Different systems are used in the world to deliver emergency notifications to people. This allows individuals to receive a (possibly life-saving) warning message, sent by the network in a point-to-multipoint way. For example, the ETWS (Earthquake and Tsunami Warning System) system is used in Japan currently for Universal Mobile Telecommunications System (UMTS) (corresponding of the 3GPP Work Item ETWS). This system relies on the older Cell Broadcast legacy technology (CBS, see TS 23.041). ETWS was introduced in the 3GPP Rel-8. In the Rel-9, the Commercial Mobile Alert System (CMAS) was introduced. The 3GPP work Items of CMAS and ETW put together make the Public Warning System (PWS) Work Item. This is also defined in 3GPP LTE.
Generally speaking, unfortunate possibilities exist on any emergency notification system in the world such as a false network sending a false (non-genuine) warning notification to the user(s). The false network could be created by, for example, a prankster to create a panic by sending false warning messages. Those warning messages could be anything such as “There is a fire in the theater, leave now!” Such messages could create a mass panic that would be harmful to people if they try to escape in a hurry from a crowded place, as an example. Some network authentication security schemes could exist to allow the device to spot false messages and, for example, not display it. Though, these security schemes could be “cracked” by non-genuine sources, the network may not have implemented them (e.g. in a deployment scenario), or the network not have activated this security.
For ETWS, the stage 1 in the Rel-8 is defined in TS 22.168. For PWS, the stage 1 starting at the Rel-9 is defined in TS 22.268. The stage 2 that defines the UE behavior is defined in 23.041 for UMTS (as built on CBS) and in the general stage 2 TS 23.401 for LTE. When ETWS started to be specified in the Rel-8, the intention was that this may contain some security features to guards against potential false network.
However, since authenticating the network for a point-to-multipoint scheme is fundamentally different than authenticating a network for a point-to-point scheme (as it already exists in 3GPP), this scheme was not fully completed in the standards. A “digital signature” and “timestamp” was introduced in the standards, and it is possible for the network to provide them to the device via signaling; however, which digital signature algorithm to use, such as how manage the security keys, was not defined in the standards. This omission is acknowledged by 3GPP (see S3-110148), and the Working Group SA3 has started a Rel-11 new Work Item for this (see S3-110204), which goal is to define and introduce a (possibly completely different) security for network authentication for PWS.
Therefore, it is possible that the current security in place in the Rel-8 standards may not be used, and that basically no scenario of “digital signature” or “timestamp” should lead to the prevention of a warning message to be displayed, in the device behavior (see the reply LS from SA3 to CT1, SA1, SA2 in S3-110852, reply to the CT1 LS C1-112199). This is because otherwise, if for some reasons, due to the incomplete security, the device identifies that security failed or is incomplete, then there is a risk that a genuine life-saving message would not be displayed to the user due to the security incorrectly preventing its presentation. Therefore, since safety comes before security, 3GPP is taking the direction to have the warning message always displayed with regards to the digital signature/timestamp security. In practice, this means that text related to digital signature and timestamp (that in some cases was preventing the message to be displayed) may be removed in the Rel8/rel-9/Rel-10 in TS 23.041 (UMTS) and TS 23.401 (LTE). In another scenario, regardless of any removal or change in the specifications, a network may simply decide not to use this security. Therefore, this raises an issue. 3GPP acknowledges that the work to re-introduce security for PWS would not be done before the Rel-11 (the related SA3 Work Item is of the Rel-11), so Rel-8/Rel-9/Rel-10 may possibly not preclude a false network and false warning message attacks.
Generally speaking, it cannot be precluded that, on any warning notification system in the world (and for any release), the security system is “cracked” by non-genuine sources, or the (genuine) network does not implement the network authentication security part, or decides to not activate this security, with the risk for the user(s) to receive a false warning notification.
As for the ability to disable the PWS, from the Rel-8 onwards, the possibility exists in stage 1 for the user to disable the PWS Warning message reception/display. This is basically an on/off switch that is operated by the user. The stage 1 TS 22.168 (Rel-8) and TS 22.268 (Rel-9, Rel-10) specifies that the default setting for this “switch” should be enabled. An extract from TS 22.268 states, “It shall be possible for users to disable (e.g., opt-out) presentation of some or all of the Warning Notifications, subject to regulatory requirements and/or operator policy. The user shall be able to select PWS-UE enabling/disabling options via the User Interface to disable, or later enable, the PWS-UE behavior in response to some or all Warning Notifications.” This provision was included so that the life-warning message would always be received by default by the user. A user needing to search in the user manual on how to activate the PWS is undesirable, or even worse, a setting of “disabled” may lead to no possibility of receiving a life-saving message. The user would not be aware of the disabled feature. Though, in order to address that the Rel-8/Rel-9/Rel-10 warning notifications could be used maliciously, SA3 proposed (in the reply LS S3-110852) that the following: (1) the default setting is changed to “disabled” (at the device factory); and (2) the granularity of this setting is changed to a public land mobile network (PLMN) basis as oppose to an overall setting. In these cases, at the factory, the device is preset to include a list of all the networks (PLMNs) that effectively use PWS. For example, if PWS/ETWS is used in Japan and not in the UK or France, the setting would be “on” for NTT DoCoMo Japan and by default “off” for Vodafone UK and “SFR France”. No fake messages could be displayed on the Vodafone UK network or SFR France network. Though, the manufacturer cannot know the entire list of PLMNs in the world that use PWS (considering also the scenarios when this list changes over time), and the list of “on/off setting” and the corresponding PLMN Identity will be limited.
A mobile communication device, such as a cellular mobile station, may be capable of making and receiving telephone calls and/or sending and receiving data over a wireless communication network. Before it is able to do this, the mobile station selects and attempts to register with one of a plurality of communication networks which are available within its geographic coverage area. After selecting a PLMN, the mobile station operates in an idle mode where it camps on a particular wireless communication channel. If there is successful PLMN registration, the mobile station monitors for calls or messages. If PLMN registration is not successful, the mobile station may still monitor for emergency calls or warning notifications. In general, PLMN selection includes the mobile station selecting a communication network through which to register and operate.
Cellular telephony operation and PLMN selection schemes are documented in standards specifications that govern the behavior of cellular mobile stations and associated systems. One well-known cellular standard is the Global System for Mobile Communications (GSM) standard. GSM 03.22/European Technical Standards Institute (ETSI) TX 100 930, Technical Specification (TS) 23.122 from the 3.sup.rd Generation Partnership Project (3GPP), and other related standards specifications describe the many details of cellular operation and network selection. These documents describe how a mobile station behaves as it moves and roams between various regions and countries to maintain coverage with networks (referred to as Public Land Mobile Networks or PLMNs), primarily for the purpose of providing continuous telephone service.