911 emergency services can be knocked down by a mobile botnet

911 can only take so many emergency calls, especially when they’re fake.

Researchers at the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel have demonstrated that a theoretical botnet powered by 6,000 smartphones is enough to jeopardize the availability of 911 emergency services across the United States via a telephony denial-of-service (TDoS) attack. Though this type of attack has yet to be seen, it could have catastrophic consequences were it ever carried out.

When people in the U.S. dial the 911 emergency number, their telecom provider connects them to the enhanced 911 (E911) network, which routes the call to the nearest public safety answering point (PSAP), the call center responsible for dispatching police, firefighting and ambulance services.

Mordechai Guri, Yisroel Mirsky and Yuval Elovici of Ben-Gurion University have determined that bad actors can leverage a botnet to launch a distributed denial-of-service (DDoS) attack against 911 services.

To do so, attackers need only exploit the FCC’s E911 First Report and Order (1996), which states that wireless carriers must transmit all emergency calls to a PSAP regardless of whether the callers are subscribers to a mobile network.

Each 911 call placed by a wireless phone is picked up by a cell tower linked to a base station controller (BSC). The BSC transfers the call to a mobile switching center (MSC), which is connected to a selective router (SR). The SR delivers the call to a PSAP.

In the scenario described by the researchers, a network of Android phones infected with a specific type of malware (via malicious SMS/MMS, malvertising campaigns, or malicious apps) would be triggered via command and control (C&C) servers to automatically call 911 on repeat. The volume of calls would quickly overwhelm one or multiple public safety answering points and essentially make it impossible for anyone else to contact emergency responders to request assistance.

There are three types of bots: non-anonymized, anonymized and persistent anonymized. Non-anonymized bots don’t make an effort to disguise the calling device’s IMSI and IMEI identifiers, making attacks easier to block.

The researchers implemented particular bots by infecting the baseband firmware with a rootkit.

The researchers estimated that only 6,000 infected phones were enough to disrupt services statewide in an area the size of North Carolina, while it would only take an estimated 200,000 phones to disrupt the entire nationwide network.

Recognizing and stopping this type of attack is a challenge due to specific FCC regulations that require wireless carriers to automatically forward 911 calls without first identifying the caller and verifying their subscription status. This makes TDoS attacks launched from mobile devices more difficult to mitigate as attackers can randomize the phone’s identifiers in an effort to prevent blacklisting.
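The blacklisting problem described above can be shown with a small model. This is an added example, not code from the researchers or the article; the per-identifier threshold filter, the function names and the placeholder identifiers are all assumptions made for illustration.

```python
from collections import Counter

def make_calls(devices, calls_per_device, randomize_ids):
    """Build constructed 911 call records as (imsi, imei) tuples.

    Identifiers are labelled placeholders, not real IMSI/IMEI values.
    With randomize_ids=True every call presents a fresh pair, modelling
    the identifier randomization the article describes.
    """
    calls = []
    serial = 0
    for dev in range(devices):
        for _ in range(calls_per_device):
            if randomize_ids:
                serial += 1
                calls.append((f"imsi-rand-{serial}", f"imei-rand-{serial}"))
            else:
                calls.append((f"imsi-dev-{dev}", f"imei-dev-{dev}"))
    return calls

def blocklist_filter(calls, threshold):
    """Hypothetical filter: deliver up to `threshold` calls per (imsi, imei)
    pair, then block further calls from that pair.
    Returns (delivered, blocked)."""
    seen = Counter()
    delivered = blocked = 0
    for ident in calls:
        if seen[ident] >= threshold:
            blocked += 1
        else:
            seen[ident] += 1
            delivered += 1
    return delivered, blocked

def compare(devices=5, calls_per_device=20, threshold=3):
    """Run the same filter over fixed-identifier and randomized-identifier calls."""
    fixed = blocklist_filter(make_calls(devices, calls_per_device, False), threshold)
    randomized = blocklist_filter(make_calls(devices, calls_per_device, True), threshold)
    return {"fixed_ids": fixed, "randomized_ids": randomized}

if __name__ == "__main__":
    for label, (delivered, blocked) in compare().items():
        print(f"{label}: delivered={delivered} blocked={blocked}")
```

With fixed identifiers the filter blocks most of the repeat calls; with a fresh identifier pair on every call, the same filter blocks none of them, which is why identifier-based blacklisting alone does not protect a PSAP.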

More bots mean more firepower, so with a botnet numbering in the hundreds of thousands of infected devices, an attacker could potentially wreak havoc across the United States’ entire 911 framework. Some experts, however, are not very concerned. This is not the first time this type of attack has been acknowledged. In 2014, at the DefCon hacking conference, researchers disclosed potential vulnerabilities in the 911 emergency system and proposed solutions for addressing existing issues.

The Department of Homeland Security awarded the University of Houston a $2.6 million grant last year to develop technology designed to insulate emergency responder networks from DDoS attacks.

Motivated attackers would need to carry out a coordinated long-term strategy in order to make such an attack viable.
