Sophos Cloud Optix
If you live in the UK and listened to the radio earlier this week, you might have heard Chester Wisniewski and me talking to a number of local radio stations about the UK government’s proposal to introduce an emergency alerting service based on mobile phone text messages.
The plan, which will enter a trial stage later this month, is aimed at tapping into the ubiquity of mobile phones and the simplicity of Short Message Service (SMS) text messages to provide an effective method of giving clear and concise advice in the event of an emergency.
Radio and TV are highly effective tools that already get the news out rapidly in the event of local or national crises, but if you aren’t watching or listening at the moment that the alert goes out, you miss it.
Augmenting this with text messages may not be the most cutting-edge approach – texts are so 1999, after all – but it will work with just about every mobile phone in the UK, and just about everyone has a mobile phone.
It all sounds uncontroversial, doesn’t it?
You can probably imagine any number of local incidents that, were they to happen in your town, you wouldn’t mind hearing about without needing to be watching a TV or listening to a radio at the time.
At the risk of sounding a bit gruesome, examples might be: factory on fire, poisonous smoke billowing out; flood waters burst banks, CBD inundated; train accident, blood donations needed urgently; and so on.
But many, if not most, of the radio interviewers were at best cautiously optimistic, and with good reason: they wanted to speak to computer security experts because they wanted to consider the potential security risks before endorsing the proposal.
Thinking through the privacy implications before implementing a plan that is “obviously” the right thing to do?
That’s a good sign, if you ask me!
Quantifying the risks
So, how might this work, and what are the risks?
• Knowing whom to tell
You can build a giant list of users, and send them each an SMS in turn when you have something to say. This makes the service opt-in (unless you compel the mobile operators to hand over their subscriber databases), so the people who will receive the alerts are those who genuinely want them.
But it’s inefficient, since you have to send thousands or millions of messages, one by one, and for local emergencies, it doesn’t automatically target people on the spot (they might be out of town for the day, or have their phone turned off).
And there’s the problem of maintaining and disseminating the list so it can be used in real time: that list would be a prized possession for cybercrimimals.
Or you can use SMS-CB, or “cell broadcasts,” where the mobile operator simultaneously sends a message to all the phones currently in a particular cellular area, thus promptly and efficiently reaching phones that are in range, and appropriately located.
But there’s no opt-in, and although many phones can opt out of CBs with a configuration setting, that’s usually an all-or-nothing approach.
• Authenticating the messages
Cybercriminals are adept at hijacking news stories, especially those involving tragedy and disaster, to peddle their own fraudulent information, or to spread misinformation and fear.
And they’re adept at copying the look and feel of genuine security warnings to give themselves an aura of legitimacy that misleads people, especially when they are in a hurry.
For web pages, there’s room in the browser’s interface for visual alerts that can’t easily be forged or disguised by the crooks (the HTTPS padlock in the address bar, for example), and those can help well-informed users to distiguish fake from real.
We don’t have similar protections for SMSes, and while the brevity of text messages is handy for clarity and simplicity in an emergency, it makes them easy to clone, or copy, or spoof, in a believable way.
• Tolerance for unexpected messages
Several of the interviwers noted that they suffer a similar problem to me: SMS fatigue.
We already receive so much SMS spam (what Naked Security jocularly calls SPASMS), urging us to consolidate our debts, or trying to sell us insurance we don’t need, that our tolerance for text messages is very low.
We’re probably the sort of people who wouldn’t opt in to any service, even a well-meant one, that required us to hand over our mobile phone details.
Unless we were expecting a message from a specific source (such as a two-factor authentication code we know is on the way), we wouldn’t pay much attention to it on the grounds that we never opted in to start with.
• Safeguarding the system
Similar emergency alerting systems, though admittedly not SMS-based ones, in other countries, have had terrible trouble with hackers.
Not because they were hacked frequently, but because they were hacked and abused at all – it only takes one fake emergency to cause panic, or to destroy trust for ever in the alerting system.
Indonesia’s disaster management adviser’s Twitter account was hacked; someone sent a bogus message claiming “Jakarta: tsunami arrives tomorrow.”
And in Montana, US, a TV-based alerting system was abused to send out warnings of a zombie apocalypse. (It might sound funny in hindsight, but it is a dire reminder of why security matters fourfold in alerting systems of this sort.)
Should it go ahead?
As one interviewer, desipte his own sceptical concern, pointed out, “The fact that there are lots of potential problems is no reason not to do it.”
He’s right.
What I applaud in this case is that the trials, which will involve up to 50,000 people, are to see if the system might work well enough in the UK to be adopted there.
In the post-9/11 security era, it seems that the trials of many security systems are more about seeing how to implement them, not to decide whether to do so.
And security systems put in place “because it’s obvious they’ll do good,” may end up having quite the opposite result.
Image of hand holding mobile phone courtesy of Shutterstock.
