903119886119899 (1)

where the 119863119904119901119900119900 119891 (119872119894119905119872) is the spoofing time in a MitM setup tillthe UE disconnects the 119905119903119890119888119904119906119901119894 is the recovery time of the UEdevice with a specific SUPI and 119905119903119886119888ℎ119903119886119899 is the time it takes for theUE to find the legitimate RAN and complete a RACH procedurewhile beginning the RRC message exchange

43 Attacks Without MitMThe attacker does not need to perform any message relay but canrespond to the UE until the connection breaks [44 58] Specifi-cally after multiple attachment attempts fail the UE abandons themalicious attachment and becomes deregistered

PWS Spoofing Attack Similar to MitM cases the spoofingtakes place once the UE connects to the bogus cell This can happeneither through a handover procedure or a cell (re)selection that willmake the UE send the RRC and NAS messages (Sec 41) When

Figure 5 Spoofing and Suppression Attacks on a non-MitMSetup

the UE transmits the NAS Attach Request the attacker repeatedlyresponds with a NAS Attach Reject (step 2 in Fig 5) The UE triesseveral times to establish a connection without any fruitful outcomeOn the attackerrsquos side the spoofing takes place starting from theRRC Reestablishment or RRC Setup as in the previous scenarioMoreover the spoofing continues throughout the entire attachmentprocess (step 2) with maximum transmission since once again theUE accepts all CMAS and ETWS warning messages sent by theattacker without validation Eventually once the UE stops pursuingthe attachment it disconnects and the attacker ceases the attack(step 4) The UE enters into a DoS state until it recovers

The spoofing duration119863119904119901119900119900 119891 (119860119905119905119886119888ℎ) starts from the RRC Reest-ablishment or RRC Setup as in the MitM setup but ends with the lastAttach Reject of the attacker which forces the UE to disconnect Thismeans that the duration is shorter compared to the 119863119904119901119900119900 119891 (119872119894119905119872)because it depends on UErsquos tolerance on failed attachments (typi-cally 5 times) Even though the spoofing duration is reduced con-siderably this type of attack is less complicated since it does notnecessitate the traffic to be relayed to the real network Thereforethe trade-off here is less complexity for less attacking impact

PWSWarning Suppression Suppression in this scenario hap-pens throughout the malicious attachment as the UE does not havea connection with the legitimate network in order to receive pag-ing and warning notifications (step 3b in Figure 5) Similar to theMitM cases the lack of acknowledgements and security-relatedindications in the PWS can make the attack less detectable Oncethe UE receives the last NAS Attach Reject it totally disconnectsand will be unable to receive warning notifications even if the ma-licious attachment ceases (step 4) Recovering will require the userto reboot the device or utilize the airplane mode Hence once againthe suppression duration can be approximated as follows

119863119904119906119901119901 (119860119905119905119886119888ℎ) asymp 119863119904119901119900119900 119891 (119860119905119905119886119888ℎ) + 119905119903119890119888119904119906119901119894 + 119905119903119886119888ℎ119903119886119899 (2)

where the119863119904119901119900119900 119891 (119860119905119905119886119888ℎ) is the spoofing time in a non-MitM setupas a simple malicious attachment until the UE disconnects

PWS Barring Attack This type of attack is an independentcase that does not demand a malicious attachment and a MitMsetup The goal is to disallow any connection to a legitimate basestation thus suppressing the warning messages that are destined fora specific cellTracking Area The barring attack takes advantage of5G access control MIBSIB storage mechanism and lack of MIBSIBsecurity and manipulates the MIB and SIB type 1 messages Oncethe adversary commences the transmissions the UEs receive themalicious broadcast messages and decide not to connect to thelegitimate base station as shown in Figure 6

Like in the previous attacks the attacker will need to configurethe base station as the legitimate one therefore capturing the MIB


Figure 6 Our Barring Attack for Warning Suppression

Power On

Searchfor a cell

Decodethe MIB

Stop theprocess

Is the cellbarred

DecodeSIB1

Proceedwith the

connectionyes

no

Figure 7 Access Control Process and Cell Connection

and SIB broadcasts is necessary Nevertheless the key element ofthis attack is the modification of three parameters instead of justreplaying the captured messages (1) Set cell barred of MIB torsquobarredrsquo (2) intra freq reselection of MIB to rsquonotAllowedrsquo and(3) cell reserved for operator use of SIB 1 to rsquoreservedrsquo Typi-cally these fields are used for maintenance private access and otheroperational purposes by the operator We choose to modify SIB 1as well in order to bolster the efficiency of our attack even thoughthe MIB is sufficient on 5G SA We found that other fields suchas the cell reselection priority in SIB 2 are not necessary toabuse as the UE processes the MIB and SIB 1 first

In 5G the cell barred parameter allows early detection of thecellrsquos status without requiring the UE to receive and decode theSIB 1 If the MIB indicates that a cell is barred then the UE willalso check the intra freq reselection parameter a flag of lsquono-tAllowedrsquo indicates that the UE is not permitted to reselect anothercell on the same frequency The UE typically has to wait 300 sec-onds before re-checking this MIB to determine whether or not thiscell remains rsquobarredrsquo Consequently this allows early suppressionof the warning messages On the contrary in LTE both abovefields are located in SIB 1 instead which follows the MIB Finallycell reserved for operator use could be broadcasted with avalue of lsquoreservedrsquo Then a UE with an Access Identity of 11 (PLMNUse) or an Access Identity of 15 (PLMN Staff) is allowed to usethe cell for selection and reselection only while a UE with AccessIdentity 0 (no configuration) 1 (Multimedia Priority Service) 2 (Mis-sion Critical Service) 12 (Security Services) 13 (Public Utilities)or 14 (Emergency Services) treats the cell as lsquobarredrsquo prohibitingselection and reselection

Furthermore as indicated by the inconsistent storing of MIB mes-sages (flaw 4 in Sec 33) broadcast reception and storing processescan be erroneous Typically the UE stores the first MIB instance as

it follows a predetermined set of instructions Consequently it mayignore other instances and reject legitimate MIBs thus never decod-ing the legitimate SIB 1 in order to connect to the correspondingreal cell This set of instructions is presented in Figure 7 clarifyingthat in case of a malicious MIB the UE will never proceed to SIB1 decoding altogether If the UE has no saved information of thetargeted cell and no connection has been established (at least acompleted RACH) it is highly possible that it will accept and pro-cess the malicious MIB and SIB transmissions Additionally even ifthe legitimate base station transmits its own versions of broadcastmessages simultaneously the UE will overlook them and complywith the bogus ones if the false base stationrsquos signal strength isdominant The attack cannot succeed though if the UE has alreadyattached to the cell since the attacker does not have a way to deletethe stored information within the UE directly possibly only throughother attacks (e g DoS with detachments) that can force reset priorto launching the barring attack

Given the cell gains of the legitimate station 119892119894 and of the ma-licious station 119892prime

119894 where 119892119894 119892

prime119894isin [minus120119889119861 0119889119861] their difference

120575119894 can be calculated 120575119894 = |119892119894 minus 119892prime119894| In our experimental setup we

discovered that the attack succeeds (120572 = 1) when 120575119894 ge 10119889119861 andfails for any other condition in our setup

120572 =

1 if 120575119894 ge 10119889119861

0 otherwise(3)

Signal strength is enough to ensure that the message will be receivedby the victim without dealing with the order of message receptionor broadcast periodicity rendering the attack even more trivialto perform In real-life scenarios the signal strength needs to beadapted accordingly

This kind of suppression disrupts cell selection reselection andhandover procedures as the UEs will consider the affected cell asunavailableblacklisted leading to DoS and handoverreselectionfailures Most importantly the UE is unable to receive warningmessages since attachment to the network is not feasible It will beable to have normal services again when the attacker ceases themalicious transmissions or the UE escapes the attackerrsquos range toconnect to another available cell This means that the barring attackstarts from the decision that a cell is barred during the access controlprocedure until the attack stops or the UE evades the attackerrsquoscoverage In other words the Suppression Duration 119863119904119906119901119901 (119861119886119903119903 ) is

