Research published last week reveals that an attacker needs only 6,000 smartphones to launch a DDoS (distributed denial of service) attack against a US state’s 911 service.
The attacker can even knock the 911 service offline by making simultaneous calls from this botnet of devices to the emergency number.
The researchers who described this scenario say it can be done by infecting the smartphones with malware, or even by buying the smartphones to carry out the attack, which would cost only $100,000, a small sum for a state-level attack.
The attacker can also scale the attack to the entire US 911 service. To achieve this, the attacker needs control over a botnet of 200,000 devices, which is relatively hard to accomplish in a short time period but can be done. This would cost the attacker around $3.4 million if he decided to buy the devices instead of building a botnet.
Attacking the 911 call centers is possible because mobile carriers reroute these calls to a nearby Public Safety Answering Point (PSAP) without actually verifying the caller’s identity or subscriber status.
An attacker can place calls to a specific PSAP with a spoofed identity and flood the emergency center with a TDoS, or telephony denial of service, attack.
The attack is more effective if coordinated with the time of day when 911 call centers are usually under heavy traffic, or even with real-world disasters.
Call redialing means devices can be reused until the attack is detected and the attacking bots are blacklisted. This countermeasure by 911 services can be skirted by hiding IMEI and IMSI information. Researchers say this can be done by placing malware within the baseband firmware of a mobile device.
The hardest part of the attack would be to map all PSAP centers across the US. At the end of December 2015, the FCC listed minimal information on 7,227 PSAP centers across the US.
The research paper, titled "9-1-1 DDoS: Threat, Analysis and Mitigation", offers more information about the attack and possible mitigation procedures for US authorities. The study was put together by scientists from the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel.