The female caller was frantic. Why, she asked 911 dispatchers, hadn’t paramedics arrived to her home? She’d already called once to say her husband was writhing on the floor in pain. “Hurry up!,” she’d pleaded, as she gave the operator her address. And then she hung up and waited for help to arrive, but it never did. By the time she called back, her husband had turned blue. “He’s dying!” she cried helplessly into the phone.

But the paramedics had gone to the wrong address and couldn’t find her home. When the dispatcher cited the intersection they were currently passing, it was nowhere near her home.

When Christian Dameff and Jeff Tully set out four years ago to determine how to provide the best medical care to patients between the time a 911 call was made and the patient arrived to the emergency room, they were focused on things like the CPR coaching 911 operators sometimes provided over the phone. But as they listened to thousands of recordings of 911 calls, they discovered something equally critical to patient care: The 911 system itself. The system operates nationwide 24 hours a day, assuring the public that help is just a phone call away. But sometimes it doesn’t work as planned.

To direct first responders to a caller’s location, the emergency call system relies on a database of addresses tied to phone numbers or, in the case of wireless phones, to the location coordinates sent by the phone’s GPS chip and the cell phone tower that processes the call.

But Dameff and Tully discovered that the 911 system has several vulnerabilities that make it susceptible to failure. Dameff is an emergency room physician and Tully is a pediatric doctor. But they’re also white hat hackers who decided to team up with Peter Hefley, an IT security manager for Sunera, to identify problems within the 911 system. The trio recently presented their findings at the Def Con hacker conference in Las Vegas.

Aside from software glitches that can sometimes prevent medical help from being dispatched on time, they were concerned about the security of the address databases, populated by subscriber information from telecoms, that first responders rely on to locate victims. If a hacker could obtain access to the databases, he could alter or delete critical information that could prevent help from arriving on time. They were also concerned that a hacker might launch a denial-of-service attack preventing calls from getting through at all. Earlier this year in Washington state, the 911 system inexplicably went down statewide for six hours, preventing more than 4,000 calls from reaching dispatchers. Although the the outage wasn’t caused by an intentional attack—just an overloaded system—the consequences of an intentional hack, they realized, would be the same.

“When [911] fails or doesn’t work as optimally as it should—either through glitches or something else—the demonstrable harm is that people die,” Dameff says. “This isn’t, ‘Oh my credit card got stolen and someone charged $600 at Target.’ These are systems … designed and implemented to save peoples’ lives. It’s the definition of a critical infrastructure system.”

The minutes between a 911 call and the arrival of help are particularly critical for people in cardiac arrest. Research shows it takes an average of six minutes for first responders to arrive after such a call is placed, during which time the victim has a 50 percent chance of survival without CPR. The survival rate drops drastically with each subsequent minute that passes without help.

“We could see that that patient didn’t get timely medical care because of the glitch,” Dameff says of the call from the woman whose husband collapsed. “During that window is the most impactful time … to save their life.”

911 Call From Woman Whose Husband Collapsed http://www.wired.com/wp-content/uploads/2014/08/Call_1_1.mp3 Follow-up Call to 911 http://www.wired.com/wp-content/uploads/2014/08/Call_1_2.mp3

How 911 Works

When a call gets made to 911 from a landline, the caller’s telecom appends the phone number to the call data and forwards it on to a router that determines the nearest PSAP, or public safety answering point, based on the caller’s location. A dispatcher at the PSAP answers the call while a computer searches a database for the caller’s address. The database, which contains a billing address provided by the telecom, tells the dispatcher where to send help, and assists the operator in determining which first responders are closest to the location.

Although dispatchers are trained to also ask callers for their address, the person on the other end may not know the address, or may not be able to respond. In such cases, an outdated or altered database can prevent help from arriving on time.

But the problems that can occur with the system aren’t only about response times. Dameff and his team found that swatters could bypass the database lookup altogether to make a 911 operator believe he’s somewhere he’s not. Swatting calls often involve phoning 911 using a spoofed phone number or caller ID to make a bogus report of a home invasion or hostage threat, sending police—often with guns drawn—to the address of an enemy or other target. This is how a 12-year-old boy got SWAT teams dispatched to the homes of Ashton Kutcher and Justin Bieber last year and how a serial swatter in Los Angeles last week got police to lock down an elementary school while officers in tactical gear searched for a gunman who didn’t exist.

But a swatter doesn’t need to use the target’s phone number to get a SWAT team dispatched to the target’s address; he could simply call a PSAP directly instead of dialing 911, since calls made directly to PSAPs don’t use the address database to determine the caller’s location. Instead, the operator simply asks the caller for his address.