119863119904119906119901119901 (119861119886119903119903 ) asymp 119905119887119886119903119903 + 119905119903119890119888119904119906119901119894 + 119905119903119886119888ℎ119903119886119899 (4)

where 119905119887119886119903119903 is the time from the barring decision until the start ofthe disconnection

5 EXPERIMENTATIONWe conducted a thorough practical evaluation of the presentedattack on a set of smartphones

51 Experimental SetupOur setup comprises an Amarisoft Callbox Classic (equipped withSDRs) [17] with the 5G Core Network and the gNodeB represent-ing the legitimate network (Figure 8) Additionally we have aLenovo Thinkpad T580 laptop with Ubuntu 2004 and an EttusB210 USRP [26] for the malicious base station (with an approximate


Figure 8 Our Experimental Setup

Table 1 Device Specifications and Results PWS Spoofing(Spoof) and Suppression (Supp) succeeded on all devicesDevice Chipset OS Model Release PWS

Spoof SuppHuawei Huawei Android ELS-NX9 2020 P40 Pro 5G Kirin 990 5G 10Nokia Snapdragon Android TA-1243 2020 83 5G 765G 5G 10One Plus MediaTek Android DN2101 2021 Nord 2 5G Dimensity 11

1200 5GApple Qualcomm iOS MGDX3AAA 2020 iPhone 12 mini X55 modem 141Samsung Snapdragon Android SM-N976Q 2018 Note 10 5G 845 10

cost of 2keuro) In our setup we utilized the Amarisoft software for all5G cases with a Core Network and a single gNodeB In addition weused numerous smartphone devices that were 5G and PWS-capablewith an Anritsu SIM card Table 1 shows the specific devices thatwe employed for 5G SA and NSA testing More details about theexact cellular network configurations are presented in Appendix DWe used the cell gain command with a maximum value of zeroto trigger malicious attachments and handovers between cells

For the MitM setup (Section 42) our goal was to keep the victimattached to the rogue base station by responding to it normally with-out the need for further exploitation (e g RRC and NAS messagemodifications) Unfortunately due to the black-box and commercialnature of Amarisoft software we could not establish a full-scaleMitM as it would require minor architectural modifications that areusual for an attackerrsquos setup as in [55 56] This was not an issue forour attacks though as we sufficiently used another identical AMF(reachable but not controlled by the attacker) in order to respondto the victim-UE accordingly

Regarding the warning broadcasts for their execution we usedpws write iexcllocal identifieriquest and for their cancellation weused pws kill iexcllocal identifieriquest Figures 15-17 show exam-ples of the SIB warning structures that we used The messageIdentifier field in SIB 6 7 and 8 respectively shows the 16-bitvalue in hexadecimal that has to be included in each message ForETWS we used the ID 1102 For CMAS messages we used the IDrange from 1112 to 111119861 (HEX) where 1112 is dedicated to Presi-dential alerts 1113 to 111119860 to Extreme and Severe alerts and 111119861to Amber Alerts In our experiments the serial number of warningmessages was between 01199093000 and 01199095000 The associated paging

Table 2 Results for each attack We evaluate each attackon a [Low Medium High]-scale according to our experi-ments and real-life adaptations including their approximateattacking durations in seconds For the PWS barring attackthere is no specific lower and upper bound

PWS Attack Complexity Impact Attack Duration (s)

Spoofing (MitM) High High 119863119904119901119900119900 119891 (119872119894119905119872) ge 55Spoofing (non-MitM) Medium Medium 119863119904119901119900119900 119891 (119860119905119905119886119888ℎ) le 43Suppression by DoS High Medium 119863119904119906119901119901 (119872119894119905119872) ge 58(MitM)

Suppression by DoS Medium Low 119863119904119906119901119901 (119860119905119905119886119888ℎ) le 46(non-MitM)

Suppression by barring Low High 119863119904119906119901119901 (119861119886119903119903 ) isin Q+

messages that were generated are presented by Figure 12 Appen-dix E provides more details about our warning structure FinallyFigures 18 and 14 show the warning flow between the legitimatenetwork entities for several attempts and a part of its physical layertransmissions respectively in our setup

Ethical Considerations The experiments were carried out ina confined lab testing environment without affecting legitimateservices and real operators To cancel any interference we ensuredthat the experimentation range remained within 10 meters and weconfigured the setup with our own network and warning valuesdissimilar to legitimate local networks and users Other smartphonedevices (wo SIM) that were attached on real commercial operatorswere not affected during our experiments

52 Experimental ResultsPWS attacks are applicable to all users regardless of owning a SIMcard since real-world access to the emergency services is typicallyunrestricted In Table 2 we present the attack variations and anempirical rating in terms of complexity and impact For the impactwe primarily consider the maximum attacking duration of eachvariation whereas for complexity we take into account the setuprequirements the traffic (re)direction of the attack the necessarysignal strength and the preparation steps before the attack (e gbroadcast messages modifications RRC and NAS capabilities etc)

Even though the impact of MitM-based attacks is higher due toa potentially long spoofing duration the complexity also increasesas the attacker needs a robust system able to establish and handlethe UE connection with a legitimate cell an arduous task in real-life scenarios In our experiments we were able to maintain atleast a 119863119904119901119900119900 119891 (119872119894119905119872) ge 55 sec which is longer than the durationin non-MitM cases (asymp 40 minus 43 sec) allowing a 119863119904119906119901119901 (119872119894119905119872) gt

119863119904119906119901119901 (119860119905119905119886119888ℎ) as well The approximate duration in non-MitMcases could also depend on the emm cause of rejections (e g UEidentity cannot be derived by the network or Implicitlydetached) and the manufacturer Oppositely attacks that do notrely on MitM setups are less complex since they only respond toUEs without consuming resources to manage and redirect trafficNonetheless the impact is significantly reduced in these cases sincethe UE ceases the malicious attachment after a few attachmentattempts Finally the PWS barring attack achieves high impactwith low complexity due to its trivial setup lack of traffic handlingand large attacking duration In our setup we noticed that for 100


Table 3 Used spoofing configurations and techniques Weclassify them into sufficient and maximum impacts

PWS Spoofing conf amp tech Sufficient Impact Maximum ImpactSI Periodicity 16 frames 512 framesRepetition Period 10 131 071Number of Broadcasts 10 000 times 65 535 timesConcurrent Warnings no yesMessage ID Permutations no yesSerial No Permutations no yesMax Segment Length 32 bytes 32 bytes

success rate the barring attack requires less signal amplification120575119894 ge 10119889119861 than malicious MitM and non-MitM attachments 120575119894 ge30119889119861 (PWS barring can achieve approximately 90 success rate for5119889119861)

Table 3 presents our tested PWS configurations that could beused to magnify spoofing Although the sufficient impact categorycan achieve successful spoofing the maximum impact is more reli-able in preserving a high-rate dissemination of alerts and in reach-ing more UEs Finally Appendix B offers extra details on the impactImpact on IMS Emergency Calls In our work we noticed thatsuppression can cause severe implications against the IMS Emer-gency Call Support disallowing the user from using VoNR emer-gency calls (e g 911 using SIP) on a 5G-capable PLMN whenattached to the false cell Since the UE is maliciously attachedor suppressed through barring IMS messages (i e Register Sub-scribe Notify and PRACK) [14] along with RRC Reconfigurationand Session Modification messages are unattainable thus call prepa-ration will not occur This is possible even without the use ofims-EmergencySupport5GC as false in SIB type 1 by the attackerIn fact for barring attacks the attacker can accomplish this withoutany further change in the configurations In addition it is not un-common for a UE to request an emergency VoLTE fallback throughthe Service Request for Emergency and allow LTE to handle the voicecall For instance Figure 13 shows an SIP PRACK attempt by theUE after an EPS fallback due to our attack on 5G cells Howevereven this mechanism can be impacted as the attacker can continuethe DoS and potentially operate another false LTE cell for furtherexploitation To further intensify the attacks an adversary couldalso operate multiple rogue base stations supporting different gen-erations (e g 4G 3G and 2G) and multiple frequency bands Incase the UE attempts a fallback mechanism to previous radio accesstechnologies the adversary may still be able to attack the user Asa result the user may not have access to any emergency features

