Incident Details

Incident: 911 System Vulnerable to TDoS Attack Leading to Service Disruption

Published Date: 2016-09-09

Postmortem Analysis
Timeline	1. The software failure incident mentioned in the article likely happened before the article was published on September 9, 2016. The incident is not explicitly dated in the article, so the exact timeline is unknown.
System	1. 911 emergency phone system 2. Mobile phones infected with malware 3. Routers processing 911 calls 4. Call centers handling 911 calls 5. Firmware of mobile phones 6. Cell towers processing calls 7. International Mobile Subscriber Identity (IMSI) numbers 8. International Mobile Equipment Identity (IMEI) numbers 9. FCC regulations regarding 911 calls 10. Redundancy in 911 networks 11. Proposal by the FCC to address non-service plan phones making 911 calls 12. Phone hardware security measures such as preventing IMSI and IMEI number changes
Responsible Organization	1. The group of researchers at Ben Gurion University in Israel discovered the vulnerability in the 911 system and presented their findings to the Department of Homeland Security [47969]. 2. Attackers who could potentially exploit the vulnerability in the 911 system by launching TDoS attacks were also responsible for causing the software failure incident [47969].
Impacted Organization	1. The 911 emergency phone system and call centers across the United States were impacted by the software failure incident involving a TDoS attack [47969].
Software Causes	1. The software cause of the failure incident was a TDoS attack, specifically involving infecting mobile phones to automatically make bogus 911 calls, clogging call-center queues and preventing legitimate callers from reaching operators [47969].
Non-software Causes	1. Lack of redundancy in 911 networks, particularly in North Carolina, where many call centers rely on a single router [47969]. 2. Vulnerability of the 911 system due to the limited call capacity of 911 systems, with just three to five circuits processing all 911 calls for a center [47969]. 3. The requirement for carriers to process every 911 call that comes through their cell towers, regardless of whether the call is made by a subscriber, due to FCC regulations [47969].
Impacts	1. The software failure incident, a TDoS attack on the 911 emergency system, could potentially disable the 911 system across an entire state for an extended period of time by clogging call-center queues with bogus calls from infected smartphones, preventing legitimate callers from reaching operators [47969]. 2. The attack could cause 33 percent of the nation's legitimate callers to give up in reaching 911, leading to a significant disruption in 911 services across the nation [47969]. 3. The limited call capacity of 911 systems, with just three to five circuits processing all calls for a 911 center, makes it trivial to overwhelm the system, potentially leading to prolonged outages [47969]. 4. The attack could be prolonged for days using techniques that prevent authorities from halting the bogus calls, exacerbating the problem as legitimate callers trying to get through make repeated calls that further clog the lines [47969]. 5. The attack could affect more than 50 percent of wireless callers in a state like North Carolina with just 6,000 infected phones, in addition to impacting a good percentage of landline callers [47969].
Preventions	1. Implementing redundancy in 911 networks to ensure that a single router doesn't become a major point of failure during an attack [47969]. 2. Federal authorities could consider not requiring carriers to process calls from phones that aren't attached to a service plan, which could help mitigate the issue of pranksters making bogus 911 calls and potentially prevent TDoS attacks [47969]. 3. Altering phone hardware to prevent attackers from changing the IMSI and IMEI numbers on smartphones and replacing them with random ones, or installing firewalls on devices to detect and block repeated 911 calls with botnet activity characteristics could also help prevent such attacks [47969].
Fixes	1. State authorities could ensure redundancy in 911 networks to prevent a single router from becoming a major point of failure during an attack [47969]. 2. Federal authorities could consider telling carriers not to process calls from phones not attached to a service plan to mitigate the issue of bogus 911 calls [47969]. 3. Altering phone hardware to prevent attackers from changing IMSI and IMEI numbers or installing firewalls on devices to detect and block botnet activity related to repeated 911 calls could be potential solutions [47969].
References	1. Researchers at Ben Gurion University in Israel 2. Trey Forgety, director of government affairs for the National Emergency Number Association 3. Department of Homeland Security 4. Federal government 5. DHS and the FBI 6. FCC 7. Public safety groups 8. Kim Zetter, the author of the article [47969]

