It only takes 6,000 smart phones to take down our Public Emergency Response System?

There are fewer scenarios which illustrate an evildoer’s heart than those designed for mass carnage.

We are all familiar with the false alarm (human mistake) of the Public Emergency Broadcast system in Hawaii earlier this year, which wreaked havoc throughout the archipelago. However, do we realize how fragile our nation’s emergency communications are and how vulnerable it is to cyber-attacks?

Recent research published by the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel reveals that it only takes about 6,000 smartphones infected with malware to launch a DDoS attack capable of shutting down 9-1-1 emergency services or public service answering points (PSAPs) in a single U.S. state.

Why is the situation so fragile? Well, ironically one reason is the law.

Federal Communications Commission (FCC) regulations stipulate that wireless carriers must forward all 9-1-1 calls to a PSAP, regardless of caller validation, giving a malicious hacker the perfect opportunity to exploit this ruling with an anonymized form of a distributed denial-of-service (DDoS) attack.

Public Emergency Response is the safety net of any economy and the recognized value of a government’s role in protecting the circulatory system of modern day societies.  From police 9-1-1 systems, to snow and weather alerting processes, to health, fire and police systems, to the alerting of the imminent threat from those who wish to harm us, Public Emergency Response is one of the core achievements in a highly functioning society. It includes everything around the entire communication system including airwaves, technology involved (satellites, cell phones, internet, etc.) and includes basic-tech methods including sirens, signage and inclusion into radio and television broadcasts.  Of course, the transportation system in general plays a role in this broadcast system and defined broader could include roads, shipping ports and airports, and publicly-available train and bus systems, which are largely funded and maintained by public investments.

[You might also like: Today’s Cyber Security Threats in the Telecom Industry]

Many people realize that modern day conveniences are fleeting and assumptions are made every day about things we need to make a living. The availability and sanctity of a modern day emergency broadcast system is one of those assumptions. So given this, how safe are Public Emergency Response System(s) from cyberattacks and is there evidence that hackers up to no good could cripple this system?

By placing a rootkit within the baseband firmware of a mobile phone, a hacker can mask and randomize a mobile phone’s identifiers, essentially resulting in a device that has no identity in the cellular network.

“Such anonymized phones can issue repeated emergency calls that cannot be blocked by the network or the emergency call centers, technically or legally,” researchers Mordechai Guri, Yisroel Mirsky and Yuval Elovici wrote in the report that was passed to the Department of Homeland Security before being released to the public.

“We found that with less than 6K bots (or $100K of hardware), attackers can block emergency services in an entire state (e.g., North Carolina) for days. In this scenario, a caller would wait an additional 45 seconds-3 minutes and call an average of three times to get emergency services.”

To launch a cyberattack affecting the entire country, researchers found that just 200,000 infected phones distributed across the U.S. would be enough to significantly disrupt 9-1-1 services nationwide.

There is strong evidence that the Public Emergency Response system needs dramatic investments in order to stay safe and sound from cyberattacks, and the following examples serve as real-life examples of what already exists and has occurred:

Example One:  Zombie Apocalypse in Montana – Public Emergency Response System Hacked

The zombie apocalypse hasn’t happened yet, but a few thousand people in Great Falls, Montana, are to be forgiven if they thought it was. In February of 2013, the emergency alert system at KRTV-TV in Great Falls was hacked during the “The Steve Wilkos Show” to send out a message that “dead bodies are rising from their graves” in several counties.

The warning also told those watching not to try and apprehend the dangerous individuals, only to get to shelter and stay safe, Gizmodo.au reported. Just in case you did not know, there was not actually a zombie outbreak. Nevertheless, KRTV-TV felt obliged to let viewers know both on the air and online that the earlier report of zombies rising out of their graves was not accurate.

“This message did not originate from KRTV, and there is no emergency,” the station explained. “Our engineers are investigating to determine what happened and if it affected
other media outlets.”

