Teenager Accidentally Launches DDoS Attack On 911 Systems (softpedia.com)

← Back to Stories (view on slashdot.org)

Teenager Accidentally Launches DDoS Attack On 911 Systems (softpedia.com)

Posted by EditorDavid on Saturday October 29, 2016 @05:34AM from the think-different dept.

A Phoenix teenager mistakenly tweeted a link to JavaScript exploit which forced iOS devices to automatically dial and re-dial 911. An anonymous reader quotes Softpedia: The teenager created several weaponized versions of this bug which would constantly dial a phone number, or show annoying popups. The teenager says he wanted to prank his friends, thinking it would be "funny," but when he shared the weaponized link online, he shared a version that instead of showing annoying popups, redialed a phone number, which in this case was 911.
In September researchers calculated just 6,000 smartphones can take down an entire state's 911 system, while more than 1,849 people clicked on this link, according to the article. Sheriff Joe Arpaio's office searched the teenager's home -- "several items were seized" -- and they've charged him with three felony counts for computer tampering.

27 of 152 comments (clear)

Min score:

Reason:

Sort:

Accidentally? by danhuby · 2016-10-29 05:39 · Score: 5, Insightful

Accidentally? Seems really unlikely. I'd like to see the code to see how that was possible.
1. Re:Accidentally? by Anonymous Coward · 2016-10-29 05:48 · Score: 5, Insightful
  
  The difference between "accidental" and "just for fun" is that the perpetrator didn't think he'd be punished for his prank. Calling 911 in this manner is generally considered a crime.
2. Re:Accidentally? by Dutch+Gun · 2016-10-29 06:25 · Score: 3, Insightful
  
  The "accident" was that he sent out malware links to a 911 dialer instead of an annoying popup generator to his friends, both of which he had created. Given that it would be blindingly obvious that he was the perpetrator, as he made no effort to conceal his identity, it seems improbable to me that he'd have sent out the 911 dialer deliberately. Besides which, one would assume you generally wouldn't want to cause trouble for your friends by forcing their phones to repeatedly call 911, unless you're a really terrible friend. I don't think anyone would dispute the weaponized code was created deliberately, of course.
  So, a rather stupid mistake, yes, but I doubt this was done maliciously.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
3. Re:Accidentally? by ShanghaiBill · 2016-10-29 06:30 · Score: 2
  
  Accidentally? Seems really unlikely.
  Similar things have happened before.
4. Re:Accidentally? by Registered+Coward+v2 · 2016-10-29 07:11 · Score: 2
  
  The question is: Even though the weaponized code was created deliberately, is it any different than mixing a few chemicals in your backyard just to SEE them blow up, with no intent of ever bombing the local police station? Is it that hard to believe that he wrote the code to say "Hey, I could do that" and then just stashed it somewhere?
  I would say it's a question of mens rea or was he criminally negligent. I think yu could argue he had no criminal attempt those possibly his "prank friends" comments could be taken as intent. I would argue he was negligent as he should have known the code would be used if he released it and failed to verify the code he did release was not the 911 version.
  
  --
  I'm a consultant - I convert gibberish into cash-flow.
5. Re:Accidentally? by 93+Escort+Wagon · 2016-10-29 08:27 · Score: 4, Insightful
  
  What's supposed to happen (on iOS anyway) is that an attempt to do this triggers a popup asking you to confirm that you wish to dial the number - specifically because of past problems like this.
  So while I doubt his story with regards to "accidentally" doing this - he did deliberately sent out an exploit to 1400 of his dearest friends, just not the one he may have intended to send - he certainly did discover a significant bug.
  On a side note... instead of jumping right to pressing felony charges against the guy - whatever happened to making stupid kids perform lots of community service time as payback for doing stupid things? Two or three hundred hours of working hard would still accomplish "deterrence", and also accomplish some good for the kid's community, without likely screwing up the rest of his life.
  
  --
  #DeleteChrome
6. Re:Accidentally? by demonlapin · 2016-10-29 09:37 · Score: 2
  
  He did this in Phoenix. Maricopa County, Arizona. Sheriff Joe Arpaio. That's why.
  
