A weakness that affects the way 911 calls are handled can let hackers compromise emergency systems across entire states and potentially entire countries, researchers at Israel’s Ben-Gurion Univerisity warned in a report published Friday.
Only about 6,000 smartphones would need to be infected with malware in order for a hacker to wage an attack capable of crippling emergency services for all of North Carolina, according to the researchers’ findings.
Given the ubiquity of smartphones — as well as how easily they can be hacked — the likelihood of 911 systems becoming compromised is hardly slight, the researchers wrote in their first-of-its-kind report.
“We believe the researchers have accurately characterized the problem” with the 911 system, Trey Forgety, the director of government affairs for the National Emergency Number Association, told The Washington Post Friday upon reading the report.
“We actually believe that the vulnerability is in fact worse than [the researchers] have calculated,” he said.
Waging the attack requires a large number of smartphones to become infected with malware that randomizes the identifying information of each device, then silently forcing each one to repeatedly dial 911. If successful, this telephonic distributed denial-of-service (DDoS) attack floods the emergency systems with illegitimate requests and makes filing an actual emergency difficult-to-impossible to accomplish.
Federal Communications Commission guidelines requires all emergency calls to be immediately routed to the appropriate local call center “without regard to validation procedures,” or regardless of the devices’ unique identifiers, so masking this information with malware makes the attack resilient to blacklisting and blocking, according to the researchers.
Emergency-call systems are categorized as critical infrastructure by the federal government and are regarded as on par with the power grid and other utilities. Information concerning the various components of the system across the entire country are rarely published as a result, but the researchers used publicly available data regarding North Carolina’s 911 systems from 2008 to virtually reconstruct its infrastructure and successfully compromise it using a simulated attack.
As few as 6,000 phones would need to become infected to deny up to half of all calls placed across North Carolina, and as little as 200,000 infected devices are needed to “significantly disrupt 911 services across the U.S.,” according to the report.
The phones could become infected by delivering malware through seemingly innocuous smartphone apps, text message spam or other vector, and then an operator would just have to remotely tell this “botnet” of hacked smartphones to repeatedly dial 911.
Widespread infections aren’t impossible, either. The report notes that a September 2015 DDoS attack utilized about 650,000 Chinese smartphones that had been infected with malware in order to flood a website and render it inaccessible. A 2011 report determined that more than 10,000 apps available for Android devices through Google’s Play store contained malware of some sort.
“In 2015 over 90% of American adults owned a cell phone, and 64% of the devices were smartphones,” the researchers wrote. “An attacker that recruits even a fraction of these devices to a botnet would give this attacker has the potential to deny 911 services to an entire state, or possibly the entire country.”