Israeli researchers at Ben-Gurion University have come up with a model that says that hackers, for a modest amount of money, could disable the 911 service in a state, and, for a little more money, the entire United States.
While you might think it would be hard to do that, it really is not.
Many of you have heard of a denial of service attack or distributed denial of service attack (DoS or DDos), but probably less of you are familiar with a TDoS or telephone denial of service attack.
In the case of a TDoS, you just initiate enough phone calls to tie up all the lines that are available plus some and no one can contact 911. Send enough calls to one 911 call center and the call center crashes.
We have actually seen this happen, both intentionally and accidentally. Hackers have initiated TDoS attacks on targets and those attacks have made the news. We have also seen the general public take out entire phone company switching offices due to call volume. I can recall one incident where I live where there was a large power outage and enough people called the power company to take down the central office that served that company. AT&T had problems in the early days with callers voting on Dancing with the Stars, so this is not far fetched.
What is amazing is that the researchers say that with just 6,000 phones you could take out an entire state’s 911 service and with 200,000 phones you could do serious damage to the entire US 911 service.
Part of this is because the law requires phone companies to complete 911 calls even if the caller doesn’t have a cellular service subscription, so you could buy those 6,000 phones and you don’t even have to activate them.
Alternatively, you could hack a bunch of phones and use them as zombies to call 911.
What the researchers say is harder to to find all the 911 call centers, technically known as PSAPs or Public Safety Answering Points. There are about 3,700 counties in the US and around 7,500 PSAPs.
These phones could dial, answer, hangup and redial until the PSAPs figured out what was going on and attempted to mitigate the problem.
Attackers would likely do this on a day and at a time when the PSAPs are under stress anyway. – at a time when the system doesn’t have much margin. Even if they had enough phone lines, they would not have enough operators, so the calls would queue up. Denver has a problem with 911 callers being placed on hold during busy times without a TDoS attack going on.
Recently, there have been reports of hackers attacking the baseband radio inside the phone – at a layer below the OS – whether Android or iPhone. If the attackers were able to do this, at least in the case of an iPhone – and some Androids – the user wouldn’t be able to stop the attack other than to literally destroy the phone – run it over with their car. On some Android phones, you could pull the battery which would, we think, stop the attack.
The researchers say that to buy 200,000 phones, the attackers would have to spend a bit over $3 million. Small change for a nation state.
If you did the attack during a time of emergency, it would likely cause the police and fire to not receive important information and people would likely die.
If they were to do it during a regional emergency, they could probably do the attack for a few hundred grand. Pocket change.
Maybe we need to go back to those black, metal, rotary dial phones that were screwed to the wall in the front hall. If anyone can remember those.
Information for this post came from Softpedia.