6 COUNTERMEASURESWe next discuss possible countermeasures aiming to detect or pre-vent the presented attacksPartial PKI-basedCountermeasure 3GPPrsquos study on 2G-4G [16]is encouraging the adoption of a Public Key Infrastructure (PKI) forsigning and verifying the SIB messages responsible for deliveringalerts in HPLMN and VPLMN The UE will be provided with a publickey in order to validate the signed warning messages the UE willneed to be updated whenever the key or algorithm configurationschange SIB transmissions as illustrated in Figure 2 will be signed bythe networkrsquos private key 3GPP has proposed several techniques to

address secure key provision on 2G 3G and 4G (but not 5G) i e im-plicitly installed CA certificates on UE over-the-air key distributionvia Protocol Data Unit (APDU) commands [5 6 15 16] distributionthrough the General Bootstrapping Architecture (GBA) [13 16]and through NAS Security Mode Command NAS Attach Acceptand NAS Tracking Area Update (TAU)

However the implementation of such a system faces mainte-nance and operational hurdles It requires adoption by all HPLMNVPLMN and UE If the UE is designed to verify messages with otherkey and algorithm parameters than VPLMNrsquos the VPLMN publickey is not available there is no efficient way to distribute the publickey to the UE or the VPLMN does not support verification thenthis will result in failures and broken security Key distributionmay encounter issues as well For instance an explicit TAU doesnot exist in 5G to be used for key delivery and implicitly installedcertificates from a Certificate Authority (CA) may induce issueswith the sharing CAs among operators in various countries intro-ducing new national threats Moreover this mechanism may beinappropriate for security altogether Since only SIB 6 7 and 8 areprotected the attacker can still abuse the other broadcast messages(e g MIB and SIB 1) and further security flaws from Section 33remain unmitigated In fact the barring attack and the maliciousattachment persist with their associated impact Spoofing can beavoided only if the UE is configured to deny any unauthenticatedmessages and the PLMN always signs the messages correctly

Table 4 presents the effectiveness of this defensive mechanismwhile taking into account our attacks This includes verificationsupport by the network (signing the messages with the private keyfirst column in Table 4) and verification support by the UE (applyingthe networkrsquos public key to verify the messages second columnin Table 4) For each combination of the first two columns Table 4specifies the feasibility of spoofing suppression and rejection oflegitimate messages which leads to user exposure The first rowportrays the current PWS implementation which is susceptible tospoofing and suppression but false rejection is not possible sincethe UE accepts all messages even if the PLMN does not supportPWS completely When the UE does not support verification ofthe warning messages (i e rows 1 amp 3) spoofing is possible sinceverification never takes effect allowing all messages In contrastspoofing is not feasible if the UE is strictly verifying all messages(i e rows 2 amp 4) However when the PLMN does not support theverification scheme or there is no compatibility false rejection oflegitimate messages can occur (i e row 2) On top suppression isnot prevented impacting verified and unverified warning messagesFull PKI-based Countermeasures Instead of protecting onlywarning-based SIB messages by a partial PKI-based countermea-sure (with all the described disadvantages) a more viable solutionmay be full PKI-protection for all MIB and SIB messages as alsomentioned in [8] This will deprive the attacker the capability ofimitating a legitimate base station from the beginning Howeverthe performance overhead for the certificates distribution mainte-nance revocation architectural redesigns post-quantum solutionsand legacy device support have not been evaluated on real 5Gnetworks to better comprehend this PKIrsquos benefits and drawbacks

On top of that current optimised verification proposals forSIB 1 only [41 60] are not adequate as the PWS barring attackcould still be feasible because of the exposed MIB Additionally the


PWS Defensive Measure Attack Success

Security Signature Spoo- Sup- FalseSupport Verification fing pression Rejection

Yes Yes No No Yes Yes Yes Yes No No Yes No

Table 4 Security results for PWS verification The first rowrepresents the current implementation of PWS that has nosecurity verification In all cases the UE needs to have thecapability to process and display warning messages (USIMstructure [15]) The analysis applies to both HPLMN andVPLMNRoaming cases

cell barred and intra freq reselection have moved from SIB1 to MIB on 5G architecture indicating the importance of a holisticdefensive mechanism for MIBs and SIBs likewiseFull RRCNAS protection Another preventive approach is theadoption of mandatory encryption and integrity-protection for allmessages in particular the unprotected RRC and NAS messages(also mentioned in Sec 33) in the control-plane traffic Such animplementation prevents message manipulations and eliminatesmalicious attachments However SigOver [66] and SigUnder [46]techniques could still impact the network as they do not requireUE attachment Past literature has repeatedly proposed RRC andNAS protection experimenting on LTE [38 40 43 51 51] but 5Gspecification and implementations do not meet such requirementsMonitoring and Attack Detection One orthogonal approachto preventive measures is via measurement collection reportingand monitoring Enriched measurement reports [8 20] with extrasecurity fields (e g MIBSIB hashes or locations of base stations)could be as suitable candidate

In the case of PWS UEs having received warning messages couldsend hash digests of the received messages back to the core net-work via enriched measurement reports that aggregates them Evenif only some of the UEs would support such a functionality thenetwork could verify the legitimacy of alerts and make users awareof fake messages Operators could also operate a public web pagewhich users could use to cross-check the legitimacy of warningalerts a short url link could be part of all legitimate warning mes-sages Authorities could be informed too about attacking incidentsalong with the cell locations included in the measurement reports

7 RELATEDWORKSecurity of Broadcast and PagingMessages One of the earliestindications of broadcast security flaws and paging were investigatedby Hussain et al [38 40] however the studies mainly focused onLTE and there was no exploration of PWS exploitation The SigOverattack [66] focuses on physical-layer overshadowing which allowsan adversary to abuse SIB and paging messages on LTE by inject-ing a crafted subframe that exactly overshadows the legitimateone This approach can be efficient due to its low requirements(i e low power consumption unaffected by UE states and lowsetup complexity) and stealthiness In our case we were able toachieve 100 success rate for the PWS barring attack with just

10119889119861 and 30119889119861 for spoofing which is less than the 40119889119861 require-ment specified by SigOver while maximizing the spoofing capacity(Table 3) and duration1 In addition [46] proposes the SigUnderattack performing significant improvements on physical-layer over-shadowing attacks which are capable of disallowing cell access andreselection With proper adaptations we believe that such tech-niques could be used against the PWS as well Susceptibility of thepaging messages in general has also been demonstrated in terms ofprivacy and DoS [30 39 57] On the defense side Ericssonrsquos studyon paging [47] and paging protections [61] by Ankush et al haveproposed countermeasures attempting to hinder paging attacksSecurity of the Emergency Systems 3GPP [16] maintains a con-ceptual study on PWS where security deficiencies and suggestedcountermeasures are discussed Nevertheless this study is limited interms of experimentation accurate attack definition evaluated im-pact and lacks 5G security assessment Furthermore Lee et al [44]has provided notable results on CMAS spoofing and attackerrsquos rangeon LTE but the investigation remains limited to specific cases toone generation and to one attacker setup As a consequence anaccurate presentation of all attackerrsquos capabilities is missing as inthis work we have unearthed multiple attacks network setup casesand warning messages on 5G Finally work has been conducted toassess emergency call resilience against DoSDDoS [18 32 36]5G Security Studies The resilience of 5G AKA procedure wasexplored by Basin et al [19] and Borgaonkar et al [21] reveal-ing potential security defects Bitsikas et al [20] demonstrated theexploitation of the handover procedure on 5G and LTE allowingan attacker to perform a MitM or DoS attack Chlosta et al [24]and Haque et al [33] exploited the Subscription Concealed Iden-tifier (SUCI) identifier and Permanent Equipment Identifier (PEI)respectively Security issues on 5G RRC and NAS messages wereinvestigated [37 40] but actual experimentation is needed with a5G SA setup to fully explore the security flawsLTE Flaws and Misconfigurations Security in the control planetraffic has been explored [22 38 43 51 59] revealing major vulnera-bilities while some remain unmitigated until the new 5G standardsMoreover Rupprecht et al [55 56] has identified layer two vul-nerabilities leading to user plane exploitation and MitM attackswhile network misconfigurations on LTE have been confirmed [23]showing that implementation is as important as the specifications

