arxiv: 2604.24404 · v1 · submitted 2026-04-27 · 💻 cs.CR · eess.SP

From Spoofing to Trust: Emergency Alerts Spoofing Testbed and Cross-Cell Verification

Pith reviewed 2026-05-08 02:47 UTC · model grok-4.3

classification 💻 cs.CR eess.SP
keywords 5G security · emergency alert spoofing · public warning systems · cross-cell verification · software-defined radio · cellular network attacks · OpenAirInterface

The pith

5G emergency alerts can be faked with modified open-source radio software, but phones can flag them by comparing broadcasts from neighboring cells.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that attackers can transmit forged 5G emergency alerts using changes to open-source network code and a software-defined radio, causing phones to display the fakes along with extra effects like embedded links. It demonstrates this feasibility through a working testbed and smartphone tests under different conditions. To counter the threat, the work adds a device-side check that compares any incoming alert against what neighboring cells are sending and treats unmatched single-source messages as suspicious. A sympathetic reader would care because public warning systems rely on instant trust during crises, and successful spoofing could trigger panic or lead users to malicious content without any network-level changes.

Core claim

We present the first open-source 5G emergency alert spoofing attack, implemented by modifying the openairinterface RAN code and executed using a software-defined radio, complemented by a custom network management system to automate network and warning configuration. We conduct a detailed analysis of how different smartphones behave under various conditions, showing that devices readily display spoofed alerts and that the alerting mechanism enables multiple practical attack scenarios. Finally, to address this threat, we propose and implement a lightweight cross-cell verification mechanism in which the device compares the received warning with neighboring cell broadcasts to flag single-source

What carries the argument

The cross-cell verification mechanism, in which the receiving device compares an incoming emergency warning against broadcasts from neighboring cells and flags any alert that appears from only a single source.

If this is right

  • Phones could adopt the verification to ignore alerts that do not match neighboring cells.
  • Network operators would need to ensure consistent alert content across cells for the check to succeed.
  • Attackers would require simultaneous control of multiple cells to evade detection.
  • The open testbed enables further experiments on warning system behavior across device models.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same comparison idea could apply to other cellular broadcast messages such as system information blocks.
  • Widespread adoption would shift detection burden to the device without requiring core network upgrades.
  • In areas with sparse cell coverage the mechanism might need fallback rules for when few neighbors are audible.
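
An added sketch of the device-side decision described under "What carries the argument", extended with the sparse-coverage fallback raised in the list above; it is not the paper's OAI code. The struct, verdict names, `min_matches` policy and sample values are assumptions, and it presumes neighboring cells carry the same SIB8 messageIdentifier, serialNumber and text.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical types for this sketch; they are not OAI structures. */
typedef struct {
    uint16_t pci;            /* physical cell ID that broadcast the warning */
    uint16_t message_id;     /* SIB8 messageIdentifier */
    uint16_t serial_number;  /* SIB8 serialNumber */
    const char *text;        /* reassembled, decoded warning text */
} cell_warning_t;

typedef enum { ALERT_CORROBORATED, ALERT_SUSPICIOUS, ALERT_UNVERIFIABLE } alert_verdict_t;

static int same_warning(const cell_warning_t *a, const cell_warning_t *b)
{
    return a->message_id == b->message_id &&
           a->serial_number == b->serial_number && strcmp(a->text, b->text) == 0;
}

/* rx: warning from the serving cell; seen: warnings decoded from other cells in the
 * check window; n_audible: neighbor cells decodable at all, warning or not;
 * min_matches: distinct neighbor cells that must agree (assumed policy, normally 1). */
alert_verdict_t cross_cell_verify(const cell_warning_t *rx, const cell_warning_t *seen,
                                  size_t n_seen, size_t n_audible, size_t min_matches)
{
    size_t matches = 0;
    for (size_t i = 0; i < n_seen; i++) {
        if (seen[i].pci == rx->pci || !same_warning(&seen[i], rx))
            continue;                 /* a cell cannot corroborate itself */
        size_t j = 0;
        while (j < i && !(seen[j].pci == seen[i].pci && same_warning(&seen[j], rx)))
            j++;
        if (j == i)                   /* count each neighbor PCI only once */
            matches++;
    }
    if (matches >= (min_matches ? min_matches : 1))
        return ALERT_CORROBORATED;
    /* Sparse coverage: with no neighbor to compare against, say so instead of guessing. */
    return n_audible == 0 ? ALERT_UNVERIFIABLE : ALERT_SUSPICIOUS;
}

/* Constructed sample data, not captured from any network. */
static const cell_warning_t RX = { 101, 4370, 0x3000, "Flood warning: move to higher ground" };
static const cell_warning_t NEIGHBORS_MATCH[] = {
    { 102, 4370, 0x3000, "Flood warning: move to higher ground" },
    { 102, 4370, 0x3000, "Flood warning: move to higher ground" },  /* repeat from one cell */
};
static const cell_warning_t NEIGHBOR_OTHER = { 103, 4370, 0x3001, "Flood warning lifted" };

int main(void)
{
    return (cross_cell_verify(&RX, NEIGHBORS_MATCH, 2, 2, 1) == ALERT_CORROBORATED &&
            cross_cell_verify(&RX, &NEIGHBOR_OTHER, 1, 1, 1) == ALERT_SUSPICIOUS) ? 0 : 1;
}
```

A repeated broadcast from one neighbor counts once, so raising `min_matches` to 2 turns the first sample case into a suspicious verdict.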

Load-bearing premise

That legitimate alerts will be broadcast identically from multiple neighboring cells at the same time, allowing a device to reliably spot a single fake source.

What would settle it

An experiment in which an attacker simultaneously spoofs the identical fake alert from two or more neighboring cells and checks whether the device-side comparison still marks it suspicious.

Figures

Figures reproduced from arXiv: 2604.24404 by Abdallah Abou Hasna, Ammar El Falou, Nada Chendeb.

Figure 1: Warning Message Overall Delivery Procedure.

Figure 2: Emergency Alert Spoofing via Cell Reselection.

Figure 3: Experimental testbed.
    B. Warning Delivery in Idle and Inactive States
    3GPP specifications explicitly state that warnings should be delivered to UEs even when they are not connected to the network [1], [8]. This means that UEs in the RRC_IDLE or RRC_INACTIVE states must be able to receive warning notifications. Therefore, an attacker does not need to establish a full network connection with the UE in order …

Figure 4: NMS interface for OAI gNB and SIB8 configuration.

Figure 5: Real vs. spoofed emergency alerts. The attacker can

Figure 6: Cross-cell verification workflow.
    the short period where the UE remains camped on the rogue cell. The repeated alert sounds and vibrations resulted in a highly disruptive user experience. Finally, we evaluated the handling of segmented warning messages transmitted in parallel. According to 3GPP specifications, when segments belonging to different warning messages (i.e., different message identifiers or se…

Original abstract

Public warning systems (PWS) in cellular networks enable authorities to broadcast emergency alerts to all mobile phones in a geographic region in the event of threats such as earthquakes or severe weather. If an attacker can imitate these alerts and transmit a forged warning containing fake news or phishing links, the impact could range from public panic to user compromise. In this work, we present the first open-source 5G emergency alert spoofing attack, implemented by modifying the openairinterface (OAI) radio access network (RAN) code and executed using a software-defined radio, complemented by a custom network management system to automate network and warning configuration. We conduct a detailed analysis of how different smartphones behave under various conditions. Our findings show that while devices readily display spoofed alerts, the alerting mechanism enables multiple practical attack scenarios beyond simple warning display. Finally, to address this threat, we propose and implement a lightweight cross-cell verification mechanism in OAI, in which the device compares the received warning with neighboring cell broadcasts to flag single-source alerts as suspicious.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper claims to present the first open-source 5G emergency alert spoofing attack implemented by modifying OpenAirInterface (OAI) RAN code and executed via software-defined radio, along with a custom network management system. It reports qualitative analysis of smartphone behavior under spoofed alerts and proposes/implements a lightweight cross-cell verification mechanism in OAI, where the device compares a received warning against neighboring cell broadcasts to flag single-source alerts as suspicious.

Significance. If the implementation is reproducible and the defense holds under realistic conditions, the work would be significant for demonstrating practical 5G PWS vulnerabilities and offering an open-source testbed plus device-side mitigation. The open-source attack implementation and OAI modifications are explicit strengths that support reproducibility and further research in cellular security.

major comments (2)
  1. Cross-cell verification mechanism: the proposal assumes legitimate alerts are identically broadcast by all neighboring cells and that an attacker cannot coordinate simultaneous spoofing across multiple cells. No analysis, evidence, or testbed results are provided to validate these assumptions in real 5G deployments where alert scheduling, cell configuration, or coverage boundaries may differ.
  2. Smartphone behavior analysis and findings: the abstract states that devices 'readily display spoofed alerts' and describes 'detailed analysis' under various conditions, but no quantitative results, error rates, tables, or specific metrics are referenced, undermining assessment of the attack's practical impact.
minor comments (1)
  1. Abstract: the description of the custom network management system for automating configuration lacks any implementation details or role in the experiments, which would improve clarity of the testbed setup.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the thorough and constructive review of our manuscript. The comments highlight important areas for clarification and strengthening, particularly regarding the assumptions in our proposed defense and the presentation of our experimental findings. We address each major comment below and describe the revisions we will incorporate.

  1. Referee: Cross-cell verification mechanism: the proposal assumes legitimate alerts are identically broadcast by all neighboring cells and that an attacker cannot coordinate simultaneous spoofing across multiple cells. No analysis, evidence, or testbed results are provided to validate these assumptions in real 5G deployments where alert scheduling, cell configuration, or coverage boundaries may differ.

    Authors: We appreciate this observation on the foundational assumptions of the cross-cell verification approach. The mechanism was implemented and evaluated in our OAI-based testbed under controlled conditions where uniform broadcast holds, and we observed effective detection of single-source spoofed alerts. We agree that real-world 5G deployments may exhibit variations in alert scheduling, cell configurations, and coverage boundaries. In the revised manuscript, we will add a dedicated subsection discussing these assumptions in detail, including potential limitations, scenarios where neighboring cells might legitimately differ, and the practical difficulties an attacker would face in coordinating multi-cell spoofing (such as requiring synchronized access to multiple base stations and knowledge of network topology). We will also include additional testbed results demonstrating the mechanism's operation. Comprehensive empirical validation across live commercial 5G networks remains outside the scope of this work, as it would require operator cooperation and infrastructure access not available in a research testbed setting. revision: partial

  2. Referee: Smartphone behavior analysis and findings: the abstract states that devices 'readily display spoofed alerts' and describes 'detailed analysis' under various conditions, but no quantitative results, error rates, tables, or specific metrics are referenced, undermining assessment of the attack's practical impact.

    Authors: The analysis in Section 4 is primarily qualitative, documenting observed smartphone responses across multiple device models, firmware versions, and attack parameters (e.g., alert content, timing, and network conditions), as the core outcome—whether an alert is displayed—is binary and device-specific rather than amenable to traditional error-rate metrics. To improve clarity and allow better assessment of practical impact, we will revise the manuscript to include a summary table listing the tested devices, conditions, and observed behaviors. This will provide a more structured presentation of the findings while preserving the qualitative insights into additional attack vectors beyond simple display. revision: yes

Circularity Check

0 steps flagged

No significant circularity; experimental implementation with no derivations or self-referential claims


The paper presents an experimental testbed for 5G PWS spoofing via OAI modifications and proposes a cross-cell verification defense. No mathematical derivations, equations, fitted parameters, or predictions exist that could reduce to inputs by construction. The work relies on standard 5G RAN protocols and open-source code changes rather than any self-citation chains, uniqueness theorems, or ansatzes. The central claims are implementation results and a protocol-level proposal, which remain independent of the paper's own outputs.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The work is an implementation study rather than a theoretical derivation and therefore rests on standard assumptions about 5G broadcast protocols and device alert handling.

axioms (1)
  • domain assumption Current 5G public warning system broadcasts lack source authentication, allowing spoofing from any transmitter in range.
    This is the foundational premise enabling the spoofing attack described in the abstract.

pith-pipeline@v0.9.0 · 5489 in / 1255 out tokens · 61490 ms · 2026-05-08T02:47:38.473095+00:00 · methodology

Reference graph

Works this paper leans on

15 extracted references · 15 canonical work pages

  [1] 3GPP, “Digital cellular telecommunications system (phase 2+) (GSM); universal mobile telecommunications system (UMTS); LTE; 5G; public warning system (PWS) requirements,” 3rd Generation Partnership Project (3GPP), Tech. Rep. TS 22.268, 2025, release 18

  [2] E. Bitsikas and C. Pöpper, “You have been warned: Abusing 5G’s warning and emergency systems,” in Proc. of the Annual Computer Security Applications Conference (ACSAC), Dec. 2022, p. 561–575

  [3] G. Lee, J. Lee, J. Lee, Y. Im, M. Hollingsworth, E. Wustrow, D. Grunwald, and S. Ha, “This is your president speaking: Spoofing alerts in 4G LTE networks,” in Proc. of the Annual International Conference on Mobile Systems, Applications, and Services (MobiSys), 2019, p. 404–416

  [4] OpenAirInterface, “Openairinterface: Open-source software for 5G and LTE networks,” accessed: January 2026. [Online]. Available: https://openairinterface.org/

  [5] 3GPP, “Digital cellular telecommunications system (phase 2+) (GSM); universal mobile telecommunications system (UMTS); LTE; 5G; technical realization of cell broadcast service (CBS),” 3rd Generation Partnership Project (3GPP), Tech. Rep. TS 23.041, 2025, release 18

  [6] ——, “5G; NR; radio resource control (RRC); protocol specification,” 3rd Generation Partnership Project (3GPP), Tech. Rep. TS 38.331, 2025, release 19

  [7] ——, “Emergency communications (EMTEL); european public warning system (EU-ALERT) using the cell broadcast service,” 3rd Generation Partnership Project (3GPP), Tech. Rep. TS 02.900, 2023

  [8] ——, “5G; NR; user equipment (UE) procedures in idle mode and in RRC inactive state,” 3rd Generation Partnership Project (3GPP), Tech. Rep. TS 38.304, 2025, release 19

  [9] ——, “Digital cellular telecommunications system (phase 2+) (GSM); universal mobile telecommunications system (UMTS); LTE; 5G; non-access-stratum (NAS) functions related to mobile station (MS) in idle mode,” 3rd Generation Partnership Project (3GPP), Tech. Rep. TS 23.122, 2025, release 18

  [10] S. Park, Why we cannot win: on fake base stations and their detection methods. Technische Universitaet Berlin (Germany), 2023

  [11] Ettus Research, “USRP B210 software defined radio.” [Online]. Available: https://www.ettus.com/all-products/ub210-kit/

  [12] Sysmocom, “Programmable SIM cards,” accessed: January 2026. [Online]. Available: https://www.sysmocom.de/products/sim/

  [13] A. El Falou, “When the base station flies: Rethinking security for UAV-based 6G networks,” in Int. Conf. on 6G Netw. (6GNet), 2025, pp. 87–91

  [14] 3GPP, “Digital cellular telecommunications system (phase 2+) (GSM); universal mobile telecommunications system (UMTS); LTE; 5G; alphabets and language-specific information,” 3rd Generation Partnership Project (3GPP), Tech. Rep. TS 23.038, 2025, release 19

  [15] A. Abouhasna, “OAI 5G SIB8 alert transmission,” 2025. [Online]. Available: https://github.com/5gattacks/5g-sib8-alert