Researchers have demonstrated that a botnet powered by only 6,000 smartphones is enough to cause serious disruption to the 911 emergency services of a U.S. state via what is known as a telephony denial-of-service (TDoS) attack.
When people in the United States dial the 911 emergency number, their telecom provider connects them to the enhanced 911 (E911) network, which routes the call to the nearest public safety answering point (PSAP), the call center responsible for dispatching police, firefighting and ambulance services.
According to researchers of the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel, emergency services can be easily disrupted by malicious actors with a fairly small distributed denial-of-service (DDoS) botnet.
One major problem is that the FCC requires wireless carriers to forward 911 calls to PSAP centers without going through the regular process of identifying callers and determining their subscriber status. This makes TDoS attacks launched from mobile devices more difficult to mitigate as attackers can randomize the phone’s identifiers in an effort to prevent blacklisting.
The attack scenario described by experts involves a botnet of Android phones infected with malware. As recent incidents have demonstrated, it is not difficult for malicious actors to infect even millions of smartphones, while the attack described by researchers only requires a few thousand phones to cause damage.
Once the smartphones are infected, the attackers can instruct the malware via command and control (C&C) servers to continuously call 911 from the compromised devices. There are three types of bots: non-anonymized, anonymized and persistent anonymized. Non-anonymized bots don’t make an effort to disguise the calling device’s IMSI and IMEI identifiers, making attacks more easy to block.
Anonymized and persistent anonymized bots hide IMSI and IMEI information, and they reside in the firmware of the infected device’s baseband processor. This makes the malware more difficult to detect and remove, and the attack more difficult to block. Each type of malware can inject audio content into the 911 calls they make in order to prevent the target from quickly distinguishing legitimate calls from automated ones.
Ben-Gurion University researchers created a small experimental cellular network that has allowed them to test TDoS attacks on 911 emergency services. They determined that a botnet of just 6,000 infected smartphones would be enough to seriously disrupt 911 services in a U.S. state such as North Carolina. A significant disruption across the United States can be accomplished with just 200,000 bots.
Emergency services is one of the United States’ critical infrastructure sectors and an attack could have serious consequences, but some experts are not very concerned.
“The research from Ben Gurion University in Israel certainly demonstrates there are issues within today’s 911 system, and we should absolutely fix them, but it does not mean the threat is imminent,” Rebekah Brown, threat intelligence lead at Rapid7, told SecurityWeek. “There is the potential that someone could execute this attack, but it would take time and effort, and a flood of calls after a natural disaster could have the same impact.”
“Historically, when we’ve seen real life attacks against emergency services, they have been for extortion or revenge (ex. angry ex-employees) and those type of actors do not typically have the time or skills to launch an attack of this kind,” Brown added. “With enough poking, we can find flaws in (nearly) any system, but that doesn’t mean that attackers will do what we think they can immediately.”
This is not the first time experts have warned about such attacks. In 2014, at the DefCon hacking conference, researchers disclosed potential vulnerabilities in the 911 emergency system and proposed solutions for addressing existing issues.
In 2013, the Department of Homeland Security (DHS) warned telecom providers of an increase in TDoS attacks against public safety communications. Last year, the University of Houston announced that it had been awarded $2.6 million by the DHS to develop technology designed to protect emergency response systems against DDoS attacks.