8 CONCLUSIONIn this work we explored the security of the 5G warning systemWe have identified the underlying vulnerabilities revealing that thePWS is exposed to suppression and spoofing attacks with detri-mental results to the safety of the users while deploying differentattacker setups Specifically the PWS barring attack is a perilousthreat to a cellular environment since it does not demand exces-sive skills equipment capabilities and configurations Furthermorewe assessed the impact of the aforementioned attacks in roamingcases and when PWS performs warning verification Finally wediscussed several countermeasures that could be deployed to makethe PWS more resilient against adversaries

1We used one false base station during our experiments Nonetheless the attacker maydeploy several stations and perform other supplementary attacks in conjunction withours to bolster the attackrsquos efficiency (e g force cell search) and affect more users


REFERENCES[1] 3GPP 2019 Emergency Communications (EMTEL) European Public Warning

System (EU-ALERT) using the Cell Broadcast Service Version 131[2] 3GPP 2020 5G Security architecture and procedures for 5G System Version 1630[3] 3GPP 2020 Digital cellular telecommunications system (Phase 2+) (GSM) Universal

Mobile Telecommunications System (UMTS) LTE 5G Technical realization of CellBroadcast Service (CBS) Version 1640

[4] 3GPP 2020 Digital cellular telecommunications system (Phase 2+) (GSM) UniversalMobile Telecommunications System (UMTS) LTE 5G Technical realization of theShort Message Service (SMS) Version 1600

[5] 3GPP 2020 Digital cellular telecommunications system (Phase 2+) (GSM) UniversalMobile Telecommunications System (UMTS) LTE Remote APDU Structure for(U)SIM Toolkit applications Version 1600

[6] 3GPP 2020 Digital cellular telecommunications system (Phase 2+) (GSM) UniversalMobile Telecommunications System (UMTS) LTE Secured packet structure for(Universal) Subscriber Identity Module (U)SIM Toolkit applications Version 1600

[7] 3GPP 2020 Digital cellular telecommunications system (Phase 2+) (GSM) Uni-versal Mobile Telecommunications System (UMTS) Public Warning System (PWS)requirements Version 1640

[8] 3GPP 2020 Technical Specification Group Services and System Aspects Study on5G Security Enhancement against False Base Stations (FBS) (Release 17) Version0121

[9] 3GPP 2021 5G NR Medium Access Control (MAC) protocol specification Version1650

[10] 3GPP 2021 5G NR Radio Resource Control (RRC) Protocol specification Version1631

[11] 3GPP 2021 5G NR User Equipment (UE) procedures in idle mode and in RRCInactive state Version 1640

[12] 3GPP 2021 5G Procedures for the 5G System (5GS) Version 1680[13] 3GPP 2021 Digital cellular telecommunications system (Phase 2+) (GSM) Univer-

sal Mobile Telecommunications System (UMTS) LTE 5G Generic AuthenticationArchitecture (GAA) Generic Bootstrapping Architecture (GBA) Version 1640

[14] 3GPP 2021 Digital cellular telecommunications system (Phase 2+) (GSM) UniversalMobile Telecommunications System (UMTS) LTE IP Multimedia Subsystem (IMS)Stage 2 Version 1660

[15] 3GPP 2021 Universal Mobile Telecommunications System (UMTS) LTE 5G Char-acteristics of the Universal Subscriber Identity Module (USIM) application Version1660

[16] 3GPP 2022 Digital cellular telecommunications system (Phase 2+) (GSM) UniversalMobile Telecommunications System (UMTS) LTE Study on security aspects of PublicWarning System (PWS) Version 1700

[17] Amarisoft 2020 Amarisoft Callbox Classic rdquohttpswwwamarisoftcomproductstest-measurementsamari-lte-callboxrdquo

[18] Andreea Ancuta Onofrei Yacine Rebahi and Thomas Magedanz 2010 PreventingDistributed Denial-of-Service Attacks on the IMS Emergency Services Supportthrough Adaptive Firewall Pinholing International Journal of Next-GenerationNetworks 2 1 (Mar 2010) 1ndash17 httpsdoiorg105121ijngn20102101

[19] David Basin Jannik Dreier Lucca Hirschi Sasa Radomirovic Ralf Sasse andVincent Stettler 2018 A Formal Analysis of 5G Authentication In Proceedingsof the 2018 ACM SIGSAC Conference on Computer and Communications Security(Toronto Canada) (CCS rsquo18) Association for Computing Machinery New YorkNY USA 1383ndash1396 httpsdoiorg10114532437343243846

[20] Evangelos Bitsikas and Christina Popper 2021 Donrsquot Hand It Over Vul-nerabilities in the Handover Procedure of Cellular Telecommunications InAnnual Computer Security Applications Conference (Virtual Event USA) (AC-SAC) Association for Computing Machinery New York NY USA 900ndash915httpsdoiorg10114534858323485914

[21] Ravishankar Borgaonkar Lucca Hirschi Shinjo Park and Altaf Shaik 2019 NewPrivacy Threat on 3G 4G and Upcoming 5G AKA Protocols Proc Priv EnhancingTechnol 2019 3 (2019) 108ndash127 httpsdoiorg102478popets-2019-0039

[22] Yi Chen Yepeng Yao XiaoFeng Wang Dandan Xu Chang Yue Xiaozhong LiuKai Chen Haixu Tang and Baoxu Liu 2021 Bookworm Game AutomaticDiscovery of LTE Vulnerabilities Through Documentation Analysis In 42nd IEEESymposium on Security and Privacy SP 2021 San Francisco CA USA 24-27 May2021 IEEE 1197ndash1214 httpsdoiorg101109SP40001202100104

[23] Merlin Chlosta David Rupprecht Thorsten Holz and Christina Popper 2019LTE Security Disabled Misconfiguration in Commercial Networks In Proceedingsof the 12th Conference on Security and Privacy in Wireless and Mobile Networks(Miami Florida) (WiSec rsquo19) Association for Computing Machinery New YorkNY USA 261ndash266 httpsdoiorg10114533175493324927

[24] Merlin Chlosta David Rupprecht Christina Popper and Thorsten Holz 20215G SUCI-Catchers Still Catching Them All In Proceedings of the 14th ACMConference on Security and Privacy in Wireless and Mobile Networks (Abu DhabiUnited Arab Emirates) (WiSec rsquo21) Association for Computing Machinery NewYork NY USA 359ndash364 httpsdoiorg10114534483003467826

[25] One2Many Company 2020 Cell Broadcast and National Public Warning rdquohttpswwwone2manyeucell-broadcast-and-national-public-rdquo

[26] Ettus Research 2020 USRP B210 SDR Kit - Dual Channel Transceiver (70MHz -6GHz) rdquohttpswwwettuscomall-productsub210-kitrdquo

[27] European Commission 2021 Early Warning and Information Systems rdquohttpseceuropaeuechowhatcivil-protectionearly-warning- information-systems enrdquo

