Slashdot Mirror

← Back to Stories (view on slashdot.org)

US 911 Emergency System Can Be Crippled By a Mobile Botnet (helpnetsecurity.com)

Posted by msmash on from the server-overload dept.

An anonymous reader writes: What would it take for attackers to significantly disrupt the 911 emergency system across the US? According to researchers from Ben-Gurion Univerisity of the Negev's Cyber-Security Research Center, as little as 200,000 compromised mobile phones located throughout the country. The phones, made to repeatedly place calls to the 911 service, would effect a denial-of-service attack that would made one third (33%) of legitimate callers give up on reaching it. And if the number of those phones is 800,000, over two thirds (67%) would do the same.

44 comments

  1. Phones shouldn't be able to auto dial a number by PrescriptionWarning · · Score: 2

    It seems to me the phone OS should require user input to initiate a call or send a text, even from an app, as the way to secure this issue.

    1. Re:Phones shouldn't be able to auto dial a number by Anonymous Coward · · Score: 0

      A compromised phone gives it's self permission.

    2. Re:Phones shouldn't be able to auto dial a number by Anonymous Coward · · Score: 0

      And any botnet would simply present/spoof the request to the phones OS as if it was legitimate user input. So regardless of how they try to modify the phones OS the software placing the call will simply adapt to the expected input.

      What they would need to do is make changes on the service providers network to detect DDOS style attacks from compromised phones and have mechanisms in place to curtail them on a network level. Which probably won't happen until after the first few of these attacks take place as implementing a system to deal with them would cost money.

    3. Re:Phones shouldn't be able to auto dial a number by dknj · · Score: 1

      I think we are forgetting how Malware and the nastier viruses work. Malware can and will override the OS's function which requires user input and instead returns a jump to its own code, which may do things like paint a fake image on the screen or otherwise make the user think nothing out of the ordinary is happening. Meanwhile your phone is initiating a call or text to E911.

      Welcome to 1980's phreaking all over again.

      -dk

    4. Re:Phones shouldn't be able to auto dial a number by Anonymous Coward · · Score: 0

      We just have to make sure the phone has signed code so we can neither update the OS nor repair the system when it is compromised.

    5. Re:Phones shouldn't be able to auto dial a number by Anonymous Coward · · Score: 0

      And how will the OS distinguish between actual user input and the same signal/event/whatever-Google-calls-it emitted by an application that has already totally compromised your OS? Once an exploit is running as root, all bets are off.

      Now consider this: there are still a few Million Androids in the wild that can be exploited via MMS to gain root privileges. Because apparently we live in the Dark Ages where chroot and jails don't exist, and the entire media stack runs in root-space (you can thank Google for that clusterfuck).

      What you have here is a recipe for disaster. A resourceful enemy would have no problem whatsoever knocking down the USA's emergency services prior to an attack.

    6. Re:Phones shouldn't be able to auto dial a number by wonkey_monkey · · Score: 1

      How can the phone, ultimately, be certain that a call was or was not user-initiated? If it's compromised, any number of methods could be used to fake it out and cause it to dial a number.

      It seems to me the phone OS shouldn't allow itself to be compromised. There, solved it!

      --
      systemd is Roko's Basilisk.
    7. Re:Phones shouldn't be able to auto dial a number by geekmux · · Score: 1

      It seems to me the phone OS should require user input to initiate a call or send a text, even from an app, as the way to secure this issue.

      You use the term "user input" as if cellular devices still maintain physical buttons.

      As others have pointed out, it's not hard to spoof "soft" interfaces.

    8. Re:Phones shouldn't be able to auto dial a number by tlhIngan · · Score: 1

      You use the term "user input" as if cellular devices still maintain physical buttons.

      As others have pointed out, it's not hard to spoof "soft" interfaces.

      And you believe a hard button can protect you. It can't - because it leads eventually to the same software that makes the phone call. In fact, an emergency call is really either a special command you send to the phone modem (which is really just an AT command - Hayes commands lives), or you do ATDT911 and there you go.

      At a higher level, the phone is handled by a layer of code that abstracts out the actual phone radio modem hardware from the OS, and it ends up being an API like "Dial" or "Call" at the low level.

    9. Re:Phones shouldn't be able to auto dial a number by Anonymous Coward · · Score: 0

      "it is self"?

      I give you permission to use the word "itself".

    10. Re:Phones shouldn't be able to auto dial a number by Anonymous Coward · · Score: 0

      This should be implemented in the hardware not software, that way even a compromised phone wouldn't be able to DDOS 911.

  2. Robocallers need to die by danbert8 · · Score: 1

    They are already doing an effective DDOS attack on everyone's phones. I'd guess over 2/3 of people don't even answer the phone unless the number is already in their contact list. They just let it go to voicemail.

    --
    Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
    1. Re:Robocallers need to die by Anonymous Coward · · Score: 0

      Exactly. I stopped answering numbers I do not recognize years ago.

