Issue:
CMAS / WEA is the alert system you just experienced. Security is relatively nonexistent with the protocol.
Discussion:
WEA uses the SMS stack for broadcast. The problem with WEA is that it is unauthenticated. If you’re familiar with SMS, you may be aware of a few attack vectors, some of which I’ve included as a link or attachment. You can disable most alerts except national-level alerts like today unless you have stock Android, GrapheneOS, or a rooted device. First-party software doesn’t allow it for FCC reasons. If iOS allows this to be disabled, please correct me.
Recommendation:
Disabling the alerts when able, especially during travel.
- FK
For the record, I’m neither confirming or denying anything that isn’t publicly available information.
Lee, J., Lee, G., Lee, J., Im, Y., Hollingsworth, M., Wustrow, E., Grunwald, D., & Ha, S. (2021). Securing the wireless emergency alerts system. Communications of the ACM, 64(10), 85–93. Securing the wireless emergency alerts system | Communications of the ACM