funsec mailing list archives

Re: Aren't emergency messages to cellphones a bad idea?


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Tue, 20 Jun 2006 19:19:13 +0200 (CEST)

On Tue, 20 Jun 2006, Richard M. Smith wrote:

> Here's a thought experiment.  Let's say a teenager blasted out 10,000 fake
> SMS messages to area code 617 warning of an anthrax attack in downtown
> Boston and that everyone should get out of the area at once.  How bad would
> be the mess?  Do we really want an emergency warning system that anyone can
> use to send out messages of their choice?

On a slightly more serious note...

The thing is, most emergency broadcast systems are quite vulnerable to
spoofing. The benefits outweigh the risks, however, and the abuse is not
common. By making them overly complex and spoof-proof, you're not only
risking a greater chance of critical failure, but your effort is also
quite likely futile. That's because people are quite naive and prone to
scares - no matter how well you protect the integrity of the "official"
channel, an illusion of authority is sufficient to trigger widespread
panic. You can put some lights and decals on your pick-up, grab a
megaphone - and prompt a nice stampede in any crowded place.

There are some deterrents, but most of them boil down to requiring SOME
(not a whole lot) time and effort to mount successful attacks, and
discouraging attackers altogether by imposing stringent consequences for
such vandalism.

This channel is probably no different: it takes time, effort and money to
send these messages, the attack can be easily noticed, tracked, and
stopped in its tracks before you've reached enough recipients. It's also
hard to hide with a cell phone, so you're risking a lot.

So yeah, you can do that, and there's a million other ways to subvert
modern society. This method is probably not particularly notable or
effective, as far as my standards for doomsday scenarios go...

/mz