    2. Re:Robocallers need to die by stealth_finger · · Score: 1

      I usually answer 'Hello, Burger King' or something, when they start talking about ppi or that car accident I was years ago I tell them it's a work phone and they hang up. If it's someone legit you take the call.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    3. Re:Robocallers need to die by stealth_finger · · Score: 1

      I also put the same false name on everything that needs a name but isn't an important thing so if they ask for him I know immediately it's a crap call.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    4. Re:Robocallers need to die by NormalVisual · · Score: 1

      I'd guess over 2/3 of people don't even answer the phone unless the number is already in their contact list. They just let it go to voicemail.

      Hell, most of the time I don't even answer my work phone. Almost every call that comes in is from the same telemarketing firm trying to sell me something.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
    5. Re: Robocallers need to die by Anonymous Coward · · Score: 0

      What? Now legit people think you work at Burger King. :(

    6. Re:Robocallers need to die by Sir+Holo · · Score: 1

      They are already doing an effective DDOS attack on everyone's phones. I'd guess over 2/3 of people don't even answer the phone unless the number is already in their contact list. They just let it go to voicemail.

      Worse, actually.

      HR Departments typically set up "phone rings". Call HR idiot #1, and it says "for immediate service, call HR idiot #2. Call HR idiot #2, and the message sends you to HR idiot #3.

      I have, on occasions of writing complaint letters, followed the chain all the way through to discover and document that idiot #nn refers me to HR idiot #1. That completes the loop, and is a good basis for a written complaint to the C-levels. Just be certain to record each call––it is a recording that does not respond when you state that "this call will be recorded."

  3. Uhm... yes? by andreas.hummelbrunne · · Score: 1

    So what's the news here?
    Also, saying that people wouldn't try reaching 911 is WRONG. The linked article states that it outright wouldn't be POSSIBLE for those percentages to get a call taker. It's not that people "give up". It's that people can't reach the emergency line!

    Unrelated: Why can't I tag something as !story anymore? Slashdot is getting worse every day.

  4. Oh! That's what it's called! by The-Ixian · · Score: 1

    I finally have the appropriate term for those times that I get a busy signal! Denial of service attack!

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re: Oh! That's what it's called! by Anonymous Coward · · Score: 0

      Mam, being stuck in an elevator is not an emergency. I suggest you call your superintendent.

      **calls again**

      Mam, this number is for emergencies only, prank calling 911 is a federal offense. I am blocking this number.

      - archer

      Can't they just temp block all the infected numbers? Until it's rangled back in and under control.

    2. Re: Oh! That's what it's called! by jeffmeden · · Score: 1

      How will they know who is infected? Release a botnet of their own that finds exploited handsets and phones home to flag them?

  5. LIKUD planning their next false flag attack... by Anonymous Coward · · Score: 0

    To re-enable US warfighting on their behalf, after the lull.

  6. pocket dial 911 has done it by Joe_Dragon · · Score: 1

    http://www.cnn.com/2015/10/05/...

    http://www.koamtv.com/story/25...

    http://www.lex18.com/story/330...

    1. Re:pocket dial 911 has done it by sims+2 · · Score: 1

      I remember one of the first cellphones we had if you held down the 1 button it dialed 911 so this has been a problem for years and no one seems to care to fix it.

      That particular phone got stuffed in the back of a seat when we found it it had been connected to 911 for two and a half hours.

      There was no one on the line though.

      --
      Minimum threshold fixed. Thanks!
    2. Re: pocket dial 911 has done it by Anonymous Coward · · Score: 0

      Holding down the 9 button will still do that in nearly every phone out there. It's a feature.

  7. They are wrong, it takes far fewer calls by Anonymous Coward · · Score: 3, Informative

    The article is full of errors, due to the researchers not understanding how the 9-1-1 system works. It only takes a handful of calls, perhaps 3-4 to tie up all the trunks from one call source into the switch that handles 9-1-1 (the switch is called a "Selective Router"). By design, the total number of trunks into the 9-1-1 call center (PSAP) is greater than that, so a single call source can't tie up all the trunks. However, all the wireless carriers use the same two companies to connect their networks to the 9-1-1 networks, and the total number of trunks into the PSAP is usually less than the sum of the trunks from each of these sources. As a result, you need far fewer calls to tie up all the call takers. In a large city, these numbers are bigger, but it's still less than 100. Once you have all the call takers on calls, the next call get's a busy indication. When the call taker hangs up, a new call is presented to them. In the scenario given, if the number of TDoS calls is much greater than the number of legitimate calls, then the probability of a legitimate call getting through is small.

    There isn't anything magic about running a DDoS/TDoS attack from a mobile network - they just imagined it would be easy to introduce malware into the Android/iOS systems. You could do it by attacking enterprise PBXs, or VoIP phones, or a cable phone network. Just about anywhere that there is a connection between the phone network and the Internet.

    There is a redesign of the system, called NG9-1-1, that has mechanisms to address TDoS/DDoS. It's starting to be deployed, but the mechanisms that are defined aren't being implemented very well and they wouldn't be effective even if uniformly implemented well until we get a decent percentage of PSAPs on the new system.

