Exploring the security flaws in WEA's broadcast protocol

Issue:

CMAS / WEA is the alert system you just experienced. Security is relatively nonexistent with the protocol.

Discussion:

WEA uses the SMS stack for broadcast. The problem with WEA is that it is unauthenticated. If you’re familiar with SMS, you may be aware of a few attack vectors, some of which I’ve included as a link or attachment. You can disable most alerts except national-level alerts like today unless you have stock Android, GrapheneOS, or a rooted device. First-party software doesn’t allow it for FCC reasons. If iOS allows this to be disabled, please correct me.

Recommendation:

Disabling the alerts when able, especially during travel.

  • FK

For the record, I’m neither confirming or denying anything that isn’t publicly available information.

Lee, J., Lee, G., Lee, J., Im, Y., Hollingsworth, M., Wustrow, E., Grunwald, D., & Ha, S. (2021). Securing the wireless emergency alerts system. Communications of the ACM, 64(10), 85–93. Securing the wireless emergency alerts system | Communications of the ACM

In iOS, you can go to Notifications-> Government Alerts; there are toggles to turn off all of them. However, it appears it won’t notify you but still shows up on your home screen, too. The best guess is iOS is still accepting and processing the WEA message but not silencing the notification.
image