The researchers say it would take just 6,000 infected smartphones in a geographical area — something hackers could easily accomplish — to launch an attack sufficient to disrupt the 911 system throughout the entire state of North Carolina, and just 200,000 infected phones distributed across the U.S. to significantly disrupt 911 services around the nation.
“Under these circumstances, an attacker can cause 33 percent of the nation's legitimate callers to give up in reaching 911,” the researchers at Ben Gurion University in Israel wrote in a paper they recently passed to the Department of Homeland Security and are releasing publicly today.
Because call centers and routers around the country often operate at near capacity under normal conditions, increasing the volume of calls by just a small percentage can overwhelm them, said Mordechai Guri, head of R&D at the university's Cyber Security Center and chief scientist at Morphisec Endpoint Security. Guri conducted the work with researcher Yisroel Mirsky and Professor Yuval Elovici, head of the center.
"We believe the researchers have accurately characterized the problem" with the 911 system, said Trey Forgety, director of government affairs for the National Emergency Number Association, who received a copy of the researchers' paper from DHS. He says his group has long been aware of the potential for a telephony denial-of-service (TDoS) attack and brought it to the attention of DHS four years ago. "We actually believe that the vulnerability is in fact worse than [the researchers] have calculated."
The call capacity of 911 systems is exceptionally limited, and in many cases just three to five circuits process all 911 calls for a 911 center, Forgety said. "Three to five circuits is trivial to overwhelm. I can do it with a pocketful of cellphones."
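The capacity point above can be worked through with the standard Erlang B formula from teletraffic engineering, which gives the share of calls that find every circuit busy. This is an added example, not taken from the researchers' paper or this article; the 2-erlang baseline load and the 1 percent blocking target are constructed values, and the function names are hypothetical.

```python
"""Erlang B blocking for a small 911 trunk group (added illustration)."""


def erlang_b(offered_erlangs: float, circuits: int) -> float:
    """Probability that a new call finds all circuits busy.

    Uses the numerically stable recurrence
    B(0) = 1, B(m) = E*B(m-1) / (m + E*B(m-1)).
    The model assumes blocked callers do not redial, so real blocking
    during a surge (when callers retry) is at least this high.
    """
    if offered_erlangs < 0 or circuits < 0:
        raise ValueError("load and circuit count must be non-negative")
    blocking = 1.0
    for m in range(1, circuits + 1):
        blocking = offered_erlangs * blocking / (m + offered_erlangs * blocking)
    return blocking


def circuits_needed(offered_erlangs: float, target_blocking: float,
                    limit: int = 10_000) -> int:
    """Smallest circuit count that keeps blocking at or below the target."""
    if not 0 < target_blocking <= 1:
        raise ValueError("target_blocking must be in (0, 1]")
    blocking = 1.0
    for m in range(0, limit + 1):
        if m > 0:
            blocking = offered_erlangs * blocking / (m + offered_erlangs * blocking)
        if blocking <= target_blocking:
            return m
    raise RuntimeError("no circuit count within limit meets the target")


def surge_table(baseline_erlangs: float, circuits: int, surges):
    """Blocking for each fractional increase in offered load (0.5 = +50%)."""
    return [(s, erlang_b(baseline_erlangs * (1 + s), circuits)) for s in surges]


if __name__ == "__main__":
    BASELINE = 2.0   # constructed: average of two calls in progress
    CIRCUITS = 5     # upper end of the "three to five circuits" quoted above
    for surge, blocked in surge_table(BASELINE, CIRCUITS, [0.0, 0.5, 2.0]):
        print(f"load +{surge:>4.0%}: {blocked:6.1%} of calls blocked")
    for load in (BASELINE, BASELINE * 1.5):
        print(f"{load} erlangs needs {circuits_needed(load, 0.01)} circuits "
              "for <=1% blocking")
```

With these constructed inputs, a 50 percent rise in load roughly triples the share of blocked calls on five circuits, which is why a trunk group sized close to its normal load has so little headroom.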
The federal government considers the 911 system to be part of the nation's critical infrastructure on par with the power grid, water treatment plants and dams. Americans make more than 240 million calls annually to more than 7,000 call centers scattered across the country. About 70 percent of these calls now come from mobile phones. But the technology used to process these calls hasn't kept pace with security needs, experts say.
An attack could be prolonged for days using techniques that would prevent authorities from halting the bogus calls, Guri and his colleagues say. The problem would be exacerbated as legitimate callers trying to get through made repeated calls that further clogged the lines.
Denial-of-service attacks against 911 systems have been discussed as a concept at hacker conferences for years, although it's not known if any 911 outage has ever been caused by a TDoS attack. But in 2013, something occurred that indicated that attackers have 911 call centers in their sights. DHS and the FBI issued a warning to states about several TDoS attacks that had been launched against the administrative lines of various 911 call centers. Although these attacks didn’t target the 911 emergency lines themselves, they demonstrated the potential danger from TDoS attacks against the 911 system. The perpetrators launched the attacks as part of an extortion plot — after first demanding money and being turned down, they “launched high volume of calls against the target network, tying up the system from receiving legitimate calls,” according to the DHS alert.
How an attack works
The 911 call centers don’t run on a single, unified network; instead each state operates its own facilities, often managed at the county level, with calls being directed to centers by telecom providers or third-party companies contracted by telecoms.
When a caller dials 911, the call gets sent to a network dedicated to processing emergency calls. A router first determines the caller's location by consulting an address database if the call is coming from a landline. If it's a mobile call, the router determines the location based on coordinates sent from the mobile phone’s GPS chip or from the cellphone tower that picks up the call. Based on the caller's location, the router sends the call to the nearest Public Safety Answering Point where operators dispatch appropriate responders — fire, police, or ambulance.
To disrupt a 911 network, an attacker could infect mobile phones to create a botnet of phones — which is a network of computers or phones infected with the same malware that allows a hacker to control the devices. The attacker can infect phones either by sending malware to them as an email attachment or text message or embedding malicious code in an application that users are enticed to download and install on their phone.
How easy is it to infect a mobile phone through an app? Last year, researchers discovered malware for the iPhone operating system embedded in popular consumer apps distributed through Apple's App Store. And in 2011, a survey of Android apps distributed through Google's Play store found more than 10,000 apps contained malware or spyware of one sort or another.
Malware that the researchers created for their TDoS test infects the phone’s firmware — software beneath the operating system that makes the phone work. The attacker then sends a command to infected phones over the Internet or via covert text messages to call 911 repeatedly. Because the calls are initiated by the firmware and not the operating system, they occur silently in the background without the phone owner’s notice. No record of the calls appears in the phone’s call log either.
A carrier or 911 system could theoretically halt an attack by blacklisting phones that make repeated 911 calls, either by blocking the phones based on the International Mobile Subscriber Identity (IMSI) number stored in the phone’s SIM card or the unique International Mobile Equipment Identity (IMEI) number assigned to every mobile phone during manufacturing. But the malware the researchers created causes the phones to send random IDs to cell towers instead, changing the IDs with each call the phone makes to thwart blacklisting.
Theoretically, changing the IMSI with a random one should cause a mobile phone carrier to drop the call once it recognizes that the IMSI does not belong to a legitimate subscriber. But FCC regulations require carriers to process every 911 call that comes through their cell towers, regardless of whether the call is made by a subscriber. This is because many legitimate 911 calls come from phones that are not currently on a carrier service plan. Domestic violence shelters and retirement centers, for example, often provide non-service phones to battered women so they can make emergency calls.
The Carolina test
To test their TDoS attack, the Israeli researchers built a simulated cellular network in their lab based on the 911 network in North Carolina. They chose North Carolina because the state has published extensive information about its 911 network. It has, for example, 20 routers and 188 call centers that handle more than 23,000 emergency calls daily and more than 8 million annually.
But North Carolina has a problem shared by many other states — many of its call centers rely on a single router to process 911 calls. By overwhelming one router, an attacker can affect many call centers. One North Carolina router known as the Rocky Mount SR, for example, feeds 64 call centers — more than half the state’s call centers.
The researchers found that with just 6,000 infected phones, they could prevent more than 50 percent of wireless callers in the state from reaching 911, in addition to a good percentage of landline callers.
Countermeasures and mitigation
The researchers say state authorities could resolve the problem in part by making sure they have redundancy in 911 networks so that a single router doesn’t become a major point of failure in an attack.
Federal authorities could also address the problem by telling carriers they no longer have to process calls from phones that aren't attached to a service plan. The FCC introduced a proposal last year to consider doing this, since such phones are already a problem for a different reason — many pranksters use these phones to make bogus 911 calls, since the calls can't be traced to them.
Public safety groups expressed support for the FCC proposal to eliminate the requirement, but the movement stalled this year because the FCC only plans to eliminate the requirement that carriers process such calls, not ban carriers from processing them, which would give them legal protection. Without the latter protection, Forgety says, carriers are too afraid of the liability they could face if they opt to block a legitimate call and that leads to a death or injury.
Another way to address the problem would be to alter phone hardware in a way that would prevent attackers from changing the IMSI and IMEI numbers on smartphones and replacing them with random ones. Or hardware makers could install a firewall on their devices that would detect and block repeated 911 calls that have the characteristics of botnet activity. Both of these solutions, however, would take time to implement and require the cooperation of phone manufacturers.
Whatever occurs, Guri and his colleagues say authorities need to act soon since it will only be a matter of time before attackers target 911 systems — if they haven't already.
Kim Zetter is an award-winning journalist who has covered cybersecurity for more than a decade and is the author of "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon."