Smartphone
Israeli cybersecurity experts have warned that malicious software hidden in mobile phones could be used to disable the US's 911 emergency calls network. iStock

Researchers have warned that the 911 emergency response phone system used in the US is vulnerable to cyberattacks, which could disrupt the network across the nation. According to a

Researchers at Israel's Ben-Gurion University say they have discovered a way to disable the emergency system across an entire state for an extended period using a telephony denial-of-service (TDoS) attack targeting 911 call centres.

Since the 911 emergency number was first instituted in the US in 1968, the emergency infrastructure relies on routing and connecting 911 calls to nearby public call centres, known as public safety answering points (PSAP).

But a hacker could cause mobile phones to call 911 automatically without a user's knowledge, essentially clogging up the PSAP's queues and preventing legitimate callers from reaching the service.

Federal Communications Commission (FCC) regulations stipulate that wireless carriers must forward all 911 calls to a PSAP, regardless of caller validation, giving a malicious hacker the perfect opportunity to exploit this ruling with an anonymized form of a distributed denial of service (DDoS) attack.

By placing a rootkit within the baseband firmware of a mobile phone, a hacker can mask and randomise a mobile phone's identifiers, essentially resulting in a device that has no identity in the cellular network.

"Such anonymised phones can issue repeated emergency calls that cannot be blocked by the network or the emergency call centres, technically or legally," researchers Mordechai Guri, Yisroel Mirsky and Yuval Elovici wrote in the report that was passed to the Department of Homeland Security before being released to the public.

"We found that with less than 6K bots (or $100K hardware), attackers can block emergency services in an entire state (e.g., North Carolina) for days. In this scenario, a caller would wait an additional 45sec-3min and call an average of three times to get emergency service."

To launch a cyberattack affecting the entire country, researchers found that just 200,000 infected phones distributed across the US would be enough to significantly disrupt 911 services nationwide.

What are DDos and DoS attacks?

During a denial of service (DoS) or a distributed denial of service (DDoS) attack, hackers attempt to overload a website's connections by sending in data requests from multiple sources.

Most often hackers use a 'botnet' – internet-connected PCs that are compromised by malware – to send in the requests to visit the site, without the users' knowledge.

The huge number of requests, which can reach thousands per second, overload the ability of a website's server to respond, eventually causing an error message to appear instead of the site's pages.

Making a DDoS attack – known as 'dosing' – is relatively simple. Botnets are available to hire on websites not reachable via search engines (deep web) or on encrypted websites (the dark web).

"This means that an attacker only needs to infect ~0.0006% of the country's population in order to successfully DDoS emergency services," they note. "Under these circumstances, an attacker can cause 33% of the nations' legitimate callers to give up in reaching 911.

The researchers note that this call volume could disrupt the telephone network itself, preventing legitimate 911 calls from reaching a PSAP – a dangerous situation that was "evident during the 9/11 terror attack which, in effect, caused the population to generate a DDoS attack on New York City's telephony network by collectively dialing 911".

Discussing possible solutions and preventative measures to minimise the impact of a possible attack, the researchers said a mandatory "call firewall" could be implemented to identify and block DDoS activities, such as frequent 911 calls.

Another solution would have PSAPs implement "Priority Queues" that would prioritise callers with more reliable identifiers when connecting someone to a call-taker.

However, they say that the biggest issues lie in the current regulations set in place by the FCC.

"Generally, PSAPs have no built-in way of blacklisting callers. Therefore, in the face of a large attack, they would have no choice but to answer each and every call," they wrote. "Even with a blacklisting system in place, the owner of an infected device would be blocked from legitimately receiving emergency services, even in a time of need."

The FCC estimates that about 70% of the more than 240 million calls Americans place to 911 call centres are placed from mobile phones – a figure that is consistently growing.

In April 2013, the FBI released a warning about the risk of TDoS attacks effecting US emergency services and private businesses. These TDoS attacks appeared to be linked to a fraud, in which a caller who pretended to be from a payday loan company called a representative of the organisation targetted. If the caller failed to extract money from the target, a TDoS was launched, tying up the institute's phone lines for an extended period.