Is an attack on emergency services just one call away?
Connecting state and local government leaders
A recent study revealed how easy it would be for bad actors to overload and disable infrastructure for the 911 emergency services in the United States.
Emergency services providers got a wake-up call late last week when a study from a top overseas university revealed how easy it would be for bad actors to overload and disable infrastructure for the 911 emergency service in the United States, prompting concern from the industry.
Researchers at the Cyber-Security Research Center at Ben-Gurion University of the Negev in Israel outlined how attackers could relatively easily “exploit the cellular network protocols in order to launch an anonymized [distributed denial-of-service] attack on 911.” Specifically, the university’s penetration testing uncovered that cybercriminals or nation-states could launch a mobile phone-based botnet using masked (and therefore anonymous) cell phones to overload even a major emergency services operation and effectively block legitimate calls and services.
Cybersecurity insiders point out that similar hacks have already been perpetrated but not necessarily to the extent the research outlines as possible.
“911 DDoS conditions happen already -- often accidentally -- during high call volume times,” said Johannes Ullrich, dean of research at the SANS Technology Institute. “The conditions are usually limited in time [to an] hour or less. But the scarce resource is usually not the airwaves, as suggested by the [Ben-Gurion University] paper, but instead the human operators.”
In a mass casualty event, for example, callers already often overwhelm existing 911 centers. “There isn’t the ability to ‘geo filter’ calls and allow only a limited number of calls per area,” Ullrich said. Telephony denial-of-service (TDoS) attacks create a similar flood of illegitimate automated calls, which cannot be traced back to their points of origin.
Based on their tests, Ben-Gurion researchers discovered that nefarious parties with fewer than 6,000 bots (or mobile phones under their control via malware) in a state the size of North Carolina or 200,000 phones across the country could interrupt emergency services for days.
Trey Forgety, director of government affairs at the National Emergency Number Association, said he is not surprised by the results of the analysis and believes the researchers used an “accurate mathematic model to conceptualize how this would work.”
However, he did have a difference of opinion with the analysis. “I believe the researchers drastically underestimated the scale of the problem,” he said, adding that if attackers targeted a single 911 center, they could likely disable services with fewer than 6,000 controlled phones.
“The barrier to entry for an attacker to disrupt and degrade critical infrastructure is falling at a rapid pace,” said Jeff Pollard, a principal analyst at Forrester Research. “Our infrastructure often runs on systems that are designed and implemented with availability, not security, in mind.”
But not everyone in the cybersecurity community sees the recent news as a sign that emergency services are doomed to falter.
“The research from Ben-Gurion University in Israel certainly demonstrates there are issues within today’s 911 system, and we should absolutely fix them, but it does not mean the threat is imminent,” said Rebekah Brown, threat intelligence lead at Rapid7, a cybersecurity tools vendor. “There is the potential that someone could execute this attack, but it would take time and effort. And a flood of calls after a natural disaster could have the same impact.”
Similarly, Al Pascual, senior vice president and head of fraud and security research at Javelin Strategy and Research, said he believes that a TDoS attack on emergency services is “as likely as an attack on our power grid. It would serve much the same purpose in sowing confusion and overwhelming civil authorities.”
Another nation-state, like Russia, might conduct such an attack on a limited scale outside the United States as a way to send a message, according to Pascual. “But otherwise, the potential loss of life involved as civilians are unable to reach emergency assistance could incite a military response, and that would make such an attack against the U.S. very unlikely,” he said.
Despite the ongoing transition to a more modern and resilient Next Generation 9-1-1, the risk of TDoS attacks will remain viable for years to come, according to Forgety, because all the U.S. states and regions are in various stages of migration to updated systems. Another potential concern for Forgety: By hijacking an enterprise call manager, capable of thousands of outbound calls at once, a bad actor could incapacitate even more 911 centers in one fell swoop.
And even though virtually everyone in the country has come to depend on emergency communication through 911, its complex makeup means that mitigating the risk of TDoS attacks won’t happen fast.
“Given the distributed nature in which the nation’s emergency systems operate, we would need a coordinated response by various state agencies or a top-down, federally mandated change,” Pascual said. “Neither will happen quickly.”