Characterizing the Security Implications of Third-Party Emergency Alert Systems over Cellular Text Messaging Services

Patrick Traynor

Abstract—Cellular text messaging services are increasingly being relied upon to disseminate critical information during emergencies. Accordingly, a wide range of organizations including colleges and universities now partner with third-party providers that promise to improve physical security by rapidly delivering such messages. Unfortunately, these products do not work as advertised due to limitations of cellular infrastructure and therefore provide a false sense of security to their users. In this paper, we perform the first extensive investigation and characterization of the limitations of an Emergency Alert System (EAS) using text messages as a security incident response mechanism. We show emergency alert systems built on text messaging not only cannot meet the 10 minute delivery requirement mandated by the WARN Act, but also potentially cause other voice and SMS traffic to be blocked at rates upward of 80 percent. We then show that our results are representative of reality by comparing them to a number of documented but not previously understood failures. Finally, we analyze a targeted messaging mechanism as a means of efficiently using currently deployed infrastructure and third-party EAS. In so doing, we demonstrate that this increasingly deployed security infrastructure does not achieve its stated requirements for large populations.

Index Terms—SMS, campus alert, denial of service, security.

1 INTRODUCTION

Text messaging allows individuals to transmit short, alphanumeric communications for a wide variety of applications. Whether to coordinate meetings, catch up on gossip, offer reminders of an event or even vote for a contestant on a television game show, this discreet form of communication is now the dominant service offered by cellular networks. In fact, in the United States alone, over five billion text messages are delivered each month [31]. While many of the applications of this service can be considered noncritical, the use of text messaging during emergency events has proven to be far more utilitarian.

With millions of people attempting to contact friends and family on September 11th 2001, telecommunications providers witnessed tremendous spikes in cellular voice service usage. Verizon Wireless, for example, reported voice traffic rate increases of up to 100 percent above typical levels; Cingular Wireless recorded an increase of up to 1,000 percent on calls destined for the Washington D.C. area [34]. While these networks are engineered to handle elevated amounts of traffic, the sheer number of calls was far greater than capacity for voice communications in the affected areas. However, with voice-based phone services being almost entirely unavailable, SMS messages were still successfully received in even the most congested regions because the control channels responsible for their delivery remained available. Similar are the stories from the Gulf Coast during Hurricanes Katrina and Rita. With a large number of cellular towers damaged or disabled by the storms, text messaging allowed the lines of communication to remain open for many individuals in need, in spite of their inability to complete voice calls in areas where the equipment was not damaged and power was available.

Accordingly, SMS messaging is now viewed by many as a reliable method of communication when all other means appear unavailable. In response to this perception, a number of companies offer SMS-based emergency messaging services. Because these services are touted as able to deliver critical information, colleges, universities, and even municipalities hoping to coordinate and protect the physical security of the general public have spent tens of millions of dollars to install such systems. Unfortunately, these products will not work as advertised and provide a false sense of security to their users.

In this paper, we explore the limitations of third-party Emergency Alert Systems (EAS). In particular, we show that because of the currently deployed cellular infrastructure, such systems will not be able to deliver a high volume of emergency messages in a short period of time. This identifies a key failure in a critical security incident response and recovery mechanism (the equivalent of finding weaknesses in techniques such as VM snapshots for rootkits and dynamic packet filtering rules for DDoS attacks) and demonstrates its inability to properly function during the security events for which it was ostensibly designed. The fundamental misunderstanding of the requirements necessary to successfully deploy this piece of security infrastructure is likely to contribute to real-world, human-scale consequences.

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 6, JUNE 2012, p. 983

The author is with the Converging Infrastructure Security (CISEC) Laboratory, Georgia Tech Information Security Center (GTISC), Georgia Institute of Technology, Klaus Advanced Computing Building, Room 3138, 266 Ferst Drive, Atlanta, Georgia 30332-0765. E-mail: [email protected].

Manuscript received 15 Oct. 2010; revised 18 Feb. 2011; accepted 15 Apr. 2011; published online 26 May 2011. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference IEEECS Log Number TMC-2010-10-0477. Digital Object Identifier no. 10.1109/TMC.2011.120.

1536-1233/12/$31.00 © 2012 IEEE. Published by the IEEE CS, CASS, ComSoc, IES, & SPS


In so doing, we make the following contributions:

- Emergency event characterization. Through modeling and simulation based on real provider deployments, we provide the first public characterization of the impact of an emergency event on a cellular network. This contribution is novel in that it explores a range of realistic emergency scenarios and provides a better understanding of their failure modes.

- Measure EAS over SMS for multiple emergency scenarios. We provide data to debunk the common assertion made by many third-party vendors that large quantities of text messages can be delivered within a short period of time (i.e., seconds to minutes). We evaluate a number of different, realistic emergency scenarios and explain why a number of college campuses have reported “successful” tests of their systems. Finally, we provide a real-world example that very closely mirrors the results of our simulations.

- Quantify collateral damage. We characterize the presence of the additional traffic generated by third-party EAS over SMS and show that such traffic causes increased blocking of normal calls and text messages, potentially preventing those in need of help from receiving it. We also discuss a number of ways in which these networks can cause unexpected failures (e.g., message delay, message reordering, alert spoofing).

The paper is organized as follows: Section 2 provides a technical overview of SMS delivery and a general third-party EAS provider architecture. Section 3 models capacity of such networks; Section 4 provides the results of simulations for a range of different emergency scenarios; Section 5 discusses how currently deployed systems can best be used during an emergency event; Section 6 provides a discussion of why such a mismatch has occurred; Section 7 explores related work; Section 8 provides concluding thoughts.

2 NETWORK ARCHITECTURE

Before we attempt to characterize the cellular infrastructure during an emergency, it is necessary to understand how such networks deliver text messages. In this section, we provide a technical overview of message delivery and a high-level description of how third-party vendors try to use these systems to deliver alert messages. We specifically examine GSM networks [3] in these discussions as they represent the most widely deployed cellular technology in the world; however, it should be noted that message delivery for other technologies such as CDMA, IDEN, and TDMA is very similar and is therefore subject to similar problems.

2.1 Cellular Network Architecture

2.1.1 Sending a Message

There are a number of ways in which text messages can be injected into a GSM or CDMA network. While most users are only familiar with sending a text message from their phone, known as Mobile Originated SMS (MO-SMS), service providers offer an expanding set of interfaces through which messages can be sent. From the Internet, for instance, it is possible to send text messages to mobile devices through a number of webpages, e-mail, and even instant messaging software. Third parties can also access the network using so-called SMS Aggregators. These servers, which can be connected directly to the phone network or communicate via the Internet, are typically used to send “bulk” or large quantities of text messages. Aggregators typically inject messages on behalf of other companies and charge their clients for the service. Finally, most providers have established relationships between each other to allow for messages sent from one network to be delivered in the other. Fig. 1 shows these three high-level strategies.

After entering a provider’s network, messages are sent to the Short Messaging Service Center (SMSC). SMSCs perform operations similar to e-mail handling servers in the Internet, and store and forward messages to their appropriate destinations. Because messages can be injected into the network from so many external sources, SMSCs typically perform aggressive spam filtering on all incoming messages. All messages passing this filtering are then converted and copied into the necessary SMS message format and encoding and then placed into a queue to be forwarded to their final destination.

Fig. 1. Text messages arrive in a provider’s network from a wide variety of sources and are processed by the SMSC before being delivered to mobile devices.

2.1.2 Finding a Device

Delivering messages in a cellular network is a much greater challenge than in the traditional Internet. Chief in this difficulty is that users in a cellular network tend to be mobile, so it is not possible to assume that users will be located where we last found them. Moreover, the information about a user’s specific location is typically limited. For instance, if a mobile device is not currently exchanging messages with a base station, the network may only know a client’s location at a very coarse level (i.e., the mobile device may be known to be in a specific city, but no finer grained location information would be known). Accordingly, the SMSC needs to first find the general location for a message’s intended client before anything else can be done.

A server known as the Home Location Register (HLR) assists in this task. This database acts as the permanent repository for a user’s account information (i.e., subscribed services, call forwarding information, etc.). When a request to locate a user is received, the HLR determines whether or not that device is currently turned on. If a mobile device is currently powered off, the HLR instructs the SMSC to store the text message and attempt to deliver it at another time. Otherwise, the HLR tells the SMSC the address of the Mobile Switching Center (MSC) currently serving the desired device. Having received this location information, the SMSC then forwards the text message on to the appropriate MSC.

2.1.3 Wireless Delivery

As mentioned earlier, even the MSC may not know more information about a targeted device’s location. In order to determine whether or not the current base station serving this device is known, the MSC queries the Visitor Location Register (VLR), which temporarily stores information about clients while they are being served by the MSC. In most cases, this information is not known, and so the MSC must begin the extensive and expensive process of locating the mobile device. The MSC completes this task by generating and forwarding paging requests to all of its associated base stations, which may number in the hundreds. This process is identical to locating a mobile device for delivery of a voice call.

Upon receiving a paging request from the MSC, a base station attempts to determine whether or not the targeted device is nearby. To achieve this, the base station attempts to use a series of Control Channels to establish a connection with the user. First, the base station broadcasts a paging request over the Paging Channel (PCH) and then waits for a response. If the device is nearby and hears this request, it responds to the base station via the Random Access Channel (RACH) to alert the network of its readiness to receive information. When this response is received, the network uses the Access Grant Channel (AGCH) to tell the device to listen to a specific Standalone Dedicated Control Channel (SDCCH) for further exchanges. Using this SDCCH, the network is able to authenticate the client, perform a number of maintenance routines and deliver the text message. By limiting the operations necessary to deliver a text message to the control channels used for call setup, such messages can be delivered when all call circuits, known as Traffic Channels (TCHs), are busy.

When the attempt to deliver the message between the targeted device and the base station is complete, the device either confirms the success or failure of delivery. This status information is carried back through the network to the SMSC. If the message was successfully delivered, the SMSC deletes it. Otherwise, the SMSC stores the message until a later period, at which time the network reattempts delivery. Fig. 2 offers an overview of this entire process.

2.2 Third-Party Provider Solutions

In the past few years, a significant number of third parties offering to deliver alert messages (and other information services) via text messaging have appeared. Citing the need for improved delivery targeted to a highly mobile population, many such services advertise text messaging as an instant, targeted disseminator capable of delivering critical information to tens of thousands of mobile phones when it is most needed. These systems have been extensively deployed on college and university campuses throughout the United States.

The architecture of these systems is relatively simple. Whether activated through a web interface [13], [16], [42], [53], [54], directly from a phone [24], or as software running on a campus administrator’s computer [41], [35], these services act as SMS aggregators and inject large numbers of text messages into the network. Colleges and universities subscribing to these services then collect mobile phone numbers from students, faculty, and staff. In the event of an alert, all or a subset of the collected numbers can be targeted. While network providers may offer some limited information back to the third party, aggregators are largely unaware of conditions in the network or the geographic location of any specific individual.

Fig. 2. Before a message can be delivered, a mobile device must be located. To do so, the MSC requests that towers within a given area all transmit paging requests. If and when a device is found, the MSC forwards the message to the appropriate tower, which attempts to deliver it wirelessly. The status of the delivery attempt is then returned to the SMSC. If delivery failed, the SMSC will attempt delivery at a later time. (Not shown: Base stations are controlled in groups by a Base Station Controller.)

3 MODELING EMERGENCY EVENTS IN REAL ENVIRONMENTS

To determine whether there exists a mismatch between the current cellular text messaging infrastructure and third-party EAS, it is necessary to observe such systems during an emergency. However, because large-scale physical security incidents are rare, we apply a number of modeling techniques to help characterize such events.

3.1 Location Selection and Characterization

The events that unfolded at the Virginia Polytechnic Institute and State University (“Virginia Tech”) on 16 April 2007 have become one of the primary motivations behind the calls to use SMS as the basis of an emergency system. Many argue that had such a system been in place during what became the deadliest campus shooting in US history, countless lives could have been saved. However, a thorough examination of such claims has not been conducted. In particular, it is not clear whether or not the messages transmitted by such a system would have reached all students before the Norris Hall shootings. Accordingly, we have selected Virginia Tech as our location to characterize.

Located in southwestern Virginia, this land grant university is home to over 32,000 students, faculty, and staff [56]. For the purposes of this work, we assume that just under half (15,000) of these individuals subscribe to a GSM network. As is shown by the red triangles in Fig. 3, the major GSM provider in this area provides service to the campus of Virginia Tech from four base stations.¹ Given that each base station has three sectors (each covering a 120 degree range), we assume that the campus itself is covered by 8 of the 12 total sectors in the area. While we believe this campus to be representative, specific results from other universities can be determined using information specific to those locations.

3.2 Mathematical Characterization of Emergencies

The first step in characterizing a cellular network during an emergency is determining delivery time. In particular, we are interested in understanding the minimum time required to deliver emergency messages. If this time is less than the goal of 10 minutes set forth by the current public EAS policies and the WARN Act [47], then such a system may indeed be possible. However, if this goal cannot be met, current networks cannot be considered as good candidates for EAS message delivery.

Given that most sectors have a total of eight SDCCHs, that it takes approximately 4 seconds to deliver a text message in a GSM network [15], [34] and the information above, the GSM network serving the campus of Virginia Tech would require the following amount of time to deliver a single message to 15,000 recipients:

$$T = \frac{15{,}000\ \text{msgs}}{1\ \text{campus}} \times \frac{1\ \text{campus}}{8\ \text{sectors}} \times \frac{1\ \text{sector}}{8\ \text{SDCCHs}} \times \frac{1\ \text{SDCCH}}{0.25\ \text{msg/sec}} \approx 938\ \text{sec} \approx 15.6\ \text{mins}.$$

Because the contents of emergency messages are likely to exceed the 160 character limit of a single text message, providers and emergency management officials have estimated the number of messages is likely to increase by at least four times:

$$T = \frac{15{,}000\ \text{msgs}}{1\ \text{campus}} \times 4\ \text{msgs} \times \frac{1\ \text{campus}}{8\ \text{sectors}} \times \frac{1\ \text{sector}}{8\ \text{SDCCHs}} \times \frac{1\ \text{SDCCH}}{0.25\ \text{msgs/sec}} \approx 3752\ \text{secs} \approx 62.5\ \text{mins}.$$

The above calculations represent an optimistic minimum time for the delivery of all messages. For instance, it is highly unlikely that all eight SDCCHs will be available for delivering text messages as these channels are also used to establish voice calls and assist with device mobility. Moreover, contention between emergency messages for SDCCHs will also be a significant factor given that the SMSC is unaware of traffic conditions in individual sectors. Finally, depending on conditions within the network, each message is likely to experience different delays. To better characterize these factors, we apply a simple Erlang-B queuing analysis of the system. In a system with $n$ servers and an offered load of $A = \frac{\lambda}{\mu^{-1}}$, where $\lambda$ is the intensity of incoming messages and signaling traffic and $\mu$ is the rate at which a single server can service incoming requests, the probability that an incoming emergency message is blocked (i.e., dropped) is

$$P_B = \frac{\dfrac{A^n}{n!}}{\sum_{l=0}^{l=n-1} \dfrac{A^l}{l!}}. \tag{1}$$

Fig. 4 compares an imposed deadline for delivering all SMS-based emergency messages against the expected blocking. We note that while Poisson arrival is not appropriate for modeling traffic on the Internet, it is regularly used in telecommunications. Like the delivery equations, this calculation shows that such large volumes of messages cannot be delivered in a short period of time, even without the presence of traffic from normal operations.

Fig. 3. The placement of base stations (red triangles) for a major GSM provider near Virginia Tech. Given that each base station has three sectors, the campus itself receives service from approximately eight total sectors.

Fig. 4. Calculated blocking probabilities versus delivery windows for emergency notification traffic.

1. This is the actual configuration of the major GSM carrier in this area, as confirmed through conversations with this provider.
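The delivery-time equations and the blocking-versus-deadline analysis of Section 3.2 can be reproduced numerically for any campus. The Python below is an added example, not code from the paper or its simulator: it uses the textbook Erlang-B recurrence (denominator summed through l = n), takes the offered load as arrival rate times the 4-second holding time, and assumes alerts are spread evenly over the sectors with no competing voice or SMS traffic; all function names are illustrative.

```python
"""Capacity model for alerting over SMS, following Section 3.2 (added example)."""

SERVICE_TIME_S = 4.0    # approx. SDCCH holding time per text message (page value)
SECTORS = 8             # sectors covering the campus (page value)
SDCCH_PER_SECTOR = 8    # control channels per sector (page value)


def min_delivery_seconds(recipients, msgs_per_recipient=1, sectors=SECTORS,
                         sdcch=SDCCH_PER_SECTOR, service_time=SERVICE_TIME_S):
    """Optimistic lower bound: every SDCCH does nothing but deliver alerts."""
    total_msgs = recipients * msgs_per_recipient
    return total_msgs / (sectors * sdcch) * service_time


def erlang_b(servers, offered_load):
    """Blocking probability of an n-server loss system (standard recurrence).

    B(0) = 1, B(k) = A*B(k-1) / (k + A*B(k-1)); numerically stable for large A.
    """
    if servers < 0 or offered_load < 0:
        raise ValueError("servers and offered_load must be non-negative")
    b = 1.0
    for k in range(1, servers + 1):
        b = offered_load * b / (k + offered_load * b)
    return b


def blocking_for_window(recipients, msgs_per_recipient, window_s, sectors=SECTORS,
                        sdcch=SDCCH_PER_SECTOR, service_time=SERVICE_TIME_S):
    """Blocking seen in one sector if all alerts are injected within window_s.

    Assumption: alerts arrive as a Poisson stream, evenly split across sectors.
    """
    per_sector_msgs = recipients * msgs_per_recipient / sectors
    arrival_rate = per_sector_msgs / window_s          # msgs per second
    offered_load = arrival_rate * service_time         # Erlangs
    return erlang_b(sdcch, offered_load)


def window_for_blocking(recipients, msgs_per_recipient, target):
    """Smallest delivery window (seconds) keeping blocking at or below target."""
    lo, hi = 1.0, 1.0
    while blocking_for_window(recipients, msgs_per_recipient, hi) > target:
        hi *= 2.0                                      # grow until target is met
    for _ in range(60):                                # bisection on the window
        mid = (lo + hi) / 2.0
        if blocking_for_window(recipients, msgs_per_recipient, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    # The page rounds these to 938 s (15.6 min) and 3752 s (62.5 min).
    print("1 msg/user :", min_delivery_seconds(15000) / 60, "min")
    print("4 msgs/user:", min_delivery_seconds(15000, 4) / 60, "min")
    for minutes in (5, 10, 30, 60, 120):
        p = blocking_for_window(15000, 4, minutes * 60)
        print(f"deadline {minutes:>3} min -> blocking {p:.3f}")
    w = window_for_blocking(15000, 4, 0.01)
    print(f"window for 1% blocking: {w / 60:.0f} min")
```

Under these assumptions a 10 minute deadline for four messages per user offers 50 Erlangs to eight channels per sector, so most alert traffic is blocked before any normal traffic is considered.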

4 SIMULATING EMERGENCY EVENTS

EAS over SMS traffic may still improve the physical security of its intended recipients even though it cannot be delivered to the entire population within a 10 minute time period. If such information can be sent without interfering with other traffic, it could be argued that it would remain beneficial to at least some portion of the receiving population.

To better understand the impact of this security incident response and recovery mechanism on other traffic, we further characterize a number of emergency scenarios. While the calculations provided in the previous section and a post-9/11 government study on national text messaging capacity [34] are a good start, neither of these approximations helps us understand the complex dynamics of the range of emergency scenarios. We therefore use a GSM simulator developed in our previous work [49], [50], [52] and extend it for our needs. This tool focuses on the wireless portion of the network and allows the interaction between various resources to be characterized. This simulator was designed according to 3GPP standards documents, input from commercial providers and given optimal settings where applicable [28] so that our results are as conservative as possible.² Table 1 provides a summary of additional parameters representing busy hour load conditions (i.e., rush hour) and channel holding/service times. All experiments represent the average of 500 runs, the inputs for which were generated according to an exponential interarrival time using the Mersenne Twister Pseudorandom Number Generator [22]. Confidence intervals of 95 percent for all runs were less than two orders of magnitude from the mean, and are therefore too small to be shown. Given this system, we are able to explore the details of an emergency without having to wait for such an event to occur or requesting log data from cellular providers. In the following sections, we offer views of normal operations, surges of messages and a full emergency situation with EAS over SMS deployed.

4.1 Normal Traffic

Our first set of experiments represent normal network behavior. Fig. 5 illustrates the blocking rates for Traffic Channels (TCHs) under four different busy hour voice traffic loads. Most relevant to the current discussion is the low call blocking when fewer than 15,000 calls are made per hour. Note that given the limited wireless resources available, such throughput is significant and highlights the robustness of this deployment. Cellular networks generally limit blocking to below 1 percent, making any sustained event above this threshold significant. Fig. 6 further supports the blocking data by illustrating very low SDCCH utilization rates for all of the offered loads. This graph also reinforces the case for using SDCCHs for SMS delivery. Even in the 25,000 calls per hour case, during which nearly more than 55 percent of incoming calls cannot be completed, SDCCHs are utilized at approximately 18 percent.

TABLE 1. Simulation Parameters

Fig. 5. The probability that calls experience TCH blocking. Note that only under very busy conditions does blocking become likely.

Fig. 6. The average utilization of control channels (SDCCHs) for a variety of traffic intensities.

2. We note that some providers configure their network such that incoming text messages use four of the eight SDCCHs to decrease delivery time. However, this configuration results in higher blocking during busy periods, so we do not consider it further.

4.2 Emergency Scenarios

Users having received notification of an emergency are unlikely to maintain normal usage patterns. In particular, users are likely to attempt to contact their friends and/or family soon after learning about such conditions. Whether by text message or phone call, however, such instinctual communication leads to significant congestion in cellular networks. This phenomenon led to a spike in the number of attempted calls to Washington D.C. of over 1,000 percent on September 11th [34]. Accordingly, increases of varying intensities and characteristics representing reactionary usage must be considered when designing text messaging-based EAS. We explore two such scenarios, which assume that the third-party EAS over SMS provider has configured their system to deliver all messages within the WARN Act’s 10 minute requirement [47], that SMSCs retransmit previously undeliverable messages once every 15 minutes and assume that four messages per user are transmitted by the EAS over SMS system when an emergency occurs.

4.2.1 Small-Scale Response Emergencies

Some emergencies are likely to elicit smaller spikes in usage than others. While scenarios such as wildfire evacuations [9] or tornado warnings for specific college campuses would certainly cause an increase in the amount of traffic sent over the network, they are unlikely to stimulate the generation of the volumes of traffic observed during a terrorist attack. To model this scenario, we simulate the gradual doubling (+100%) and tripling (+200%) of voice and SMS traffic to the Virginia Tech campus over the course of an hour. We then repeat these experiments in the presence of EAS over SMS messages. These experiments extend our previous modeling efforts [48].

Fig. 7 shows the probability of calls and text messages being blocked on SDCCHs and TCHs in an emergency without EAS over SMS. As expected, as voice and SMS traffic approaches double or triple their normal volumes, notable blocking begins to occur on both SDCCHs and TCHs. Of particular interest, however, is the increased probability of TCH blocking in the doubling case over the scenario in which traffic triples. The reason for this apparent inversion is explained by the increased SDCCH blocking over the same time period. Because fewer voice calls ever reach the point in call setup where a TCH is assigned, there is simply less competition for these resources. Fig. 8, which provides channel utilization for these experiments, confirms this conclusion. In particular, in the presence of increasing SMS and voice traffic, utilization of TCHs for the tripling case remains largely steady and actually decreases toward the end of the hour.

As shown in Fig. 9a, the addition of EAS over SMS traffic almost immediately causes more than 80 percent of all incoming voice and SMS to be blocked. Corresponding to these spikes, Fig. 9b shows SDCCH utilization holding at nearly full capacity during the transmission of these emergency messages. However, Fig. 9c shows a significant impact on the number of calls completed in the system. Nearly the inverse of Fig. 9a, this figure shows a drop in TCH utilization from over 90 percent to approximately 20 percent. This decreased ability to complete calls in spite of available resources demonstrates that those who may be attempting to reach out to emergency services such as 9-1-1 will be less able to do so.

4.2.2 Large-Scale Emergencies

Major emergency events are likely to exhibit different characteristics than the previously profiled small-scale scenarios. Whereas small events may have a gradual increase in the volume of traffic, large-scale emergencies are often characterized by substantial and rapid spikes in usage, followed by continued gradual growth. Although the small-scale emergency experiments have already demonstrated the impracticality of EAS over SMS given the currently deployed infrastructure, we explore this worst case to understand the full extent of the problems such third-party solutions may create. We therefore model a September 11th-like event in which normal traffic increases by 1,000 percent [34], with a 500 percent increase occurring over the course of a few minutes and the outstanding 500 percent being distributed across the remaining hour. Like the previous scenario, we conduct these experiments with and without the presence of EAS over SMS.

988 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 6, JUNE 2012

Fig. 7. The impact on blocking probability of increasing volumes of traffic without EAS over SMS. Note that more voice traffic is delivered in the TCH +100% (doubling) case due to elevated blocking in the +200% (tripling) case.

Fig. 8. Channel utilization during an emergency without EAS over SMS. Note that voice and SMS traffic have largely saturated the available channels.

Fig. 9. The blocking and channel utilization during an emergency event with EAS over SMS. Note that (a) over 80 percent of all calls and SMS messages are blocked when EAS messages are sent or retransmission occurs. Also note (c) the drop in TCH utilization when EAS transmissions occur, meaning that resources to allow calls are available but unused.

As expected, the sudden surge of traffic during the emergency almost immediately makes communications difficult. Fig. 10 shows blocking rates of approximately 47 percent for TCHs and between 59 and 79 percent for SDCCHs. With both SDCCHs and TCHs experiencing near total utilization as shown in Fig. 11, the network is already significantly overloaded and unable to deliver additional traffic.

The presence of traffic generated by an EAS over SMS system makes this scenario considerably worse. As shown in Fig. 12, call and SMS blocking on SDCCHs almost immediately reaches between 80 and 85 percent. Like the previous scenario, call blocking on TCHs actually decreases. Such a decrease can again be attributed to the elevated blocking on the SDCCHs, as Fig. 13 demonstrates that TCHs remain idle in spite of an increased call volume.

4.3 Testing Campus Alert Systems

The discrepancy between the scenarios presented thus far and the reports of successful tests of deployed systems is a result of a number of factors. As previously mentioned, the 160 character limit per text message often requires the transmission of multiple text messages during an emergency. Most system tests, however, typically involve sending a single message. Traffic in these tests is therefore sent at one-fourth the volume of more realistic emergency scenarios. The second difference is the size of the affected population. While many universities offer these systems as an optional service to their students, an increasing number are beginning to make enrollment mandatory. Accordingly, current tests attempt to contact only a subset of students with a smaller volume of traffic than would be used in a real emergency.

We use reports of successful tests as input for our final set of experiments. In particular, we attempt to recreate the environment in which these tests are occurring. We cite information from officials at the University of Texas Austin [26] and Purdue University [37], each of which has reported transmitting messages to approximately 10,000 participants. Note that this represents roughly 25 percent of the undergraduate student body at these institutions. We therefore reduce the receiving population at Virginia Tech to 7,500, of which only half are subscribers to the GSM provider.

Fig. 14 shows the probability of blocking for this scenario. With approximately 18 percent blocking, such a system would appear to replicate current deployments: over 80 percent of recipients are reached within the first 10-minute-long transmission. However, as is shown in Fig. 15, by increasing the number of messages sent to this small group by a factor of four to allow for a longer emergency message, the probability of blocking increases to 58 percent. Because the transmission of multiple messages is more likely, campus emergency coordinators should test their systems based on this setting to gain a realistic view of their performance and behavior.

TRAYNOR: CHARACTERIZING THE SECURITY IMPLICATIONS OF THIRD-PARTY EMERGENCY ALERT SYSTEMS OVER CELLULAR TEXT... 989

Fig. 10. The average blocking experienced during a large-scale emergency without EAS over SMS. Note that blocking on TCHs remains steady in spite of increasing call loads due to increased blocking on the SDCCH.

Fig. 11. Channel utilization observed during a large-scale emergency without EAS over SMS. The network becomes saturated almost immediately after the emergency event is realized.

Fig. 12. The average blocking during a large-scale emergency in the presence of EAS over SMS. The network experiences blocking rates of approximately 90 percent when EAS messages are being transmitted.

Fig. 13. Channel utilization during a large-scale emergency in the presence of EAS over SMS. TCH utilization falls significantly when EAS messages are sent, meaning fewer voice calls are delivered.

These two cases provide a more complete picture of the issues facing these systems. Whereas a third-party security incident response and recovery system may be able to deliver a small number of messages to one quarter of the students on campus, attempts to send more messages and therefore more meaningful communications quickly result in high blocking. Such systems are simply unable to scale for the rapid delivery of emergency messages to the entire population of the campus.

As corroboration of this final assertion and to further ground our results in reality, we note the results of a campus alert system deployed on the campus of Simon Fraser University in Burnaby, British Columbia, Canada. In April of 2008, the University attempted to send test alert messages to 29,374 people; however, only 8,600 were able to receive these messages [44]. Only 6,500 of those having received the message were able to do so within five hours of it being sent, representing nearly an 80 percent rate of blocking. Worse still, many students reported getting an elevated rate of busy signals even many hours later. These results are very similar to those shown in Fig. 12, which while showing a slightly higher load, shows extremely close levels of blocking (approximately 85 percent). The analysis in this paper, in concert with this real-life test, clearly explains the failure of this response mechanism to meet its requirement.

5 EFFICIENT SOLUTIONS USING CURRENT EAS

The experiments in the previous section demonstrate the inability of current cellular infrastructure to support emergency-scale messaging. However, entirely dismissing mobile phones and networks as a means of disseminating critical information during such an event misses an opportunity. Given the extensive deployment of third-party EAS on university campuses across the United States and the virtual ubiquity of cell phones, such systems can still be made useful.

Significant changes to the network could potentially make such systems more useful. The most promising of such solutions is cell broadcast. Instead of the point to point delivery of messages in current networks, cell broadcast would allow for the rapid dissemination of emergency information through point to multipoint communications. Such a system could reach the majority of cellular users in an area without requiring knowledge of each particular user’s location. This option is backed by the Commercial Mobile Service Alert Advisory Committee, which is currently working on developing standards documents. However, the timeline for the deployment of this standard is not currently known.

In the absence of this change, currently deployed third-party EAS could be effectively used to contact limited subsets of people in an affected area. On a University campus, for instance, sending emergency alerts to faculty members first would allow for a message to manually be amplified (e.g., immediately to their classes, research group, etc.). We again use Virginia Tech to measure the feasibility of this approach. Given approximately 1,300 faculty members [56], we again assume that just under half of this population (600) subscribes to the GSM network. With the same network resources described in Section 3, the minimum time to distribute a single emergency message to the faculty is

$$T = \frac{600\ \text{msgs}}{1\ \text{campus}} \times \frac{1\ \text{campus}}{8\ \text{sectors}} \times \frac{1\ \text{sector}}{8\ \text{SDCCHs}} \times \frac{1\ \text{SDCCH}}{0.25\ \text{msgs/sec}} \approx 37.5\ \text{sec}.$$

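Similarly, the time to send a long message requiring the delivery of four messages would require the following minimum delivery time:

$$T = \frac{600\ \text{msgs}}{1\ \text{campus}} \times \frac{4\ \text{msgs}}{\text{user}} \times \frac{1\ \text{campus}}{8\ \text{sectors}} \times \frac{1\ \text{sector}}{8\ \text{SDCCHs}} \times \frac{1\ \text{SDCCH}}{0.25\ \text{msgs/sec}} \approx 150\ \text{secs} \approx 2.5\ \text{mins}.$$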


Fig. 14. The average blocking observed during a test (one message) of a third-party EAS over SMS system with only 25 percent of students registered.

Fig. 15. The average blocking observed when four messages are transmitted and all other traffic remains constant.


Given that these minimum times are more than an order of magnitude smaller than those associated with directly messaging every person on campus, we performed simulations to measure the blocking experienced in this scenario. Fig. 16 shows the maximum blocking experienced for the transmission of one and four messages with delivery deadlines ranging from 1 to 10 minutes. Like previous experiments, each point is the result of 500 runs of the simulator with 95 percent confidence intervals being less than two orders of magnitude smaller than the mean. Note that the delivery of a single message to the faculty can occur very rapidly, with the probability of blocking dropping below 1 percent with a delivery requirement of only 2 minutes. Even the delivery of four messages to the faculty can be done with a blocking probability of less than 1 percent if given a deadline of 7 minutes. We note that this approach is different than assuming that the first subset of students to receive such an alert will alert their peers; rather, this targeted strategy will reach the individuals most likely to be dispersed across the campus with the ability to immediately amplify the delivery of the message.
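The sketch below is an added example, not the paper's simulator: it generalizes the minimum-delivery-time formula above to any recipient count and estimates SDCCH blocking for a chosen delivery deadline. The Erlang-B loss model, Poisson arrivals, an even spread of alerts across sectors and the optional `background_erlangs` parameter are assumptions introduced here; the sector, SDCCH and service-rate values are the ones used in the text.

```python
"""Added example: delivery-time lower bound and an Erlang-B blocking estimate."""

# Network parameters used in the text above.
SECTORS = 8             # sectors covering the campus
SDCCH_PER_SECTOR = 8    # SDCCHs available in each sector
SDCCH_RATE = 0.25       # messages per second one SDCCH can deliver


def min_delivery_seconds(recipients, msgs_per_user=1):
    """Lower bound on delivery time when every SDCCH carries only alerts."""
    total_msgs = recipients * msgs_per_user
    return total_msgs / (SECTORS * SDCCH_PER_SECTOR * SDCCH_RATE)


def erlang_b(offered_load, channels):
    """Blocking probability of an M/M/c/c loss system (stable recursion)."""
    blocking = 1.0
    for n in range(1, channels + 1):
        blocking = offered_load * blocking / (n + offered_load * blocking)
    return blocking


def blocking_estimate(recipients, msgs_per_user, deadline_s,
                      background_erlangs=0.0):
    """Estimated SDCCH blocking in one sector for a given delivery deadline.

    Assumption (not from the paper): alerts are paced evenly over the
    deadline and spread evenly over sectors. background_erlangs is the
    per-sector SDCCH load from ordinary voice setup and SMS traffic; it
    defaults to zero, which makes the estimate optimistic.
    """
    arrivals_per_sector = recipients * msgs_per_user / (SECTORS * deadline_s)
    hold_time_s = 1.0 / SDCCH_RATE          # seconds an SDCCH is occupied
    load = arrivals_per_sector * hold_time_s + background_erlangs
    return erlang_b(load, SDCCH_PER_SECTOR)


def shortest_deadline_minutes(recipients, msgs_per_user, target,
                              max_minutes=60, background_erlangs=0.0):
    """Smallest whole-minute deadline whose estimated blocking is below target."""
    for minutes in range(1, max_minutes + 1):
        estimate = blocking_estimate(recipients, msgs_per_user,
                                     minutes * 60, background_erlangs)
        if estimate < target:
            return minutes
    return None


if __name__ == "__main__":
    for msgs in (1, 4):
        print(f"{msgs} msg(s): lower bound "
              f"{min_delivery_seconds(600, msgs):.1f} s")
        for minutes in (1, 2, 5, 7, 10):
            p = blocking_estimate(600, msgs, minutes * 60)
            print(f"  deadline {minutes:2d} min -> blocking ~ {p:.4f}")
```

Raising `background_erlangs` shows how quickly the estimate degrades once ordinary emergency-time traffic competes for the same SDCCHs, which is the condition the paper's simulations model.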

Such a solution is not without its own difficulties. Many faculty members travel and some disciplines rely on graduate instructors to teach courses. Moreover, such a plan does not adequately inform or protect staff members. The selection of the precise subset must therefore be carefully considered by each university and should reflect not only maximum coverage but also the dynamic patterns of students, faculty, and staff throughout the day. Integration with a university’s course management or registration system may provide improved location information to such decisions. We leave the creation of such a system to future work.

Finally, we recommend that alert systems take advantage of multiple forms of media to improve robustness. Relying on any one technology makes an EAS ineffective should that system fail. The use of a range of systems including campus television and radio stations, the university’s website and sirens makes the likelihood of widespread notification significantly greater. Note that because of the advanced capabilities of many mobile phones including AM/FM and 802.11 radios and television receivers [36], [23], mobile phones may still be a useful platform for receiving alerts even in the absence of connectivity to cellular infrastructure.

6 DISCUSSION

6.1 Third-Generation (3G) Networks

We profiled the use of GSM networks in this work because they represent the most widely used cellular technology in the world. However, much faster third-generation cellular systems are beginning to be deployed. With high speed data service available in many metropolitan areas, it would appear as if the analysis made in this paper will not remain relevant.

The migration to these new systems will not address these issues for a number of reasons. First, all cellular networks expend significant effort when establishing a connection. As demonstrated in Section 2, these operations include locating a targeted mobile device and performing significant negotiations before a single packet can be delivered. While the delivery rates of cellular data services have been steadily improving over the past decade, this setup and delivery of the first bit of information remains a significant bottleneck in the process. This means that while it is possible to download large files relatively quickly using such networks, beginning the download remains expensive. Second, many providers currently have configured their 3G networks for the circuit switched delivery of text messages. Accordingly, such messages will continue to compete with incoming voice calls for resources, leading to the same kinds of blocking conditions.

6.2 False Alarms

Being able to disseminate alert messages in a timely manner is not the only essential component when evaluating EAS requirements. Users must be able to trust the authenticity of every emergency message they receive. Failure to ensure that the source of a message can be correctly identified allows malicious parties opportunities to add confusion to an emergency event. Unfortunately, there is no way to authenticate the source of messages, making fraudulent alerts easy to send.

Text messaging does not provide any means of authentication. Accordingly, it is possible for any individual with an Internet connection to inject messages with arbitrary contents to anyone with a cellular phone. As Fig. 17 demonstrates, such messages are indistinguishable from legitimate messages.

The implications of this limitation are significant. For instance, in the event of an emergency such as a chemical leak, it would be easy for a malicious party to send an “all-clear” message before the situation was deemed safe. Because it would not be possible for users to verify the source of the information, maliciously induced confusion is a real threat. False alerts have already been observed, including fraudulent warnings about earthquakes [25], tsunamis [4], school shootings [19], false Amber Alerts [39], and other misuses [11], [8].

6.3 Message Delivery Order

Implicit in the misunderstanding of text messaging as a real-time service are misconceptions about the order in which messages will be delivered to targeted devices. Specifically, it is often assumed that messages will be delivered in the order in which they were injected by the sender. Message delivery order is not always predictable.

Fig. 16. Experimentally measured maximum blocking for messages sent to a small subset of a university’s population based on variable delivery deadlines. Note that all faculty members can receive a single text message in under 5 minutes with a blocking probability of less than $9 \times 10^{-6}$.

The order in which messages are delivered can be affected by a number of factors. For instance, Traynor et al. [49] showed that the SMSCs of different providers implement a variety of service algorithms, including FIFO and LIFO service disciplines. Accordingly, it is possible for two providers to deliver the same stream of messages in opposite order. Even if all carriers implemented the same delivery algorithm, congestion in the network can cause further disordering of packets. If an incoming text message is unable to be delivered due to a lack of resources on the air interface, the SMSC will store the message for a later attempt. However, if subsequent messages have been sent before this message fails and manage to gain the required resources, they will be delivered out of the sender’s intended order. In an emergency such as a tornado, which may change directions, out of order delivery may send subscribers directly into the storm as opposed to away from it.

There are a number of emergency scenarios in which the above has occurred. During a wildfire evacuation at Pepperdine University in 2007, multipart messages were transmitted to students and faculty to provide relocation instructions. However, some reported that the messages were not useful. One student later noted that “Each notification that was sent came through in six to eight text messages. . . And they were jumbled, not even coming in order” [9]. More serious conflicts in message delivery order were noted on the campus of the Georgia Institute of Technology [12]. After a chemical spill in 2007, a message alerting students and faculty to evacuate campus was transmitted. Later, instructions to ignore the evacuation notification were also sent. However, a number of students noted receiving the messages out of order [43], adding greater confusion to the situation. Similar problems have been reported at a number of other universities [14], [20]. We note that these issues can potentially be addressed by implementing multipart messaging, which allows a handset to order messages on receipt; however, this feature is not uniformly supported.
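The multipart mechanism mentioned above can be sketched as follows; this is an added example, not code from the paper. It parses the concatenation information element of the SMS User Data Header (IEI 0x00 with an 8-bit reference, IEI 0x08 with a 16-bit reference) and reassembles parts that arrive out of order or duplicated. The sample parts, the sender number and the use of plain ASCII bodies instead of packed GSM 7-bit text are constructed for illustration.

```python
"""Added example: reassembling concatenated SMS parts received out of order."""


def parse_concat_header(user_data):
    """Return (ref, total, seq, body) from user data that begins with a UDH.

    Assumes the caller only passes messages whose UDH indicator is set.
    Returns None when the header carries no concatenation element.
    """
    if not user_data:
        return None
    udhl = user_data[0]                      # length of the header that follows
    header = user_data[1:1 + udhl]
    if len(header) != udhl:
        raise ValueError("truncated user data header")
    body = user_data[1 + udhl:]
    i = 0
    while i + 2 <= len(header):
        iei, iedl = header[i], header[i + 1]
        data = header[i + 2:i + 2 + iedl]
        if len(data) != iedl:
            raise ValueError("truncated information element")
        if iei == 0x00 and iedl == 3:        # 8-bit reference number
            return data[0], data[1], data[2], body
        if iei == 0x08 and iedl == 4:        # 16-bit reference number
            return int.from_bytes(data[:2], "big"), data[2], data[3], body
        i += 2 + iedl                        # skip unrelated elements
    return None


class Reassembler:
    """Collects parts per (sender, reference) and releases the full text."""

    def __init__(self):
        self._pending = {}

    def receive(self, sender, user_data):
        parsed = parse_concat_header(user_data)
        if parsed is None:
            raise ValueError("no concatenation header present")
        ref, total, seq, body = parsed
        if total == 0 or not 1 <= seq <= total:
            raise ValueError("sequence number outside 1..total")
        entry = self._pending.setdefault((sender, ref),
                                         {"total": total, "parts": {}})
        if entry["total"] != total:
            raise ValueError("parts disagree on total count")
        entry["parts"].setdefault(seq, body)  # SMSC retransmissions are ignored
        if len(entry["parts"]) < total:
            return None                       # still waiting for more parts
        del self._pending[(sender, ref)]
        ordered = (entry["parts"][n] for n in range(1, total + 1))
        return b"".join(ordered).decode("ascii")


def make_part(ref, total, seq, text):
    """Build constructed sample user data: UDHL=5, IEI=0x00, IEDL=3."""
    return bytes([5, 0x00, 3, ref, total, seq]) + text.encode("ascii")


def demo():
    """Deliver a constructed three-part alert as 3, 1, 1 (duplicate), 2."""
    texts = ["Tornado warning. ", "Move to the basement ",
             "of the nearest building."]
    parts = {n + 1: make_part(0x2A, 3, n + 1, t) for n, t in enumerate(texts)}
    handset = Reassembler()
    result = None
    for seq in (3, 1, 1, 2):
        result = handset.receive("+15550100", parts[seq])
    return result


if __name__ == "__main__":
    print(demo())
```

Reassembly of this kind orders the parts of one alert only. Two separate alerts, such as an evacuation notice followed by its cancellation, carry different reference numbers and can still arrive in the wrong order.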

6.4 Message Delay

When a call is placed, users expect to hold a conversation without large periods of delay between responses. This immediacy is in stark contrast to asynchronous services such as e-mail, where users have learned to expect at least minor delays between messages.

Examples of the delay that can be experienced during times of high volume are most easily observed during New Year’s Eve celebrations or the most recent US Presidential Inauguration. As hundreds of millions of users around the globe send celebratory greetings via SMS, service providers often become inundated with a flood of messages. Accordingly, the delivery of such messages has been noted to exceed more than six hours [17]. Even though providers often plan and temporarily deploy additional resources to minimize the number of blocked calls, the sheer volume of messages during such an event demonstrates the practical limitations of current systems. In spite of temporarily deploying additional towers, such delays are experienced even when cellular providers are aware that a high volume event will take place.

Why then has SMS been a successful means of communication during other national emergencies such as September 11th and Hurricanes Katrina and Rita? Numerous sources cite SMS as an invaluable service when both man-made and natural disasters strike [21], [32]. The difference between these events and other emergencies is the magnitude of messages sent. For instance, at the time of the attacks of September 11th, text messaging was still largely a fringe service in the United States. Had most users across the country attempted to communicate using SMS as their primary mode of communication, however, a report by the National Communications System (NCS) estimates that current network capacities would need to be expanded by 100-fold [34] in order to support such a volume. The reliability of text messaging during Hurricane Katrina is due to similar reasons. Because only a very small number of people were communicating via text messaging, the towers undamaged by the storm were able to deliver such messages without any significant competition from other traffic. Moreover, because the network automatically attempted retransmission, users were more likely to receive text messages than calls. If SMS use during either of these events approached emergency levels, it would have experienced delays similar to those regularly observed on New Year’s Eve.

7 RELATED WORK

Following the events of September 11th, 2001, curiosity about the ability to use text messaging as the basis of a reliable communications system during times of crisis arose. In response, the National Communications System conducted an investigation on the use of text messaging during a nation-wide emergency, which through simple calculations concluded that current systems would require “100 times more capacity to meet [the] load” created by widespread use of text messaging [34]. A related study by the European Telecommunications Standard Institute (ETSI) identified the increasing prevalence of spam as a significant threat to the operation of cellular networks during an emergency [18]. However, both studies were limited to high-level calculations of a single emergency scenario and neither considered the use of third-party EAS over SMS systems. Our study conducted the first characterization and simulation of multiple scenarios for EAS over cellular services and compared them directly to real-world, on-campus testing. Related efforts are also investigating the creation of more efficient disaster response infrastructure [1]; however, we note that many of the problems discussed in this paper are the result of not fully implementing GSM standards for bulk sending and cell broadcast [3], [2].

Fig. 17. The picture on the left was a test message sent using the e2campus website. The middle picture contains the exact same message and claims to be from the same source, but was sent from a service provider’s web interface. The right-most picture is a forged emergency message warning the user of an on-campus shooting and falsely claims to be sent by the Police.

The specific impacts on the reliability and security of such networks under torrents of text messages have also been explored. Traynor et al. [49], [51] noted that an attacker could exploit connections between the Internet and cellular networks to cause significant outages. With the bandwidth available to a cable modem, an attacker could send a small but targeted stream of text messages to a specific geographic region and prevent legitimate voice and text messages from being delivered. While subsequent research was able to better characterize and provide mitigations against such attacks [50], it was ultimately discovered that a more basic problem was responsible. Instead of simply being a matter of using a low-bandwidth channel to deliver data, the real cause of such attacks was a result of fundamental tension between cellular networks and the Internet. Specifically, because cellular networks cannot amortize the significant cost of connection establishment when delivering data, they are fundamentally vulnerable to such attacks [52]. Accordingly, as long as text messages are delivered in the point to point fashion as is done now, the expense of establishing connections with each and every phone in an area will remain prohibitively expensive.

Whether as an unintended consequence or deliberate act, the flooding behavior exhibited in the above work closely resembles Denial of Service (DoS) attacks on the Internet. The research community has responded with attempts to classify [33] and mitigate [5], [6], [7], [10], [27], [29], [30], [40], [46], [45], [55], [57] such attacks. However, such attacks are only beginning to be understood in the context of cellular networks, making the direct application of these solutions unsuitable.

8 CONCLUSION

Cellular networks are increasingly becoming the primary means of communication during emergencies. Riding the widely held perception that text messaging is a reliable method of rapidly distributing messages, a large number of colleges, universities, and municipalities have spent tens of millions of dollars to deploy third-party EAS over cellular systems. However, this security incident response and recovery mechanism simply does not work as advertised. Through modeling, a series of experiments and corroborating evidence from real-world tests, we have shown that these networks cannot meet the 10 minute alert goal mandated by the public EAS charter and the WARN Act. Moreover, we have demonstrated that the extra text messaging traffic generated by third-party EAS will cause congestion in the network and may potentially block upward of 80 percent of normal requests, potentially including calls between emergency responders or the public to 9-1-1 services. Accordingly, it is critical that legislators, technologists, and the general public understand the fundamental limitations of this mechanism to safeguard physical security and public safety and that future solutions are thoroughly evaluated before they are deployed.

ACKNOWLEDGMENTS

This work was supported in part by 3G Americas and the US National Science Foundation (NSF) (CNS-0916047 and CNS-0952959). Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of 3G Americas or the NSF. The author would also like to thank the cellular providers that helped him more accurately model this issue.

REFERENCES

[1] “Earthquake and Tsunami Warning System (ETWS); Requirements and Solutions,” Technical Report 3GPP TS 23.828 v2.0.0., 3rd Generation Partnership Project, 2008.

[2] “Technical Realization of Short Message Service Cell Broadcast (SMSCB),” Technical Report 3GPP TS 03.41 v7.5.0., 3rd Generation Partnership Project, 2000.

[3] “Technical Realization of the Short Message Service (SMS),” Technical Report 3GPP TS 03.40 v7.5.0., 3rd Generation Partnership Project, 2002.

[4] Agence France-Presse, “Hoax Text Message Spreads Tsunami Terror in Indonesia,” http://www.breitbart.com/article.php?id=070606101917.31jf2eyb&show_arti, 2007.

[5] D. Andersen, “Mayday: Distributed Filtering for Internet Services,” Proc. USENIX Symp. Internet Technologies and Systems (USITS), 2003.

[6] T. Anderson, T. Roscoe, and D. Wetherall, “Preventing Internet Denial of Service with Capabilities,” Proc. ACM Workshop Hot Topics in Networking (HotNets), 2003.

[7] K. Argyraki and D.R. Cheriton, “Scalable Network-Layer Defense against Internet Bandwidth-Flooding Attacks,” ACM/IEEE Trans. Networking, vol. 17, no. 4, pp. 1284-1297, Aug. 2009.

[8] Associated Press, “Man Admits Sending ‘Monkey Out of Cage’ Message,” http://www.google.com/hostednews/ap/article/ALeqM5gjBi_YGzVmUqV0YDKifMv, 2009.

[9] S. Blons, “Emergency Team Aids Efforts,” http://graphic.pepperdine.edu/special/2007-10-24-emergencyteam.htm, 2007.

[10] M. Casado, P. Cao, A. Akella, and N. Provos, “Flow Cookies: Using Bandwidth Amplification to Defend against DDoS Flooding Attacks,” Proc. Int’l Workshop Quality of Service (IWQoS), 2006.

[11] Cellular-News, “Malaysian Operators Dismiss Hoax SMS,” http://www.cellular-news.com/story/31247.php, 2008.

[12] T. Christensen, “Ga. Tech Building Cleared After Blast,” http://www.11alive.com/life/pets/story.aspx?storyid=106112, 2007.

[13] CollegeSafetyNet.com, http://www.collegesafetynet.com, 2008.

[14] Courant.com, “University Emergency SMS Service Doesn’t Deliver,” http://www.courant.com, Nov. 2007.

[15] B.K. Daly, “Wireless Alert & Warning Workshop,” http://www.oes.ca.gov/WebPage/oeswebsite.nsf/ClientOESFileLibrary/Wirel, 2011.

[16] e2Campus, “Mass Notification Systems for College, University & Higher Education Schools by e2Campus: Info on the Go!” http://www.e2campus.com, 2008.


[17] A.-M. Elliott, “Texters to Experience 6 Hour Delays on New Year’sEve,” http://www.pocket-lint.co.uk/news/news.phtml/11895/12919/palm-new-years, 2007.

[18] “Analysis of the Short Message Service (SMS) and Cell BroadcastService (CBS) for Emergency Messaging Applications; EmergencyMessaging; SMS and CBS,” Technical Report ETSI TR 102 444V1.1.1., European Telecomm. Standards Inst., 2006.

[19] J. Gambrell, “School Shooting Text Rumours Emptied ElementarySchool by 10 am,” http://www.washingtonpost.com/wp-dyn/content/article/2007/12/29/AR20071, 2007.

[20] L. Ganosellis, “UF to Test Texting Alerts After LSU Glitch,” http://www.alligator.org/news/uf_administration/article_3c1a9de6-670e-54fe-a882-c7e71309f83e.html, 2008.

[21] D. Geer, “Wireless Victories, Sept. 11th, 2001,” Wireless Business &Technology, 2005.

[22] J. Hedden, “Math::Random::MT::Auto - Auto-Seeded MersenneTwister PRNGs,” http://search.cpan.org/~jdhedden/Math-Random-MT-Auto-6.18/lib/Math/Random/MT/Auto.pm, Ver-sion 5.01, 2011.

[23] HTC Corporation, “HTC Tattoo Specifications,” http://www.htc.com/europe/product/tattoo/specification.html, 2009.

[24] Inspiron Logistics, “Inspiron Logistics Corporation WENS -Wireless Emergency Notification System for Emergency MobileAlerts,” http://www.inspironlogistics.com, 2008.

[25] Jakarta Post, “INDONESIA: Police Question Six More over SMSHoax,” http://www.asiamedia.ucla.edu/article-southeastasia.asp?parentid=50410, 2006.

[26] E. Jaramillo, “UT Director: Text Alerts Effective,” http://www.dailytexanonline.com/1.752094, 2008.

[27] A. Keromytis, V. Misra, and D. Rubenstein, “SOS: Secure OverlayServices,” Proc. ACM SIGCOMM, 2002.

[28] C. Luders and R. Haferbeck, “The Performance of the GSMRandom Access Procedure,” Proc. Vehicular Technology Conf.(VTC), pp. 1165-1169, June 1994.

[29] R. Mahajan, S.M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, andS. Shenker, “Controlling High Bandwidth Aggregates in theNetwork,” Computer Comm. Rev., vol. 32, no. 3, pp. 62-73, July2002.

[30] A. Mahimkar, J. Dange, V. Shmatikov, H. Vin, and Y. Zhang,“dFence: Transparent Network-Based Denial of Service Mitiga-tion,” Proc. USENIX Conf. Networked Systems Design and Imple-mentation (NSDI), 2007.

[31] K. Maney, “Surge in Text Messaging Makes Cell Operators :-),”http://www.usatoday.com/money/2005-07-27-text-messaging_x.htm, July 2005.

[32] J. McAdams, “SMS Does SOS,” http://www.fcw.com/print/12_11/news/92790-1.html, 2006.

[33] J. Mirkovic and P. Reiher, “A Taxonomy of DDoS Attacks andDDoS Defense Mechanisms,” ACM SIGCOMM Computer Comm.Rev., vol. 34, no. 2, pp. 39-53, 2004.

[34] Nat’l Comm. System, “SMS over SS7,” technical report, TechnicalInformation Bull. 03-2 (NCS TIB 03-2), Dec. 2003.

[35] Nat’l Notification Network (3n), “3n InstaCom Campus Alert -Mass Notification for Colleges and Universities,” http://www.3nonline.com/campus-alert, 2008.

[36] C. Nettles, “iPhone 3 to Have Broadcom BCM4329, 802.11N/5GHz Wireless, FM Transmitter/Receiver,” http://www.9to5mac.com/broadcom-BCM4329-iphone-802.11n-FM, 2009.

[37] M. Nizza, “This Is Only a (Text Messaging) Test,” http://thelede.blogs.nytimes.com/2007/09/25/this-is-only-a-text-messagi, 2007.

[38] Nyquetek, Inc., “Wireless Priority Service for National Security,”http://wireless.fcc.gov/releases/da051650PublicUse.pdf, 2002.

[39] Oregon State Police, “False Amber Alerts Showing up on CellPhones,” http://www.katu.com/news/local/26073444.html,2008.

[40] B. Parno, D. Wendlandt, E. Shi, A. Perrig, and B. Maggs,“Portcullis: Protecting Connection Setup from Denial of CapabilityAttacks,” Proc. ACM SIGCOMM, 2007.

[41] Reverse 911, “Reverse 911 - The Only COMPLETE NotificationSystem for Public Safety,” http://www.reverse911.com/index.php, 2008.

[42] Roam Secure, “Roam Secure,” http://www.roamsecure.net, 2008.

[43] shelbinator.com, “Evacuate! or Not,” http://shelbinator.com/2007/11/08/evacuate-or-not, 2007.

[44] Simon Fraser Univ., “Special Report on the Apr. 9th Test of SFU Alerts,” http://www.sfu.ca/sfualerts/april08_report.html, 2008.

[45] A. Stavrou, D.L. Cook, W.G. Morein, A.D. Keromytis, V. Misra, and D. Rubenstein, “WebSOS: An Overlay-Based System for Protecting Web Servers from Denial of Service Attacks,” J. Computer Networks, Special Issue on Web and Network Security, vol. 48, no. 5, pp. 781-807, 2005.

[46] A. Stavrou and A. Keromytis, “Countering DOS Attacks with Stateless Multipath Overlays,” Proc. ACM Conf. Computer and Comm. Security (CCS), 2005.

[47] The 109th Senate of the United States of Am., “Warning, Alert, and Response Network Act,” http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.1753:, 2005.

[48] P. Traynor, “Characterizing the Security Implications of Third-Party EAS over Cellular Text Messaging Services,” Proc. Second IEEE Int’l Conf. Security and Privacy in Comm. Networks (SecureComm), 2010.

[49] P. Traynor, W. Enck, P. McDaniel, and T. La Porta, “Exploiting Open Functionality in SMS-Capable Cellular Networks,” J. Computer Security, vol. 16, no. 6, pp. 713-742, 2008.

[50] P. Traynor, W. Enck, P. McDaniel, and T. La Porta, “Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks,” IEEE/ACM Trans. Networking, vol. 17, no. 1, pp. 40-53, Feb. 2009.

[51] P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, T. La Porta, and P. McDaniel, “On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core,” Proc. ACM Conf. Computer and Comm. Security (CCS), 2009.

[52] P. Traynor, P. McDaniel, and T. La Porta, “On Attack Causality in Internet-Connected Cellular Networks,” Proc. USENIX Security Symp., 2007.

[53] TXTLaunchPad, “TXTLaunchPad Provides Bulk SMS Text Message Alerts,” http://www.txtlaunchpad.com, 2007.

[54] Voice Shot, “Automated Emergency Alert Notification Call - VoiceShot,” http://www.voiceshot.com/public/urgentalert.asp?ref=uaemergencyalert, 2008.

[55] M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenkar, “DDoS Offense by Offense,” Proc. ACM SIGCOMM, 2006.

[56] Wikipedia, “Virginia Polytechnic Institute and State University,” http://en.wikipedia.org/wiki/Virginia_Tech, 2008.

[57] X. Yang, D. Wetherall, and T. Anderson, “TVA: A DoS-Limiting Network Architecture,” IEEE/ACM Trans. Networking (TON), vol. 16, no. 6, pp. 1267-1280, Dec. 2008.

Patrick Traynor received the PhD degree from The Pennsylvania State University in 2008. He is an assistant professor in the School of Computer Science at the Georgia Institute of Technology and is also a member of the Georgia Tech Information Security Center (GTISC). In addition to serving on a number of program committees, he is also a member of the editorial board for the Encyclopedia of Cryptography and Security. His research is focused in areas including telephony security and provenance, security for mobile phones, and the systems issues associated with applied cryptography.


994 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 6, JUNE 2012