Abstract
Cellular text messaging services are increasingly being relied upon to disseminate critical information during emergencies. Accordingly, a wide range of organizations, including colleges, universities and large metropolises, now partner with third-party providers that promise to improve physical security by rapidly delivering such messages. Unfortunately, these products do not work as advertised due to limitations of cellular infrastructure and therefore provide a false sense of security to their users. In this paper, we perform the first extensive investigation and characterization of the limitations of an Emergency Alert System (EAS) using text messages as a security incident response and recovery mechanism. Through the use of modeling and simulation based on configuration information from major US carriers, we show that emergency alert systems built on text messaging not only cannot meet the 10-minute delivery requirement mandated by the WARN Act, but also potentially cause other legitimate voice and SMS traffic to be blocked at rates upwards of 80%. We then show that our results are representative of reality by comparing them to a number of documented but not previously understood failures. Finally, we discuss the causes of the mismatch between expectations and operational ability and suggest a number of techniques to improve the reliability of these systems. We demonstrate that this piece of deployed security infrastructure simply does not achieve its stated requirements.
Copyright information
© 2010 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Traynor, P. (2010). Characterizing the Security Implications of Third-Party Emergency Alert Systems over Cellular Text Messaging Services. In: Jajodia, S., Zhou, J. (eds) Security and Privacy in Communication Networks. SecureComm 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 50. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16161-2_8
DOI: https://doi.org/10.1007/978-3-642-16161-2_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16160-5
Online ISBN: 978-3-642-16161-2
eBook Packages: Computer Science, Computer Science (R0)