Hello, everyone. I'm Liu Weiguang from 360 Technology. I'm a researcher from Unicorn Team. Today, my topic is about the public warning system in the LTE network, and my title is "Warning: Magnitude 10 Earthquake Is Coming in One Minute."

OK. Here is the agenda. First, I'm going to introduce what the public warning system in the LTE network is and what it is used for. Then I'm going to talk about the vulnerability in the LTE protocol. Then I'm going to introduce how to trigger the vulnerability. The first thing is to build a fake base station, and then we need to forge the fake warning message. In the last part, I will talk about the mitigation and the potential risk of the vulnerability.

OK. Let's talk about what a public warning system in the LTE network is. The public warning system is used to alert the public to disasters such as an earthquake, a tsunami, a nuclear war, and even a zombie outbreak. In other words, when you receive a warning message on your mobile phone, it usually means that you are in big trouble. You should find a safer place as soon as possible. There are four kinds of public warning systems all over the world. The ETWS, which is the Earthquake and Tsunami Warning System, is used in Japan. The Commercial Mobile Alert Service, CMAS, is used in the USA. The KPAS is for South Korea. And EU-Alert is used in European countries. There are four kinds of public warning systems, but they share the same architecture and a common signaling procedure.

OK, here is an example of the American CMAS. This is the ballistic missile alert in Hawaii last year. OK, please play the demo.

New reporting. How did it happen, that false alarm in Hawaii that led to 38 minutes of terror? More than a million people warned of an imminent missile attack, told "this is not a drill." Families huddling in closets, parents hiding children in manholes. ABC's Jim Avila from Honolulu.
The worker blamed for causing 38 minutes of fear and panic is reassigned after a routine internal test turned into the nightmare scenario for more than a million Hawaiians. "A missile may impact on land or sea within minutes. This is not a drill." The dire message causing this father to hide his daughter in a manhole, families to race into World War II era bunkers, tourists to gather in hotel basements. "I had my mom on speakerphone on the mainland, and I was calling and saying goodbye to my family." All starting during a shift change, when officials tell ABC News an employee mistakenly clicked "missile alert" instead of the test option. 8:07 Saturday morning, the warning: "This is not a drill." In just three minutes, at 8:10, the command center knows it's a false alarm. Official word taking an anguishing 38 minutes to come from this room.

OK, from the video, we can learn that even though this was a false alarm, it could cause the population huge panic and disruption. But luckily, this was just a mistake by the operator in the network center. It was not issued by an attacker. But we may wonder: is it possible that we can forge a fake warning message and issue it maliciously to the population? And the answer is yes.

This is the basic architecture of the public warning system. The CBC and CBE are used for generating the warning message. The MME and eNB are used for transmitting the warning message from the network to the mobile phone users. And there is a vulnerability in the air interface, which is that the warning messages are not encrypted or integrity protected. They are just transmitted in clear text. Another vulnerability is that when the mobile phone comes to a new cell, it doesn't authenticate the authenticity of the cell. So we can set up a fake base station.

OK, let's see how to trigger the vulnerability. First, we need to set up a fake base station. The hardware is not very complicated.
We just need an SDR device, which is used to send the radio frequency signal, and a laptop to run the LTE protocol stack. The SDR device we use is the USRP B210, and the laptop we use is a ThinkPad. I recommend that you use a high-performance laptop, because the LTE bandwidth is very large. The LTE protocol stack we use is an open-source LTE platform, srsLTE.

OK, at this point, we are going to forge the fake warning message. The warning message is defined in the LTE system information blocks. There are 13 types of information blocks; 12 are listed here. SIB10 and SIB11 are used for transmitting the ETWS warning message. They are used in Japan. And SIB12 is used to transmit the other three types of warning message.

OK, although there are four kinds of warning message, they share the same architecture, and the ETWS, which is used in Japan, is the most complicated. It has two levels of alert information. SIB10 is used for transmitting the first level, which is the primary notification, and SIB11 is used for transmitting the secondary notification. The paging message is used to make the mobile phone receive the warning message as soon as possible. And SIB1 is used for scheduling SIB10 and SIB11. It's just a control message; it doesn't contain the warning message.

Here I'm going to talk about the details of the primary notification. This is the structure of SIB10, which defines the primary notification. It is a screenshot of the LTE standard specification. The picture below is the source code we added to srsLTE to transmit the warning message. We perform ASN.1 encoding, because srsLTE doesn't support sending the warning message, so we had to add the source code.

Here is an example demo. This demo is the warning message we forged, and this is the primary notification. Let's see the demo. Please play the demo. This is a primary notification. It just contains fixed information.
It cannot customize the content. The text is just "ETWS", and it will make a very harsh alarm with the earthquake reminder. Well, the secondary notification can customize the content. It also supports segmentation when the warning message is too large, and it also supports multiple languages. It supports Chinese and English. We can use GSM7 for sending the English and UCS2 for sending the Chinese warning message. This is the structure of SIB11, which defines the secondary notification, and the picture below is the source code we added to srsLTE to send the secondary notification.

What's more, because the secondary notification can be customized, we could add anything we want into it. If we want to send an earthquake warning message, we can add the earthquake epicenter, the magnitude, the time, and the location into the warning message to make it more like a real one. And we found that when we set the message identifier to 0x1102 to 0x1104, the mobile phone will not make a harsh alarm. It will just make very mild bells. We will see it later in another demo. And we could even make the warning message send an advertisement that is just irrelevant to the earthquake warning message. We could add anything like a phishing website and a phishing phone number into it.

OK, here are the four fake warning messages we have forged. The first two pictures are the earthquake warning messages. We added the earthquake location, time, and magnitude. It said there will be an earthquake in Beijing and Tianjin. The second picture is the same content translated into Chinese with the UCS2 encoding standard. The last two pictures are not earthquake warning messages. They are just an emergency warning, because we set the identifier to 0x1104, and we added a phishing website and a phishing phone number respectively.

OK, here is a demo of the secondary notification. This is a fake warning message that we... Please play the demo.
OK, at this time, we can see that the mobile phone will not make a very harsh alarm and there is no earthquake reminder, just very mild bells. All the tests we have done before were based on the Google Pixel. But we have also done many tests on other phones, because China doesn't support the PWS. So our domestic variant Android phones like Xiaomi and Huawei don't support the public warning system. They have removed the function in the operating system. But our domestic... our China variant iPhones will respond to the warning message only under the test network, whose MCC is 001 and MNC is 001. They will not respond to the warning message under the network of China Mobile, China Unicom, or ChinaNet. So China doesn't need to worry about the warning message. Next, I will show you the response of the China variant iPhone. OK, please play the demo.

OK, it is a China variant, but it speaks Japanese. I don't know why.

OK, here is the conclusion part. I will talk about the risk and the mitigation. If there is a football stadium and it is full of people, just like this picture, and at this time we set up a fake base station and send out the fake warning message, like "Warning: Magnitude 10 earthquake is coming in one minute," what will happen? Because the warning message is a broadcast message, it can be received by all the mobile phone users simultaneously. And all the mobile phones that support the PWS will make a harsh alarm with an earthquake reminder. This may cause the population huge panic and even a stampede when they try to escape from their seats.

OK, let's see what we can do to prevent this fake warning message. We could use asymmetric encryption to protect the warning message. The network can use the private key to append a digital signature to the warning message, and the mobile phone can use the public key to verify the authenticity of the network and the warning message.
This may prevent the fake warning message, and I hope our public warning messages will not use clear text anymore. OK, that's my talk. Thank you. Any questions? No? OK, thank you.
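The signature-based mitigation proposed at the end of the talk, as an added Go example that is not code from the talk or from srsLTE: the network signs each warning with its private key before broadcast, and the handset accepts a warning only if a pinned operator public key verifies the signature, so a message from a rogue cell or one whose text was altered is rejected. The `Warning` layout, the field names and the choice of Ed25519 are assumptions made for illustration, not the 3GPP SIB11 encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Warning is a simplified secondary-notification payload. The layout is an
// assumption for illustration, not the 3GPP SIB11 ASN.1 encoding.
type Warning struct {
	MessageID uint16 // 0x1100 is the ETWS earthquake identifier; the talk used 0x1102-0x1104
	Serial    uint16 // serial number, distinguishes repeated broadcasts
	Text      string // warning text as shown to the user
}

// Encode serialises the warning canonically so that signer and verifier
// sign and check exactly the same bytes.
func (w Warning) Encode() []byte {
	buf := make([]byte, 4, 4+len(w.Text))
	binary.BigEndian.PutUint16(buf[0:2], w.MessageID)
	binary.BigEndian.PutUint16(buf[2:4], w.Serial)
	return append(buf, w.Text...)
}

// SignWarning is the network side: the operator's private key signs the
// encoded warning before it is broadcast in clear text.
func SignWarning(priv ed25519.PrivateKey, w Warning) []byte {
	return ed25519.Sign(priv, w.Encode())
}

// VerifyWarning is the handset side: a warning is accepted only if the
// pinned operator public key verifies its signature, so a warning from a
// rogue cell, or one whose fields were altered in transit, is rejected.
func VerifyWarning(pub ed25519.PublicKey, w Warning, sig []byte) bool {
	return ed25519.Verify(pub, w.Encode(), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed operator key pair
	if err != nil {
		panic(err)
	}
	genuine := Warning{MessageID: 0x1100, Serial: 1, Text: "Earthquake early warning"}
	sig := SignWarning(priv, genuine)
	forged := genuine
	forged.Text = "Magnitude 10 earthquake is coming in one minute" // altered text, same signature
	fmt.Println("genuine:", VerifyWarning(pub, genuine, sig), "forged:", VerifyWarning(pub, forged, sig))
}
```

A 64-byte Ed25519 signature and a 32-byte pinned key keep the overhead small enough to fit alongside the broadcast text; key distribution to handsets is the part this example leaves out.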