Quantcast
Connect with us

This shocking report shows hackers can make it impossible for you to dial 911

Published

on

It’s not often that any one of us needs to dial 911, but we know how important it is for it to work when one needs it. It is critical that 911 services always be available – both for the practicality of responding to emergencies, and to give people peace of mind. But a new type of attack has emerged that can knock out 911 access – our research explains how these attacks occur as a result of the system’s vulnerabilities. We show these attacks can create extremely serious repercussions for public safety.

In recent years, people have become more aware of a type of cyberattack called “denial-of-service,” in which websites are flooded with traffic – often generated by many computers hijacked by a hacker and acting in concert with each other. This happens all the time, and has affected traffic to financial institutions, entertainment companies, government agencies and even key internet routing services.

A similar attack is possible on 911 call centers. In October, what appears to be the first such attack launched from a smartphone happened in Arizona. An 18-year-old hacker was arrested on charges that he conducted a telephone denial-of-service attack on a local 911 service. If we are to prevent this from happening in more places, we need to understand how 911 systems work, and where the weaknesses lie, both in technology and policy.

Understanding denial of service

Computer networks have capacity limits – they can handle only so much traffic, so many connections, at one time. If they get overloaded, new connections can’t get through. The same thing happens with phone lines – which are mostly computer network connections anyway.

So if an attacker can manage to tie up all the available connections with malicious traffic, no legitimate information – like regular people browsing a website, or calling 911 in a real emergency – can make it through.

This type of attack is most often done by spreading malware to a great many computers, infecting them so that they can be controlled remotely. Smartphones, which are after all just very small computers, can also be hijacked in this way. Then the attacker can tell them to inundate a particular site or phone number with traffic, effectively taking it offline.

ADVERTISEMENT

Many internet companies have taken significant steps to guard against this sort of attack online. For example, Google Shield is a service that protect news sites from attacks by using Google’s massive network of internet servers to filter out attacking traffic while allowing through only legitimate connections. Phone companies, however, have not taken similar action.

Addressing the 911 telephone system

Before 1968, American emergency services had local phone numbers. People had to dial specific numbers to reach the fire, police or ambulance services – or could dial “0” for the operator, who could connect them. But that was inconvenient, and dangerous – people couldn’t remember the right number, or didn’t know it because they were just visiting the area.

The 911 system was created to serve as a more universal and effective system. As it has developed over the years, a 911 caller is connected with a specialized call center – called a public safety answering point – that is responsible for getting information from the caller and dispatching the appropriate emergency services.

These call centers are located in communities across the country, and each provides service to specific geographic regions. Some serve individual cities, while others serve wider areas, such as counties. When telephone customers dial 911 on their landlines or mobile phones, the telephone companies’ systems make the connection to the appropriate call center.

ADVERTISEMENT

To better understand how denial-of-service attacks could affect 911 call systems, we created a detailed computer simulation of North Carolina’s 911 infrastructure, and a general simulation of the entire U.S. emergency-call system.

Investigating the impact of an attack

After we set up our simulation, we attacked it to find out how vulnerable it is. We found that it was possible to significantly reduce the availability of 911 service with only 6,000 infected mobile phones – just 0.0006 percent of the state’s population.

Using only that relatively small number of phones, it is possible to effectively block 911 calls from 20 percent of North Carolina landline callers, and half of mobile customers. In our simulation, even people who called back four or five times would not be able to reach a 911 operator to get help.

Nationally, a similar percentage, representing just 200,000 hijacked smartphones, would have a similar effect. But this is, in a certain sense, an optimistic finding. Trey Forgety, the director of government affairs for the National Emergency Number Association, responded to our findings in the Washington Post, saying, “We actually believe that the vulnerability is in fact worse than [the researchers] have calculated.”

ADVERTISEMENT

Policy makes the threat worse

These sorts of attacks could, potentially, be made less effective if malicious calls were identified and blocked at the moment they were placed. Mobile phones have two different kinds of identifying information. The IMSI (International Mobile Subscriber Identity) is the phone number a person must call to reach that phone. The IMEI (International Mobile Station Equipment Identity) is used to track the specific physical device on the network.

A defense system could be set up to identify 911 calls coming from a particular phone that has made more than a certain number of 911 calls in a given period of time – say more than 10 calls in the last two minutes.

This raises ethical problems – what if there is a real and ongoing emergency, and someone keeps losing phone reception while talking to a dispatcher? If they called back too many times, would their cries for help be blocked? In any case, attackers who take over many phones could circumvent this sort of defense by telling their hijacked phones to call less frequently – and by having more individual phones make the calls.

