Three Israeli infosec researchers have shown how a botnet of infected smartphones could take out the United States' 911 emergency calling service in an entire state, and possibly the whole country, for days.
Mordechai Guri, Yisroel Mirsky and Yuval Elovici at Ben-Gurion University of the Negev's cyber security research centre took advantage of the fact that current US regulations demand that calls to 911 be routed immediately to emergency services, regardless of the caller's identifiers.
These identifiers include the International Mobile Subscriber Identity (IMSI) and International Mobile Station Equipment Identity (IMEI) codes.
The researchers note in a paper that by placing a rootkit (persistent, low-level malware) in mobile phones' baseband firmware (the code that operates the devices' radio processors), the identifiers could be masked and randomised.
This would render the devices effectively anonymous while the rootkit automatically places multiple 911 calls in a distributed denial of service (DDoS) attack, the researchers said.
The US 911 service must respond to all calls and the researchers found that it would take fewer than 6000 infected smartphones to take out the critical emergency response infrastructure in an entire state for days.
A laboratory test rig that simulated a small cellular network, together with bot-infected Samsung Galaxy S3, S4 and S5 smartphones running Android 4.4 and 5.x, provided the researchers with practical verification of the feasibility and scalability of the attack.
Since nine out of ten American adults own smartphones, the researchers believe it would be relatively easy to recruit just a fraction of these into a botnet to swamp the emergency call service, taking it out at state-level, or even within the entire country.
The researchers estimated that it would take around 200,000 smartphone bots to jeopardise 911 for the whole of the United States.
Blocking such attacks is currently difficult. Public safety answering points (PSAPs) have no way to blacklist bogus calls, nor is blocking at the network level possible beyond selectively turning off cellular service in bot-infested areas.
Police could attempt to locate and collect the devices in the DDoS botnet, but this would take anywhere from 30 minutes to 30 hours per smartphone, the researchers said.
For a 6000-device botnet, such a locate-and-capture operation could take more than a week, the researchers calculated.
Disallowing anonymised emergency calls would prevent the DDoS attack described above, but would require a rewrite of current regulations.
Such a move also poses an ethical problem, as anonymised devices can be used by victims of domestic violence, for example.
Likewise, blocking 911 calls with no audio is unlikely to work as bots can inject recorded sounds into calls. Such a move could also hurt deaf people making emergency calls.
To prevent attacks, device vendors could store IMEIs and other unique identifiers in trusted memory areas such as ARM's TrustZone, where they cannot be altered by malware; this is similar to how mobile payment systems use unique device identifiers to prevent fraud.
The researchers also proposed a mandatory device-level call firewall, built from trusted low-level components, that identifies typical DDoS behaviour such as frequent 911 calls, as the most effective way to mitigate attacks.
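One way such a device-level call firewall could recognise the burst pattern is sketched here as an added example (not code from the paper or the researchers): a sliding-window counter over a constructed call log that lets the first few emergency calls through, so a genuine caller is never blocked, and flags the rest. The window length, the grace allowance and the emergency-number set are assumptions.

```python
from collections import deque

# Numbers the firewall watches. The article covers US 911 only; adding 112
# is an assumption so the same logic applies in other regions.
EMERGENCY_NUMBERS = {"911", "112"}


class EmergencyCallFirewall:
    """Hypothetical device-level rate monitor for outgoing emergency calls.

    In the design the article describes this would run in a trusted
    low-level component, so baseband malware could not bypass it; here it
    is plain Python to show the decision logic only.
    """

    def __init__(self, window_s=600, grace=3):
        self.window_s = window_s      # sliding window in seconds (assumed)
        self.grace = grace            # calls always allowed per window (assumed)
        self._recent = deque()        # timestamps of recent emergency calls

    def check_call(self, ts, dialed):
        """Return ("allow" | "flag", emergency calls seen in window)."""
        if dialed not in EMERGENCY_NUMBERS:
            return "allow", 0         # ordinary call, not tracked
        # Age out timestamps that have left the sliding window.
        while self._recent and ts - self._recent[0] > self.window_s:
            self._recent.popleft()
        self._recent.append(ts)
        count = len(self._recent)
        return ("flag" if count > self.grace else "allow"), count


def evaluate(call_log, window_s=600, grace=3):
    """Run a whole (timestamp, dialed) log through one firewall instance."""
    fw = EmergencyCallFirewall(window_s, grace)
    return [fw.check_call(ts, num)[0] for ts, num in call_log]


# Constructed sample log (seconds since boot, dialed number): a normal 911
# call, an ordinary call, a bot-style burst of 911 calls, then a later call
# after the burst has aged out of the window.
SAMPLE_LOG = [
    (0, "911"), (120, "5551234"), (400, "911"),
    (401, "911"), (402, "911"), (403, "911"), (404, "911"),
    (1500, "911"),
]

if __name__ == "__main__":
    for (ts, num), verdict in zip(SAMPLE_LOG, evaluate(SAMPLE_LOG)):
        print(f"t={ts:5d} {num:>8} -> {verdict}")
```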