It only takes 6,000 Smartphones.
Yes, you heard it right!
According to new research published last week, a malicious attacker can leverage a botnet of infected smartphone devices located throughout the country to knock the 911 service offline in an entire state, and possibly the whole United States, for days.
The attacker would only need 6,000 infected smartphones to launch automated Distributed Denial of Service (DDoS) attacks against 911 service in an entire state by placing simultaneous calls from the botnet devices to the emergency numbers.
However, as little as 200,000 infected mobile phones could knock the 911 emergency call system offline across the entire US.
Where does the Problem Lies?
Researchers from Ben-Gurion University of the Negev's Cyber-Security Research Center say the problem is in the fact that current US Federal Communications Commission (FCC) regulations demand all calls to 911 must immediately be routed to emergency services, regardless of the caller's identifiers.
In other words, mobile carriers re-route all 911 emergency calls to a local Public Safety Answering Point (PSAP) without even verifying the caller's identity or whether the caller is subscribers to the mobile network.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
These identifiers could be a phone's International Mobile Subscriber Identity (IMSI) and International Mobile Station Equipment Identity (IMEI) codes, which tell whether the caller is a subscriber to their service and identity of the mobile equipment, respectively.
How can Attackers Carry Out such Attacks?
All an attacker need is a mobile botnet to launch TDoS (Telephony Denial of Service) attacks. The attack can be carried out in two ways:
- By infecting smartphones with malware, or
- By buying the smartphones needed to launch the TDoS attack.
The rootkit can then mask and randomize all cellular identifiers, causing the cell phone to have no genuine identification within the cellular networks.
"Such anonymised phones [bots] can issue repeated  emergency calls that can not be blocked by the network or the emergency call centers, technically or legally," the team notes in the paper.Secondly, an attacker could simply buy 6,000 or 200,000 smartphones, which could cost $100,000 or $3.4 Million – a small sum for state-sponsored attackers – to jam 911 emergency system in an entire state or across the whole country respectively.
This TDoS attack should not come as a surprise, as during the 9/11 terror attack on the Twin Towers in New York City, thousands of legitimate callers collectively dialing 911 caused DDoS attacks on both telephony network as well as the emergency reporting system.
Of course, the team did not perform this attack in an actual, nationwide system. It created a small simulated cellular network based on North Carolina's 911 network and attacked it instead.
The team bot-infected Samsung Galaxy S3, S4 and S5 smartphones running Android 4.4 and 5.x operating system to test their work.
How can we prevent such DDoS campaign against our Emergency Services?
Such attacks are currently difficult to block, as PSAPs have no way to blacklist fake calls. Also, blocking at the network level is not possible beyond selectively turning off cellular service in bot-infested areas.
However, researchers suggest some countermeasures that can mitigate such attacks, which includes:
- Storing IMEIs and other unique identifiers in a phone's trusted memory region (like ARM-processor design TrustZone), where malware can not alter them.
- Implementing a mandatory "Call Firewall" on mobile devices to block DDoS activities like frequent 911 calls.
For in-depth and detailed information about the attack and possible mitigation procedures for US authorities, you can head on to the research paper [PDF] titled, '9-1-1 DDoS: Threat, Analysis and Mitigation.'