Security Bug IOS Iphone United States Apple

Teenager Accidentally Launches DDoS Attack On 911 Systems (softpedia.com) 152

A Phoenix teenager mistakenly tweeted a link to a JavaScript exploit which forced iOS devices to automatically dial and re-dial 911. An anonymous reader quotes Softpedia: The teenager created several weaponized versions of this bug which would constantly dial a phone number, or show annoying popups. The teenager says he wanted to prank his friends, thinking it would be "funny," but when he shared the weaponized link online, he shared a version that instead of showing annoying popups, redialed a phone number, which in this case was 911.
In September researchers calculated just 6,000 smartphones can take down an entire state's 911 system, while more than 1,849 people clicked on this link, according to the article. Sheriff Joe Arpaio's office searched the teenager's home -- "several items were seized" -- and they've charged him with three felony counts for computer tampering.
This discussion has been archived. No new comments can be posted.

  • Accidentally? (Score:5, Insightful)

    by danhuby ( 759002 ) on Saturday October 29, 2016 @12:39PM (#53175449) Homepage

    Accidentally? Seems really unlikely. I'd like to see the code to see how that was possible.

    • Re:Accidentally? (Score:5, Insightful)

      by Anonymous Coward on Saturday October 29, 2016 @12:48PM (#53175485)

      The difference between "accidental" and "just for fun" is that the perpetrator didn't think he'd be punished for his prank. Calling 911 in this manner is generally considered a crime.

    • Re:Accidentally? (Score:4, Insightful)

      by Dutch Gun ( 899105 ) on Saturday October 29, 2016 @01:25PM (#53175623)

      The "accident" was that he sent out malware links to a 911 dialer instead of an annoying popup generator to his friends, both of which he had created. Given that it would be blindingly obvious that he was the perpetrator, as he made no effort to conceal his identity, it seems improbable to me that he'd have sent out the 911 dialer deliberately. Besides which, one would assume you generally wouldn't want to cause trouble for your friends by forcing their phones to repeatedly call 911, unless you're a really terrible friend. I don't think anyone would dispute the weaponized code was created deliberately, of course.

      So, a rather stupid mistake, yes, but I doubt this was done maliciously.

      • by Calydor ( 739835 )

        The question is: Even though the weaponized code was created deliberately, is it any different than mixing a few chemicals in your backyard just to SEE them blow up, with no intent of ever bombing the local police station? Is it that hard to believe that he wrote the code to say "Hey, I could do that" and then just stashed it somewhere?

        • The question is: Even though the weaponized code was created deliberately, is it any different than mixing a few chemicals in your backyard just to SEE them blow up, with no intent of ever bombing the local police station? Is it that hard to believe that he wrote the code to say "Hey, I could do that" and then just stashed it somewhere?

          I would say it's a question of mens rea or was he criminally negligent. I think you could argue he had no criminal attempt though possibly his "prank friends" comments could be taken as intent. I would argue he was negligent as he should have known the code would be used if he released it and failed to verify the code he did release was not the 911 version.

        • It's absolutely different. He was purportedly planning to turn this in to Apple for a bug bounty, and in order to claim a bounty, a viable proof-of-concept is actually required by Apple. Except in this case, the young man was foolishly careless with the software weapon he created. I'm certainly not advocating that he not be appropriately punished for a very dangerous mistake he made, but neither do I think it's fair to automatically assign ill motives to him.

      • by gweihir ( 88907 )

        I agree, but there were at least two stupid mistakes:

        1. Sending out the wrong link (simple stupid)
        2. Making it easy to send out the wrong link (pretty much an epic fail)

        • 3. Creating something that dials 911 instead of the number of a friend or yourself
          • 4. Publicly disclosing the vulnerability instead of responsibly disclosing it, thereby invalidating any chance of getting a bug bounty from Apple.

    • Accidentally? Seems really unlikely.

      Similar things have happened before [wikipedia.org].

    • to get a phone to dial a number. There's lots of APIs for it once you've got access and there's tonnes of 'sploit kits to get you that access. This is the very definition of a 'script kiddie'. Give 'em a slap on the wrist and so long as he doesn't do it again move on. Short of torturing him to death you're not gonna get enough notice out of this to make an 'example' out of it but you might ruin some dumb kid's life. Then again this is Joe Arpaio...

      On a completely unrelated note our 911 system is so fragi
      • bill him the cost of a new switching system. That should run 50K-100K in damages.

