Hacking 911: Adventures in Disruption, Destruction, and Death

quaddi, r3plicant & Peter Hefley

August 2014

Jeff Tully

Christian Dameff

Peter Hefley

Physician, MD Emergency Medicine

Physician, MD Pediatrics

IT Security, MSM, C|CISO, CISA, CISSP, CCNP, QSA Senior Manager, Sunera

Jeff Tully

Christian Dameff

Peter Hefley

Open CTF champion sudoers- Defcon 16 Speaker, Defcon 20

Wrote a program for his TI-83 graphing calculator in middle school Speaker, Defcon 20

Gun hacker, SBR aficianado

This talk is neither sponsored, endorsed, or affiliated with any of our respective professional institutions or companies. No unethical or illegal practices were used in researching, acquiring, or presenting the information contained in this talk. Do not attempt the theoretical or practical attack concepts outlined in this talk.

Disclaimer

Outline

- Why This Matters (Pt. 1) - 911 Overview

- Methodology

- Attacks

- Why This Matters (Pt. 2)

Why This Matters (Pt. 1)

4/26/2003 9:57pm

Emergency Medical Services (EMS)

Research Aims

• Investigate potential vulnerabilities across the entire 911 system

• Detail current attacks being carried out on the 911 system

• Propose solutions for existing vulnerabilities and anticipate potential vectors for future infrastructure modifications

Methodology

• Interviews

• Regional surveys

• Process observations

• Practical experimentation

• Solution development

Wired Telephone Call

End Office

Selective Router

PSAP

ALI Database

Voice Only

Voice and Data

Data

Voice Voice + ANI Voice + ANI

ANI ALI

Wireless Phase 1 Telephone Call

Mobile Switching

Center

Selective Router

PSAP

ALI Database

Voice Only

Voice and Data

Data

Voice Voice + pANI/ESRK

Voice + pANI/ESRK

pANI / ESRK

ALI

Cell Tower

Voice

Callback # (CBN)

Cell Tower Location

Cell Tower Sector

pAN

I / E

SRK

CBN, Cell Tower Location, Cell Tower Sector, pANI / ESRK Mobile

Positioning Center

Wireless Phase 1 Data

Wireless Phase 2 Telephone Call

Mobile Switching

Center

Selective Router

PSAP

ALI Database

Voice Only

Voice and Data

Data

Voice + pANI/ESRK Voice + pANI/ESRK

pANI / ESRK

ALI

Cell Tower

Voice

Callback # Cell Tow

er Location Cell Tow

er Sector

pAN

I / E

SRK

Latitude and Longitude, Callback #, Cell Tower Location, Cell Tower Sector, pANI / ESRK

Position Determination

Equipment

Mobile Positioning Center

Voice

Wireless Phase 2 Data

VoIP Call

Emergency Services Gateway

Selective Router

PSAP

ALI Database

Voice Only

Voice and Data

Data

VoIP + CBN Voice + ESQK Voice + ESQK

ESQK ALI

VoIP Service

Provider

CBN

ESN

#, E

SQK

CBN, Location, ESQK

VoIP + CBN

VSP Database

The Three Goals of Hacking 911

• Initiate inappropriate 911 response

• Interfere with an appropriate 911 response

• 911 system surveillance

Wired – End Office Control

End Office

Selective Router

PSAP

ALI Database

Voice Only

Voice and Data

Data

Voice Voice + !%$# Voice + !%$#

!%$# ALI??

ALI Database

NSI Emergency Calls

Mobile Switching

Center Selective Router

PSAP

ALI Database

Voice Only

Voice and Data

Data

Voice + pANI/ESRK

Voice + pANI/ESRK

pANI / ESRK

ALI

Cell Tower

CBN?

Cell Tower Location

Cell Tower Sector

pAN

I / E

SRK

CBN, Cell Tower Location, Cell Tower Sector, pANI / ESRK

CBN = 911 + last 7 of ESN/IMEI

Voice Voice

Mobile Positioning Center

Wireless Location Modification

Mobile Switching

Center

Selective Router

PSAP

ALI Database

Voice Only

Voice and Data

Data

Voice Voice + pANI/ESRK

Voice + pANI/ESRK

pANI / ESRK

ALI

Cell Tower

Callback # Cell Tow

er Location Cell Tow

er Sector

pAN

I / E

SRK

!@#Lat/Long%%$, Callback #, Cell Tower Location, Cell Tower Sector, pANI / ESRK

Position Determination

Equipment Mobile Positioning Center

Voice

VSP Modification

Emergency Services Gateway

Selective Router

PSAP

ALI Database

Voice Only

Voice and Data

Data

VoIP + CBN

Voice + ESQK Voice + ESQK

ESQK #ALI@

VoIP Service

Provider

CBN

ESN

#, E

SQK

VSP Database

CBN, #%Location$@, ESQK

VoIP + CBN

Swatting Call

VoIP Service Providers

Service disruption attacks

• Line-cutting

• Cell phone jamming

• ALI database editing

• TDoS

• PSAP targeting

Resource exhaustion (virtual/personnel) Outdated system architectures Lack of air-gapping Privacy

Health Impacts

Bystander CCO CPR Improves Chance of Survival from Cardiac Arrest

100% 80% 60% 40% 20% 0%

Time between collapse and defibrillation (min) 0 1 2 3 4 5 6 7 8 9

Surv

ival

(%)

Nagao, K Current Opinions in Critical Care 2009 EMS Arrival Time based on TFD 90% Code 3 Response in FY2008. Standards of Response Coverage 2008.

EMS Arrival No CPR

Traditional CPR

CCO CPR

Strategic Threat Agents

• 6000 PSAPs taking a combined 660,000 calls per day

• Fundamental building block of our collective security

• Potential damage extends beyond individual people not being able to talk to 911

Reverse 911

Solutions

• Call-routing red flags • Call “captchas” • PSAP security

standardizations • Increased budgets for

security services • Open the Black Box

Q&A