[David Strom's Web Informant] Hacking 911 systems: an update

David Strom david at strom.com
Tue Nov 22 08:07:08 EST 2016

Web Informant, November 22, 2016: Hacking 911 systems: an update

It isn’t often that there is a very short trajectory from an academic
research paper to reality, but when it comes to hacking the 911 emergency
phone network this is indeed the case. The paper was written earlier this
year <https://arxiv.org/ftp/arxiv/papers/1609/1609.02353.pdf> and first
given to the Department of Homeland Security before being published online
this fall.

The researchers from Ben Gurion University in Israel describe how an
attacker could nock a 911 service offline
<http://thehackernews.com/2016/09/hacking-911-emegency.html> by launching a
distributed denial of service (DDoS) attack using a collection of just 6000
smartphones. While that is a lot of phones to gather in one place, it is a
relatively small number when this is compared to computer-based attacks.
And you don't really need to gather them together physically: you can
infect these phones with some malware and control them all remotely.

Like other DDoS attacks, phones (rather than computers) make repeated calls
to 911, thereby blocking the system from getting legit emergency calls. It
is a chilling concept, because unlike other DDoS attacks, the hackers
aren’t just bringing down a website with large bursts of traffic: they
could prevent someone from getting life-saving assistance.

In the paper, the researchers simulated a cellular network modeled after
the 911 network in North Carolina and then showed how attackers could
exploit it.

Now 911 attacks aren’t new: indeed, the DHS issued this alert three years
ago <http://www.npstc.org/download.jsp?tableId=37&column=217&id=2699> and
mentioned that more than 600 such attacks have been observed over the
years. What is new is how easily the attacks could be launched, with just a
few thousand phones and some malware to make it all work. Also, these
previous attacks were launched against the administrative phone numbers of
the alternate 911 call center, not to the actual 911 emergency lines
themselves. If you are interested in how the 911 center operates, I posted
a piece many years ago <http://blog.strom.com/wp/?p=902> about this here.

There are other stories
hospitals and other businesses that have had their phone systems flooded
with calls, blocking any business calls from being connected. And where
there is fire, there is at least one security vendor to put it out or
protect <http://www.securelogix.com/products/etm_system_overview.htm> an
enterprise network from being exploited by telephone-based DDoS attacks.

The problem is in the design of the 911 call centers. These centers have no
built-in way of blacklisting or blocking callers: they want to be able to
answer any call from anyone who has an emergency. Therefore, in the face of
a large attack, they would have no choice but to answer each and every
call. But let’s say we could implement such a service: that would prevent
an unintentional owner of an infected and blacklisted phone from making a
legitimate emergency call.

Well, that was the theory behind the paper. It didn’t take long before
someone actually did it “in the wild,” as they say when an actual attack
has been observed. Last month a teen was arrested for allegedly doing such
an attack and is facing three felony counts
The teen, Meetkumar Hiteshbhai Desai, discovered an iOS vulnerability that
was used for launching the attack and flooding a call center in Arizona.
Now his phone supposedly was the only one used and it made just 100 calls
in a matter of minutes. But that was enough to get the cops on his case.

It is distressing to be sure. But whether these attacks are done by script
kiddies or by professional criminals, certainly the opportunity is there
and very real indeed.

Comments always welcome: http://blog.strom.com/wp/?p=5686

Happy holidays!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://list.webinformant.tv/pipermail/webinformant_list.webinformant.tv/attachments/20161122/57317890/attachment-0002.html>

More information about the WebInformant mailing list