        • Yeah let's go right back to ruining some kid's life again.

          • by murdocj ( 543661 )

            Having him understand now that there are consequences to actions will save his life. A slap on the wrist combined with lots of "wow, how clever" attention means he'll do it again

            • When do you get around to showing the people running the system that there are consequences to their actions?
            • Having him understand now that there are consequences to actions will save his life.

              Yeah we should cut his eyes out. He'll remember that and this will save his life in the future.

              I always thought it was the American government to blame for your truly bizarre ways you punish people, but no I realise now you have exactly the government you deserve. Put everyone in prison for a little while, make sure they are bankrupt before they even get to university then bankrupt them again for good measure, and thanks to

              • by murdocj ( 543661 )

                It always amuses me how slashdotters have to go from one extreme to another. There are punishments between "scot-free" and "hanging by his balls".

    • by gweihir ( 88907 )

      I am willing to believe "accidentally". It may just have taken one typo. The kid is a moron nonetheless, as live exploit code needs to be treated with care, just like a sharp object or a weapon.

      Well, the US "legal" system will probably not let him forget this, ever, but the real failure is with the parents for not insisting on some measure of common sense in their kid before allowing him a cellphone.

    • by ChoGGi ( 522069 )

      He may have "accidentally" sent out the wrong exploit, but he deliberately chose 911 as the number (instead of say 311).

      I wouldn't say jail time, but the little shit should be doing some volunteer work at the dispatch office.

    • What are you talking about?

      He wanted to dial 912 in his code, but his finger slipped and he typed 911 instead.

      That was just an innocent mistake.

      • um no you clearly didn't read the article where he fully admitted he purposely made the exploit to dial 911. it was no mistake

        Meet stated he did manipulate the bug to include the phone number for emergency services 1+911. Meet stated that although he did add that feature to the bug he had no intention of pushing it out to the public, because he knew it was illegal and people would “freak out”. Meet stated that he may have accidentally pushed the harmful version of the (911) bug out to the Twit
    • Accidentally? Seems really unlikely. I'd like to see the code to see how that was possible.

      To me it seems unlikely that he would have sent out such a link from a Twitter account which could so easily be traced to him if he were doing this on purpose.

  • by davidwr ( 791652 ) on Saturday October 29, 2016 @12:45PM (#53175473) Homepage Journal

    After all, if it weren't for that bug bounty enticing him....

    Seriously, this guy needs a firm slap on the wrist and a year or two of probation, not prison time.

    When it comes to carelessness, this ranks up there with the Robert T. Morris Sendmail worm of 1988. Heck, I'd hold Morris to a higher standard than this guy since he (Morris) was a graduate student at the time and presumably knew what he was doing more than Desai.

    By the way, Morris was elected Fellow of the ACM in 2014.

    References:

    https://scholar.google.com/sch... [google.com]

    http://awards.acm.org/award_wi... [acm.org]

    And the not-always-reliable reference, Wikipedia:

    https://en.wikipedia.org/w/ind... [wikipedia.org]

    • by Tanman ( 90298 )

      Taking down 911 is no laughing "slap on the wrist" matter. People need 911 for actual emergencies. Shutting down that system is akin to sentencing people to die in certain circumstances.

    • Being charged with something and being convicted are two completely separate things.
      Law enforcement almost always charges kids with the maximum knowing full well that when it gets to court it will be plea bargained to a misdemeanor.

      In all likelihood this kid's parents will be required to pay damages ~$3000ish and the kid will get 120 hours of community service and a year or two probation.

    • Probation? He needs a "thank you" from both Apple and whatever IT department manages 911. If they can't handle a 6000-phone oops by some kid, WTF do I pay my taxes for? When ISIS and foreign governments launch such attacks, they will be much larger scale and at much less opportune times that really do cause lots of death and mayhem. He basically just walked into their wide open front door and said, "hey, you left the door open". If he happened to track a bit of mud on the carpet on his way out, that seems l

  • by Anonymous Coward
    911 is considered critical infrastructure for defense and security. Attacking this number is a cybercrime according to US law. He must be put in JAIL
  • by Anonymous Coward

    Is that such an incredibly stupid bug is even possible.
    Thanks Apple.

