Ben-Gurion University of the Negev (BGU) researchers, who exposed vulnerabilities in 911 systems due to distributed denial of service attacks (DDoS) back in 2016, say the next generation of 911 systems that now accommodate text, images and video still have the same or more severe issues.
Denial-of-service attacks against 911 systems have been discussed as a concept at hacker conferences for years. And in 2013, something occurred that indicated that attackers have 911 call centers in their sights. DHS and the FBI issued a warning to states about several DDoS attacks that had been launched against the administrative lines of various 911 call centers. Although these attacks didn’t target the 911 emergency lines themselves, they demonstrated the potential danger from DDoS attacks against the 911 system. The perpetrators launched the attacks as part of an extortion plot — after first demanding money and being turned down, they “launched high volume of calls against the target network, tying up the system from receiving legitimate calls,” according to the DHS alert.
In 2018, A court sentenced Randall Charles Tucker to 20 months in prison for launching DDoS attacks against city websites, including damaging attacks against Madison, Wisconsin. As well as taking down the city’s website, the attacks”crippled” its emergency communication system to the point where first responders struggled to reach the 911 center. It also hampered the automatic dispatching for emergency crews.
In the new study, BGU researchers evaluated the impact of DDoS attacks on the current (E911) and next generation 911 (NG911) infrastructures in North Carolina. The research was conducted by Dr. Mordechai Guri, head of research and development, BGU Cyber Security Research Center (CSRC), and chief scientist at Morphisec Technologies, and Dr. Yisroel Mirsky, senior cyber security researcher and project manager at the BGU CSRC.
In recent years, organizations have experienced countless DDoS attacks, during which internet-connected devices are flooded with traffic – often generated by many computers or phones called “bots” that are infected by malware by a hacker and act in concert with each other. When an attacker ties up all the available connections with malicious traffic, no legitimate information – like calling 911 in a real emergency – can make it through.
“In this study, we found that only 6,000 bots are sufficient to significantly compromise the availability of a state’s 911 services and only 200,000 bots can jeopardize the entire United States,” Dr. Guri explains.
When telephone customers dial 911 on their landlines or mobile phones, the telephone companies’ systems make the connection to the appropriate call center. Due to the limitations of original E911, the U.S. has been slowly transitioning the older circuit-switched 911 infrastructure to a packet-switched voice over IP (VoIP) infrastructure, NG911. It improves reliability by enabling load balancing between emergency call centers or public safety answering points (PSAP). It also expands 911 service capabilities, enabling the public to call over VoIP, transmit text, images, video, and data to PSAPs. A number of states have implemented this and nearly all other states have begun planning or have some localized implementation of NG911.
Many internet companies have taken significant steps to safeguard against this sort of online attack. For example, Google Shield is a service that protects news sites from attacks by using Google’s massive network of internet servers to filter out attacking traffic, while allowing through only legitimate connections. However, phone companies have not done the same.
To demonstrate how DDoS attacks could affect 911 call systems, the researchers created a detailed simulation of North Carolina’s 911 infrastructure, and a general simulation of the entire U.S. emergency-call system. Using only 6,000 infected phones, it is possible to effectively block 911 calls from 20% of the state’s landline callers, and half of the mobile customers. “In our simulation, even people who called back four or five times would not be able to reach a 911 operator to get help,” Dr. Guri says.
The countermeasures that exist today are difficult and not without flaws. Many involve blocking certain devices from calling 911, which carries the risk of preventing a legitimate call for help. But they indicate areas where further inquiry – and collaboration between researchers, telecommunications companies, regulators, and emergency personnel – could yield useful breakthroughs.
For example, cellphones might be required to run a monitoring software to blacklist or block themselves from making fraudulent 911 calls. Or 911 systems could examine identifying information of incoming calls and prioritize those made from phones that are not trying to mask themselves.
“Many say that the new NG911 solves the DDoS problem because callers can be connected to PSAPs around the country, not just locally,” Dr. Mirsky explains. “Nationally, with complete resource sharing, the rate that callers give up trying — called the ‘despair rate’ — is still significant: 15% with 6,000 bots and 43% with 50,000 bots.
“But the system would still need to communicate locally to dispatch police, medical and fire services. As a result, the despair rate is more likely to be 56% with 6,000 bots –worse than using the original E911 infrastructure.”
In 2016, BGU researchers found a way to effectively disable the 911 emergency system across an entire state for an extended period of time by simply launching what’s known as a TDoS attack, or telephony denial-of-service attack, against 911 call centers.
Trey Forgety, director of government affairs for the National Emergency Number Association said at the time that the BGU researchers had “accurately characterized the problem with the 911 system”. He said his group has long been aware of the potential for a TDoS attack and brought it to the attention of DHS as long ago as 2012. “We actually believe that the vulnerability is in fact worse than [the researchers] have calculated,” he added.
Now, Dr. Guri believes the new research will assist the respective organizations, lawmakers and security professionals in understanding the scope of this issue and aid in the prevention of possible future attacks on the 911 emergency services. “It is critical that 911 services always be available – to respond quickly to emergencies and give the public peace of mind,” Dr. Guri concluded.
Also contributing to the latest NG911 research is Prof. Yuval Elovici, director of the BGU CSRC and Telekom Innovation Labs at BGU.