Swatter Call to 911 Center in Colorado http://www.wired.com/wp-content/uploads/2014/08/Swatting.mp3

About 6,200 PSAPs are scattered nationwide, with about 4,000 of these serving as primary 911 call centers where operators dispatch police directly or redirect the call to another center where help can be dispatched or where operators can provide CPR and first aid instruction.

Phone numbers for PSAPs are tightly held and are generally available only to emergency agencies. But Dameff’s team found they could uncover the numbers by listening to recorded 911 calls obtained via public records requests. When dispatchers transfer a call, the push-button tone for the redirect number is recorded as well. So the researchers used DTMF tone extraction to enumerate the PSAP phone numbers.

Trey Forgety, director of government affairs for the National Emergency Number Association, told WIRED the association is trying to get these numbers protected on 911 recordings so they can’t be extracted. “Those tones are very sensitive and it wouldn’t be good for folks to be able to get at those lines and tie them up,” he says.

Wireless Calls to 911

Wireless calls work according to a similar principle as landlines. They pass through a mobile switching center, which parses location data before sending the call to the PSAP closest to the phone. Meanwhile, the location data is temporarily placed in the address database so 911 operators will see the phone’s current location, rather than the owner’s billing address. The location is presented in latitude and longitude coordinates, given that the caller may be in a remote location where a proper address is unavailable.

But the researchers found that callers can spoof this system by using a non-serviced burner, or pre-paid, phone to make the call. Non-serviced burner phones can be old phones or new ones that are not currently enabled and linked to a cellular account. Although such phones are not activated, federal law requires they still be able to call 911. Because there is no telecom account associated with the phone, however, there is no phone number for authorities to call back or to track. A swatter can make a credible call to 911 and have police dispatched to an address he provides as long as it’s near the cell tower that handled the call. The only location data authorities will see is that of the tower, and possibly data estimating the distance and direction of the phone from the tower. This is precisely the technique used by the serial swatter in LA last week who reported gunmen at an elementary school.

“That can make it very hard to locate someone making repeated harassing calls to 911,” says Forgety.

Beyond being a nuisance and a waste of resources—the FBI estimates that swatting calls cost about $10,000 each—such calls limit the ability of authorities to respond to true emergencies. There is also concern that they could be used by criminals or terrorists as a diversionary tactic to occupy authorities.

In addition to using non-serviced burner phones for swatting, an attacker could also use them to conduct a denial-of-service attack against the 911 system. A presentation at Def Con this year described how a hacker could alter the firmware in a burner phone to launch a denial-of-service attack against targeted phones; Dameff notes that someone could easily place modified phones strategically throughout a county or state to take down 911 call centers over large geographical areas.

Landlines and cell phones aren’t the only vulnerability when it comes to the 911 system. The researchers found that calls made from VoIP devices also have unique problems. In order to call 911, VoIP users have to manually place their address in a database maintained by their VoIP provider and configure their systems so that 911 calls are routed to a local PSAP, wherever they may be when they place the call. But if subscribers have the ability to alter these databases, Dameff suggests that others might be able to alter them as well, in order to direct calls to the wrong PSAP or have dispatchers send help to the wrong address. He and his team didn’t test this hypothesis, however, for fear of breaking any hacking laws.

But Forgety recalls a 2007 call that illustrates what can occur when the database isn’t correct. In March that year a PSAP in Illinois received a call from a woman who was screaming for help, after her husband went on a rampage and attacked her. Police arrived at the address listed in her VoIP provider’s database, only to find the house dark and vacant. It turned out the VoIP phone belonged to a military couple who had taken it with them when they deployed to South Korea. Because the VoIP database still listed their Illinois address, her call was routed to a public safety answering point near her old home.

Authorities recognize this is a problem, and are now trying to correct it. “VoIP phones rely right now solely on the registered address of the user,” says Forgety. “That’s the sort of thing that can be easily abused. We’re trying to change that with the next-generation 911 system [so that] we can query the device for its location.”

But the next-generation 911 system is slowly being deployed across the country and only exists in a few states so far. And while it may eventually address the VoIP problem once its deployed more broadly, it won’t solve some of the other shortcomings of the 911 system, particularly the problem with swatters. Dameff and his team have suggested other solutions that might resolve these issues, such as a system of red flags for suspicious call routing as well as developing security standards for call centers. Forgety, who flew to Las Vegas specifically to attend their Def Con talk, has been talking with them about ways to address the issues with 911.

“The good thing about [the researchers] is that they are interested in finding ways to fix the problems,” he says, not finding ways to exploit them.