When 911 Is Busy
As you're driving into work, you witness a horrific crash in the lane next to you. Quickly, you grab your cell phone and dial 911. Expecting to hear the 911 call center, you're confused by the busy signal you receive instead. Assuming you misdialed, you quickly press end, and redial. Again, a busy signal. And suddenly you are paralyzed, not certain what to do or how to get the help you need.
Over the past eight to 10 years, across the U.S., many Public Safety Answering Points (PSAPs) -- including fire departments, 911 call centers, and other emergency services -- have come under attack through the launch of Telephony Denial of Service (TDoS) attacks. Although unknown to many, these attacks have become a huge threat to public safety. In fact, this threat has become so real that the Department of Homeland Security and other federal agencies have stepped in to attempt to mitigate the risk.
Like its well-known older brother -- distributed denial-of-service (DDoS) attacks -- TDoS attacks are on the rise, targeting and taxing the PSAP system more frequently than you would expect. While DDoS attacks have been well studied and do not warrant extensive review here, TDoS attacks are relatively new and as a result, come seemingly out of the blue and as a total surprise to the victims.
TDoS: How It Works and Motivations Behind Attacks
How does a TDoS attack work? By flooding voice systems to the point of them becoming overwhelmed. Bad actors have uncovered a multitude of ways to exploit PSAP vulnerabilities to send thousands of paralyzing inbound calls into local PSAP systems: utilizing robo-dialing systems, exploiting access to inexpensive VoIP, and even unleashing botnets and zombie mobile phones armed with small lines of code gleaned from click links posted to popular Twitter feeds. The result? Unable to make or receive calls during the attack, the victim organization is suddenly cut off from those who rely on PSAP and emergency communications, often with life-threatening consequences.
What's the impetus behind launching a TDoS attack? It's often money. Using extortion, in 2013 cybercriminals launched multiple attacks, including one against a hospital system and at least one PSAP. Each attack came with the promise to cease only if a handsome ransom was paid. (Side note: in the 2013 attack, no ransom was paid, but countless days were lost to rectify and restore the systems.)
Yet, the reasons are not always financial. In 2016, a Phoenix, Ariz. teenager launched an incredibly successful attack against the 911 call centers and PSAPs in multiple states, using only simple code distributed through his network of social media followers via Twitter and YouTube. His motivation appeared to be braggadocio and bravado rather than financial gain.
This 2016 "just because" attack appeared to be particularly chilling to the Department of Homeland Security (DHS). The ease with which the attack was deployed, as well as the ensuing chaos, publicly exposed the risk to the emergency communications network across the country -- and concerns over TDoS attacks being used by radical groups as a form of disruption suddenly became very real. Yet, how could these attacks be stopped?
Efforts to Mitigate
Blocking these attacks isn't as simple as one might think. Emergency services and PSAPs are designed -- by law -- to accept all incoming calls to ensure public safety. That means that repeated autodialing, inbound mobile calls (including those that are unidentified or unassociated with any provider plan), and even spoofing are the weapons of choice for those launching TDoS attacks. That soon could change.
In its April 2017 Science and Technology Bulletin, "Snapshot: Stopping Attacks that Disrupt Voice Communications", the Cyber Security Division (CSD) of Homeland Security shared that it was doubling down to find ways to mitigate these risks.
Convening multiple task forces and seeking the advice and counsel of numerous telephony experts, CSD began funding two research projects, including software-based caller threat score analysis and suspicious call redirection. Additionally, CSD and its vendor-research team are working to develop an "integrated defense mechanism that is cost-effective, easy-to-manage, TDoS-defense capable, and customizable for the unique characteristics of varying 911 infrastructures." Designed as a platform, this mechanism provides metadata monitoring, reviews call signaling, and quickly analyzes voice contents to determine the validity of a call. Combined, these two projects in particular will provide powerful tools in the TDoS mitigation arsenal.
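To make caller threat scoring and suspicious-call redirection concrete, here is an added sketch in Python; it is not code from CSD or its research projects. The record format, weights, window and threshold are all assumptions, and the call records are constructed. Because a PSAP must accept every call, a high score redirects the call to a secondary queue instead of dropping it.

```python
from collections import defaultdict, deque

WINDOW_S = 60      # assumed sliding window, in seconds
REDIRECT_AT = 50   # assumed score at which a call is diverted, not dropped

# Constructed records: (arrival time in s, caller ID or None, call duration in s).
CALLS = [
    (1, "+15550111", 120),                         # one ordinary emergency call
    (10, "+15550122", 3), (40, "+15550122", 95),   # dropped call, then a redial
    (30, None, 90),                                # phone with no caller ID
] + [(t, "+15550100", 2) for t in range(0, 30, 5)]  # autodialer: 6 short calls

def score_calls(calls, window_s=WINDOW_S, redirect_at=REDIRECT_AT):
    """Return (time, caller, score, action) for each call, in arrival order."""
    recent = defaultdict(deque)   # caller -> (time, duration) of calls in window
    results = []
    for ts, caller, duration in sorted(calls, key=lambda c: c[0]):
        if caller is None:
            # Unidentified callers are never grouped together: each gets a
            # small fixed score so one anonymous phone cannot taint another.
            results.append((ts, caller, 10, "answer"))
            continue
        q = recent[caller]
        while q and ts - q[0][0] > window_s:
            q.popleft()           # forget calls older than the window
        # Simplification: durations of earlier calls are treated as known.
        repeats = len(q)
        short = sum(1 for _, d in q if d < 5)
        score = min(repeats * 15, 60) + min(short * 10, 30)
        q.append((ts, duration))
        action = "redirect" if score >= redirect_at else "answer"
        results.append((ts, caller, score, action))
    return results

if __name__ == "__main__":
    for row in score_calls(CALLS):
        print(row)
```

Scoring on caller ID alone does not survive spoofing, which is why the platform described above also reviews call signaling and voice content.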
Until then, the threat is still very high that a TDoS attack could disrupt services to PSAP and emergency call centers. Yet, the recognition that this vulnerability exists has brought a keen focus on longer-term solutions as well as near-term monitoring for impact mitigation.
"SCTC Perspectives" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.