[28] European Emergency Number Association 2019 Public Warning Systems-Update rdquohttpseenaorgwp-contentuploads2019 03 30 PWS Document FINAL Compressedpdfrdquo

[29] everbridge 2022 Public Warning httpswwweverbridgecomproductspublic-warning

[30] Kaiming Fang and Guanhua Yan 2020 Paging Storm Attacks against 4GLTE Net-works from Regional Android Botnets Rationale Practicality and ImplicationsIn Proceedings of the 13th ACM Conference on Security and Privacy in Wireless andMobile Networks (Linz Austria) (WiSec rsquo20) Association for Computing Machin-ery New York NY USA 295ndash305 httpsdoiorg10114533953513399347

[31] Federal Communications Commission 2021 Wireless emergency alerts rdquohttpswwwfccgovpublic-safety-and-homeland-securitypolicy-and-licensing-divisionalertinggeneralwirelessrdquo

[32] Mordechai Guri Yisroel Mirsky and Yuval Elovici 2017 9-1-1 DDoS AttacksAnalysis and Mitigation 2017 IEEE European Symposium on Security and Privacy(EuroSampP) (2017) 218ndash232

[33] Abida Haque Varun Madathil Bradley Reaves and Alessandra Scafuro 2021Anonymous Device Authorization for Cellular Networks In Proceedings of the14th ACMConference on Security and Privacy inWireless andMobile Networks (AbuDhabi United Arab Emirates) (WiSec rsquo21) Association for Computing MachineryNew York NY USA 25ndash36 httpsdoiorg10114534483003468285

[34] Chris Herhalt 2020 Mistaken Pickering Ont nuclear alert sparked panic emailsshow CTV News (2020) rdquohttpstorontoctvnewscamistaken-pickering-ont-nuclear-alert-sparked-panic-emails-show-15237473rdquo

[35] Homeland Security 2013 Best Practices in Wireless Emergency Alerts rdquohttpswwwdhsgovsitesdefaultfilespublicationsWirelessEmergencyAlertsBestPractices 0pdfrdquo

[36] Kaiyu Hou You Li Yinbo Yu Yan Chen and Hai Zhou 2021 Discovering Emer-gency Call Pitfalls for Cellular Networks with Formal Methods In Proceedingsof the 19th Annual International Conference on Mobile Systems Applications andServices (Virtual Event Wisconsin) (MobiSys rsquo21) Association for Computing Ma-chinery New York NY USA 296ndash309 httpsdoiorg10114534588643466625

[37] Xinxin Hu Caixia Liu Shuxin Liu Wei You Yingle Li and Yu Zhao 2019 ASystematic Analysis Method for 5G Non-Access Stratum Signalling Security IEEEAccess 7 (2019) 125424ndash125441

[38] Syed Rafiul Hussain Omar Chowdhury Shagufta Mehnaz and Elisa Bertino2018 LTEInspector A Systematic Approach for Adversarial Testing of 4G LTEIn 25th Annual Network and Distributed System Security Symposium NDSS 2018San Diego California USA February 18-21 2018 The Internet Society

[39] Syed Rafiul Hussain Mitziu Echeverria Omar Chowdhury Ninghui Li and ElisaBertino 2019 Privacy Attacks to the 4G and 5G Cellular Paging Protocols UsingSide Channel Information In 26th Annual Network and Distributed System SecuritySymposium NDSS 2019 San Diego California USA February 24-27 2019 TheInternet Society

[40] Syed Rafiul Hussain Mitziu Echeverria Imtiaz Karim Omar Chowdhury andElisa Bertino 2019 5GReasoner A Property-Directed Security and PrivacyAnalysis Framework for 5G Cellular Network Protocol In Proceedings of the 2019ACM SIGSAC Conference on Computer and Communications Security (LondonUnited Kingdom) (CCS rsquo19) Association for Computing Machinery New YorkNY USA 669ndash684 httpsdoiorg10114533195353354263

[41] Syed Rafiul Hussain Mitziu Echeverria Ankush Singla Omar Chowdhury andElisa Bertino 2019 Insecure Connection Bootstrapping in Cellular NetworksThe Root of All Evil In Proceedings of the 12th Conference on Security and Privacyin Wireless and Mobile Networks (Miami Florida) (WiSec rsquo19) Association forComputing Machinery New York NY USA 1ndash11 httpsdoiorg10114533175493323402

[42] Hongil Kim Dongkwan Kim Minhee Kwon Hyungseok Han Yeongjin JangDongsu Han Taesoo Kim and Yongdae Kim 2015 Breaking and Fixing VoLTEExploiting Hidden Data Channels and Mis-Implementations In Proceedings ofthe 22nd ACM SIGSAC Conference on Computer and Communications Security(Denver Colorado USA) (CCS rsquo15) Association for Computing Machinery NewYork NY USA 328ndash339 httpsdoiorg10114528101032813718

[43] Hongil Kim Jiho Lee Eunkyu Lee and Yongdae Kim 2019 Touching the Un-touchables Dynamic Security Analysis of the LTE Control Plane In 2019 IEEESymposium on Security and Privacy SP 2019 San Francisco CA USA May 19-232019 IEEE 1153ndash1168 httpsdoiorg101109SP201900038

[44] Gyuhong Lee Jihoon Lee Jinsung Lee Youngbin Im Max Hollingsworth EricWustrow Dirk Grunwald and Sangtae Ha 2019 This is Your President SpeakingSpoofing Alerts in 4G LTE Networks In Proceedings of the 17th Annual Interna-tional Conference on Mobile Systems Applications and Services (Seoul Republicof Korea) (MobiSys rsquo19) Association for Computing Machinery New York NYUSA 404ndash416 httpsdoiorg10114533073343326082


[45] Jihoon Lee Gyuhong Lee Jinsung Lee Youngbin Im Max Hollingsworth EricWustrow Dirk Grunwald and Sangtae Ha 2021 Securing the Wireless Emer-gency Alerts System Commun ACM 64 10 (Sept 2021) 85ndash93 httpsdoiorg1011453481042

[46] Norbert Ludant and Guevara Noubir 2021 SigUnder A Stealthy 5G Low PowerAttack and Defenses In Proceedings of the 14th ACM Conference on Security andPrivacy in Wireless and Mobile Networks (Abu Dhabi United Arab Emirates)(WiSec rsquo21) Association for Computing Machinery New York NY USA 250ndash260httpsdoiorg10114534483003467817

[47] Prajwol Kumar Nakarmi Oscar Ohlsson and Peter Hedman 2019 Fighting IMSIcatchers A look at 5G cellular paging privacy Ericsson httpswwwericssoncomenblog20195fighting-imsi-catchers-5g-cellular-paging-privacy

[48] National Academies of Sciences Engineering and Medicine 2018 EmergencyAlert and Warning Systems Current Knowledge and Future Research DirectionsThe National Academies Press Washington DC httpsdoiorg101722624935

[49] United Nations 2022 Early Warning System httpswwwunorgenclimatechangeclimate-solutionsearly-warning-systems

[50] World Meteorological Organization 2022 Early Warning systems must protecteveryone within five years httpspublicwmointenmediapress-releaseE2808Bearly-warning-systems-must-protect-everyone-within-five-years

[51] CheolJun Park Sangwook Bae BeomSeok Oh Jiho Lee Eunkyu Lee Insu Yun andYongdae Kim 2022 DoLTEst In-depth Downlink Negative Testing Framework forLTE Devices In 31st USENIX Security Symposium (USENIX Security 22) USENIXAssociation Boston MA

[52] European parliament and council of the European Union 2018 DIRECTIVE(EU) 20181972 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of11 December 2018 establishing the European Electronic Communications CodeOfficial Journal of the European Union (2018) rdquohttpseur-lexeuropaeulegal-contentENTXTHTMLuri=CELEX32018L1972ampfrom=ENrdquo

[53] Hannah Ritchie and Max Roser 2014 Natural Disasters Our World in Data(2014) rdquohttpsourworldindataorgnatural-disastersrdquo

