Characterizing the Security Implications of Third-Party Emergency Alert Systems over Cellular Text Messaging Services

Cellular text messaging services are increasingly being relied upon to disseminate critical information during emergencies. Accordingly, a wide range of organizations including colleges, universities and large metropolises now partner with third-party providers that promise to improve physical security by rapidly delivering such messages. Unfortunately, these products do not work as advertised due to limitations of cellular infrastructure and therefore provide a false sense of security to their users. In this paper, we perform the first extensive investigation and characterization of the limitations of an Emergency Alert System (EAS) using text messages as a security incident response and recovery mechanism. Through the use of modeling and simulation based on configuration information from major US carriers, we show emergency alert systems built on text messaging not only can not meet the 10 minute delivery requirement mandated by the WARN Act, but also potentially cause other legitimate voice and SMS traffic to be blocked at rates upwards of 80%. We then show that our results are representative of reality by comparing them to a number of documented but not previously understood failures. Finally, we discuss the causes of the mismatch of expectations and operational ability and suggest a number of techniques to improve the reliability of these systems. We demonstrate that this piece of deployed security infrastructure simply does not achieve its stated requirements.