In the early morning hours of Wednesday, Oct. 26, 2016, an apparent Telephony Denial of Service (TDoS) attack was brought against several cities that brought 911 to a grinding halt.
The incident triggered a response from the Department of Homeland Security's National Cybersecurity & Communications Integration Center National Coordinating Center for Communications (NCIC/NCC) and a Watch Advisory for a TDoS attack on public-safety answering points (PSAP) was issued just after lunch.
Investigators were led to a web page created by 18-year-old, Phoenix-based Meetkumar Hiteshbhai Desai. Desai said he was merely looking for bugs in Apple's iOS in an attempt to capture a reward from Apple as part of its bug bounty program. Apple launched this long-awaited program in September, and the company is offering five different categories of reward prizes:
- $200,000 for vulnerabilities in secure boot firmware components
- $100,000 for vulnerabilities allowing extraction of confidential material
- $50,000 for executions of arbitrary or malicious code with kernel privileges
- $50,000 for access to iCloud account data on Apple servers
- $25,000 for access from a sandboxed process to user data outside the sandbox
Desai claimed this was the intent for his actions, not to compromise the 911 network with his exploit.
Most media reports on the incident mistakenly classified this incident as a bug, a virus, a hack or just about every other possible affliction. In reality, all indications point to an accidental exploit of pre-existing click-to-dial functionality, something very common in today's environment.
How the accidental TDoS attack happened
Detailed reports of the incident show Desai set up a web page that reused a snippet of code that would interact with the browser on a smartphone device. He claims that his intention was to get the victim to click a link and then display an annoying pop-up message on the phone. The program would then dial 911 and loop once the call terminated, therefore making another call to 911.
Apparently, it was difficult to break out of the cycle, and in many cases, the user was forced to shut the phone off or remove the battery. To Desai, this seemed fairly innocuous and certainly not a harmful practical joke. Obviously, he didn’t think about the consequences of 1,800 or more people pressing this link and generating simultaneous calls to 911, effectively creating a TDoS attack.
Desai claims he failed to realize and remove lines of code that caused the phone to dial the hard-coded number in the U.S.—the short code 911. Part of the problem was that the user didn’t realize the phone had called 911 and that it was continuing to redial until the browser session was killed by power cycling the phone. Phoenix was hit particularly hard because that’s where the bulk of Desai’s Twitter followers are from.
The interesting part of this is that the code could affect anyone no matter where in the world they were. In fact, if a user in the European Union would have clicked the link, the phone would have been provisioned by the European carrier to recognize 911 as an emergency number and would have launched a call to European 112 services, despite the user actually dialing 911.
In the end, instead of Desai displaying the technical prowess of an elite hacker, he merely demonstrated he wasn’t a thorough programmer who checks the functionality of what he writes before releasing it on the public.
What he did provide was a real-world demonstration of the frailty of the 911 network and how a simple accidental TDoS attack could be used to cripple the emergency telephone network’s ability to handle calls. An additional lesson learned was the seemingly difficult task of identifying the source of the attack and disable its capacity to generate this rogue traffic.
While the original site by Desai may not have had bad intentions, several “copycat” websites materialized, exploiting the same problem. As one expert said, “This is quickly becoming a big game of Whack-a-Mole” because sites were popping up as quickly as others were being taken down.
Can’t this be stopped?
Industry experts began sending emails, exploring ideas about how to prevent the current problem from happening and to stop the threat of future attacks using the same exploit. The biggest wake-up call to nearly everyone was that all indications pointed to this as an accident; however, this know-how could now be easily used by anyone with nefarious intent and a large-scale coordinated attack would be a matter of time.
The quick fix for this may be to require mobile phones and their operating systems to remove click-to-dial capabilities without prompting for secondary user interaction on the screen as confirmation, not just immediately launch a call. While this may complicate legitimate uses, it’s likely this secondary confirmation needs to be implemented to prevent a future attack that ultimately restricts the ability of our nation’s 911 network to process calls.
Much like SWATting, it’s nearly impossible to identify a real call from a false call, and until some mechanism of authenticated origination via a token is required and implemented, an easy fix for the solution may not be within view.