Email
Password
Remember meForgot password?
    Log in with Twitter

article imageAmerica's 911 system could be crippled by 400,000 infected phones

By James Walker     Sep 13, 2016 in Technology
Researchers have outlined how attackers could disable America's nationwide 911 emergency line using a botnet of 400,000 infected smartphones. The number would be sufficient to cripple the network and leave it overloaded, preventing people from dialling.
As The Next Web reports, the idea is explained in a paper from the Ben-Gurion University of the Negev. The team completed a research project assessing the feasibility of a distributed denial-of-service (DDoS) attack to take out America's 911 system. It found that handling 400,000 phones simultaneously would render the network unable to respond to legitimate callers, leaving people without access to emergency assistance.
All an attacker would need is smartphone malware capable of making outside calls. This could then be pushed through usual malware distribution channels until 400,000 phones are infected. At this point, the hacker would send out a wake-up call to the phones, forcing them to simultaneously dial 911 continually. The resulting waiting times for legitimate callers would be so unbearable that most people would simply hang up. Even if they stayed on the line, their chances of getting connected to an operator would be very slim.
The problem is caused by a lack of a blacklist system on 911's network. Because the emergency services are available to all, it doesn't make sense for operators to be able to block individual phones. However, this leads to a major weakness. 911 is vulnerable to DDoS attacks and cannot protect itself in the event one occurs.
According to the researchers, doubling the number of phones to 800,000 would even more dramatically knock out the network. On the other end of the scale, only a few thousand devices would be required to disable service in a single state. If an attacker wanted to knock out 911 in North Carolina, they'd need to hijack just 6,000 phones.
"In 2015 over 90 percent of American adults owned a cell phone, and 64 percent of the devices were smartphones," the researchers said. An attacker that recruits even a fraction of these devices to a botnet would give this attacker has the potential to deny 911 services to an entire state, or possibly the entire country."
The paper draws attention to an issue that has been quietly present for many years. The ease of exploit is comparatively high, the only major challenge for the hackers being the initial malware distribution. Millions of Android phones run software versions that are years-old and can be easily compromised. These devices would be key targets in such an attack.
If successfully accomplished, the attackers could cause havoc across states or the entire country. Legitimate callers would be unable to contact operators. For their part, operators would have no choice but to pick up every call, on the off chance that it's a human on the other end. There's no way to tell in advance whether a botnet is dialling the phone.
While the report concentrates specifically on America, it's likely that emergency hotlines across the world are vulnerable to similar attacks. The lack of blacklists combined with widespread public access could make them key targets for future criminals.
There's no easy fix to the problem either. 911 could stop taking calls from unregistered devices but this would leave people at risk if they have no SIM in their phone. Alternatives include automated mechanisms to detect the presence of humans or using the police to confiscate infected phones. Neither of these have simple implementations though and there's currently no sign that any firm protection will be arriving soon.
More about 911, Emergency calls, Smartphones, Mobile, Botnet
 
Latest News
Top News