Security

US 911 Emergency System Can Be Crippled By a Mobile Botnet (helpnetsecurity.com) 44

An anonymous reader writes: What would it take for attackers to significantly disrupt the 911 emergency system across the US? According to researchers from Ben-Gurion University of the Negev's Cyber-Security Research Center, as little as 200,000 compromised mobile phones located throughout the country. The phones, made to repeatedly place calls to the 911 service, would effect a denial-of-service attack that would made one third (33%) of legitimate callers give up on reaching it. And if the number of those phones is 800,000, over two thirds (67%) would do the same.
  • It seems to me the phone OS should require user input to initiate a call or send a text, even from an app, as the way to secure this issue.
      • by sims 2 ( 994794 )

        I remember one of the first cellphones we had: if you held down the 1 button it dialed 911, so this has been a problem for years and no one seems to care to fix it.

        That particular phone got stuffed in the back of a seat; when we found it, it had been connected to 911 for two and a half hours.

        There was no one on the line though.

    • by dknj ( 441802 )

      I think we are forgetting how Malware and the nastier viruses work. Malware can and will override the OS's function which requires user input and instead returns a jump to its own code, which may do things like paint a fake image on the screen or otherwise make the user think nothing out of the ordinary is happening. Meanwhile your phone is initiating a call or text to E911.

      Welcome to 1980's phreaking all over again.

      -dk

    • How can the phone, ultimately, be certain that a call was or was not user-initiated? If it's compromised, any number of methods could be used to fake it out and cause it to dial a number.

      It seems to me the phone OS shouldn't allow itself to be compromised. There, solved it!

    • It seems to me the phone OS should require user input to initiate a call or send a text, even from an app, as the way to secure this issue.

      You use the term "user input" as if cellular devices still maintain physical buttons.

      As others have pointed out, it's not hard to spoof "soft" interfaces.

      • by tlhIngan ( 30335 )

        You use the term "user input" as if cellular devices still maintain physical buttons.

        As others have pointed out, it's not hard to spoof "soft" interfaces.

        And you believe a hard button can protect you. It can't - because it leads eventually to the same software that makes the phone call. In fact, an emergency call is really either a special command you send to the phone modem (which is really just an AT command - Hayes commands lives), or you do ATDT911 and there you go.

        At a higher level, the phone is handle

    • It really should be Open Season with No Bag Limit on people running botnets of any kind.

  • They are already doing an effective DDOS attack on everyone's phones. I'd guess over 2/3 of people don't even answer the phone unless the number is already in their contact list. They just let it go to voicemail.

    • I'd guess over 2/3 of people don't even answer the phone unless the number is already in their contact list. They just let it go to voicemail.

      Hell, most of the time I don't even answer my work phone. Almost every call that comes in is from the same telemarketing firm trying to sell me something.
    • They are already doing an effective DDOS attack on everyone's phones. I'd guess over 2/3 of people don't even answer the phone unless the number is already in their contact list. They just let it go to voicemail.

      Worse, actually.

      HR Departments typically set up "phone rings". Call HR idiot #1, and it says "for immediate service, call HR idiot #2." Call HR idiot #2, and the message sends you to HR idiot #3.

      I have, on occasions of writing complaint letters, followed the chain all the way through to discover and document that idiot #nn refers me to HR idiot #1. That completes the loop, and is a good basis for a written complaint to the C-levels. Just be certain to record each call––it is a recording that

  • So what's the news here?
    Also, saying that people wouldn't try reaching 911 is WRONG. The linked article states that it outright wouldn't be POSSIBLE for those percentages to get a call taker. It's not that people "give up". It's that people can't reach the emergency line!

    Unrelated: Why can't I tag something as !story anymore? Slashdot is getting worse every day.

  • I finally have the appropriate term for those times that I get a busy signal! Denial of service attack!

  • by Anonymous Coward on Tuesday September 13, 2016 @11:21AM (#52879101)

    The article is full of errors, due to the researchers not understanding how the 9-1-1 system works. It only takes a handful of calls, perhaps 3-4 to tie up all the trunks from one call source into the switch that handles 9-1-1 (the switch is called a "Selective Router"). By design, the total number of trunks into the 9-1-1 call center (PSAP) is greater than that, so a single call source can't tie up all the trunks. However, all the wireless carriers use the same two companies to connect their networks to the 9-1-1 networks, and the total number of trunks into the PSAP is usually less than the sum of the trunks from each of these sources. As a result, you need far fewer calls to tie up all the call takers. In a large city, these numbers are bigger, but it's still less than 100. Once you have all the call takers on calls, the next call gets a busy indication. When the call taker hangs up, a new call is presented to them. In the scenario given, if the number of TDoS calls is much greater than the number of legitimate calls, then the probability of a legitimate call getting through is small.

    There isn't anything magic about running a DDoS/TDoS attack from a mobile network - they just imagined it would be easy to introduce malware into the Android/iOS systems. You could do it by attacking enterprise PBXs, or VoIP phones, or a cable phone network. Just about anywhere that there is a connection between the phone network and the Internet.

    There is a redesign of the system, called NG9-1-1, that has mechanisms to address TDoS/DDoS. It's starting to be deployed, but the mechanisms that are defined aren't being implemented very well and they wouldn't be effective even if uniformly implemented well until we get a decent percentage of PSAPs on the new system.
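The blocking behaviour described in the comment above (every call taker busy, the next caller gets a busy indication) is the classic Erlang B loss model. As an added example, not part of the original comment, the Python below uses that model to derive the busy rate a trunk group should show under normal load and flags measurement intervals that exceed it. The trunk count, call rate, hold time, thresholds and sample counts are constructed assumptions, as is the premise that calls arrive at random (Poisson) and blocked calls are dropped rather than queued.

```python
# Added example: Erlang B baseline for a PSAP trunk group (constructed numbers).

def erlang_b(offered_erlangs: float, trunks: int) -> float:
    """Probability that a new call finds every trunk busy (blocked calls cleared)."""
    b = 1.0  # with zero trunks every call is blocked
    for n in range(1, trunks + 1):
        # Standard numerically stable recurrence for the Erlang B formula.
        b = offered_erlangs * b / (n + offered_erlangs * b)
    return b


def offered_load(calls_per_hour: float, mean_hold_seconds: float) -> float:
    """Offered traffic in erlangs = arrival rate x mean holding time."""
    return calls_per_hour * mean_hold_seconds / 3600.0


def flag_abnormal_blocking(intervals, trunks, baseline_erlangs,
                           factor=5.0, floor=0.01):
    """Return labels of intervals whose observed busy rate is above
    max(factor x expected Erlang B blocking, floor)."""
    expected = erlang_b(baseline_erlangs, trunks)
    threshold = max(expected * factor, floor)
    flagged = []
    for label, attempts, busy in intervals:
        if attempts and busy / attempts > threshold:
            flagged.append(label)
    return flagged


# Constructed scenario: 10 trunks, 60 calls/hour, 3-minute average call.
TRUNKS = 10
BASELINE = offered_load(calls_per_hour=60, mean_hold_seconds=180)

# Constructed 15-minute counters: (interval start, call attempts, busy results).
SAMPLE = [
    ("09:00", 15, 0),
    ("09:15", 16, 0),
    ("09:30", 140, 96),
    ("09:45", 150, 110),
]

if __name__ == "__main__":
    print(f"baseline load: {BASELINE:.1f} erlangs")
    print(f"expected busy rate: {erlang_b(BASELINE, TRUNKS):.5f}")
    print("flagged intervals:", flag_abnormal_blocking(SAMPLE, TRUNKS, BASELINE))
```

Because random arrivals all see the same trunk state, the busy rate applies equally to every caller in an interval, which is why a sustained rate far above the Erlang B baseline is a usable alarm condition.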

    • The BIGGEST problem is not this pie-in-the-sky DDoS attack, but the actual problem of hiring bored, couldn't-care-less call takers who sometimes get the call details right and if they don't...eh, somebody might figure it out while they're running down the road trying to find the incident. You know, people who are more interested in bitching about not getting the vacation time they wanted, not getting that shiny new headset that SHE has over in the next cubicle, and other things that are much more important

  • Wow, abuse of a limited resource can overwhelm said resource? The hell you say!
  • We already have three botnets attacking the 911 system right now!! They are called the toddlers, the idiots and the butt-dialers
  • by Righ ( 677125 ) on Tuesday September 13, 2016 @11:47AM (#52879303)
    Perhaps it's time for some American 'researchers' to publicise details on how simple it would be to DoS the Israel 100/101/102 emergency services.
  • Considering how much so-called 'smartphone' security resembles a colander more than it does a locked box, seems to me that compromising and taking control of even millions of them to use for such an attack would be relatively trivial to execute.
  • Did someone pay researchers to determine that calling operators takes up operators' time?

  • by Anonymous Coward

    I was on hold for hours with Comcast customer service. It's obvious that was due to a DDOS attack on their phone system.

  • "that would made"
  • I have had to call 911 before – for a good and appropriate reason.

    911 didn't work then.

    How can anyone tell whether 911 is working as usual, or is crippled by a DDOS attack?!?

  • Who gets to set up 911 locally? Who gets to keep it all working? Who got the contracts to be on call for support? Who is very slowly upgrading the 911 networks at any cost to the tax payers over a long time?
    The money made keeping old systems working is worth more than any new replacement that would have good quality hardware and software in place but need less service calls.
    Why see a new system in place and more staff for real calls when that cash will be lost from local support costs?
    That's the local