There's a similar sort of system here in the US called Wireless Emergency Alert, which I've seen used by the National Weather service to warn people of severe weather in the area. It resembles a cross between a system message (like an alert or warning generated by the cellphone os) and an sms. It also has a distinct ring tone that seems to be set by the manufacturer. It's convenient, but it can also be irritating as they'll sometimes spam out the same message on 15 or 30 minute intervals
Before the UK government takes this whole project any further there should be a comprehensive survey of all mobile phone signal coverage throughout the UK. The majority of people won't have the latest smartphone using 4G.
It's no good assuming that everyone everywhere is going to receive the emergency SMS when the signal is so patchy in so many areas. The figures vary but you could have up to 1 in 5 people getting the SMS either hours later or not at all.
Also, during emergencies and disasters or just when many people are trying to use the system at once (New Year's Eve as an example) the system tends to become overloaded and cuts out anyway.
As with so many government IT projects, now would be a good time to pause and have a reality check to avoid being dazzled by the glamour of the technology.
The thing with SMSes is that they can be delivered by pretty much any of the networks, from the newest to the oldest, on any supported frequency.
And you don't need *everyone* to receive the message. I'd suggest that 1 in 5 "not getting the SMS" would matter very little, since this isn't like a 2FA code (one-to-one, if you don't get it you can't proceed).
Emergency radio bulletins probably don't reach 80% of the people who happen to own radios, and no-one is suggesting that we stop broadcasting by that means.
I think the main concerns about whether to do it are quite different from the reach of GSM and UMTS signals…but then again, that's why I wrote the article.
One key problem, as Duck points out, is that the important message will easily be lost in the 'noise' of all the SMS messages many people get. Or, for those of us who are not incessantly using 'social media' websites and rarely look at their mobile phone it is very common to not look at the messages as soon as they arrive, but maybe some hours or days later – so negating the 'emergency' aspect.
The SMS system is not reliant on 4G or any other ?G transmissions, and 4G is very much in its infancy with just three areas being 'live' at present but more being added gradually in the coming months.
My main concerns would be privacy and security and they need to be examioned and considered very carefully first.
The SMS alert scheme has several fatal flaws:
•If it’s based on “normal” SMS messages it will overwhelm the capacity of the mobile networks SMS Centres, so some of the messages might take hours or days to arrive, and some might never arrive.
•If it’s based on SMSCB then there’s no opt-out – and that’s always bad.
•Many mobile user don’t know how to read an SMS message.
•Not everyone has a mobile phone.
•There are areas of no coverage even if you do have a mobile phone.
What are the risks? Let's start with trying to figure out what train the governments hapless technoweenie will leave the data of millions of people on!
This is a good argument for SMSCB, as it'll just go out to everyone near the local cells; there will be no list to maintain. This isn't all that different than air raid sirens; you couldn't opt out of those either.
While there is the issue of SMS intolerance, I've been hard pressed to figure out how receiving one of these SMSes could actually be harmful. Not receiving them would be just like not hearing an air raid siren; you'd depend on the people around you to notify you, as always.
Broadcast phishes could still be an issue, as someone could send you an SMS with a forged caller ID that gets you to evacuate your neighbourhood so the crooks can walk in and take what they want. But this just points to a change in habits — if you get an emergency broadcast, it's supposed to be a broadcast; so check with a few other people and see if they got it too. After all, that's what this system is supposed to do; raise instant community awareness of an issue.
If everyone's phone starts beeping at the same time, it's likely legit. If you're the only person in your area to get the SMS, it's fake.
The only added bit to this is that someone could inject a false SMSCB into the local towers, bypassing tower security — or, they could compromise somewhere along the chain from the message origin to the cell towers. This is definitely something that should be analysed and reported on; overriding/spoofing a local cell broadcast is something that I thought was currently highly illegal, but not that difficult.
Acá en Chile se está tratando de implementar un servicio parecido pero con un servicio de SMS llamado Alerta de Emergencia, que es una aplicación propia del teléfono distinto a los SMS normales. En julio de este año comenzaron las pruebas.
Chile es un país con riesgo de terremotos importante y añadido a eso están los tsunamis por lo que este sistema es de importancia vital
Sounds like… "In Chile they're trying to implement a similar service but with a SMS service called Emergency Alert, which is a special phone application, separate from regular SMS. In July of this year they started the tests. Chile is a country with risks of earthquakes (and resulting tsunamis) so this system is of vital importance."
An opt in system exists run by the Environment Agency for flood alerts. Living in an area that is prone to flooding, I have subscribed.
I enabled all three formats and get
1) email
2) SMS
3) telephone rings with a pre-recorded message
When I am away, the telephone message ensures my house sitter receives the message. If I am not around and miss the phone, then SMS and email ensure that I get the message.
It is far more useful and targeted than the blanket weather warnings – there seems to be one every time more than a shower of rain is forecast.
I think an easy opt-in is probably a good idea so that a user can balance the annoyance with benefits.