Example Two: Cook County, Illinois Public Warning of TDoS against PSAPs

One month later, in March 2013, the Cook County, IL Department of Homeland Security issued a “Situational Awareness Update” message warning the public of the following:

“Information received from multiple jurisdictions indicates the possibility of attacks targeting the telephone systems of public sector entities. Dozens of such attacks have targeted the administrative PSAP lines (not the 9-1-1 emergency line). The perpetrators of the attack have launched high volume of calls against the target network, tying up the system from receiving legitimate calls. This type of attack is referred to as a TDoS or Telephony Denial-of-Service attack. These attacks are ongoing. Many similar attacks have occurred targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications.”

Moreover, the announcement also called for the following, “service providers to identify and mitigate the effects of a criminal Telephony Denial of Service (TDoS) against public safety communications, hospitals and ambulance services. This is for immediate dissemination to public safety answering points (PSAPs) and emergency communications centers and personnel.”

The report went on to describe the “extortion scheme” or what we today call, Ransom DoS (RDoS).

Excerpt from the public alert:

“Scheme: These recent TDoS attacks are part of an extortion scheme. This scheme starts with a phone call to an organization from an individual claiming to represent a collections company for payday loans. The caller usually has a strong accent of some sort and asks to speak with a current or former employee concerning an outstanding debt. Failing to get payment from an individual or organization, the perpetrator launches a TDoS attack. The organization will be inundated with a continuous stream of calls for an unspecified, but lengthy period of time. The attack can prevent both incoming and/or outgoing calls from being completed. It is speculated that government offices/emergency services are being “targeted” because of the necessity of functional phone lines.

What we know:
· The attacks resulted in enough volume to cause a rollover to the alternate facility.
· The attacks last for intermittent time periods over several hours. They may stop for several hours, then resume. Once attacked, the attacks can start randomly over weeks or months.
· The attacks followed a person with a heavy accent demanding payment of $5,000 from the company because of default by an employee who either no longer works at the PSAP or never did.”

As you can clearly see from this alert, a very powerful PSAP attack took place as early as 2013 and was alerted by the local government, forewarning of future attacks.

[You might also like: New Threat Landscape Gives Birth to New Way of Handling Cyber Security]

Example Three: Infected Teenager Phone Shuts Down Maricopa County PSAP and Others

In Oct / Nov 2016, Emergency 9-1-1 call centers located in at least 12 different U.S. states, including Arizona, Washington and California, were the target of a widespread distributed denial-of-service attack that disrupted normal services, Department of Homeland Security officials told reporters at CyberScoop.

While local media outlets in some cities reported the occurrence of separate emergency call center outages, it has been reported that multiple incidents are linked to a single actor.

DDoS attacks launched in late October 2016 and early November 2016 were aimed at public service answering points, or PSAPs, in multiple geographic areas. PSAPs are call centers responsible for police, firefighting, and ambulance services.

Several U.S. 9-1-1 emergency call centers said they were flooded with fake phone calls during the attack. The immense volume of connection requests nearly put authorities in Arizona “in immediate danger of losing service to their switches,” according to an official statement. Operators could not distinguish fake, incoming requests from genuine calls for help.

Each DDoS attack relied upon a network of infected iPhones. Once compromised, the smartphone would automatically and repetitively send calls to the nearest emergency call center.

A teenage hacker arrested in Arizona’s Maricopa County is supposedly responsible for originally creating and then sharing the malware used to infect the devices. This virus — which when downloaded would gain total access of a device — was spread through people sharing it on social media and several other websites, investigators said. One of the websites that hosted the computer virus had reached nearly 150,000 page views before being shut down.

Conclusion: How to Solve the Problem?

In the end, the threats to Public Emergency Response Systems are serious, real and numerous.   Although I chose to leverage some arcane and boutique attack examples which were widely publicized, there are scores of harder-hitting examples from traffic lights, to trains, to automobiles.

The key to understanding the solution is to understand that the threat is immeasurably more serious to this industry then many others which are only really concerned with business continuity and financial losses.  In this industry we must concern ourselves with the great possibility of loss-of-life scenarios.

In general, information security people have long understood these risks, but the transportation and manufacturing industries are just now waking from their mental slumber. The key to solving these problems is first to accelerate the awareness of the real possibilities of these dangers, then to assemble a well-orchestrated cyber security risk and mitigation strategy for each attribute of Public Emergency Response, whereby we rely on automation where human life can be placed in harm’s way.