Software Taxonomy of Faults

Category	Option	Rationale
Recurring	unknown	a) The software failure incident related to the 911 emergency system being disrupted by a TDoS attack has not been reported to have happened again within the same organization or with its products and services [47969]. b) The article mentions that denial-of-service attacks against 911 systems have been discussed as a concept at hacker conferences for years, and there have been instances where TDoS attacks were launched against the administrative lines of various 911 call centers as part of extortion plots [47969]. However, there is no specific mention of similar incidents happening at other organizations or with their products and services.
Phase (Design/Operation)	design, operation	(a) The software failure incident related to the design phase can be seen in the article. The incident involves a vulnerability in the 911 emergency phone system that could be exploited by attackers to disrupt the system. Researchers found a way to disable the 911 system across an entire state by launching a TDoS attack, which involves infecting mobile phones to make bogus 911 calls and overwhelm call-center queues [47969]. (b) The software failure incident related to the operation phase is also evident in the article. The 911 system's limited call capacity and the potential for overwhelming call centers with just a small increase in call volume highlight operational vulnerabilities. The article mentions that the call capacity of 911 systems is exceptionally limited, with just three to five circuits processing all calls for a 911 center, making it trivial to overwhelm them [47969].
Boundary (Internal/External)	within_system, outside_system	(a) within_system: The software failure incident described in the articles is primarily within the system. The failure involves a TDoS (telephony denial-of-service) attack on the 911 emergency phone system, which disrupts the system's ability to route calls to emergency responders. The attack is initiated by infecting mobile phones with malware that automatically makes bogus 911 calls, overwhelming call-center queues and preventing legitimate callers from reaching operators [47969]. The attack targets the infrastructure and operation of the 911 system itself, exploiting vulnerabilities in the call centers, routers, and network setup to disrupt the service. (b) outside_system: The software failure incident also involves factors originating from outside the system. The attack is launched by external malicious actors who infect mobile phones with malware to create a botnet of phones, which is used to carry out the TDoS attack on the 911 system [47969]. The attackers exploit weaknesses in the design and operation of the 911 network, taking advantage of the limited call capacity and the lack of robust security measures to disrupt the service.
Nature (Human/Non-human)	non-human_actions, human_actions	(a) The software failure incident occurring due to non-human actions: The software failure incident described in the articles is related to a telephony denial-of-service (TDoS) attack on the 911 emergency phone system. This attack involves infecting mobile phones with malware to automatically make bogus 911 calls, which clog call-center queues and prevent legitimate callers from reaching operators. The attack can disrupt the 911 system across an entire state or even the nation by overwhelming the call capacity of the system. The attack is facilitated by infecting mobile phones to create a botnet that silently makes repeated 911 calls without the phone owners' knowledge, thus causing a denial-of-service situation [47969]. (b) The software failure incident occurring due to human actions: The failure due to human actions in this incident involves the deliberate launching of TDoS attacks by attackers who infect mobile phones with malware to disrupt the 911 system. The attackers take advantage of vulnerabilities in the system and exploit the limited call capacity of 911 centers to overwhelm them with bogus calls. Additionally, the attackers use techniques to prevent authorities from halting the bogus calls, exacerbating the situation. The attack was also used as part of an extortion plot, where attackers demanded money and launched high volumes of calls against the target network when turned down [47969].
Dimension (Hardware/Software)	hardware, software	(a) The software failure incident occurring due to hardware: The article discusses a potential software failure incident related to hardware in the context of infecting mobile phones with malware to launch a TDoS attack on the 911 emergency system. The attackers could infect phones by sending malware through email attachments, text messages, or embedding malicious code in applications. The malware infects the phone's firmware, allowing the attacker to control the devices and command them to make repeated 911 calls silently in the background without the phone owner's knowledge. Additionally, the malware changes the International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) numbers with each call to thwart blacklisting attempts by carriers [47969]. (b) The software failure incident occurring due to software: The software failure incident discussed in the article primarily originates from software-related factors. The attack involves infecting mobile phones with malware that manipulates the phone's firmware to make bogus 911 calls, leading to a denial-of-service situation for the 911 system. The malware created by the researchers for their TDoS test infects the phone's firmware, allowing the attacker to control the devices and command them to repeatedly call 911 without the phone owner's awareness. The software aspect of this incident involves the creation and deployment of malicious code to exploit vulnerabilities in the 911 system's call processing mechanisms [47969].
Objective (Malicious/Non-malicious)	malicious	(a) The software failure incident described in the articles is malicious in nature. The incident involves a TDoS (telephony denial-of-service) attack on the 911 emergency phone system, where attackers infect mobile phones to automatically make bogus 911 calls, clogging call-center queues and preventing legitimate callers from reaching operators [47969]. The attack is intentional and aimed at disrupting the 911 system, potentially causing harm by preventing emergency calls from getting through. The attackers exploit vulnerabilities in the system to launch the attack, indicating a malicious intent to disrupt critical infrastructure and emergency services.
Intent (Poor/Accidental Decisions)	unknown	The intent of the software failure incident described in the articles is related to poor_decisions. The incident involves a deliberate attack strategy known as a TDoS (telephony denial-of-service) attack, where attackers infect mobile phones to automatically make bogus 911 calls, clogging call-center queues and disrupting legitimate emergency calls [47969]. The attack is intentional and aimed at disrupting the 911 system, showcasing a malicious intent rather than accidental decisions or mistakes.
Capability (Incompetence/Accidental)	unknown	(a) The software failure incident occurring due to development incompetence: The incident described in the articles is not related to development incompetence. Instead, it focuses on the potential vulnerability of the 911 emergency system to TDoS attacks, which are deliberate actions by attackers to disrupt the system by infecting mobile phones and causing them to make bogus 911 calls, overwhelming the call centers and preventing legitimate callers from reaching operators [47969]. (b) The software failure incident occurring accidentally: The incident described in the articles is not related to accidental software failure. It specifically discusses the intentional nature of TDoS attacks on the 911 emergency system, where attackers deliberately infect mobile phones to disrupt the system's operations [47969].
Duration	temporary	The software failure incident described in the articles is more aligned with a temporary failure rather than a permanent one. The incident involves a potential TDoS (telephony denial-of-service) attack on the 911 emergency system, which could disrupt the system for an extended period of time but is not a failure due to contributing factors introduced by all circumstances. The attack involves infecting mobile phones to make bogus 911 calls, clogging call-center queues and preventing legitimate callers from reaching operators. The attack could be prolonged for days using techniques that would prevent authorities from halting the bogus calls, and the problem would be exacerbated as legitimate callers trying to get through made repeated calls that further clogged the lines [47969].
Behaviour	other	(a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and does not perform any of its intended functions. Instead, the incident involves a telephony denial-of-service (TDoS) attack on the 911 emergency system, which disrupts the system's functionality by overwhelming it with bogus calls, preventing legitimate callers from reaching operators [47969]. (b) omission: The incident does not involve a failure due to the system omitting to perform its intended functions at an instance(s). Instead, the attack involves flooding the 911 system with bogus calls, which leads to the omission of legitimate calls being able to reach operators [47969]. (c) timing: The software failure incident is not related to a timing failure where the system performs its intended functions correctly but too late or too early. The incident is about disrupting the 911 system's operations by clogging call-center queues with bogus calls, affecting the system's ability to route legitimate emergency calls to responders in a timely manner [47969]. (d) value: The incident does not involve a failure due to the system performing its intended functions incorrectly. Instead, the attack aims to disrupt the 911 system's value in quickly routing calls to emergency responders by overwhelming the system with bogus calls, causing a significant impact on the system's effectiveness [47969]. (e) byzantine: The software failure incident does not exhibit a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. The incident involves a deliberate attack on the 911 system through a TDoS attack, which disrupts the system's normal operations by flooding it with fake calls, leading to a denial of service for legitimate emergency callers [47969]. (f) other: The behavior of the software failure incident can be categorized as a deliberate cyber attack aimed at disrupting the 911 emergency system's operations by overwhelming it with bogus calls. This behavior falls under the category of a security threat rather than a traditional software failure such as a crash, omission, timing issue, or value error [47969].

