Some more information about how TDoS affects 911 systems
Nov 11, 2016 •
There have been multiple articles describing a “botnet” of 1000’s of compromised smartphones, which all make calls to a 911 Public Safety Answering Point (PSAP) or some other target. A smartphone-based attack is the primary way to generate a TDoS attack against a PSAP. Using the classic Asterisk/SIP trunk/call generator type of attack, is unlikely to affect 911, since there is no guarantee that calls will be routed to the desired PSAP. An attack leveraging many smartphones in a local area is the most likely way to affect PSAP.
There is normally significantly more trunking available than there are PSAP attendants. This is logical and common in contact centers, as it allows callers to have their calls “answered” and put into a queue waiting for attendants. For a TDoS attack against 911 to have effect, it needs to “clog” or saturate these trunks. If the attacker can overwhelm the entire trunking capacity, then some legitimate callers won’t have their calls answered. Even if the attack does not overwhelm all trunking, it will still have an impact on attendants, because they will waste a small amount of time answering the TDoS calls. There are also multiple “trunk groups”, which are collections of physical channels into the PSAP. If an attack can overwhelm one of these trunk groups, the attack may not overwhelm the entire capacity of the PSAP, but it will affect legitimate calls coming from that trunk group. The biggest trunk group is normally mobile.
A large metro area PSAP will have multiple end offices switches, which provide landline access to various geographic areas. Each of these end offices has some amount of dedicated trunking for 911, which may be around 10 trunks. If an attack originates through one of these end offices, the most calls that will reach the PSAP is say 10 simultaneous calls. The attacker can’t overwhelm the PSAP unless they saturate the trunking from all or many of these end offices. However, there is a significant amount of trunking from the mobile network, since generally, the majority of calls to a PSAP, as much as 75%, are mobile. Therefore, this is where the overall PSAP capacity can be saturated. This is also where attacks from a smartphone-based botnet would arrive.
Furthermore, we also saw a recent actual attack, where a young hacker posted a link on Twitter, to a website with malicious code. There were over 10,000 followers of the Twitter account and of course, the link was obscured though bit.ly. When the link was clicked, the malicious code used the click-to-dial feature on iOS smartphones, in code that looped 1,000,000 times and continually made calls to 911. Most of the people who clicked on the link were in the Phoenix area. What is interesting about this attack is how simple the malicious code was. It wasn’t a sophisticated bit of malware, which leveraged some obscure feature of the smartphone – it simply used the click-to-dial feature in a loop. It wasn’t a botnet. Pretty much anyone could create this malware.
So in summary, we have a situation where the most vulnerable part of a PSAP is the mobile trunking, the easiest way to generate a TDoS attack on a PSAP is through compromised smartphones, the code needed to generate calls on smartphones is trivial, and we have had an “accidental” attack in the wild. Unfortunately, we expect to see more deliberate attacks in the future.