[54] Jolyn Rosa 2018 Ballistic missile warning sent in error by Hawaii authoritiesReuters (2018) rdquohttpswwwreuterscomarticleus-usa-missiles-falsealarm-idUSKBN1F20U1rdquo

[55] David Rupprecht Katharina Kohls Thorsten Holz and Christina Popper 2019Breaking LTE on Layer Two In IEEE Symposium on Security amp Privacy (SP) IEEE

[56] David Rupprecht Katharina Kohls Thorsten Holz and Christina Popper 2020IMP4GT IMPersonation Attacks in 4G NeTworks In ISOC Network and Dis-tributed System Security Symposium (NDSS) ISOC

[57] Altaf Shaik Ravishankar Borgaonkar N Asokan Valtteri Niemi and Jean-PierreSeifert 2016 Practical attacks against privacy and availability in 4GLTE mobilecommunication systems In 23rd Annual Network and Distributed System SecuritySymposium (NDSS 2016) Internet Society United States httpsdoiorg1014722ndss201623236

[58] Altaf Shaik Ravishankar Borgaonkar Shinjo Park and Jean-Pierre Seifert 2018On the Impact of Rogue Base Stations in 4GLTE Self Organizing Networks InProceedings of the 11th ACM Conference on Security amp Privacy in Wireless andMobile Networks (Stockholm Sweden) (WiSec rsquo18) Association for ComputingMachinery New York NY USA 75ndash86 httpsdoiorg10114532124803212497

[59] Altaf Shaik Ravishankar Borgaonkar Shinjo Park and Jean-Pierre Seifert 2019New Vulnerabilities in 4G and 5G Cellular Access Network Protocols ExposingDevice Capabilities In Proceedings of the 12th Conference on Security and Privacyin Wireless and Mobile Networks (Miami Florida) (WiSec rsquo19) Association forComputing Machinery New York NY USA 221ndash231 httpsdoiorg10114533175493319728

[60] Ankush Singla Rouzbeh Behnia Syed Rafiul Hussain Attila Yavuz and ElisaBertino 2021 Look Before You Leap Secure Connection Bootstrapping for 5GNetworks to Defend Against Fake Base-Stations In Proceedings of the 2021 ACMAsia Conference on Computer and Communications Security (Virtual Event HongKong) (ASIA CCS rsquo21) Association for Computing Machinery New York NYUSA 501ndash515 httpsdoiorg10114534332103453082

[61] Ankush Singla Syed Rafiul Hussain Omar Chowdhury Elisa Bertino andNinghui Li 2020 Protecting the 4G and 5G Cellular Paging Protocols against Se-curity and Privacy Attacks Proc Priv Enhancing Technol 2020 1 (2020) 126ndash142httpsdoiorg102478popets-2020-0008

[62] CNN Philippines Staff 2021 Bongbong Marcos Issuing rsquoemergency alertsrsquo bringsno advantage to me CNN News (2021) rdquohttpswwwcnnphnews2021107Bongbong-Marcos-emergency-alerthtmlrdquo

[63] Patrick Traynor 2012 Characterizing the Security Implications of Third-PartyEmergency Alert Systems over Cellular Text Messaging Services IEEE Transac-tions on Mobile Computing 11 6 (jun 2012) 983ndash994 httpsdoiorg101109TMC2011120

[64] Guan-Hua Tu Chi-Yu Li Chunyi Peng Yuanjie Li and Songwu Lu 2016 NewSecurity Threats Caused by IMS-Based SMS Service in 4G LTE Networks InProceedings of the 2016 ACM SIGSAC Conference on Computer and CommunicationsSecurity (Vienna Austria) (CCS rsquo16) Association for Computing Machinery NewYork NY USA 1118ndash1130 httpsdoiorg10114529767492978393


[66] Hojoon Yang Sangwook Bae Mincheol Son Hongil Kim Song Min Kim andYongdae Kim 2019 Hiding in Plain Signal Physical Signal OvershadowingAttack on LTE In 28th USENIX Security Symposium (USENIX Security 19) USENIXAssociation Santa Clara CA 55ndash72

A ADOPTION OF THE PWSDeployment of PWS systems is widely increasing since 2009 [25]As per 11 Dec 2018 [52] all EU member states are obliged to have apublic warning system in place by 21 June 2022 (including the Eu-ropean Economic Area Agreement countries) to protect EU citizensAt least one form of PWS has already been implemented in the US(CMAS) Canada (WPAS) Chile and Peru (LAT-ALERT) UAE (UAE-Alert) China South Korea (KPAS) India (ITEWC) Japan SingaporeSaudi Arabia Oman the Philippines Indonesia Sri Lanka NewZealand Australia Taiwan Mexico Russia and Turkey while oth-ers are planning to implement and activate one soon (e g UnitedKingdom) In general countries that are susceptible to extremeevents (e g weather and climate) are strongly in favor of such asystem for public safety [29] Furthermore the United Nations en-courages adoption of warning systems due to the influx of climateevents [49 50]

(a) CMAS message (b) ETWS message

Figure 9 Warnings on OnePlus Nord 2 5G

B FURTHER DISCUSSIONIs it a relevant threat if an attacker sends forged warning messages toan individual user or a small group of users or only to a large crowdWe believe that the more users receive fake messages the merrierthe impact becomes as mass panic may lead to hazardous incidentssuch as physical harm In fact the attackerrsquos objective is to affectas many people as possible within a dense limited or overcrowdedspace for a specific time window Geographically speaking [44]has shown that four LTE base stations can easily impact a stadiumwith an approximate capacity of 50 000 seats On such a level webelieve that the attacks can turn into an alarming risk

Is it a relevant threat if an attacker can suppress warning messagesto an individual user or a small group of users or only to a large crowdSimilar to spoofing bogus messages message suppression aims toinfluence as many network subscribers as possible Not allowing


Figure 10 Emergency Call Flow

many users to get notifications about an emergency could also leadto life threatening scenarios In addition based on Section 4 weconsider suppression more trivial than any spoofing approacheshence increasing the threat level

Could PWS Security be a mandatory requirement Protection ofwarning notifications and users against attackers are subject toregulatory policies According to 3GPP [16] the requirements forPWS security are optional since there are regions and countriesthat do not require or aim to deploy this feature any time soon(such as US and Japan) Therefore without outright and compulsorysecurity networks will remain exposed to warning spoofing andsuppression

Are SMS-based warnings affected On 5G the SMS [4] deliveriesare either over IMS (SIP-based) or over NAS The UE receives a spe-cific paging message for an SMS service and then the UE enters theRRC-Connected state while sending a Service Request Then thenetwork delivers the SMS notifications using the downlink trans-mission We ran dedicated experiments for the SMS-based warningsSince our suppression attacks disallow connection to the legitimatenetwork the victim-UE will not be able to receive paging messagesand consequently the SMS-based warning Regarding spoofing SMSwarnings and DoS past works [42 63ndash65] have demonstrated theweakness of SMS over IMS on LTE which may also affect 5G incertain cases On the other hand according to 3GPP [2] SMS overNAS implements encryption and integrity-protection when the UEhas already activated NAS security with the AMF However moretesting is required to verify its robustness on 5G against spoofingas [43 51] have confirmed SMS over NAS weaknesses on LTE

C EMERGENCY CALL FLOWThe emergency warning procedure of Figure 2 is extended to Fig-ure 10 having the following steps

(0) The UE registration and mutual authentication proceduresare performed Encryption and integrity protection are en-abled for the established communication (Control plane andUser plane) based on the specifications [2]

(1) The CBE sends the Emergency Broadcast Request to theCBCCBCF based on the authorities Then the CBCCBCFauthenticates this request which includes the warning typewarning message impacted area and time period

