Research suggests UK emergency alerts 'can be attacked' using basic tech

If the idea of your mobile phone going off at 3pm on Sunday with a fake emergency alert wasn’t enough to worry you, a paper published by US scientists back in 2019 has resurfaced online after it claimed such a system used by governments to warn its citizens of an “imminent risk to life” could be hit with a spoof attack.

As a reminder, tomorrow will see a test message sent to nearly 90 per cent of smartphones with 4G and 5G access, complete with a “loud siren-like sound” going off for around 10 seconds.

It comes after a trial of the system in East Suffolk and Reading in 2021, and while the vibration and sound will end after 10 seconds, users will have to acknowledge the alert on their phone before being able to use it again.

It will read: “This is a test of Emergency Alerts, a new UK government service that will warn you if there’s a life-threatening emergency nearby.

“In an actual emergency, follow the instructions in the alert to keep yourself and others safe. Visit gov.uk/alerts for more information.

“This is a test. You do not need to take any action.”

Sign up to our free Indy100 weekly newsletter

The emergency alerts can be turned off if needed, and won’t occur if the phone is turned off or in airplane mode.

In response to concerns over whether the system will access individuals’ personal data, the government has also said: “The system uses the cell tower your phone is connected to. When an alert is triggered, all towers in the area will broadcast the alert.

“To do this the government does not need to know the specific location or personal data on your device.”

However, the aforementioned paper from three years ago has raised concerns that the system could be susceptible to a malicious attack.

The abstract of the research article, which was penned by a group of academics from the University of Colorado Boulder, reads: “Our attack can be performed using a commercially-available software defined radio, and our modifications to the open source NextEPC and srsLTE software libraries.

“We find that with only four malicious portable base stations of a single Watt of transmit power each, almost all of a 50,000-seat stadium can be attacked with a 90 per cent success rate.”

They go on to note that this would depend on the “density of cell phones in range” but that spoof alerts in such a crowded space could “potentially result in cascades of panic”.

Good lord.

Oh, and if you’re wondering what the NextEPC and srsLTE software do, LTE stands for long-term evolution and concerns wireless broadband connections for mobile phones.

In the paper’s conclusion, the researchers state “completely fixing the problem” will require “a large collaborative effort between carriers, government stakeholders and cell phone manufacturers”.

The article also details some potential defences against such attacks, with one of them being the use of a “digital signature” system which allows for the verification of emergency messages.

In the meantime, though, a government spokesperson has said the system is “extremely secure” as it was “developed in conjunction with government cyber experts”.

“The system will only ever be used in a very limited number of circumstances where there is a risk to life and all alerts will be published on gov.uk at the same time they are broadcast,” they said.

Have your say in our news democracy. Click the upvote icon at the top of the page to help raise this article through the indy100 rankings.