An 18-year-old teen from Arizona was arrested this week after one of his iOS exploits caused serious disruption to 911 emergency systems.
According to the Maricopa County Sheriff’s Office, Meetkumar Hiteshbhai Desai was booked on three counts of Computer Tampering, which in this case is a Class 2 felony, considered an extremely serious crime in Arizona and other states, due to the fact that it involved critical infrastructure.
The Maricopa County Sheriff’s Office Cyber Crimes Unit launched an investigation after being notified of disruption to the 911 service in the Phoenix metro area and possibly in other states.
Desai apparently learned of an iOS bug that can be exploited to manipulate devices, including trigger pop-ups, open email, and abuse phone features. The teen created several exploits and published one of them on a website, linking to it from his Twitter account in an effort to prank his followers.
While Desai claimed he wanted to publish a link to an exploit that only displayed pop-ups and caused devices to reboot, he mistakenly tweeted a link to an exploit that caused iPhones and iPads to continually dial 911 and hang up.
According to police, the link pointing to the exploit was shared with more than 12,000 followers and clicked over 1,800 times. The Maricopa County Sheriff’s Office ultimately managed to shut down the website hosting the exploit.
The police department in Surprise, Arizona, received more than 100 hang-up calls to its 911 service within minutes, which could have caused their switches to lose service. Agencies in California and Texas, the Peoria Police Department, and the Maricopa County Sheriff’s Office also received calls triggered by Desai’s exploit.
Desai claimed he was trying to find iOS vulnerabilities that he could report to Apple for monetary rewards and recognition. He said he did not mean to publish the exploit designed to call 911 as he knew it was illegal.
Researchers revealed last month that 911 emergency services in a U.S. state can be disrupted by a botnet powered by only 6,000 smartphones.
Security professionals sometimes get into a quarrel with the companies whose products and services they are analyzing. However, there are cases where experts have been charged and even convicted over their research.
One of the most well-known cases involves Andrew Auernheimer, who in 2013 was sentenced to 41 months in prison after he hacked into AT&T servers. A more recent case involves David Levin, owner of Vanguard Cybersecurity, who was arrested and later sentenced to 20 days in jail after exploiting a vulnerability he found on a Florida elections website.
