Imagine that suddenly disaster strikes! You pick up the phone, dial 911 (or use internet calling to dial E911)—and nothing happens. Too many panicked callers have overloaded the emergency phone system. This is a pretty common trope from disaster movies, but a nasty new kind of cyberattack has the ability to knock out a 911 call center even without mass calling taking place.
Late last year, we discussed how trolls affiliated with Donald Trump supporters were able to affect phone banks leading get-out-the-vote efforts for Hillary Clinton. While this kind of hacking didn't move the needle for the election, it definitely proved that a small group of individuals could affect phone service for a large number of people. Were this kind of attack to occur during an emergency, the consequences could be extremely serious.
We're Not Talking About Hypotheticals
Here's the bad news: at least one cyberattack affecting 911 services has already occurred in the real world. Last October, an 18-year-old man began publishing links on a YouTube channel and daring people to click on them as part of a prank. When clicked, these links would cause users' phones to automatically and repeatedly dial 911.
These links caused the phones in 911 call centers across the country to ring and then hang up over a hundred times within a few minutes, nearly causing them to lose access to their switches. The man responsible claimed that this was part of a prank, and also an attempt to find bugs within Apple's iOS operating system. Authorities did not find this amusing, and he was arrested and charged with tampering with the 911 phone system, a Class 2 felony.
The E911 and physical 911 Infrastructure is More Fragile than We'd Like to Think
Let's take a look at the details of this attack one more time. It took just over 100 calls to nearly knock out a 911 call center. These calls weren't VoIP calls with misconfigured packet headers, incidentally (those are what were used to attack the Clinton campaign phone banks during the election). Rather, they were ordinary phone calls going out over standard 3G or 4G other way. In other words, the relative simplicity of the attack—plus the ease with which it nearly crippled critical infrastructure—is rather alarming.
Experts say that an attack of this nature would require only 6,000 phones, constantly dialing 911, to drop emergency services across an entire state. The continental United States would require 200,000 phones, a drop in the bucket for a country with over 300 million citizens. More worrisome, mobile malware that can control phones is noticeably on the rise.
Does the rise of Mobile Malware Portend Telephone DDoS Attacks?
Does infecting 200,000 phones sound like a lot? Well, in 2015 a piece of mobile malware known as XcodeGhost was able to infect literally ten times as many people. Hackers released a fake copy of a development kit for iPhone apps. When developers downloaded this kit, the apps they created with it contained a backdoor that allowed hackers to control users' phones remotely. Similarly, an app commonly used by the Ukrainian army was infected in the same way, and was downloaded over 9,000 times. The infected app appears to have transmitted GPS data to Russian-backed separatist forces.
E911 provides robust guidelines for VoIP service providers to enable emergency calls—but those standards won't work if the call center itself is down. Although this kind of phone-based DDoS attack appears to be relatively infrequent, this means it's the best time for service providers to start protecting their customers. Edgewater Networks Intelligent Edge solutions offer built-in protection against DDoS attacks—the perfect defense for emergency contact centers. To learn more, check out our white paper, "The Four Pillars of VoIP Security."