911 calls vulnerable to hackers; researchers find no good way to prevent attacks

© Max Whittaker
When people call 911, they expect a fast response to their emergencies. Hackers can use networked cellphones to attack and disrupt the 911 system for the entire US, however ‒ and do it using less than $3.5 million worth of hardware, a new study has found.

Researchers at Israel’s Ben Gurion University tested just how vulnerable the US 911 system is to anonymized distributed denial of service (DDoS) attacks launched from a mobile phone botnet by launching just such an attack in North Carolina.

“We found that with less than 6K bots (or $100K hardware), attackers can block emergency services in an entire state (e.g., North Carolina) for days,” they wrote in a paper that they previously passed to the US Department of Homeland Security and released publicly on Friday. “In this scenario, a caller would wait an additional 45sec-3min... and call an average of three times to get emergency service.”

It wouldn’t take much to go from affecting the state to affecting the entire US, either.

“At the country-level, we found that as little as 200,000 bots, distributed across the population of the US, is enough to significantly disrupt 911 services across the US,” the researchers wrote. “This means that an attacker only needs to infect ~0.0006% of the country’s population in order to successfully DDoS emergency services... Under these circumstances, an attacker can cause 33% of the nations’ legitimate callers to give up in reaching 911.”

The result would be similar to what the residents of New York City faced during the September 11, 2001 terrorist attacks due to the large volume of calls to 911, they noted, “which, in effect, caused the population to generate a DDoS attack on New York City’s telephony network by collectively dialing 911.”

In their paper, the researchers discussed ways in which “an anonymous, unblockable 911-DDoS attack from mobile phones” might be launched. They then proceeded to carry out such an attack “on a small cellular network,” followed by a simulated attack “on a reconstruction of actual E911 infrastructure,” which they based on “real call volume statistics, network topologies, and configurations.” From there, they analyzed the weaknesses of the current 911 network and measured the number of bots required to accomplish such an attack.

They also discussed ways in which a DDoS attack might be prevented or, at the very least, its effects lessened. The biggest problems with the current set up ‒ including rules put in place by the Federal Communications Commission (FCC) ‒ are that 911 call centers, called public-safety answering points or PSAPs, “have no built-in way of blacklisting callers. Therefore, in the face of a large attack, they would have no choice but to answer each and every call,” the researchers wrote. “Even with a blacklisting system in place, the owner of an infected device would be blocked from legitimately receiving emergency services, even in a time of need.”

So even if PSAPs had the technology to prevent such an attack, there would be ethical and legal reasons not to do so. People must be able to get through to 911 from their mobile phones, even if their cells are infected with a bot performing a DDoS attack, for instance. Making sure there is a human on the other end by having the caller press certain buttons ‒ similar to ‘captcha’, a process used on the internet to make sure a purchaser or commenter isn’t a bot ‒ is an already-existing preventative measure, but “may still lead to an overload in the network if there are too many bots.”

Of the mitigating measures that the researchers tried, “Call Firewall was the most effective since it minimizes the load on the network and the consumption of PSAP trunks. However, this solution must be implemented in a trusted layer of the mobile phone,” they wrote. Other options, like blocking “callers who abuse 911 (e.g. prank callers) by implementing and enforcing a Blacklist DDoS of Callers” won’t work because prank callers can still have legitimate emergencies, while silence detection is problematic for the deaf community or for people in unsafe situations who can’t respond to questions from the call center.

“As a last resort, law enforcement can Locate [and] Collect the DDoS Devices,” the researchers wrote. “This approach is not effective because locating a device is a joint effort between the police and the PSAP staff that can take anywhere between 30 minutes and 30 hours requiring a lot of the police and PSAP staff’s time.”

In North Carolina alone, they estimated, it would take law enforcement more than a week to capture the majority of an attack based on 6,000 bots.