  • there is no almost (Score:4, Insightful)

    by Luthair ( 847766 ) on Saturday October 29, 2016 @01:05PM (#53175547)
    How do you almost crash the system or almost take it offline. Sounds like bullshit.
    • Re: (Score:3, Funny)

      by fahrbot-bot ( 874524 )

      How do you almost crash the system or almost take it offline. Sounds like bullshit.

      How does your girlfriend almost get pregnant? Condom breaks while you're taking it off. A few more operational minutes in the field (as it were) could have taken her system online. But you dodged a bullet 'cause your run-time never lasts "a few more minutes". :-)

  • by Gravis Zero ( 934156 ) on Saturday October 29, 2016 @01:10PM (#53175565)

    What this teenager did was bring attention to a bug that never should have existed to start with. If they want to blame anyone, they should be blaming Apple for allowing it to even be possible. But hey, they didn't hire cops for their intelligence. [politicalblindspot.com] -_-

  • Is this a record? (Score:4, Insightful)

    by Archtech ( 159117 ) on Saturday October 29, 2016 @01:13PM (#53175575)

    A huge safety-critical network that can be crashed ***by accident***! What a magnificent design achievement! Just imagine what could be done by someone competent who was actually trying to crash it...

    • by F.Ultra ( 1673484 ) on Saturday October 29, 2016 @01:43PM (#53175693)
      A lot of our infrastructure relies on people being honest, and it actually works most of the time. Call the police, fire department or ambulance enough times and you will DDoS all of them since there are a limited number of such units to send.
    • Re: (Score:3, Interesting)

      by xlsior ( 524145 )
      It's not so much that it 'crashes' 9-11, it simply ties up all the available operators so there won't be anyone available to answer the *real* emergency call coming in at the same time -- there's only so many dispatchers available to answer calls, after all. Too many calls is too many calls, regardless of how competent the initiator is.

      Other than prioritizing certain calls (e.g. the ones that haven't been calling you a thousand times already today) there's not a whole lot you can do to mitigate this while
    • Yeah whatever dude, like you've ever built something that can't be DDOSed. Some security flaws are sloppy but this is hard stuff.
  • by fahrbot-bot ( 874524 ) on Saturday October 29, 2016 @01:14PM (#53175577)

    Friends don't let friends enable JavaScript.

    (Man, if only it was that easy. Seems a LOT of sites use and/or require JS when they really don't need to -- and I'm looking at you too /.)

  • When something happens in a crowded area, and hundreds of people whip out their smartphones to dial 911, the system gets regularly DDoSed anyway.

    I wonder if anybody is thinking about some protection on the cell level. Like, when there are already ten 911 calls originating from one cell, additional ones need some confirmation from the caller that they really want to make an additional one.

  • Is it worth it? (Score:4, Interesting)

    by liquid_schwartz ( 530085 ) on Saturday October 29, 2016 @02:01PM (#53175765)
    I always felt that one question that should be asked is: is it worth jailing this person for three felonies' worth? With prison costs of $60K a year I don't think it's worth this much taxpayer money unless someone actually got hurt. Make him agree not to do it again, give him probation and community service, and threaten to not be so nice next time should someone else duplicate this.
    • The calculation on this punishment is; Does it embarrass the police or authority? Does it do so publicly? This equals harsh penalties.

      It seems like using a computer to do a slight bit of damage, is treated with harsher penalties than someone holding up a liquor store. Of course harsher than ripping off thousands and ruining lives when running a bank -- but well, that's a different story.

      Some kid was doing a prank, and it got out of hand. The fact that it accidentally caused more damage because of the shortc

  • Users are now required to dial 0118 999 881 99 9119 7253
  • Fuck Sheriff Joe Arpaio. That's all I have to say, and it's not related to this article
    • Fuck Sheriff Joe Arpaio. That's all I have to say, and it's not related to this article

      There are a lot of legitimate reasons why people may dislike Sheriff Arpaio, but as far as I can tell, he acted appropriately in this instance.

  • I thought the 911 referred to the amount of systems he launched attacks on.
  • Stoned or stupid?

  • Surely if anyone is at fault here it is apple for deploying buggy code and the department responsible for a 911 system that crashes under 6000 calls...
  • Children are never responsible for anything anymore.

  • Man, that kid is going to have a hell of a time. No nonsense sheriff. Sheriff will put him into his famous jail, in pink underwear, outside in a jail tent city where it's frickin' hot! I bet that kid won't do that again. He better hope he works out a deal to not go there.