  Sheriff Joe isn't a nice guy, and he doesn't much worry about civil liberties. OTOH, he sure does keep the crime rate down, which is why he keeps getting reelected.
7. Re:Accidentally? by 93+Escort+Wagon · 2016-10-29 10:13 · Score: 3, Informative
  
  Ooh... I didn't remember that imbecile's name, but I am well aware of the rampant stupidity of the powers-that-be in Maricopa County.
  I did a quick Google search, and came across something interesting. While Maricopa's overall crime rate is lower than average (for comparably-sized municipalities), its violent crime rate is actually higher than average. So it sounds like this Sheriff isn't very effective when it comes to the criminals you'd actually want him to be catching. But if you want your sheriff to be keeping the kids in line, he's your man!
  "From our analysis, we discovered that violent crime in Maricopa occurs at a rate higher than in most communities of all population sizes in America. The chance that a person will become a victim of a violent crime in Maricopa; such as armed robbery, aggravated assault, rape or murder; is 1 in 443. This equates to a rate of 2 per one thousand inhabitants.
  Moreover, the rate of property crime in Maricopa; burglary, larceny ($50 or more), grand theft auto, and arson; is 16 per 1,000 residents. This is about average for all cities and towns in America of all population sizes."
  But it's Arizona, so the voters are mostly old and probably don't actually look up stuff. I'm guessing he trots out press releases (with his photo as the watermark!) on a regular basis, and it makes the retirees feel safe.
  
  --
  #DeleteChrome
8. Re:Accidentally? by demonlapin · 2016-10-29 11:13 · Score: 2
  
  That article you linked says it's at about the 30th percentile for Arizona: "Maricopa's crime rate is lower than approximately 69% of Arizona communities."
  
  When you live in a really safe area, and it's not your civil rights that get trampled on to make it so...
9. Re:Accidentally? by 93+Escort+Wagon · 2016-10-29 13:03 · Score: 2
  
  Right - as it says, the overall crime rate is lower but the violent crime rate is not. So the sheriff is basically only effective at weeding out minor offenders.
  Since the violent crime rate is not lower, I don't think you can refer to that as a "really safe" area. Unless people are inordinately scared of litterers.
  
  --
  #DeleteChrome
10. Re:Accidentally? by DarkOx · 2016-10-29 23:55 · Score: 2
  
  No that isn't why. He committed behavior that was defined by law to be felonious is why, if it was a misdemeanor he probably would be looking at community service and or a fine.
  Also Sheriff Joe is not in a position to make the decision anyway the most he can is recommend to the prosecutor the kid be charged with this or that, the ultimate decision is not his. Its the local prosecutor who does that. The most Sheriff Joe can do is make him miserable while he is waiting to be formally charged and while he awaits trial. If the court decides he should serve any part of his sentence in county lockup rather than a prison or juvenile facility, than Sheriff Joe can make him miserable for the duration.
  Seriously if you are going to complain about the abuses Arpaio might be committing at least get your facts strait. Arpaio might indeed be over stepping with his apparently harsh treatment of people who in many cases have not even been convicted yet. When you get the basic facts wrong like this though the rest of us are forced to assume you have been brain washed with "conservatives == bad".
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Charge Apple with contributory neglegence? Morris by davidwr · 2016-10-29 05:45 · Score: 5, Informative

After all, if it weren't for that bug bounty enticing him....
Seriously, this guy needs a firm slap on the wrist and a year or two of probation, not prison time.
When it comes to carelessness, this ranks up there with the Robert T. Morris Sendmail worm of 1988. Heck, I'd hold Morris to a higher standard than this guy since he (Morris) was a graduate student at the time and presumably knew what he was doing more than Desai.
By the way, Morris was elected Fellow of the ACM in 2014.
References:
https://scholar.google.com/sch...
http://awards.acm.org/award_wi...
And the not-always-reliable reference, Wikipedia:
https://en.wikipedia.org/w/ind...

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
there is no almost by Luthair · 2016-10-29 06:05 · Score: 3, Insightful

How do you almost crash the system or almost take it offline. Sounds like bullshit.
1. Re:there is no almost by fahrbot-bot · 2016-10-29 06:23 · Score: 2, Funny
  
  How do you almost crash the system or almost take it offline. Sounds like bullshit.
  How does your girlfriend almost get pregnant? Condom breaks while you're taking it off. A few more operational minutes in the field (as it were) could have taken her system online. But you dodged a bullet 'cause your run-time never lasts "a few more minutes". :-)
  
  --
  It must have been something you assimilated. . . .
Punishing the wrong person. by Gravis+Zero · 2016-10-29 06:10 · Score: 4, Insightful

What this teenager did was bring attention to a bug that never should have existed to start with. If they want to blame anyone, they should be blaming Apple for allowing it even be possible. But hey, they didn't hire cops for their intelligence. -_-

--
Anons need not reply. Questions end with a question mark.
Is this a record? by Archtech · 2016-10-29 06:13 · Score: 3, Insightful

A huge safety-critical network that can be crashed ***by accident***! What a magnificent design achievement! Just imagine what could be done by someone competent who was actually trying to crash it...

