Since most folks walk around with their mobile phones, and many have done away with their landline phone service at home, a good portion of calls made to 911 come from smartphones. Researchers from Ben Gurion University were the first to study what would happen if a mobile phone botnet were to launch a DDoS attack on 911 services. What they found, basically, is that such a telephony denial of service (TDoS) attack would cripple the 911 emergency system.
In the research paper “9-1-1 DDoS: Threat, Analysis and Mitigation”, the researchers said that it would take less than 6,000 “bots (or $100K hardware)” for attackers to “block emergency services in an entire state (e.g., North Carolina) for days.”
The bots would be the result of infected mobile phones. Phone owners would not realize their phones were infected, part of the botnet, and making 911 calls. Researchers said 50,000 infected smartphones could prevent 90% of all North Carolina wireless 911 callers from reaching an emergency call taker. If 200,000 smartphones were infected by attackers, then the resulting TDoS attack could “jeopardize” 911 services across America.
The team simulated a cellular network modeled after the 911 network in North Carolina and then showed how attackers could exploit it. For starters, the team described an anonymized “DDoS attack on 911 that cannot be blocked through conventional means.”
Attackers could exploit cellular network protocols by placing a rootkit “within the baseband firmware of a mobile phone;” the rootkit could “mask and randomize all cellular identifiers.” They explained that a “bot placed within the baseband firmware of a mobile phone can alter the internal protocol stack and render the device to have no genuine identification within the 2G, 3G, and 4G cellular networks. Such a bot can issue repeated emergency calls that cannot be blocked, technically or legally, by the network or the emergency call centers.”
A big part of the research included how many unanswered call attempts it would take for 911 callers to give up trying to reach the service. They determined that “at the country-level,” as “little as 200,000 bots distributed across the population of the US, is enough to significantly disrupt 911 services across the US. This means that an attacker only needs to infect ~0.0006% of the country’s population in order to successfully DDoS emergency services. … Under these circumstances, an attacker can cause 33% of the nation’s legitimate callers to give up in reaching 911.”
The report, which also proposed various prevention and mitigation measures, was handed over to DHS before being released to the public.
Past TDoS attacks resulted in DHS alert warning
Past examples of TDoS attacks include one against a hospital’s intensive care unit phone system after an ICU nurse refused to pay payday loan scammers; another was crowd-sourced and launched against a financial firm after it gave a negative rating to a popular company. It happened enough that by 2013, Homeland Security issued an alert about TDoS attacks being used as part of an extortion scheme. At the time, there had been 600 such attacks against various victims, with 200 of those aimed at “public safety” systems.
How realistic is the 911 mobile botnet hacking threat?
How realistic is the hacking threat? First, thousands of phones would have to be infected to pull this off.
It is true that people would only call 911 so many times during an emergency, hearing a busy signal instead of reaching a 911 operator, before giving up and trying to give aid themselves during life-threatening crises. Clearly the 911 system has security issues which should be resolved, especially since it is considered to be part of US critical infrastructure; however, the same outcome could occur during or after a natural disaster.
A DDoS attack can knock a site offline, but the same thing can happen when the traffic is not malicious. Sometimes, if a post becomes popular on social networks, a site simply cannot stay up under the flood of legitimate traffic.
In much the same way, if a natural or other massive disaster were to occur, 911 could go down during the emergency under the flood of legitimate, not TDoS, calls.
Nevertheless, the researchers told The Washington Post, “Authorities need to act soon since it will only be a matter of time before attackers target 911 systems — if they haven't already.”
Even if the hacking threat were eliminated, there are glitches that could take down 911. For example, an equipment failure was cited as the cause of knocking out DC’s 911 service for over 90 minutes in August.