fbpx
 

A 911 Wake-Up Call

March 6, 2017

Homeland & Cyber Security

Excerpted From The Wall Street Journal — For at least 12 hours on October 25 and October 26, 2016, 911 centers in at least a dozen U.S. states from California to Texas to Florida were overwhelmed by what investigators now believe was the largest-ever cyber attack on the country’s emergency-response system.

A month before the attack, researchers at Ben-Gurion University concluded that fewer than 6,000 smartphones infected with malicious software could cripple the 911 system in an entire state for days. By directing phones to call all at once, the 911 systems would be overwhelmed and operators would be unable to answer legitimate calls.

911-call-center

During the cyber attack in Olympia, Washington, unanswered calls stacked up on computer screens. Photo: Ian C. Bates for The Wall Street Journal

As the investigation into the attack proceeded, many law enforcement officials and 911 experts became convinced the hack could have been far worse, and could happen again.

“If this was a nation-state actor that wanted to damage or disable 911 systems during an attack, they could have succeeded spectacularly,” says Trey Forgety, director of government affairs at the National Emergency Number Association. “This was a serious wake-up call.”

It was hard for investigators to trace the cyber attack which originated from a malicious Twitter link that, when clicked, caused a user’s phone to automatically start dialing 911. Twitter users would share the link with their followers, turning the malware into a runaway virus.

911 graph

The 911 call volume in Surprise, Arizona surged when iPhone users clicked on a malicious Twitter link in October 2016.

Investigators believe the link was clicked 117,502 times. Each click triggered the person’s iPhone to dial 911 numerous times. The phantom calls could be stopped only by turning off the phone. Smartphones not made by Apple and personal computers were not affected.

The origin of the attack was traced back to Meetkumar Desai, an 18-year-old computer science student in Phoenix, Arizona. According to an investigation report, Mr. Desai told police he meant no harm.

“He claimed he was doing this to get a bug bounty from Apple,” a detective says. Like many technology companies, Apple Inc. pays some developers if they are able to find and report security flaws.

About two weeks after the cyber attack, Mr. Desai was charged with four felony counts of computer tampering.

More From Ben-Gurion University — “An attacker can cause 33 percent of the nation’s legitimate callers to give up in reaching 911,” the researchers wrote in a paper that they shared with the U.S. Department of Homeland Security, a month before the attack took place.

“Because call centers and routers around the country often operate at near capacity under normal conditions, increasing the volume of calls by just a small percentage can overwhelm them,” says Dr. Mordechai Guri, head of research and development at the BGU Cyber Security Research Center.

Guri conducted the work with doctoral candidate Yisroel Mirsky and Prof. Yuval Elovici, head of the Center.

“The countermeasures that exist, or are possible, today are difficult and highly flawed,” says Guri. “Many of them involve blocking certain devices from calling 911, which carries the risk of preventing a legitimate call for help.

“Collaboration between researchers, telecommunication companies, regulators, and emergency personnel could yield useful breakthroughs. We must find ways to safeguard the 911 system, which protects us all.”