1. IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 6, JUNE 2012 983
Characterizing the Security Implications
of Third-Party Emergency Alert Systems
over Cellular Text Messaging Services
Patrick Traynor
Abstract—Cellular text messaging services are increasingly being relied upon to disseminate critical information during emergencies.
Accordingly, a wide range of organizations including colleges and universities now partner with third-party providers that promise to
improve physical security by rapidly delivering such messages. Unfortunately, these products do not work as advertised due to
limitations of cellular infrastructure and therefore provide a false sense of security to their users. In this paper, we perform the first
extensive investigation and characterization of the limitations of an Emergency Alert System (EAS) using text messages as a security
incident response mechanism. We show emergency alert systems built on text messaging not only cannot meet the 10 minute delivery
requirement mandated by the WARN Act, but also potentially cause other voice and SMS traffic to be blocked at rates upward of
80 percent. We then show that our results are representative of reality by comparing them to a number of documented but not
previously understood failures. Finally, we analyze a targeted messaging mechanism as a means of efficiently using currently
deployed infrastructure and third-party EAS. In so doing, we demonstrate that this increasingly deployed security infrastructure does
not achieve its stated requirements for large populations.
Index Terms—SMS, campus alert, denial of service, security.
1 INTRODUCTION
Text messaging allows individuals to transmit short, alphanumeric communications for a wide variety of applications. Whether to coordinate meetings, catch up on gossip, offer reminders of an event or even vote for a contestant on a television game show, this discreet form of communication is now the dominant service offered by cellular networks. In fact, in the United States alone, over five billion text messages are delivered each month [31]. While many of the applications of this service can be considered noncritical, the use of text messaging during emergency events has proven to be far more utilitarian.
With millions of people attempting to contact friends and family on September 11th 2001, telecommunications providers witnessed tremendous spikes in cellular voice service usage. Verizon Wireless, for example, reported voice traffic rate increases of up to 100 percent above typical levels; Cingular Wireless recorded an increase of up to 1,000 percent on calls destined for the Washington D.C. area [34]. While these networks are engineered to handle elevated amounts of traffic, the sheer number of calls was far greater than capacity for voice communications in the affected areas. However, with voice-based phone services being almost entirely unavailable, SMS messages were still successfully received in even the most congested regions because the control channels responsible for their delivery remained available. Similar are the stories from the Gulf Coast during Hurricanes Katrina and Rita. With a large number of cellular towers damaged or disabled by the storms, text messaging allowed the lines of communication to remain open for many individuals in need, in spite of their inability to complete voice calls in areas where the equipment was not damaged and power was available.
Accordingly, SMS messaging is now viewed by many as a reliable method of communication when all other means appear unavailable. In response to this perception, a number of companies offer SMS-based emergency messaging services. Touted as able to deliver critical information, colleges, universities, and even municipalities hoping to coordinate and protect the physical security of the general public have spent tens of millions of dollars to install such systems. Unfortunately, these products will not work as advertised and provide a false sense of security to their users.
In this paper, we explore the limitations of third-party Emergency Alert Systems (EAS). In particular, we show that because of the currently deployed cellular infrastructure, such systems will not be able to deliver a high volume of emergency messages in a short period of time. This identifies a key failure in a critical security incident response and recovery mechanism (the equivalent of finding weaknesses in techniques such as VM snapshots for rootkits and dynamic packet filtering rules for DDoS attacks) and demonstrates its inability to properly function during the security events for which it was ostensibly designed. The fundamental misunderstanding of the requirements necessary to successfully deploy this piece of security infrastructure is likely to contribute to real-world, human-scale consequences.
The author is with the Converging Infrastructure Security (CISEC) Laboratory, Georgia Tech Information Security Center (GTISC), Georgia Institute of Technology, Klaus Advanced Computing Building, Room 3138, 266 Ferst Drive, Atlanta, Georgia 30332-0765. E-mail: traynor@cc.gatech.edu.
Manuscript received 15 Oct. 2010; revised 18 Feb. 2011; accepted 15 Apr. 2011; published online 26 May 2011.
For information on obtaining reprints of this article, please send e-mail to: tmc@computer.org, and reference IEEECS Log Number TMC-2010-10-0477.
Digital Object Identifier no. 10.1109/TMC.2011.120.
1536-1233/12/$31.00 © 2012 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS
In so doing, we make the following contributions:
• Emergency event characterization. Through modeling and simulation based on real provider deployments, we provide the first public characterization of the impact of an emergency event on a cellular network. This contribution is novel in that it explores a range of realistic emergency scenarios and provides a better understanding of their failure modes.
• Measure EAS over SMS for multiple emergency scenarios. We provide data to debunk the common assertion made by many third-party vendors that large quantities of text messages can be delivered within a short period of time (i.e., seconds to minutes). We evaluate a number of different, realistic emergency scenarios and explain why a number of college campuses have reported “successful” tests of their systems. Finally, we provide a real-world example that very closely mirrors the results of our simulations.
• Quantify collateral damage. We characterize the presence of the additional traffic generated by third-party EAS over SMS and show that such traffic causes increased blocking of normal calls and text messages, potentially preventing those in need of help from receiving it. We also discuss a number of ways in which these networks can cause unexpected failures (e.g., message delay, message reordering, alert spoofing).
The paper is organized as follows: Section 2 provides a technical overview of SMS delivery and a general third-party EAS provider architecture. Section 3 models capacity of such networks; Section 4 provides the results of simulations for a range of different emergency scenarios; Section 5 discusses how currently deployed systems can best be used during an emergency event; Section 6 provides a discussion of why such a mismatch has occurred; Section 7 explores related work; Section 8 provides concluding thoughts.
2 NETWORK ARCHITECTURE
Before we attempt to characterize the cellular infrastructure during an emergency, it is necessary to understand how such networks deliver text messages. In this section, we provide a technical overview of message delivery and a high-level description of how third-party vendors try to use these systems to deliver alert messages. We specifically examine GSM networks [3] in these discussions as they represent the most widely deployed cellular technology in the world; however, it should be noted that message delivery for other technologies such as CDMA, IDEN, and TDMA is very similar and is therefore subject to similar problems.
2.1 Cellular Network Architecture
2.1.1 Sending a Message
There are a number of ways in which text messages can be injected into a GSM or CDMA network. While most users are only familiar with sending a text message from their phone, known as Mobile Originated SMS (MO-SMS), service providers offer an expanding set of interfaces through which messages can be sent. From the Internet, for instance, it is possible to send text messages to mobile devices through a number of webpages, e-mail, and even instant messaging software. Third parties can also access the network using so-called SMS Aggregators. These servers, which can be connected directly to the phone network or communicate via the Internet, are typically used to send “bulk” or large quantities of text messages. Aggregators typically inject messages on behalf of other companies and charge their clients for the service. Finally, most providers have established relationships between each other to allow for messages sent from one network to be delivered in the other. Fig. 1 shows these three high-level strategies.
Fig. 1. Text messages arrive in a provider’s network from a wide variety of sources and are processed by the SMSC before being delivered to mobile devices.
After entering a provider’s network, messages are sent to the Short Messaging Service Center (SMSC). SMSCs perform operations similar to e-mail handling servers in the Internet, and store and forward messages to their appropriate destinations. Because messages can be injected into the network from so many external sources, SMSCs typically perform aggressive spam filtering on all incoming messages. All messages passing this filtering are then converted and copied into the necessary SMS message format and encoding and then placed into a queue to be forwarded to their final destination.
2.1.2 Finding a Device
Delivering messages in a cellular network is a much greater challenge than in the traditional Internet. Chief in this difficulty is that users in a cellular network tend to be mobile, so it is not possible to assume that users will be located where we last found them. Moreover, the information about a user’s specific location is typically limited. For instance, if a mobile device is not currently exchanging messages with a base station, the network may only know a client’s location at a very coarse level (i.e., the mobile device may be known to be in a specific city, but no finer grained location information would be known). Accordingly, the SMSC needs to first find the general location for a message’s intended client before anything else can be done.
A server known as the Home Location Register (HLR) assists in this task. This database acts as the permanent repository for a user’s account information (i.e., subscribed services, call forwarding information, etc.). When a request to locate a user is received, the HLR determines whether or not that device is currently turned on. If a mobile device is currently powered off, the HLR instructs the SMSC to store the text message and attempt to deliver it at another time. Otherwise, the HLR tells the SMSC the address of the Mobile Switching Center (MSC) currently serving the desired device.
Having received this location information, the SMSC then forwards the text message on to the appropriate MSC.
2.1.3 Wireless Delivery
As mentioned earlier, even the MSC may not know more information about a targeted device’s location. In order to determine whether or not the current base station serving this device is known, the MSC queries the Visitor Location Register (VLR), which temporarily stores information about clients while they are being served by the MSC. In most cases, this information is not known, and so the MSC must begin the extensive and expensive process of locating the mobile device. The MSC completes this task by generating and forwarding paging requests to all of its associated base stations, which may number in the hundreds. This process is identical to locating a mobile device for delivery of a voice call.
Upon receiving a paging request from the MSC, a base station attempts to determine whether or not the targeted device is nearby. To achieve this, the base station attempts to use a series of Control Channels to establish a connection with the user. First, the base station broadcasts a paging request over the Paging Channel (PCH) and then waits for a response. If the device is nearby and hears this request, it responds to the base station via the Random Access Channel (RACH) to alert the network of its readiness to receive information. When this response is received, the network uses the Access Grant Channel (AGCH) to tell the device to listen to a specific Standalone Dedicated Control Channel (SDCCH) for further exchanges. Using this SDCCH, the network is able to authenticate the client, perform a number of maintenance routines and deliver the text message. By limiting the operations necessary to deliver a text message to the control channels used for call setup, such messages can be delivered when all call circuits, known as Traffic Channels (TCHs), are busy.
When the attempt to deliver the message between the targeted device and the base station is complete, the device either confirms the success or failure of delivery. This status information is carried back through the network to the SMSC. If the message was successfully delivered, the SMSC deletes it. Otherwise, the SMSC stores the message until a later period, at which time the network reattempts delivery. Fig. 2 offers an overview of this entire process.
Fig. 2. Before a message can be delivered, a mobile device must be located. To do so, the MSC requests that towers within a given area all transmit paging requests. If and when a device is found, the MSC forwards the message to the appropriate tower, which attempts to deliver it wirelessly. The status of the delivery attempt is then returned to the SMSC. If delivery failed, the SMSC will attempt delivery at a later time. (Not shown: Base stations are controlled in groups by a Base Station Controller.)
2.2 Third-Party Provider Solutions
In the past few years, a significant number of third parties offering to deliver alert messages (and other information services) via text messaging have appeared. Citing the need for improved delivery targeted to a highly mobile population, many such services advertise text messaging as an instant, targeted disseminator capable of delivering critical information to tens of thousands of mobile phones when it is most needed. These systems have been extensively deployed on college and university campuses throughout the United States.
The architecture of these systems is relatively simple. Whether activated through a web interface [13], [16], [42], [53], [54], directly from a phone [24], or as software running on a campus administrator’s computer [41], [35], these services act as SMS aggregators and inject large numbers of text messages into the network. Colleges and universities subscribing to these services then collect mobile phone numbers from students, faculty, and staff. In the event of an alert, all or a subset of the collected numbers can be targeted. While network providers may offer some limited information back to the third party, aggregators are largely unaware of conditions in the network or the geographic location of any specific individual.
3 MODELING EMERGENCY EVENTS IN REAL ENVIRONMENTS
To determine whether there exists a mismatch between the current cellular text messaging infrastructure and third-party EAS, it is necessary to observe such systems during an emergency. However, because large-scale physical security incidents are rare, we apply a number of modeling techniques to help characterize such events.
3.1 Location Selection and Characterization
The events that unfolded at the Virginia Polytechnic Institute and State University (“Virginia Tech”) on 16 April 2007 have
become one of the primary motivations behind the calls to use SMS as the basis of an emergency system. Many argue that had such a system been in place during what became the deadliest campus shooting in US history, countless lives could have been saved. However, a thorough examination of such claims has not been conducted. In particular, it is not clear whether or not the messages transmitted by such a system would have reached all students before the Norris Hall shootings. Accordingly, we have selected Virginia Tech as our location to characterize.
Located in southwestern Virginia, this land grant university is home to over 32,000 students, faculty, and staff [56]. For the purposes of this work, we assume that just under half (15,000) of these individuals subscribe to a GSM network. As is shown by the red triangles in Fig. 3, the major GSM provider in this area provides service to the campus of Virginia Tech from four base stations.¹ Given that each base station has three sectors (each covering a 120 degree range), we assume that the campus itself is covered by 8 of the 12 total sectors in the area. While we believe this campus to be representative, specific results from other universities can be determined using information specific to those locations.
Fig. 3. The placement of base stations (red triangles) for a major GSM provider near Virginia Tech. Given that each base station has three sectors, the campus itself receives service from approximately eight total sectors.
3.2 Mathematical Characterization of Emergencies
The first step in characterizing a cellular network during an emergency is determining delivery time. In particular, we are interested in understanding the minimum time required to deliver emergency messages. If this time is less than the goal of 10 minutes set forth by the current public EAS policies and the WARN Act [47], then such a system may indeed be possible. However, if this goal cannot be met, current networks cannot be considered as good candidates for EAS message delivery.
Given that most sectors have a total of eight SDCCHs, that it takes approximately 4 seconds to deliver a text message in a GSM network [15], [34] and the information above, the GSM network serving the campus of Virginia Tech would require the following amount of time to deliver a single message to 15,000 recipients:
$$T = \frac{15{,}000\ \text{msgs}}{1\ \text{campus}} \times \frac{1\ \text{campus}}{8\ \text{sectors}} \times \frac{1\ \text{sector}}{8\ \text{SDCCHs}} \times \frac{1\ \text{SDCCH}}{0.25\ \text{msg/sec}} \approx 938\ \text{sec} \approx 15.6\ \text{mins}.$$
Because the contents of emergency messages are likely to exceed the 160 character limit of a single text message, providers and emergency management officials have estimated the number of messages is likely to increase by at least four times:
$$T = \frac{15{,}000\ \text{msgs}}{1\ \text{campus}} \times 4\ \text{msgs} \times \frac{1\ \text{campus}}{8\ \text{sectors}} \times \frac{1\ \text{sector}}{8\ \text{SDCCHs}} \times \frac{1\ \text{SDCCH}}{0.25\ \text{msgs/sec}} \approx 3752\ \text{secs} \approx 62.5\ \text{mins}.$$
Fig. 4. Calculated blocking probabilities versus delivery windows for emergency notification traffic.
The above calculations represent an optimistic minimum time for the delivery of all messages. For instance, it is highly unlikely that all eight SDCCHs will be available for delivering text messages as these channels are also used to establish voice calls and assist with device mobility. Moreover, contention between emergency messages for SDCCHs will also be a significant factor given that the SMSC is unaware of traffic conditions in individual sectors. Finally, depending on conditions within the network, each message is likely to experience different delays. To better characterize these factors, we apply a simple Erlang-B queuing analysis of the system. In a system with n servers and an offered load of $A = {}^{-1}$, where is the intensity of incoming messages and signaling traffic and is the rate at which a single server can service incoming requests, the probability that an incoming emergency message is blocked (i.e., dropped) is
$$P_B = \frac{A^n / n!}{\sum_{l=0}^{n-1} A^l / l!}. \tag{1}$$
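The delivery-time estimates and Eq. (1) above, worked in Python as an added example that is not part of the original paper. It assumes Poisson alert arrivals spread evenly over the delivery window and over all eight sectors, SDCCHs that carry no other traffic, and an offered load of arrival rate times the 4 second service time; it uses the standard Erlang-B form, in which the denominator sum runs through l = n, and all function names are illustrative.

```python
"""Capacity check for SMS-based alerting with the paper's Virginia Tech figures.

Assumptions added for this example (not from the paper): alert messages arrive
as a Poisson stream spread evenly over the delivery window and over all
sectors, the SDCCHs carry no other traffic, and the offered load per sector is
A = arrival rate x service time.
"""

# Figures stated in the text.
RECIPIENTS = 15_000       # GSM subscribers on campus
SECTORS = 8               # sectors covering the campus
SDCCH_PER_SECTOR = 8      # control channels per sector
SERVICE_TIME_S = 4.0      # seconds to deliver one text message (0.25 msg/sec)
WARN_ACT_WINDOW_S = 600   # 10 minute delivery goal


def min_delivery_time_s(msgs_per_recipient=1, recipients=RECIPIENTS):
    """Best case: every SDCCH in every sector delivers alerts back to back."""
    total_msgs = recipients * msgs_per_recipient
    msgs_per_second = SECTORS * SDCCH_PER_SECTOR / SERVICE_TIME_S
    return total_msgs / msgs_per_second


def erlang_b(servers, offered_load):
    """Erlang-B blocking probability for `servers` channels at `offered_load` Erlangs.

    Uses the stable recursion B(0) = 1, B(k) = A*B(k-1) / (k + A*B(k-1)),
    which equals (A^n/n!) / sum_{l=0..n} A^l/l! without computing factorials.
    """
    if servers < 0 or offered_load < 0:
        raise ValueError("servers and offered_load must be non-negative")
    blocking = 1.0
    for k in range(1, servers + 1):
        blocking = offered_load * blocking / (k + offered_load * blocking)
    return blocking


def blocking_for_window(window_s, msgs_per_recipient=1, recipients=RECIPIENTS):
    """Blocking seen by alert messages when all are offered within `window_s`."""
    if window_s <= 0:
        raise ValueError("window_s must be positive")
    arrivals_per_sector = recipients * msgs_per_recipient / window_s / SECTORS
    offered_load = arrivals_per_sector * SERVICE_TIME_S   # Erlangs per sector
    return erlang_b(SDCCH_PER_SECTOR, offered_load)


def min_window_for_blocking(target, msgs_per_recipient=1, max_window_s=7 * 24 * 3600):
    """Shortest whole-second window whose blocking is at or below `target`.

    Blocking falls as the window grows, so a binary search is sufficient.
    """
    if blocking_for_window(max_window_s, msgs_per_recipient) > target:
        raise ValueError("target not reachable within max_window_s")
    low, high = 1, max_window_s
    while low < high:
        mid = (low + high) // 2
        if blocking_for_window(mid, msgs_per_recipient) <= target:
            high = mid
        else:
            low = mid + 1
    return low


if __name__ == "__main__":
    for msgs in (1, 4):
        t = min_delivery_time_s(msgs)
        print(f"{msgs} msg/recipient: best-case delivery {t:.0f} s ({t / 60:.1f} min)")
        for window in (WARN_ACT_WINDOW_S, 1800, 3600, 4 * 3600):
            b = blocking_for_window(window, msgs)
            print(f"  window {window:>6} s -> blocking {b:.1%}")
        w = min_window_for_blocking(0.01, msgs)
        print(f"  window for <=1% blocking: {w} s ({w / 3600:.2f} h)")
```

Under these assumptions, four messages per recipient offered within the 10 minute window give roughly 84 percent blocking on the control channels before any voice or ordinary SMS traffic is counted.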
Fig. 4 compares an imposed deadline for delivering all SMS-based emergency messages against the expected blocking. We note that while Poisson arrival is not appropriate for modeling traffic on the Internet, it is regularly used in telecommunications. Like the delivery equations, this calculation shows that such large volumes of messages cannot be delivered in a short period of time, even without the presence of traffic from normal operations.
1. This is the actual configuration of the major GSM carrier in this area, as confirmed through conversations with this provider.
4 SIMULATING EMERGENCY EVENTS
EAS over SMS traffic may still improve the physical security of its intended recipients even though it cannot be delivered to the entire population within a 10 minute time period. If such information can be sent without interfering with other traffic, it could be argued that it would remain beneficial to at least some portion of the receiving population.
To better understand the impact of this security incident response and recovery mechanism on other traffic, we further characterize a number of emergency scenarios. While the calculations provided in the previous section and a post-9/11 government study on national text messaging capacity [34] are a good start, neither of these approximations help us understand the complex dynamics of the range of emergency scenarios. We therefore use a GSM simulator developed in our previous work [49], [50], [52] and extend it for our needs. This tool focuses on the wireless portion of the network and allows the interaction between various resources to be characterized. This simulator was designed according to 3GPP standards documents, input from commercial providers and given optimal settings where applicable [28] so that our results are as conservative as possible.² Table 1 provides a summary of additional parameters representing busy hour load conditions (i.e., rush hour) and channel holding/service times.
TABLE 1
Simulation Parameters
All experiments represent the average of 500 runs, the inputs for which were generated according to an exponential interarrival time using the Mersenne Twister Pseudorandom Number Generator [22]. Confidence intervals of 95 percent for all runs were less than two orders of magnitude from the mean, and are therefore too small to be shown. Given this system, we are able to explore the details of an emergency without having to wait for such an event to occur or requesting log data from cellular providers. In the following sections, we offer views of normal operations, surges of messages and a full emergency situation with EAS over SMS deployed.
2. We note that some providers configure their network such that incoming text messages use four of the eight SDCCHs to decrease delivery time. However, this configuration results in higher blocking during busy periods, so we do not consider it further.
4.1 Normal Traffic
Our first set of experiments represents normal network behavior. Fig. 5 illustrates the blocking rates for Traffic Channels (TCHs) under four different busy hour voice traffic loads. Most relevant to the current discussion is the low call blocking when fewer than 15,000 calls are made per hour. Note that given the limited wireless resources available, such throughput is significant and highlights the robustness of this deployment. Cellular networks generally limit blocking to below 1 percent, making any sustained event above this threshold significant. Fig. 6 further supports the blocking data by illustrating very low SDCCH utilization rates for all of the offered loads. This graph also reinforces the case for using SDCCHs for SMS delivery. Even in the 25,000 calls per hour case, during which nearly more than 55 percent of incoming calls cannot be completed, SDCCHs are utilized at approximately 18 percent.
Fig. 5. The probability that calls experience TCH blocking. Note that only under very busy conditions does blocking become likely.
Fig. 6. The average utilization of control channels (SDCCHs) for a variety of traffic intensities.
4.2 Emergency Scenarios
Users having received notification of an emergency are unlikely to maintain normal usage patterns. In particular, users are likely to attempt to contact their friends and/or family soon after learning about such conditions. Whether by text message or phone call, however, such instinctual communication leads to significant congestion in cellular networks. This phenomenon led to a spike in the number of attempted calls to Washington D.C. by over 1,000 percent on September 11th [34]. Accordingly, increases of varying intensities and characteristics representing reactionary usage
must be considered when designing text messaging-based EAS. We explore two such scenarios, which assume that the third-party EAS over SMS provider has configured their system to deliver all messages within the WARN Act’s 10 minute requirement [47], that SMSCs retransmit previously undeliverable messages once every 15 minutes and assume that four messages per user are transmitted by the EAS over SMS system when an emergency occurs.
4.2.1 Small-Scale Response Emergencies
Some emergencies are likely to elicit smaller spikes in usage than others. While scenarios such as wildfire evacuations [9] or tornado warnings for specific college campuses would certainly cause an increase in the amount of traffic sent over the network, they are unlikely to stimulate the generation of the volumes of traffic observed during a terrorist attack. To model this scenario, we simulate the gradual doubling (+100%) and tripling (+200%) of voice and SMS traffic to the Virginia Tech campus over the course of an hour. We then repeat these experiments in the presence of EAS over SMS messages. These experiments extend our previous modeling efforts [48].
Fig. 7 shows the probability of calls and text messages being blocked on SDCCHs and TCHs in an emergency without EAS over SMS. As expected, as voice and SMS traffic approaches double or triple their normal volumes, notable blocking begins to occur on both SDCCHs and TCHs. Of particular interest, however, is the increased probability of TCH blocking in the doubling case over the scenario in which traffic triples. The reason for this apparent inversion is explained by the increased SDCCH blocking over the same time period. Because fewer voice calls ever reach the point in call setup where a TCH is assigned, there is simply less competition for these resources. Fig. 8, which provides channel utilization for these experiments, confirms this conclusion. In particular, in the presence of increasing SMS and voice traffic, utilization of TCHs for the tripling case remains largely steady and actually decreases toward the end of the hour.
Fig. 7. The impact on blocking probability of increasing volumes of traffic without EAS over SMS. Note that more voice traffic is delivered in the TCH +100% (doubling) case due to elevated blocking in the +200% (tripling) case.
Fig. 8. Channel utilization during an emergency without EAS over SMS. Note that voice and SMS traffic have largely saturated the available channels.
As shown in Fig. 9a, the addition of EAS over SMS traffic almost immediately causes more than 80 percent of all incoming voice and SMS to be blocked. Corresponding to these spikes, Fig. 9b shows SDCCH utilization holding at nearly full capacity during the transmission of these emergency messages. However, Fig. 9c shows a significant impact on the number of calls completed in the system. Nearly the inverse of Fig. 9a, this figure shows a drop in TCH utilization from over 90 percent to approximately 20 percent. This decreased ability to complete calls in spite of available resources demonstrates that those who may be attempting to reach out to emergency services such as 9-1-1 will be less able to do so.
Fig. 9. The blocking and channel utilization during an emergency event with EAS over SMS. Note that (a) over 80 percent of all calls and SMS messages are blocked when EAS messages are sent or retransmission occurs. Also note (c) the drop in TCH utilization when EAS transmissions occur, meaning that resources to allow calls are available but unused.
4.2.2 Large-Scale Emergencies
Major emergency events are likely to exhibit different characteristics than the previously profiled small-scale scenarios. Whereas small events may have a gradual increase in the volume of traffic, large-scale emergencies are often characterized by substantial and rapid spikes in
usage, followed by continued gradual growth. Although the small-scale emergency experiments have already demonstrated the impracticality of EAS over SMS given the currently deployed infrastructure, we explore this worst case to understand the full extent of the problems such third-party solutions may create. We therefore model a September 11th-like event in which normal traffic increases by 1,000 percent [34], with a 500 percent increase occurring over the course of a few minutes and the outstanding 500 percent being distributed across the remaining hour. Like the previous scenario, we conduct these experiments with and without the presence of EAS over SMS.
As expected, the sudden surge of traffic during the emergency almost immediately makes communications difficult. Fig. 10 shows blocking rates of approximately 47 percent for TCHs and between 59 and 79 percent for SDCCHs. With both SDCCHs and TCHs experiencing near total utilization as shown in Fig. 11, the network is already significantly overloaded and unable to deliver additional traffic.
Fig. 10. The average blocking experienced during a large-scale emergency without EAS over SMS. Note that blocking on TCHs remains steady in spite of increasing call loads due to increased blocking on the SDCCH.
Fig. 11. Channel utilization observed during a large-scale emergency without EAS over SMS. The network becomes saturated almost immediately after the emergency event is realized.
The presence of traffic generated by an EAS over SMS system makes this scenario considerably worse. As shown in Fig. 12, call and SMS blocking on SDCCHs almost immediately reaches between 80 and 85 percent. Like the previous scenario, call blocking on TCHs actually decreases. Such a decrease can again be attributed to the elevated blocking on the SDCCHs, as Fig. 13 demonstrates that TCHs remain idle in spite of an increased call volume.
Fig. 12. The average blocking during a large-scale emergency in the presence of EAS over SMS. The network experiences blocking rates of approximately 90 percent when EAS messages are being transmitted.
Fig. 13. Channel utilization during a large-scale emergency in the presence of EAS over SMS. TCH utilization falls significantly when EAS messages are sent, meaning fewer voice calls are delivered.
4.3 Testing Campus Alert Systems
The discrepancy between the scenarios presented thus far and the reports of successful tests of deployed systems is a result of a number of factors. As previously mentioned, the 160 character limit per text message often requires the transmission of multiple text messages during an emergency. Most system tests, however, typically involve sending a single message. Traffic in these tests is therefore sent at one-fourth the volume of more realistic emergency scenarios. The second difference is the size of the affected population. While many universities offer these systems as an optional service to their students, an increasing number is beginning to make enrollment mandatory. Accordingly, current tests attempt to contact only a subset of students with a smaller volume of traffic than would be used in a real emergency.
We use reports of successful tests as input for our final set of experiments. In particular, we attempt to recreate the environment in which these tests are occurring. We cite information from officials at the University of Texas Austin [26] and Purdue University [37], each of which has reported transmitting messages to approximately 10,000 participants. Note that this represents roughly 25 percent of the undergraduate student body at these institutions. We therefore reduce the receiving population at Virginia Tech to 7,500, of which only half are subscribers to the GSM provider.
Fig. 14 shows the probability of blocking for this scenario. With approximately 18 percent blocking, such a system would appear to replicate current deployments—over
80 percent of recipients are reached within the first 10-minute long transmission. However, as is shown in Fig. 15, by increasing the number of messages sent to this small group by a factor of four to allow for a longer emergency message, the probability of blocking increases to 58 percent. Because the transmission of multiple messages is more likely, campus emergency coordinators should test their systems based on this setting to gain a realistic view of its performance and behavior.

Fig. 14. The average blocking observed during a test (one message) of a third-party EAS over SMS system with only 25 percent of students registered.

Fig. 15. The average blocking observed when four messages are transmitted and all other traffic remains constant.

These two cases provide a more complete picture of the issues facing these systems. Whereas a third-party security incident response and recovery system may be able to deliver a small number of messages to one quarter of the students on campus, attempts to send more messages and therefore more meaningful communications quickly result in high blocking. Such systems are simply unable to scale for the rapid delivery of emergency messages to the entire population of the campus.

As corroboration of this final assertion and to further ground our results in reality, we note the results of a campus alert system deployed on the campus of Simon Fraser University in Burnaby, British Columbia, Canada. In April of 2008, the University attempted to send test alert messages to 29,374 people; however, only 8,600 were able to receive these messages [44]. Only 6,500 of those having received the message were able to do so within five hours of it being sent, representing nearly an 80 percent rate of blocking. Worse still, many students reported getting an elevated rate of busy signals even many hours later. These results are very similar to those shown in Fig. 12, which while showing a slightly higher load, shows extremely close levels of blocking (approximately 85 percent). The analysis in this paper, in concert with this real-life test, clearly explains the failure of this response mechanism to meet its requirement.

5 EFFICIENT SOLUTIONS USING CURRENT EAS

The experiments in the previous section demonstrate the inability of current cellular infrastructure to support emergency-scale messaging. However, entirely dismissing mobile phones and networks as a means of disseminating critical information during such an event misses an opportunity. Given the extensive deployment of third-party EAS on university campuses across the United States and the virtual ubiquity of cell phones, such systems can still be made useful.

Significant changes to the network could potentially make such systems more useful. The most promising of such solutions is cell broadcast. Instead of the point to point delivery of messages in current networks, cell broadcast would allow for the rapid dissemination of emergency information through point to multipoint communications. Such a system could reach the majority of cellular users in an area without requiring knowledge of each particular user’s location. This option is backed by the Commercial Mobile Service Alert Advisory Committee, which is currently working on developing standards documents. However, the timeline for the deployment of this standard is not currently known.

In the absence of this change, currently deployed third-party EAS could be effectively used to contact limited subsets of people in an affected area. On a University campus, for instance, sending emergency alerts to faculty members first would allow for a message to manually be amplified (e.g., immediately to their classes, research group, etc.). We again use Virginia Tech to measure the feasibility of this approach. Given approximately 1,300 faculty members [56], we again assume that just under half of this population (600) subscribes to the GSM network. With the same network resources described in Section 3, the minimum time to distribute a single emergency message to the faculty is

$$T = \frac{600\ \text{msgs}}{1\ \text{campus}} \times \frac{1\ \text{campus}}{8\ \text{sectors}} \times \frac{1\ \text{sector}}{8\ \text{SDCCHs}} \times \frac{1\ \text{SDCCH}}{0.25\ \text{msgs/sec}} \approx 37.5\ \text{sec}.$$

Similarly, the time to send a long message requiring the delivery of four messages would require the following minimum delivery time:

$$T = \frac{600\ \text{msgs}}{1\ \text{campus}} \times \frac{4\ \text{msgs}}{\text{user}} \times \frac{1\ \text{campus}}{8\ \text{sectors}} \times \frac{1\ \text{sector}}{8\ \text{SDCCHs}} \times \frac{1\ \text{SDCCH}}{0.25\ \text{msgs/sec}} \approx 150\ \text{secs} \approx 2.5\ \text{mins}.$$
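The minimum-time calculation for the faculty subset, extended to the trade-off between delivery deadline and SDCCH blocking, as an added example (not code from the paper). The constants are those of the two equations; the function names are this example's own, and treating the alert as the only traffic, spread evenly over the sectors and arriving as a Poisson stream into an Erlang-B loss system, is an assumption of this example rather than the paper's simulator.

```python
"""Added example: SDCCH-limited delivery time and blocking for a targeted alert."""

SECTORS = 8              # sectors covering the campus (from the equations)
SDCCHS_PER_SECTOR = 8    # SDCCHs per sector (from the equations)
SDCCH_RATE = 0.25        # messages per second carried by one SDCCH (from the equations)


def min_delivery_time(recipients, msgs_per_user=1):
    """Lower bound in seconds: every SDCCH busy, no competing traffic, no retries."""
    total_msgs = recipients * msgs_per_user
    return total_msgs / (SECTORS * SDCCHS_PER_SECTOR * SDCCH_RATE)


def erlang_b(servers, offered_load):
    """Erlang-B blocking probability, computed with the standard stable recursion."""
    blocking = 1.0
    for n in range(1, servers + 1):
        blocking = offered_load * blocking / (n + offered_load * blocking)
    return blocking


def blocking_for_deadline(recipients, msgs_per_user, deadline_s):
    """Blocking seen in one sector when the alert is paced evenly over the deadline.

    Assumptions (this example's, not the paper's): recipients are spread evenly
    over the sectors, alert messages are the only load on the SDCCHs, and they
    arrive as a Poisson stream.
    """
    arrival_rate = recipients * msgs_per_user / SECTORS / deadline_s  # msgs/sec per sector
    holding_time = 1.0 / SDCCH_RATE                                   # seconds per message
    return erlang_b(SDCCHS_PER_SECTOR, arrival_rate * holding_time)


def shortest_deadline(recipients, msgs_per_user, target=0.01, max_minutes=10):
    """Smallest whole-minute deadline whose blocking is below target, else None."""
    for minutes in range(1, max_minutes + 1):
        if blocking_for_deadline(recipients, msgs_per_user, minutes * 60) < target:
            return minutes
    return None


if __name__ == "__main__":
    faculty_on_gsm = 600  # recipient count used in the equations
    for msgs in (1, 4):
        print(f"{msgs} message(s): minimum time "
              f"{min_delivery_time(faculty_on_gsm, msgs):.1f} s")
        for minutes in range(1, 11):
            p = blocking_for_deadline(faculty_on_gsm, msgs, minutes * 60)
            print(f"  deadline {minutes:2d} min -> blocking {p:.2e}")
        print(f"  first deadline under 1 percent: "
              f"{shortest_deadline(faculty_on_gsm, msgs)} min")
```

With these constants and alert traffic alone, the first whole-minute deadline with blocking under 1 percent is 2 minutes for one message and 7 minutes for four.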
Given that these minimum times are more than an order of magnitude smaller than those associated with directly messaging every person on campus, we performed simulations to measure the blocking experienced in this scenario. Fig. 16 shows the maximum blocking experienced for the transmission of one and four messages with delivery deadlines ranging from 1 to 10 minutes. Like previous experiments, each point is the result of 500 runs of the simulator with 95 percent confidence intervals being less than two orders of magnitude smaller than the mean. Note that the delivery of a single message to the faculty can occur very rapidly, with the probability of blocking dropping below 1 percent with a delivery requirement of only 2 minutes. Even the delivery of four messages to the faculty can be done with a blocking probability of less than 1 percent if given a deadline of 7 minutes. We note that this approach is different than assuming that the first subset of students to receive such an alert their peers; rather, this targeted strategy will reach the individuals most likely to be dispersed across the campus with the ability to immediately amplify the delivery of the message.

Fig. 16. Experimentally measured maximum blocking for messages sent to a small subset of a university’s population based on variable delivery deadlines. Note that all faculty members can receive a single text message in under 5 minutes with a blocking probability of less than $9 \times 10^{-6}$.

Such a solution is not without its own difficulties. Many faculty members travel and some disciplines rely on graduate instructors to teach courses. Moreover, such a plan does not adequately inform or protect staff members. The selection of the precise subset must therefore be carefully considered by each university and should reflect not only maximum coverage but also the dynamic patterns of students, faculty, and staff throughout the day. Integration with a university’s course management or registration system may provide improved location information to such decisions. We leave the creation of such a system to future work.

Finally, we recommend that alert systems take advantage of multiple forms of media to improve robustness. Relying on any one technology makes an EAS ineffective should that system fail. The use of a range of systems including campus television and radio stations, the university’s website and sirens make the likelihood of widespread notification significantly greater. Note that because of the advanced capabilities of many mobile phones including AM/FM and 802.11 radios and television receivers [36], [23], mobile phones may still be a useful platform for receiving alerts even in the absence of connectivity to cellular infrastructure.

6 DISCUSSION

6.1 Third-Generation (3G) Networks

We profiled the use of GSM networks in this work because they represent the most widely used cellular technology in the world. However, much faster third-generation cellular systems are beginning to be deployed. With high speed data service available in many metropolitan areas, it would appear as if the analysis made in this paper will not remain relevant.

The migration to these new systems will not address these issues for a number of reasons. First, all cellular networks expend significant effort when establishing a connection. As demonstrated in Section 2, these operations include locating a targeted mobile device and performing significant negotiations before a single packet can be delivered. While the delivery rates of cellular data services have been steadily improving over the past decade, this setup and delivery of the first bit of information remains a significant bottleneck in the process. This means that while it is possible to download large files relatively quickly using such networks, beginning the download remains expensive. Second, many providers currently have configured their 3G networks for the circuit switched delivery of text messages. Accordingly, such messages will continue to compete with incoming voice calls for resources, leading to the same kinds of blocking conditions.

6.2 False Alarms

Being able to disseminate alert messages in a timely manner is not the only essential component when evaluating EAS requirements. Users must be able to trust the authenticity of every emergency message they receive. Failure to ensure that the source of a message can be correctly identified allows malicious parties opportunities to add confusion to an emergency event. Unfortunately, there is no way to authenticate the source of messages, making fraudulent alerts easy to send.

Text messaging does not provide any means of authentication. Accordingly, it is possible for any individual with an Internet connection to inject messages with arbitrary contents to anyone with a cellular phone. As Fig. 17 demonstrates, such messages are indistinguishable from legitimate messages.

The implications of this limitation are significant. For instance, in the event of an emergency such as a chemical leak, it would be easy for a malicious party to send an “all-clear” message before the situation was deemed safe. Because it would not be possible for users to verify the source of the information, maliciously induced confusion is a real threat. False alerts have already been observed, including fraudulent warnings about earthquakes [25], tsunamis [4], school shootings [19], false Amber Alerts [39], and other misuses [11], [8].

6.3 Message Delivery Order

Implicit in the misunderstanding of text messaging as a real-time service are misconceptions about the order in
which messages will be delivered to targeted devices. Specifically, it is often assumed that messages will be delivered in the order in which they were injected by the sender. Message delivery order is not always predictable.

Fig. 17. The picture on the left was a test message sent using the e2campus website. The middle picture contains the exact same message and claims to be from the same source, but was sent from a service provider’s web interface. The right-most picture is a forged emergency message warning the user of an on-campus shooting and falsely claims to be sent by the Police.

The order in which messages are delivered can be affected by a number of factors. For instance, Traynor et al. [49] showed that the SMSCs of different providers implement a variety of service algorithms, including FIFO and LIFO service disciplines. Accordingly, it is possible for two providers to deliver the same stream of messages in opposite order. Even if all carriers implemented the same delivery algorithm, congestion in the network can cause further disordering of packets. If an incoming text message is unable to be delivered due to a lack of resources on the air interface, the SMSC will store the message for a later attempt. However, if subsequent messages have been sent before this message fails and manage to gain the required resources, they will be delivered out of the sender’s intended order. In an emergency such as a tornado, which may change directions, out of order delivery may send subscribers directly into the storm as opposed to away from it.

There are a number of emergency scenarios in which the above has occurred. During a wildfire evacuation at Pepperdine University in 2007, multipart messages were transmitted to students and faculty to provide relocation instructions. However, some reported that the messages were not useful. One student later noted that “Each notification that was sent came through in six to eight text messages. . . And they were jumbled, not even coming in order” [9]. More serious conflicts in message delivery order were noted on the campus of the Georgia Institute of Technology [12]. After a chemical spill in 2007, a message alerting students and faculty to evacuate campus was transmitted. Later, instructions to ignore the evacuation notification were also sent. However, a number of students noted receiving the messages out of order [43], adding greater confusion to the situation. Similar problems have been reported at a number of other universities [14], [20]. We note that these issues can potentially be addressed by implementing multipart messaging, which allows a handset to order messages on receipt; however, this feature is not uniformly supported.

6.4 Message Delay

When a call is placed, users expect to hold a conversation without large periods of delay between responses. This immediacy is in stark contrast to asynchronous services such as e-mail, where users have learned to expect at least minor delays between messages.

Examples of the delay that can be experienced during times of high volume are most easily observed during New Year’s Eve celebrations or the most recent US Presidential Inauguration. As hundreds of millions of users around the globe send celebratory greetings via SMS, service providers often become inundated with a flood of messages. Accordingly, the delivery of such messages has been noted to exceed six hours [17]. Even though providers often plan and temporarily deploy additional resources to minimize the number of blocked calls, the sheer volume of messages during such an event demonstrates the practical limitations of current systems. In spite of temporarily deploying additional towers, such delays are experienced even when cellular providers are aware that a high volume event will take place.

Why then has SMS been a successful means of communication during other national emergencies such as September 11th and Hurricanes Katrina and Rita? Numerous sources cite SMS as an invaluable service when both man-made and natural disasters strike [21], [32]. The difference between these events and other emergencies is the magnitude of messages sent. For instance, at the time of the attacks of September 11th, text messaging was still largely a fringe service in the United States. Had most users across the country attempted to communicate using SMS as their primary mode of communication, however, a report by the National Communications System (NCS) estimates that current network capacities would need to be expanded by 100-fold [34] in order to support such a volume. The reliability of text messaging during Hurricane Katrina is due to similar reasons. Because only a very small number of people were communicating via text messaging, the towers undamaged by the storm were able to deliver such messages without any significant competition from other traffic. Moreover, because the network automatically attempted retransmission, users were more likely to receive text messages than calls. If SMS use during either of these events approached emergency levels, it would have experienced delays similar to those regularly observed on New Year’s Eve.

7 RELATED WORK

Following the events of September 11th, 2001, curiosity about the ability to use text messaging as the basis of a reliable communications system during times of crisis
arose. In response, the National Communications System conducted an investigation on the use of text messaging during a nation-wide emergency, which through simple calculations concluded that current systems would require “100 times more capacity to meet [the] load” created by widespread use of text messaging [34]. A related study by the European Telecommunications Standards Institute (ETSI) identified the increasing prevalence of spam as a significant threat to the operation of cellular networks during an emergency [18]. However, both studies were limited to high-level calculations of a single emergency scenario and neither considered the use of third-party EAS over SMS systems. Our study conducted the first characterization and simulation of multiple scenarios for EAS over cellular services and compared them directly to real-world, on-campus testing. Related efforts are also investigating the creation of more efficient disaster response infrastructure [1]; however, we note that many of the problems discussed in this paper are the result of not fully implementing GSM standards for bulk sending and cell broadcast [3], [2].

The specific impacts on the reliability and security of such networks under torrents of text messages have also been explored. Traynor et al. [49], [51] noted that an attacker could exploit connections between the Internet and cellular networks to cause significant outages. With the bandwidth available to a cable modem, an attacker could send a small but targeted stream of text messages to a specific geographic region and prevent legitimate voice and text messages from being delivered. While subsequent research was able to better characterize and provide mitigations against such attacks [50], it was ultimately discovered that a more basic problem was responsible. Instead of simply being a matter of using a low-bandwidth channel to deliver data, the real cause of such attacks was a result of fundamental tension between cellular networks and the Internet. Specifically, because cellular networks cannot amortize the significant cost of connection establishment when delivering data, they are fundamentally vulnerable to such attacks [52]. Accordingly, as long as text messages are delivered in the point to point fashion as is done now, the expense of establishing connections with each and every phone in an area will remain prohibitively expensive.

Whether as an unintended consequence or deliberate act, the flooding behavior exhibited in the above work closely resembles Denial of Service (DoS) attacks on the Internet. The research community has responded with attempts to classify [33] and mitigate [5], [6], [7], [10], [27], [29], [30], [40], [46], [45], [55], [57] such attacks. However, such attacks are only beginning to be understood in the context of cellular networks, making the direct application of these solutions unsuitable.

8 CONCLUSION

Cellular networks are increasingly becoming the primary means of communication during emergencies. Riding the widely held perception that text messaging is a reliable method of rapidly distributing messages, a large number of colleges, universities, and municipalities have spent tens of millions of dollars to deploy third-party EAS over cellular systems. However, this security incident response and recovery mechanism simply does not work as advertised. Through modeling, a series of experiments and corroborating evidence from real-world tests, we have shown that these networks cannot meet the 10 minute alert goal mandated by the public EAS charter and the WARN Act. Moreover, we have demonstrated that the extra text messaging traffic generated by third-party EAS will cause congestion in the network and may potentially block upward of 80 percent of normal requests, potentially including calls between emergency responders or the public to 9-1-1 services. Accordingly, it is critical that legislators, technologists, and the general public understand the fundamental limitations of this mechanism to safeguard physical security and public safety and that future solutions are thoroughly evaluated before they are deployed.

ACKNOWLEDGMENTS

This work was supported in part by 3G Americas and the US National Science Foundation (NSF) (CNS-0916047 and CNS-0952959). Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of 3G Americas or the NSF. The author would also like to thank the cellular providers that helped him more accurately model this issue.

REFERENCES

[1] “Earthquake and Tsunami Warning System (ETWS); Requirements and Solutions,” Technical Report 3GPP TS 23.828 v2.0.0., 3rd Generation Partnership Project, 2008.
[2] “Technical Realization of Short Message Service Cell Broadcast (SMSCB),” Technical Report 3GPP TS 03.41 v7.5.0., 3rd Generation Partnership Project, 2000.
[3] “Technical Realization of the Short Message Service (SMS),” Technical Report 3GPP TS 03.40 v7.5.0., 3rd Generation Partnership Project, 2002.
[4] Agence France-Presse, “Hoax Text Message Spreads Tsunami Terror in Indonesia,” http://www.breitbart.com/article.php?id=070606101917.31jf2eybshow_arti, 2007.
[5] D. Andersen, “Mayday: Distributed Filtering for Internet Services,” Proc. USENIX Symp. Internet Technologies and Systems (USITS), 2003.
[6] T. Anderson, T. Roscoe, and D. Wetherall, “Preventing Internet Denial of Service with Capabilities,” Proc. ACM Workshop Hot Topics in Networking (HotNets), 2003.
[7] K. Argyraki and D.R. Cheriton, “Scalable Network-Layer Defense against Internet Bandwidth-Flooding Attacks,” ACM/IEEE Trans. Networking, vol. 17, no. 4, pp. 1284-1297, Aug. 2009.
[8] Associated Press, “Man Admits Sending ‘Monkey Out of Cage’ Message,” http://www.google.com/hostednews/ap/article/ALeqM5gjBi_YGzVmUqV0YDKifMv, 2009.
[9] S. Blons, “Emergency Team Aids Efforts,” http://graphic.pepperdine.edu/special/2007-10-24-emergencyteam.htm, 2007.
[10] M. Casado, P. Cao, A. Akella, and N. Provos, “Flow Cookies: Using Bandwidth Amplification to Defend against DDoS Flooding Attacks,” Proc. Int’l Workshop Quality of Service (IWQoS), 2006.
[11] Cellular-News, “Malaysian Operators Dismiss Hoax SMS,” http://www.cellular-news.com/story/31247.php, 2008.
[12] T. Christensen, “Ga. Tech Building Cleared After Blast,” http://www.11alive.com/life/pets/story.aspx?storyid=106112, 2007.
[13] CollegeSafetyNet.com, http://www.collegesafetynet.com, 2008.
[14] Courant.com, “University Emergency SMS Service Doesn’t Deliver,” http://www.courant.com, Nov. 2007.
[15] B.K. Daly, “Wireless Alert Warning Workshop,” http://www.oes.ca.gov/WebPage/oeswebsite.nsf/ClientOESFileLibrary/Wirel, 2011.
[16] e2Campus, “Mass Notification Systems for College, University Higher Education Schools by e2Campus: Info on the Go!” http://www.e2campus.com, 2008.
[17] A.-M. Elliott, “Texters to Experience 6 Hour Delays on New Year’s Eve,” http://www.pocket-lint.co.uk/news/news.phtml/11895/12919/palm-new-years, 2007.
[18] “Analysis of the Short Message Service (SMS) and Cell Broadcast Service (CBS) for Emergency Messaging Applications; Emergency Messaging; SMS and CBS,” Technical Report ETSI TR 102 444 V1.1.1., European Telecomm. Standards Inst., 2006.
[19] J. Gambrell, “School Shooting Text Rumours Emptied Elementary School by 10 am,” http://www.washingtonpost.com/wp-dyn/content/article/2007/12/29/AR20071, 2007.
[20] L. Ganosellis, “UF to Test Texting Alerts After LSU Glitch,” http://www.alligator.org/news/uf_administration/article_3c1a9de6-670e-54fe-a882-c7e71309f83e.html, 2008.
[21] D. Geer, “Wireless Victories, Sept. 11th, 2001,” Wireless Business Technology, 2005.
[22] J. Hedden, “Math::Random::MT::Auto - Auto-Seeded Mersenne Twister PRNGs,” http://search.cpan.org/~jdhedden/Math-Random-MT-Auto-6.18/lib/Math/Random/MT/Auto.pm, Version 5.01, 2011.
[23] HTC Corporation, “HTC Tattoo Specifications,” http://www.htc.com/europe/product/tattoo/specification.html, 2009.
[24] Inspiron Logistics, “Inspiron Logistics Corporation WENS - Wireless Emergency Notification System for Emergency Mobile Alerts,” http://www.inspironlogistics.com, 2008.
[25] Jakarta Post, “INDONESIA: Police Question Six More over SMS Hoax,” http://www.asiamedia.ucla.edu/article-southeastasia.asp?parentid=50410, 2006.
[26] E. Jaramillo, “UT Director: Text Alerts Effective,” http://www.dailytexanonline.com/1.752094, 2008.
[27] A. Keromytis, V. Misra, and D. Rubenstein, “SOS: Secure Overlay Services,” Proc. ACM SIGCOMM, 2002.
[28] C. Luders and R. Haferbeck, “The Performance of the GSM Random Access Procedure,” Proc. Vehicular Technology Conf. (VTC), pp. 1165-1169, June 1994.
[29] R. Mahajan, S.M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, “Controlling High Bandwidth Aggregates in the Network,” Computer Comm. Rev., vol. 32, no. 3, pp. 62-73, July 2002.
[30] A. Mahimkar, J. Dange, V. Shmatikov, H. Vin, and Y. Zhang, “dFence: Transparent Network-Based Denial of Service Mitigation,” Proc. USENIX Conf. Networked Systems Design and Implementation (NSDI), 2007.
[31] K. Maney, “Surge in Text Messaging Makes Cell Operators :-),” http://www.usatoday.com/money/2005-07-27-text-messaging_x.htm, July 2005.
[32] J. McAdams, “SMS Does SOS,” http://www.fcw.com/print/12_11/news/92790-1.html, 2006.
[33] J. Mirkovic and P. Reiher, “A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms,” ACM SIGCOMM Computer Comm. Rev., vol. 34, no. 2, pp. 39-53, 2004.
[34] Nat’l Comm. System, “SMS over SS7,” technical report, Technical Information Bull. 03-2 (NCS TIB 03-2), Dec. 2003.
[35] Nat’l Notification Network (3n), “3n InstaCom Campus Alert - Mass Notification for Colleges and Universities,” http://www.3nonline.com/campus-alert, 2008.
[36] C. Nettles, “iPhone 3 to Have Broadcom BCM4329, 802.11N/5GHz Wireless, FM Transmitter/Receiver,” http://www.9to5mac.com/broadcom-BCM4329-iphone-802.11n-FM, 2009.
[37] M. Nizza, “This Is Only a (Text Messaging) Test,” http://thelede.blogs.nytimes.com/2007/09/25/this-is-only-a-text-messagi, 2007.
[38] Nyquetek, Inc., “Wireless Priority Service for National Security,” http://wireless.fcc.gov/releases/da051650PublicUse.pdf, 2002.
[39] Oregon State Police, “False Amber Alerts Showing up on Cell Phones,” http://www.katu.com/news/local/26073444.html, 2008.
[40] B. Parno, D. Wendlandt, E. Shi, A. Perrig, and B. Maggs, “Portcullis: Protecting Connection Setup from Denial of Capability Attacks,” Proc. ACM SIGCOMM, 2007.
[41] Reverse 911, “Reverse 911 - The Only COMPLETE Notification System for Public Safety,” http://www.reverse911.com/index.php, 2008.
[42] Roam Secure, “Roam Secure,” http://www.roamsecure.net, 2008.
[43] shelbinator.com, “Evacuate! or Not,” http://shelbinator.com/2007/11/08/evacuate-or-not, 2007.
[44] Simon Fraser Univ., “Special Report on the Apr. 9th Test of SFU Alerts,” http://www.sfu.ca/sfualerts/april08_report.html, 2008.
[45] A. Stavrou, D.L. Cook, W.G. Morein, A.D. Keromytis, V. Misra, and D. Rubenstein, “WebSOS: An Overlay-Based System for Protecting Web Servers from Denial of Service Attacks,” J. Computer Networks, Special Issue on Web and Network Security, vol. 48, no. 5, pp. 781-807, 2005.
[46] A. Stavrou and A. Keromytis, “Countering DOS Attacks with Stateless Multipath Overlays,” Proc. ACM Conf. Computer and Comm. Security (CCS), 2005.
[47] The 109th Senate of the United States of Am., “Warning, Alert, and Response Network Act,” http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.1753:, 2005.
[48] P. Traynor, “Characterizing the Security Implications of Third-Party EAS over Cellular Text Messaging Services,” Proc. Second IEEE Int’l Conf. Security and Privacy in Comm. Networks (SecureComm), 2010.
[49] P. Traynor, W. Enck, P. McDaniel, and T. La Porta, “Exploiting Open Functionality in SMS-Capable Cellular Networks,” J. Computer Security, vol. 16, no. 6, pp. 713-742, 2008.
[50] P. Traynor, W. Enck, P. McDaniel, and T. La Porta, “Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks,” IEEE/ACM Trans. Networking, vol. 17, no. 1, pp. 40-53, Feb. 2009.
[51] P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, T. La Porta, and P. McDaniel, “On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core,” Proc. ACM Conf. Computer and Comm. Security (CCS), 2009.
[52] P. Traynor, P. McDaniel, and T. La Porta, “On Attack Causality in Internet-Connected Cellular Networks,” Proc. USENIX Security Symp., 2007.
[53] TXTLaunchPad, “TXTLaunchPad Provides Bulk SMS Text Message Alerts,” http://www.txtlaunchpad.com, 2007.
[54] Voice Shot, “Automated Emergency Alert Notification Call - VoiceShot,” http://www.voiceshot.com/public/urgentalert.asp?ref=uaemergencyalert, 2008.
[55] M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenkar, “DDoS Offense by Offense,” Proc. ACM SIGCOMM, 2006.
[56] Wikipedia, “Virginia Polytechnic Institute and State University,” http://en.wikipedia.org/wiki/Virginia_Tech, 2008.
[57] X. Yang, D. Wetherall, and T. Anderson, “TVA: A DoS-Limiting Network Architecture,” IEEE/ACM Trans. Networking (TON), vol. 16, no. 6, pp. 1267-1280, Dec. 2008.

Patrick Traynor received the PhD degree from The Pennsylvania State University in 2008. He is an assistant professor in the School of Computer Science at the Georgia Institute of Technology and is also a member of the Georgia Tech Information Security Center (GTISC). In addition to serving on a number of program committees, he is also a member of the editorial board for the Encyclopedia of Cryptography and Security. His research is focused in areas including telephony security and provenance, security for mobile phones, and the systems issues associated with applied cryptography.