(2) Using the area of impact the CBCCBCF identifies whichAMFs need to be contacted and determines the informationto be incorporated into the Warning Area List NG-RANInformation Element (IE) The CBCCBCF sends a Write-Replace-Warning Request message containing the warningmessage and its attributes to the AMFs In case of a PWS-IWF entity the message is forwarded through it to the AMFsAdditionally the Write-Replace-Warning Request messageusually incorporates the Message Identifier Serial Numberlist of NG-RAN Tracking Areas Warning Area List NG-RANGlobal RAN Node ID Warning Area Coordinates etc Itshould be noted that the list of NG-RAN Tracking Areas isonly used by the AMF for selecting which base stations toforward the Write-Replace-Warning Request message to

(3) The AMF sends a Write-Replace-Warning Confirm NG-RANmessage indicating to the CBCCBCF that the AMF hasstarted the distribution of warning message to NG-RANbase stations The Write-Replace-Warning Confirm NG-RANmessage may contain the Unknown Tracking Area List IEwhich identifies the Tracking Areas that are unknown tothe AMF and where the Request cannot be delivered If thismessage is not received by the CBCCBCF within an appro-priate time period the CBCCBCF may attempt to deliverthe warning message via another AMF in the same region

(4) Upon reception of the Write-Replace Confirm NG-RAN mes-sages from the AMFs the CBCF may confirm to the CBE thatthe distribution of the warning message has commenced

(5) The AMF forwards Write-Replace-Warning Message RequestNG-RAN to NG-RAN nodes If the list of NG-RAN TrackingAreas is not included and no Global RAN Node ID has beenreceived from the CBCCBCF the message is forwarded toall RAN base stations that are operated under the AMF Onthe other hand if a Global RAN Node ID has been receivedthe AMF shall forward the message only to the NG-RANbase station indicated by this ID IE

(6) The NG-RAN node first detects duplicate messages by check-ing the message identifier and serial number fields withinthe warning message as it may receive the same messagefrom multiple AMFs If any redundant messages are detectedonly the first one received will be broadcasted by the cellsThe NG-RAN base station shall use the Warning Area ListNG-RAN information to determine the cell(s) in which themessage is to be broadcasted Furthermore the NG-RANbase stations return a Write-Replace-Warning Message Re-sponse to the AMF even in case of a duplicate If there is awarning broadcast message already ongoing and the Con-current Warning Message (CWM) Indicator is included inthe Write-Replace-Warning Request NG-RAN message thebase station does not stop the existing broadcast messagebut starts broadcasting the new message concurrently Oth-erwise it shall immediately replace the existing broadcastmessage with the newer one If concurrent warning messagesare not supported message priority is enforced Eventuallyeach base station begins delivering the paging and the SIBmessages to all available UEs as illustrated also by Figure 2

(7) If the UE has been configured to receive warning messagesand to accept warnings on that PLMN [15] then the UE can


use warning type values such as rsquoearthquakersquo or rsquotsunamirsquoimmediately to alert the user When the warning type isrsquotestrsquo the UE silently discards the primary notification butthe specially designed UEs for testing purposes may alertthe user based on hisher coordinates and location At thesame time the Write-Replace Response is sent to the AMFas an acknowledgement

(8) If the Warning-Message-Indication parameter was presentin the Write-Replace-Warning Request NG-RAN and it isconfigured in the AMF based on operatorrsquos policy the AMFshall forward the Broadcast Scheduled Area Lists in a Write-Replace-Warning Indication(s) NG-RAN to the CBCCBCFThe Broadcast Scheduled Area List shall contain the Broad-cast Completed Area List the AMF has received from theNG-RAN node Nevertheless this step is optional

(9) From the Write-Replace-Warning Response messages re-turned by NG-RAN base stations the AMF determines thesuccess or failure of the delivery and creates a trace record

D NETWORK CONFIGURATIONSWe configured the network to use the testing PLMN which is00101 and to consist of a gNodeB and a Core Network (includ-ing AMF and IMS) in the Amarisoft Box The gNodeB had thefollowing configurations 119892119899119887 119894119889 = 01199091234119860 119905119886119888 = 100 (decimal)and 119903119900119900119905 119904119890119902119906119890119899119888119890 119894119899119889119890119909 = 1 It also included two distinct cellscell 1 with 119888119890119897119897 119894119889 = 011990901 and 119899 119894119889 119888119890119897119897 = 500 and cell 2 with119888119890119897119897 119894119889 = 011990902 and 119899 119894119889 119888119890119897119897 = 501 Both cells possessed separatefrequencies in the 11989978 band for 5G Standalone and in the 11989941 bandfor 5G non-Standalone During our experimentation we tested boththe Time Division Duplex (TDD) and Frequency Division Duplex(FDD) communication technologies For testing emergency SMSsand SIP calls we also incorporated an IP Multimedia System (IMS)into the core network which allowed us to send SMSs to the UEand allowed the user to call 911 as it is supported by AmarisoftFinally for the UEs we had to configure the Access Point Names(APNs) in order for the UEs to be fully connected According toAmarisoft documentation we used the Internet APN and the IMSAPN whenever possible

E CMAS AND ETWS CONFIGURATIONSThe basic format of our ETWSCMAS messages follows the Amarisoftguidelines During our experimentation we altered only values thatare presented in the following structures in respect to the specifica-tions

pws msgs [ ETWS earthquake or tsunami message local identifier 1message identifier 0x1102serial number 0x3000warning type 0x0580data coding scheme 0x0f (GSM 7 bit encoding)warning message rdquoThis is a ETWS test messagerdquo CMAS Presidential Level Alert local identifier 2

message identifier 0x1112serial number 0x3000data coding scheme 0x0f (GSM 7 bit encoding)warning message rdquoThis is a CMAS test messagerdquo

]

F EXPERIMENTAL EVIDENCEFigures 18 and 14 show the transmitted warnings in our setup withall the involved network entities Additionally Figures 12 15 16and 17 show the structure of the paging and SIB messages that weused as a core network and as an attacker while Figure 13 presents aSIP emergency call during our attacks on 5G PWS Finally Figure 11displays the discretionary and mandatory options on Huawei P405G

Figure 11 Compulsory and Optional Alert on Huawei P405G


Figure 12 Paging Messages


Figure 15 SIB6

Figure 16 SIB 7

Figure 17 SIB 8

Figure 18 Broadcast Control Channel (BCCH) used for SIB6 transmission

Figure 13 SIP PRACK message for an emergency call andVoLTE Fallback

Figure 14 Warning Flow for the CBC Core Network andRAN

Abstract

1 Introduction

2 Background

21 Network Structure

22 The Paging Procedure

23 Broadcast and Warning Messages

3 Adversarial Setup amp Weaknesses

31 Threat Model

32 Setting Up the False Base Station

33 Frail Cellular Features and Flaws

4 Exploiting the PWS

41 Malicious Attachment

42 Attacks based on MitM

43 Attacks Without MitM

5 Experimentation

51 Experimental Setup

52 Experimental Results

6 Countermeasures

7 Related Work

8 Conclusion

References

A Adoption of the PWS

B Further Discussion

C Emergency Call Flow

D Network Configurations

E CMAS and ETWS Configurations

F Experimental Evidence


on commercial HWSW without being limited to open-source op-tions (e g srsLTE) and theoretical protocol evaluations We presenta thorough study of the PWS exploring two attacker setups andmultiple attacks (spoofing amp suppression variations) In our experi-ments we utilize all types of warning messages and observe thebehaviour of 5 smartphone devices from different manufacturers toassess the impact of each attack Due to the importance of roamingfor users located outside of their home network we additionallyanalyze PWS security in conjunction with roaming and delve intocountermeasures to mitigate the identified vulnerabilities

In short our major contributions are as follows(1) We are the first to investigate the security of the 5G PWS

system considering the latest defenses updates and 5G spec-ifications test all warning types defined by the 3GPP andused in real-life PWS Earthquake and Tsunami WarningSystem (ETWS) messages and the CMAS messages Through5G SA experimentation we present a comprehensive list ofinvolved vulnerabilities and security deficiencies that allowan attacker to exploit the 5G PWS

