Zombie Smartphones Take Out Entire 911 Call Centers

March 6, 2017 CyberCecurity Leave a comment

We tend to think of 911 as ubiquitous across the United States. In reality, the thousands of PSAPs, as 911 contact centers are formally known, are a patchwork of aged technology that makes many of us cringe.

A Public Safety Answering Point is run locally by a city or county and dispatches fire, police, ambulance and other emergency services for a local jurisdiction.

One overnight last October saw the biggest ever attack on PSAPs nationwide that we have ever seen. Unfortunately, it was trivial to launch the attack and very difficult to defend against.

In Olympia, Washington that night, dispatcher Jennifer Rodgers watched the calls stack up by the dozens instead of the normal 1 or 2 calls that she would normally see on their dispatch screen.

As calls went unanswered, alarms went off alerting dispatchers of the problem, but there was nothing that they could do about it.

People were calling 911, then hanging up, then calling again, Dispatchers had no way to know what was happening and no way to do anything about it.

Finally, after 15 minutes, the dispatcher was able to get a caller to stay on the phone long enough for them to begin to understand what was going on. She told the teenager to have her dad call from a landline – where the dispatcher would instantly get a name, number and address. The caller said that she did not mean to call 911 and wasn’t even touching the phone.

For at least 12 hours in the overnight of October 25-26, contact centers in a dozen states from California to Texas to Florida were being hammered.

In Surprise, Arizona, near Phoenix, the call center received 174 calls in the hour between 10 PM and 11 PM, instead of the normal 24 calls.

Due to the limitations of cellular services, 911 dispatchers cannot pinpoint the location of wireless callers, but even if they could, if they are getting thousands of calls across dozens of states, there is no way that they could dispatch police to find the phones in question. And then what would they do? For SOME Android phones you could remove the battery to stop the malware, but for the rest of the phones, it isn’t so easy. I suppose we could equip first responders with RFID shielding bags to put these phones in. Sure. Right!

As of 2105, only around 400 out of over 6,000 PSAPs had a cybersecurity plan. In 38 states, according to the FCC, no money was spent on cybersecurity for 911 call centers.

According to Rear Admiral David Simpson, who oversaw emergency management and cybersecurity at the FCC during the Obama administration, this is an emerging crisis.

As I reported months ago, last year researchers at Israel’s David Ben Gurion University concluded that as few as 6,000 smartphones infected with malware could take down the 911 PSAP call centers in an entire state for days.

If Russia wanted to cause some real panic in the United States, all it would take would be to infect, say a quarter of one percent of the smartphones in the U.S. with malware that continuously called 911 call centers and hang up. While it might not directly kill anyone, it would certainly make the lives of first responders very difficult.

It turns out that this “attack” was started by a guy who forwarded what he thought was a prank link in a Twitter message to a couple thousand of his Twitter followers.

What if the link was more subtle? What if it masqueraded as a call to action and was forward and refowarded to an audience of millions.

Many 911 PSAPs are still using old copper wire based “POTS” phones with no budget to upgrade.

Let’s hope the bad guys choose not to launch an attack because I am pretty convinced that if they attacked, they would succeed.

Information for this post came from TodayEVERY.