IoT System Layer

Layer	Option	Rationale
Perception	None	None
Communication	None	None
Application	None	None

Other Details

Category	Option	Rationale
Consequence	theoretical_consequence	(a) death: People lost their lives due to the software failure - The article discusses the potential consequences of a TDoS attack on the 911 emergency system, which could lead to significant disruptions in emergency services, potentially causing delays in reaching emergency responders. While the article does not directly mention any deaths resulting from such an attack, the disruption in emergency services could potentially lead to fatal outcomes if individuals are unable to reach help in time [47969]. (b) harm: People were physically harmed due to the software failure - The article does not specifically mention individuals being physically harmed due to the software failure incident discussed, which involves the potential disruption of the 911 emergency system through a TDoS attack [47969]. (c) basic: People's access to food or shelter was impacted because of the software failure - The article does not mention any impact on people's access to food or shelter as a consequence of the software failure incident discussed [47969]. (d) property: People's material goods, money, or data was impacted due to the software failure - The article primarily focuses on the potential disruption of the 911 emergency system and the implications of a TDoS attack on emergency services. It does not mention any direct impact on people's material goods, money, or data as a consequence of the software failure incident [47969]. (e) delay: People had to postpone an activity due to the software failure - The article discusses how a TDoS attack on the 911 system could lead to delays in reaching emergency services due to call center queues being clogged with bogus calls. While it does not mention specific activities being postponed, the disruption in emergency services could potentially cause delays in receiving help during emergencies [47969]. (f) non-human: Non-human entities were impacted due to the software failure - The article does not mention any impact on non-human entities as a consequence of the software failure incident discussed [47969]. (g) no_consequence: There were no real observed consequences of the software failure - The article highlights the potential consequences of a TDoS attack on the 911 emergency system, indicating significant disruptions in emergency services and the potential for legitimate callers to be unable to reach operators. While the described incident is a theoretical scenario, the consequences discussed are severe, suggesting that there could be real observed consequences if such an attack were to occur [47969]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The article discusses the theoretical consequences of a TDoS attack on the 911 system, including the disruption of emergency services, potential delays in reaching help, and the challenges in mitigating such attacks. While these consequences have not been observed in the specific incident discussed, they are theoretical scenarios based on the vulnerability of the 911 system to such attacks [47969]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The article primarily focuses on the potential consequences of a TDoS attack on the 911 emergency system, highlighting the disruption in emergency services, the challenges in mitigating such attacks, and the vulnerabilities of the 911 system to malicious activities. While specific direct consequences such as deaths or physical harm are not mentioned, the overall impact of such a software failure incident could lead to severe disruptions in critical emergency services, potentially endangering lives in emergency situations [47969].
Domain	information, government	(a) The failed system was related to the industry of information, specifically the 911 emergency phone system. The system is critical for quickly routing calls to emergency responders closest to a caller, and it has been in place since 1968. The incident involved a potential TDoS attack that could disrupt the 911 system across an entire state or even the nation, as reported by researchers at Ben Gurion University in Israel [47969]. The 911 system is considered part of the nation's critical infrastructure, similar to the power grid and other essential services, and it handles over 240 million calls annually from mobile phones [47969]. (b) The transportation industry was not directly related to the software failure incident reported in the articles. (c) The natural resources industry was not directly related to the software failure incident reported in the articles. (d) The sales industry was not directly related to the software failure incident reported in the articles. (e) The construction industry was not directly related to the software failure incident reported in the articles. (f) The manufacturing industry was not directly related to the software failure incident reported in the articles. (g) The utilities industry was not directly related to the software failure incident reported in the articles. (h) The finance industry was not directly related to the software failure incident reported in the articles. (i) The knowledge industry was not directly related to the software failure incident reported in the articles. (j) The health industry was not directly related to the software failure incident reported in the articles. (k) The entertainment industry was not directly related to the software failure incident reported in the articles. (l) The government industry was indirectly related to the software failure incident as the 911 system is considered part of the nation's critical infrastructure, and the Department of Homeland Security was involved in receiving the researchers' paper on the potential TDoS attack on the 911 system [47969]. (m) The failed system was not related to an industry outside of the options provided.

Sources

How America's 911 emergency response system can be hacked - The Washington Post - Published on: 2016-09-09
Article ID: 47969

Back to List