(2) We explore multiple attack vectors in depth (a) We performPWS spoofing and PWS suppression attacks based on twodifferent setups MitM based and non-MitM based We revealthat when the attacker adopts the MitM deployment theimpact is larger meaning the spoofing window is greaterthan in non-MitM situations (b) We present the PWS BarringAttack that can be used for effective warning suppressionWe discover that it is characterized by a greater impact andfeasibility than other suppression attacks

(3) We thoroughly analyze the combination of warning mes-sages with the roaming feature of cellular networks Givenpossible countermeasures against PWS attacks we examinethe effects of our attacks on the current roaming deploymentand potentially secure version of the PWS

In our investigations we also assess the impact of our attackson the user including effects on the SMS-based warnings and emer-gency calls We provide an extensive list of possible countermea-sures while pointing out advantages and drawbacks when imple-mented in the PWS

Responsible Disclosure Due to the significance of the emer-gency systems and their broad implications we reported our find-ings to GSMA the GSM Association (disclosure date Feb 7th 2022)GSMA has acknowledged them under the number CVD-2022-0054separately notified 3GPP and is about to issue an associated briefingpaper to share with its members We have been in active exchangewith GSMA for clarifications and brainstorming about countermea-sures We are also planning to inform other organizations (e gCISA FEMA and ENISA) about our results

2 BACKGROUNDIn this section we summarize the structure and functionality of thePWS on 5G network systems according to the specifications [3 10]

21 Network StructureThe network architecture is presented in Figure 1 It consists of thefollowing entities and functions

Figure 1 5G PWS Architecture

CBE (Cell Broadcast Entity) The CBErsquos responsibility is to prop-erly format the Cell Broadcast Service (CBS) messages and whennecessary divide the CBS message into a number of pages A fed-eral authority typically informs the CBE about the correspondingwarning messageCBCCBCF (Cell Broadcast CenterCell Broadcast Center Func-tion) Its main task is to modify or delete CBS messages allocateserial numbers while indicating the geographical scope of eachCBS message initiate broadcast by sending fixed length CBS mes-sages determine the set of cells to which a CBS message should bebroadcasted determine the time at which a CBS message shouldcommence or cease being broadcasted and determine the period atwhich the broadcast of the CBS message should be repeated EachCBCCBCF may be connected to several AMFs or PWS-IWFsPWS-IWF (Public Warning System Interworking Function) Thepurpose of this logical function is to translate messages (e g Write-Replace-Warning-Indication and Stop-Warning-Indication) fromN50 interface to SBc interface and vice versa Finally the PWS-IWFmay interface to one or multiple AMFs and one or multiple CBCsAMF (Authentication and Mobility Function) In PWS the AMF pro-vides reports and acknowledgements to the CBCCBCF regardingthe execution and forwarding of commands received from themand routes the warning messages (e g Write-Replace-Warning Re-quest) to the appropriate RAN nodes in the indicated Tracking AreaIn addition it reports the Broadcast Completed Area List the Broad-cast Cancelled Area List the PWS Restart Indication and the PWSFailure Indication received from RAN nodes to all CBCsCBCFs andPWS-IWFs that it interfaces withNG-RAN (Next Generation-Radio Access Network) It comprisesgNodeBs andor ng-eNodeBs which are the 5G related base stationsUpon reception of a command it executes the associated procedurefor the UEs in the target cells For instance a warning request willmake the RAN deliver the proper paging messages to all UEs andthen broadcast the SIBs as instructed In the case of cancellationthe RAN ceases the transmission of warning messages Finally theRAN reports to the AMF regarding the execution of each commandUE (User Equipment) It is the mobile terminal of a subscribed user(with a dedicated USIM) that utilizes legitimate network servicesoffered by a network provider

The architecture mainly supports the CBCF as the CBC andPWS-IWF are considered optional entities

22 The Paging ProcedureIn cellular networks UEs enter into an RRC-Idle state to preservebattery when there is no active service or any ongoing data trans-missions When there is an upcoming service (e g incoming call)to be delivered to a specific UE the AMF makes sure that the UE is


































119863119904119906119901119901 (119872119894119905119872) asymp 119863119904119901119900119900 119891 (119872119894119905119872) + 119905119903119890119888119904119906119901119894 + 119905119903119886119888ℎ119903119886119899 (1)








119863119904119906119901119901 (119860119905119905119886119888ℎ) asymp 119863119904119901119900119900 119891 (119860119905119905119886119888ℎ) + 119905119903119890119888119904119906119901119894 + 119905119903119886119888ℎ119903119886119899 (2)






Power On

Searchfor a cell

Decodethe MIB

Stop theprocess

Is the cellbarred

DecodeSIB1

Proceedwith the

connectionyes

no







119894 where 119892119894 119892




120572 =

1 if 120575119894 ge 10119889119861

0 otherwise(3)



119863119904119906119901119901 (119861119886119903119903 ) asymp 119905119887119886119903119903 + 119905119903119890119888119904119906119901119894 + 119905119903119886119888ℎ119903119886119899 (4)










































































































































]






Figure 15 SIB6

Figure 16 SIB 7

Figure 17 SIB 8




Abstract

1 Introduction

2 Background





31 Threat Model







5 Experimentation



6 Countermeasures

7 Related Work

8 Conclusion

References








































119863119904119906119901119901 (119872119894119905119872) asymp 119863119904119901119900119900 119891 (119872119894119905119872) + 119905119903119890119888119904119906119901119894 + 119905119903119886119888ℎ119903119886119899 (1)








119863119904119906119901119901 (119860119905119905119886119888ℎ) asymp 119863119904119901119900119900 119891 (119860119905119905119886119888ℎ) + 119905119903119890119888119904119906119901119894 + 119905119903119886119888ℎ119903119886119899 (2)






Power On

Searchfor a cell

Decodethe MIB

Stop theprocess

Is the cellbarred

DecodeSIB1

Proceedwith the

connectionyes

no







119894 where 119892119894 119892




120572 =

1 if 120575119894 ge 10119889119861

0 otherwise(3)



119863119904119906119901119901 (119861119886119903119903 ) asymp 119905119887119886119903119903 + 119905119903119890119888119904119906119901119894 + 119905119903119886119888ℎ119903119886119899 (4)










































































































































]






Figure 15 SIB6

Figure 16 SIB 7

Figure 17 SIB 8




Abstract

1 Introduction

2 Background





31 Threat Model







5 Experimentation



6 Countermeasures

7 Related Work

8 Conclusion

References









Power On

Searchfor a cell

Decodethe MIB

Stop theprocess

Is the cellbarred

DecodeSIB1

Proceedwith the

connectionyes

no







119894 where 119892119894 119892




120572 =

1 if 120575119894 ge 10119889119861

0 otherwise(3)



119863119904119906119901119901 (119861119886119903119903 ) asymp 119905119887119886119903119903 + 119905119903119890119888119904119906119901119894 + 119905119903119886119888ℎ119903119886119899 (4)










































































































































]






Figure 15 SIB6

Figure 16 SIB 7

Figure 17 SIB 8




Abstract

1 Introduction

2 Background





31 Threat Model







5 Experimentation



6 Countermeasures

7 Related Work

8 Conclusion

References













































































































































]






Figure 15 SIB6

Figure 16 SIB 7

Figure 17 SIB 8




Abstract

1 Introduction

2 Background





31 Threat Model







5 Experimentation



6 Countermeasures

7 Related Work

8 Conclusion

References








Figure 15 SIB6

Figure 16 SIB 7

Figure 17 SIB 8




Abstract

1 Introduction

2 Background





31 Threat Model







5 Experimentation



6 Countermeasures

7 Related Work

8 Conclusion

References







abusing 5g's warning and emergency systems - arxiv

Documents