    1. Re:They are wrong, it takes far fewer calls by Anonymous Coward · · Score: 0

      Even if you solve the DOS issue at the channel level you're still limited by the number of call takers. Short of blacklisting a call source you cannot help that, and if you block all callers from a mobile network you're blocking a lot of legitimate traffic too as there's no way to distinguish them.

    2. Re:They are wrong, it takes far fewer calls by FrankHaynes · · Score: 1

      The BIGGEST problem is not this pie-in-the-sky DDoS attack, but the actual problem of hiring bored, couldn't-care-less call takers who sometimes get the call details right and if they don't...eh, somebody might figure it out while they're running down the road trying to find the incident. You know, people who are more interested in bitching about not getting the vacation time they wanted, not getting that shiny new headset that SHE has over in the next cubicle, and other things that are much more important than public safety.

      To say nothing of the gag order placed on Broward County, Florida call takers so that their new regional call centers appear to be totally flawless to the general public.

      But please, worry about this DDoS attack vector since it's techy and sexy.

      --
      slashdot: A failed experiment.
    3. Re:They are wrong, it takes far fewer calls by Anonymous Coward · · Score: 0

      Wow, I didn't know that was true of 911 operators. I worked in a private call center and can definitely say that true of our operators, but I figured that was because their pay was shit, there was no opportunity for advancement, their supervisors were petty and unfair, and in general the work was shit. (In other words, the only people who stayed operators as anything other than a temporary job literally could not do any other job, including flipping burgers.) I'd heard 911 actually paid decently.

  8. Shocked! by Chelloveck · · Score: 1

    Wow, abuse of a limited resource can overwhelm said resource? The hell you say!

    --
    Chelloveck
    I give up on debugging. From now on, SIGSEGV is a feature.
  9. It has already started by paulatz · · Score: 1

    We already have three botnets attacking the 911 system right now!! They are called the toddlers, the idiots and the butt-dialers

    --
    this post contain no useful information, no need to mod it down
  10. Bet it takes a smaller botnet for Israel by Righ · · Score: 3, Insightful

    Perhaps it's time for some American 'researchers' to publicise details on how simple it would be to DoS the Israel 100/101/102 emergency services.

  11. A trivial exploit by kheldan · · Score: 1

    Considering how much so-called 'smartphone' security resembles a colander more than it does a locked box, seems to me that compromising and taking control of even millions of them to use for such an attack would be relatively trivial to execute.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  12. Open Season, No Bag Limit by sycodon · · Score: 2

    It really should be Open Season with No Bag Limit on people running botnets of any kind.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  13. no shit, sherlock by YesIAmAScript · · Score: 1

    Did someone pay researchers to determine that calling operators takes up operators' time?

    --
    http://lkml.org/lkml/2005/8/20/95
  14. It's already happening! by Anonymous Coward · · Score: 1

    I was on hold for hours with Comcast customer service. It's obvious that was due to a DDOS attack on their phone system.

  15. edit! by blackomegax · · Score: 1

    "that would made"

  16. Yeah, except... by Anonymous Coward · · Score: 0

    ... On mobile, 911 calls in my location get dispatched to a regional center who then obtains the location from the person and connects to the proper local 911 center (may be county, may be a particular city, maybe next county over in some cases.)

    Landline callers get ported straight to the appropriate 911 center as defined for that landline's location.

    So no, a mobile botnet won't stop my being able to get an ambulance in an emergency.

  17. robots by Anonymous Coward · · Score: 0

    Anyone really interested in bringing down the entire US 911 phone system would probably be willing to invest in whatever physical button pushing robots where required to accomplish the task.

    Nice try.

  18. wake me up when sms/email 911 works by Anonymous Coward · · Score: 0

    Go ahead and wake me up when the pigs start answering their public email addresses. Methinks the problem is a little bigger than just voice.

  19. It usually works? by Sir+Holo · · Score: 1

    I have had to call 911 before –for a good and appropriate reason.

    911 didn't work then.

    How can anyone tell whether 911 is working as usual, or is crippled by a DDOS attack?!?

  20. Follow the money both ways by AHuxley · · Score: 1

    Who gets to set up 911 locally? Who gets to keep it all working? Who got the contracts to be on call for support? Who is very slowly upgrading the 911 networks at any cost to the tax payers over a long time?
    The money made keeping old systems working is worth more than any new replacement that would have good quality hardware and software in place but need less service calls.
    Why see a new system in place and more staff for real calls when that cash will be lost from local support costs.
    Thats the local good news stories about keeping the existing tech working.
    Other multinationals and international telco brands want equal tender consideration to rebuild the US 911 systems and will do anything to show the US public issues with the existing systems.
    Multinational sales reps pushing for changes to get access to the decades of new sensitive telco contracts at all levels of governments.

    --
    Domestic spying is now "Benign Information Gathering"
  21. Easy by Anonymous Coward · · Score: 0

    Stop taxing every line to pay for free emergency service calls.