
Hackers Can Disrupt 911 Services With Small Smartphone Botnet

Researchers have demonstrated that a botnet powered by only 6,000 smartphones is enough to cause serious disruption to the 911 emergency services of a U.S. state via what is known as a telephony denial-of-service (TDoS) attack.


When people in the United States dial the 911 emergency number, their telecom provider connects them to the enhanced 911 (E911) network, which routes the call to the nearest public safety answering point (PSAP), the call center responsible for dispatching police, firefighting and ambulance services.

According to researchers at the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel, emergency services can be easily disrupted by malicious actors with a fairly small distributed denial-of-service (DDoS) botnet.

One major problem is that the FCC requires wireless carriers to forward 911 calls to PSAP centers without going through the regular process of identifying callers and determining their subscriber status. This makes TDoS attacks launched from mobile devices more difficult to mitigate as attackers can randomize the phone’s identifiers in an effort to prevent blacklisting.

The attack scenario described by experts involves a botnet of Android phones infected with malware. As recent incidents have demonstrated, it is not difficult for malicious actors to infect even millions of smartphones, while the attack described by researchers only requires a few thousand phones to cause damage.

Once the smartphones are infected, the attackers can instruct the malware via command and control (C&C) servers to continuously call 911 from the compromised devices. There are three types of bots: non-anonymized, anonymized and persistent anonymized. Non-anonymized bots don’t make an effort to disguise the calling device’s IMSI and IMEI identifiers, making attacks easier to block.

Anonymized and persistent anonymized bots hide IMSI and IMEI information, and they reside in the firmware of the infected device’s baseband processor. This makes the malware more difficult to detect and remove, and the attack more difficult to block. Each type of malware can inject audio content into the 911 calls it makes in order to prevent the target from quickly distinguishing legitimate calls from automated ones.
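To make the blocking problem concrete from the defender's side, the following added example (not code from the researchers or from SecurityWeek) runs a per-identifier blocklist over a constructed call log and counts how many calls from each source still reach the PSAP. The record layout, the threshold of three calls per identifier pair, and all function names are assumptions made for illustration.

```python
from collections import Counter
import random

THRESHOLD = 3  # assumed policy: an (IMSI, IMEI) pair is blocked after 3 calls in the window

def make_calls(seed=7):
    """Constructed sample log of (source, imsi, imei) records for one time window."""
    rng = random.Random(seed)

    def fresh():
        # Random 15-digit strings standing in for identifiers (not real values).
        return (f"{rng.randrange(10**15):015d}", f"{rng.randrange(10**15):015d}")

    calls = [("legit",) + fresh() for _ in range(5)]   # 5 genuine callers, 1 call each
    for _ in range(2):                                 # 2 non-anonymized bots
        ident = fresh()                                # identifiers stay fixed
        calls += [("bot_plain",) + ident] * 20         # 20 calls per bot
    # 2 anonymized bots, 20 calls each, presenting new identifiers on every call
    calls += [("bot_anon",) + fresh() for _ in range(40)]
    rng.shuffle(calls)
    return calls

def apply_blocklist(calls, threshold=THRESHOLD):
    """Return a Counter of calls delivered to the PSAP, keyed by source label."""
    seen, blocked, delivered = Counter(), set(), Counter()
    for source, imsi, imei in calls:
        key = (imsi, imei)
        if key in blocked:
            continue                     # already blocklisted, call dropped
        seen[key] += 1
        if seen[key] > threshold:
            blocked.add(key)             # repeat caller crosses the threshold
            continue
        delivered[source] += 1
    return delivered

def bot_share(delivered):
    """Fraction of delivered calls that came from bots of either kind."""
    total = sum(delivered.values())
    return (delivered["bot_plain"] + delivered["bot_anon"]) / total

if __name__ == "__main__":
    result = apply_blocklist(make_calls())
    print(dict(result), f"bot share of delivered calls: {bot_share(result):.0%}")
```

The non-anonymized bots are cut off after a handful of calls, while every call from the anonymized bots is delivered because no identifier pair ever repeats, which is why a defence keyed on IMSI and IMEI alone does not help against them.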

Ben-Gurion University researchers created a small experimental cellular network that has allowed them to test TDoS attacks on 911 emergency services. They determined that a botnet of just 6,000 infected smartphones would be enough to seriously disrupt 911 services in a U.S. state such as North Carolina. A significant disruption across the United States can be accomplished with just 200,000 bots.

Emergency services is one of the United States’ critical infrastructure sectors and an attack could have serious consequences, but some experts are not very concerned.

“The research from Ben Gurion University in Israel certainly demonstrates there are issues within today’s 911 system, and we should absolutely fix them, but it does not mean the threat is imminent,” Rebekah Brown, threat intelligence lead at Rapid7, told SecurityWeek. “There is the potential that someone could execute this attack, but it would take time and effort, and a flood of calls after a natural disaster could have the same impact.”

“Historically, when we’ve seen real life attacks against emergency services, they have been for extortion or revenge (ex. angry ex-employees) and those type of actors do not typically have the time or skills to launch an attack of this kind,” Brown added. “With enough poking, we can find flaws in (nearly) any system, but that doesn’t mean that attackers will do what we think they can immediately.”

This is not the first time experts have warned about such attacks. In 2014, at the DefCon hacking conference, researchers disclosed potential vulnerabilities in the 911 emergency system and proposed solutions for addressing existing issues.

In 2013, the Department of Homeland Security (DHS) warned telecom providers of an increase in TDoS attacks against public safety communications. Last year, the University of Houston announced that it had been awarded $2.6 million by the DHS to develop technology designed to protect emergency response systems against DDoS attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