--
I am sure that there are many other solipsists out there.
1. Re:Is this a record? by F.Ultra · 2016-10-29 06:43 · Score: 3, Insightful
  
  A lot of our infrastructure relies on people being honest, and it actually works most of the time. Call the police, fire department or ambulance enough times and you will DDoS all of them since there are a limited number of such units to send.
2. Re:Is this a record? by xlsior · 2016-10-29 07:19 · Score: 2, Interesting
  
  It's not so much that it 'crashes' 9-11, it simply ties up all the available operators so there won't be anyone available to answer the *real* emergency call coming in at the same time -- there's only so many dispatchers available to answer calls, after all. Too many calls is too many calls, regardless of how competent the initiator is.
  
  Other than prioritizing certain calls (e.g. the ones that haven't been calling you a thousand times already today) there's not a whole lot you can do to mitigate this while remaining available to everyone.
  
  (There often already are other call routing prioritizations in place, e.g. if there is an incoming landline and cellphone call at the same time and only one dispatcher available, they'd typically answer the landline first -- A single car accident on a busy freeway can generate dozens of incoming cellphone calls reporting the same accident, while a landline call is more likely to be a new incident that needs action.)
Lessons learned. by fahrbot-bot · 2016-10-29 06:14 · Score: 2

Friends don't let friends enable JavaScript.
(Man, if only is was that easy. Seems a LOT of sites use and/or require JS when they really don't need to -- and I'm looking at you too /.)

--
It must have been something you assimilated. . . .
Re:Send him to gitmo by Black+Parrot · 2016-10-29 06:36 · Score: 3, Funny

He's probably a Linux hacker. This domestic terrorism must be dealt with in the harshest way possible.
Make him use a Linux desktop?

--
Sheesh, evil *and* a jerk. -- Jade
Is it worth it? by liquid_schwartz · 2016-10-29 07:01 · Score: 3, Interesting

I always felt that one question that should be asked is it is worth jailing this person for three felonies worth? With prison costs of $60K a year I don't think it's worth this much taxpayer money unless someone actually got hurt. Make him agree not to do it again, give him probation and community service, and threaten to not be so nice next time should someone else duplicate this.
Apple released a patch by ChadSmith4920 · 2016-10-29 07:01 · Score: 2

Users are now required to dial 0118 999 881 99 9119 7253
Re: Charge Apple with contributory neglegence? Mor by Joe_Dragon · 2016-10-29 07:18 · Score: 2

before 9/11 you where able to get away with that. Now days he will lucky get in to the juvenile system.
Re:Charge Apple with contributory neglegence? Morr by thegarbz · 2016-10-29 07:54 · Score: 2

The amazing thing about making examples out of carelessness is that it doesn't work. If he actually didn't intend to bring down 911 then making an example of him would be zero deterrence to other people who also don't actually intend to bring it down.
What you would do is fuck up someone's life, but that's the American way right. White picket fence for the law abiding Christians going around in the rat race, and completely fucking the lives up of everyone else, imprisonment, joblessness, homelessness, dependency on handouts, etc. Yeah that's much better.
Re:Off topic but... by BitterOak · 2016-10-29 08:46 · Score: 2

Fuck Sheriff Joe Arpaio. That's all I have to say, and it's not related to this article
There are a lot of legitimate reasons why people may dislike Sheriff Arpaio, but as far as I can tell, he acted appropriately in this instance.

--
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Re:Absurd -- charge the device maker instead by anegg · 2016-10-29 09:29 · Score: 3, Insightful

(1) He's 18 years old - that's an adult with the right to vote, the ability to make contracts, etc., despite the fact that he can be described as a "teenager."
(2) The fact that it was "easy" doesn't excuse the behavior, in my opinion. It's "easy" to drive an automobile recklessly and hurt someone. It's "easy" to take a gun and start plinking in a residential neighborhood. Its "easy" to fool around and knock someone off of a cliff while out hiking. It's "easy" to play with matches and start a fire in a building. The world isn't structured so that actions that can do significant damage are "hard" to initiate; we depend upon people being aware of the consequences of their actions and acting accordingly. We don't excuse people for actions just because they were "easy" to undertake. His behavior was at best extremely careless, and at worst was deliberate and only regretted when it went really sideways.
This individual engaged in actions that predictably had serious consequences. The court will determine whether he was thoroughly aware of the consequences, and act accordingly. Most of us manage to avoid requiring that level of government oversight. Some of us, especially in our early adulthood, need the administration of corrective discipline.
Re:Absurd -- charge the device maker instead by sjames · 2016-10-29 11:01 · Score: 2

(1) He's 18 years old - that's an adult with the right to vote, the ability to make contracts, etc.
But not old enough to drink, so clearly under law he has diminished responsibility.