What would it take for attackers to significantly disrupt the 911 emergency system across the US? According to researchers from Ben-Gurion Univerisity of the Negev’s Cyber-Security Research Center, as little as 200,000 compromised mobile phones located throughout the country.

The phones, made to repeatedly place calls to the 911 service, would effect a denial-of-service attack that would made one third (33%) of legitimate callers give up on reaching it. And if the number of those phones is 800,000, over two thirds (67%) would do the same.

Naturally, the researchers – Mordechai Guri, Yisroel Mirsky, and Yuval Elovici – haven’t performed such an attack on the actual, nationwide system. Instead, they have created a simulated cellular network based on North Carolina’s 911 network (as information about it is widely available) and attacked it instead.

According to their findings, the 911 system in North Carolina could be partially overwhelmed by mere 6,000 infected devices.

“At the state-level, we found that as little as 6,000 bots (0.0006% of NC’s population) is enough to deny 20% and 50% of wireline and wireless callers from ever reaching 911 services (after 4-5 attempts each per caller). This is even more significant considering that 70% of 911 calls are wireless,” they noted. “With 50K bots (0.0054% of NC’s population) nearly 90% of all wireless 911 callers never reach a call taker.”

From these results, they extrapolated the number of bots needed to partially cripple the nation-wide system.

How can this happen?

The problem, the researchers say, rests in the fact that current FCC regulations require that wireless carriers must immediately route all emergency calls to local public safety answering points, regardless of the mobile phone’s available identifiers (like IMSI and IMEI, which tell if the caller is a subscriber to their service and identify the mobile equipment, respectively).

“A rootkit placed within the baseband firmware of a mobile phone can mask and randomize all cellular identifiers, causing the device to have no genuine identification within the cellular network. Such anonymized phones can issue repeated emergency calls that cannot be blocked by the network or the emergency call centers, technically or legally,” they pointed out.

That the emergency reporting system is vulnerable to Telephony Denial of Service (TDoS) should not come as a surprise. During the 9/11 attack on the Twin Towers in New York, when thousands of legitimate callers collectively dialled 911, both the telephony network and the emergency reporting system were effectively DoSed.

This could happen again if attackers leverage a mobile botnet to target the 911 service.

Possible solutions

There are several countermeasures that can mitigate such an attack, including implementing “call firewalls” on mobile devices, and public safety answering points implementing “priority queues” that would give precedence to callers with more reliable identifiers.

Attack prevention options include the disallowing of 911 calls from NSI devices, and trusted device identification.

The former would block calls from mobile phones that are unable to register to the network. There can be many reasons for this: the subscription associated with the SIM is inactive, the subscriber has not paid the telephone bill, the device has been stolen so its IMEI has been blacklisted, etc. But, this option is (currently) illegal and, the researchers note, unethical.

The second option would force the device to send a trusted unaltered identifier to the network.

“The identifier such as IMEI, must be stored in a trusted memory region (e.g., ARM TrustZone) so it cannot be changed by malware at any level,” they explained.