13-11-2012, 02:22 PM
Characterizing the Security Implications of Third-Party Emergency Alert Systems over Cellular Text Messaging Services
ABSTRACT
Cellular text messaging services are increasingly
being relied upon to disseminate critical information
during emergencies. Accordingly, a wide range of
organizations including colleges and universities now
partner with third-party providers that promise to
improve physical security by rapidly delivering such
messages. Unfortunately, these products do not work
as advertised due to limitations of cellular
infrastructure and therefore provide a false sense of
security to their users. In this paper, we perform the
first extensive investigation and characterization of the
limitations of an Emergency Alert System (EAS)
using text messages as a security incident response
mechanism. We show emergency alert systems built
on text messaging not only can meet the 10 minute
delivery requirement mandated by the WARN Act,
but also potentially cause other voice and SMS traffic
to be blocked at rates upward of 80 percent. We then
show that our results are representative of reality by
comparing them to a number of documented but not
previously understood failures. Finally, we analyze a
targeted messaging mechanism as a means of
efficiently using currently deployed infrastructure and
third-party EAS. In so doing, we demonstrate that this
increasingly deployed security infrastructure does not
achieve its stated requirements for large populations.