Researchers from the Negev Cyber-Security Research Center at Ben-Gurion University recently released a terrifying piece of news. It explains that if a malicious entity decided to craft malware that infected only a few thousand mobile phones, it would be possible to cripple an entire 911 system. That means legitimate calls couldn't make it through, and staffers manning the lines would be inundated with fake calls.
The research published last week reveals that in most states, if as few as 6,000 mobile phones were infected with malware that serves no other purpose but to ring 911 repeatedly, it could cripple the entire operation in that state. If the number of infected phones jumps to 200,000, then the entire nation's 911 system could suffer downtime.
The mere idea of this kind of DDoS attack is beyond scary. Imagine being in a situation where you need to call 911 and are simply unable to get through. Obviously, such an attack would inevitably lead to death and all sorts of other mayhem, all potentially caused by a malicious piece of software.
Something else to consider is that most phones can call 911 even without a carrier plan, due to laws that require any phone to be able to contact emergency services if the need arises. That means old, decommissioned phones could even be re-purposed for malicious intent, in this particular scenario.
If that sounds outlandish, maybe it is if we're talking about a single, rouge hacker. But for organized, state-sponsored attackers it would be a different matter altogether. Even if they didn't launch the malware into the wild, with the hopes of infecting unsuspecting users' phones, the price of 6,000 or even 200,000 old phones could be easily justified if it meant bringing down the emergency services of an enemy nation.
Unfortunately, there's no easy fix to this problem, although there are possible ways to mitigate such an attack. Implementing a feature in future phones that prevents rouge software from dialing 911 in the first place would help, although that won't aide in situations where older devices are used. Similarly, storing IMEIs and other relevant information could be done in trusted memory regions where modification is impossible by malware. Wireless carriers could also use smart algorithms on their network to detect fraudulent calls.
Whatever the solution, this is an area that needs attention -- quickly. The potential for mayhem and loss of life is too great to ignore.