But federal rules to ensure access to emergency services mean this issue might be moot anyway. A 1996 Federal Communications Commission order requires mobile phone companies to forward all 911 calls directly to emergency dispatchers. Cellphone companies are not allowed to check whether the phone the call is coming from has paid to have an active account in service. They cannot even check whether the phone has a SIM card in place. The FCC rule is simple: If anyone dials 911 on a mobile phone, they must be connected to an emergency call center.

ADVERTISEMENT

The rule makes sense from a public safety perspective: If someone is having (or witnessing) a life-threatening emergency, they shouldn’t be barred from seeking help just because they didn’t pay their cellphone bill, or don’t happen to have an active account.

But the rule opens an vulnerability in the system, which attackers can exploit. A sophisticated attacker could infect a phone in a way that makes it dial 911 but report it does not have a SIM card. This “anonymized” phone reports no identity, no phone number and no information about who owns it. Neither the phone company nor the 911 call center could block this call without possibly blocking a legitimate call for help.

The countermeasures that exist, or are possible, today are difficult and highly flawed. Many of them involve blocking certain devices from calling 911, which carries the risk of preventing a legitimate call for help. But they indicate areas where further inquiry – and collaboration between researchers, telecommunications companies, regulators and emergency personnel – could yield useful breakthroughs.

For example, cellphones might be required to run a monitoring software to block themselves from making fraudulent 911 calls. Or 911 systems could examine identifying information of incoming calls and prioritize those made from phones that are not trying to mask themselves. We must find ways to safeguard the 911 system, which protects us all.

ADVERTISEMENT

The Conversation

By Mordechai Guri, Head of R&D, Cyber Security Research Center; Chief Scientist, Morphisec endpoint security, Ben-Gurion University of the Negev; Yisroel Mirsky, Ph.D. Candidate in Information Systems Engineering, Ben-Gurion University of the Negev, and Yuval Elovici, Professor of Information Systems Engineering, Ben-Gurion University of the Negev

This article was originally published on The Conversation. Read the original article.

Report typos and corrections to [email protected].
READ COMMENTS - JOIN THE DISCUSSION
Continue Reading

Breaking Banner

Senator Elizabeth Warren leads Democrats in spirited first 2020 debate

Published

on

Ten Democrats clashed in the first debate of the 2020 presidential race Wednesday with Elizabeth Warren cementing her status as a top-tier candidate and several underdogs using the issue of immigration to clamor for the limelight.

The biggest American political debate since the 2016 presidential campaign is occurring over two nights in Miami, climaxing Thursday with former vice president Joe Biden squaring off against nine challengers, including number two candidate Bernie Sanders.

But Wednesday's first take was a spirited encounter between Democrats like ex-congressman Beto O'Rourke, Senator Cory Booker, former San Antonio mayor Julian Castro and New York Mayor Bill de Blasio on subjects as varied as health care, economic inequality, climate action, gun violence, Iran and immigration.

Continue Reading

Breaking Banner

Here are 4 winners and 9 losers from the first 2020 Democratic primary debate

Published

on

With ten candidates on stage Wednesday, the opening debate of the 2020 Democratic primary in Miami was a packed mess. And this was only the first course in a two-part event — 10 more candidates will debate on the following night.

A crowded field makes it difficult to stand out, and that means that even after a big night like a debate, the most likely result is that not much changes. But the debate was still significant, giving candidates the chance to exceed, meet, or fall below expectations for their performances.

Here's a list — necessarily subjective, of course — of the people who came out on the top when the dust was settled, and those who came out on the bottom.

Continue Reading
 

Breaking Banner

Here are 3 ways Julián Castro stood out in the first Democratic Debate

Published

on

There were many predictions going into the first Democratic debate on MSNBC, but no one predicted that Julián Castro would break out from the crowd.

Check out the top three ways Castro stood out from the crowd.

Immigration:

The former Secretary of Housing and Urban Development was the outright winner of the immigration section of the debate

It should "piss us all off," Castro said about the father and his little girl who were found face-down in the shores of the Rio Grande River this week. “It’s heartbreaking."

Castro is a second generation American who got into specifics on immigration policy, calling for an outright "Marshall Plan" style of action for Guatemala and Honduras. He joined with other Democrats calling for an end to President Donald Trump's family separation policy, but he then suggested ending the "metering" of legitimate asylum seekers.

Continue Reading
 
 

Copyright © 2019 Raw Story Media, Inc. PO Box 21050, Washington, D.C. 20009 | Masthead | Privacy Policy | For corrections or concerns, please email [email protected]

I need your help.

The 2020 election needs you. There are 18 months until the election, and the Supreme Court is on the line. I'm trying to add journalists to do more exclusive reports. Let me get rid of the ads for you, and put your support toward 100% progressive reporting. Want to ensure your voice is heard? Join me and restore the power of hard-hitting progressive journalism.

HELP TAKE BACK AMERICA
close-link