The 911 emergency phone system was first implemented in 1968 and saves thousands of lives through its ability to quickly route calls to emergency responders closest to a caller. A group of researchers say they’ve found a way to effectively disable the 911 emergency system across an entire state for an extended period of time by simply launching what’s known as a denial-of-service attack (DoS attack) against 911 call centers. The tactic involves infecting mobile phones to cause them to automatically make bogus 911 calls — without their owners’ knowledge — thereby clogging call-center queues and preventing legitimate callers from reaching operators.
The researchers say it would take just 6,000 infected smartphones in a geographical area — something hackers could easily accomplish — to launch an attack sufficient to disrupt the 911 system throughout the entire state of North Carolina, and just 200,000 infected phones distributed across the U.S. to significantly disrupt 911 services around the nation.
The researchers at Ben Gurion University in Israel wrote in a paper, “Under these circumstances, an attacker can cause 33 percent of the nation’s legitimate callers to give up in reaching 911.”
The call capacity of 911 systems is exceptionally limited, and in many cases just three to five circuits process all 911 calls for a 911 center, Forgety said. “Three to five circuits is trivial to overwhelm. I can do it with a pocketful of cellphones.”
The federal government considers the 911 system to be part of the nation’s critical infrastructure on par with the power grid, water treatment plants and dams. Americans make more than 240 million calls annually to more than 7,000 call centers scattered across the country. About 70 percent of these calls now come from mobile phones. But the technology used to process these calls hasn’t kept pace with security needs, experts say.
An attack could be prolonged for days using techniques that would prevent authorities from halting the bogus calls. The problem would be exacerbated as legitimate callers trying to get through made repeated calls that further clogged the lines.
Countermeasures and mitigation
The researchers say state authorities could resolve the problem in part by making sure they have redundancy in 911 networks so that a single router doesn’t become a major point of failure in an attack.
Federal authorities could also address the problem by telling carriers they no longer have to process calls from phones that aren’t attached to a service plan. The FCC introduced a proposal last year to consider doing this, since such phones are already a problem for a different reason — many pranksters use these phones to make bogus 911 calls, since the calls can’t be traced to them.
Public safety groups expressed support for the FCC proposal to eliminate the requirement, but the movement stalled this year because the FCC only plans to eliminate the requirement that carriers process such calls, not ban carriers from processing them, which would give them legal protection.
Another way to address the problem would be to alter phone hardware in a way that would prevent attackers from changing the IMSI and IMEI numbers on smartphones and replacing them with random ones. Or hardware makers could install a firewall on their devices that would detect and block repeated 911 calls that have the characteristics of botnet activity. Both of these solutions, however, would take time to implement and require the cooperation of phone manufacturers.