Skip to main content

Swatting - 911 and telephony systems are defective

Several publications are running stories this week about Swatting, an extension of a prank phone call, which has the aim of eliciting response from emergency response teams, including SWAT (Special Weapons and Tactics) teams. The prank calls are made to 911 operators, who are tricked into dispatching SWAT, police, or other response units on the basis of false information. Obviously social engineering is peformed as well, operators are told of bomb threats, killings or hostages. According to some accounts, some type of caller id spoofing might be used in some of the Swatting calls, which have been directed at 911 operators in over 60 cities by the five people arrested thus far. Several stories make a point to state that 911 systems are not defective, such as this otherwise excellent story, Swatting - a dangerous new game by KSBW TV in California which reports that the masochistic pranksters are not "exploiting any real technical flaws in the 911 system" and that these systems "are actually OK". It isn't necessary to know the intimate details to make a pretty safe bet that serious defects in the security of these systems do exist. Many of the calls were apparently placed using the assistance of computer systems, and the 911 operators were led to believe that the calls were local, despite their origin hundreds of miles away. That sure waddles and quacks like a defect. It's certainly possible that the defects exploited are in the underlying telephony systems, such as the Caller ID system, and not in the 911 system itself. However, if it can result in the 911 operator being unable to reliably determine the local vs. non-local origin of the call, it's a defect directly relevant to the 911 system as a functioning whole, and certainly a defect with the potential of being significantly reduced or eliminated, given some thought and effort. See this Wikipedia article for more information about Caller ID Spoofing. According to widely publicized accounts, FBI agent Kevin Kolbye in Dallas indicated that Swatting seems at present to be a game played for bragging rights. The FBI and the Justice Department arrested and indicted folks a few months ago in Dallas, and made another announcement today. DOJ - Swatters plead guilty to conspiracy FBI Catches Five Swatters Swatting has the potential to be much more dangerous. As it stands, innocent people might be killed if they open their door to investigate suspicious noises with a weapon in their hand. It's a very short step from Swatting as a misguided or perverted game, to Swatting as a Denial of Service attack on emergency response units. A terrorist attack or other illicit activity might be coordinated with Swatting attacks, designed to slow response to the actual emergency, and thereby maximize damage, injury, and death from the attack, or increase the chances of a successful heist. I'm reminded of a scene from the movie Air Force One, where POTUS (President of the United States) played by Harrison Ford, must use an ordinary phone line to call into the White House from an "outside" line into the public switchboard. The operator doesn't believe it is the POTUS and he finally convinces her not of his identity, but to run her "standard" security procedure and trace the call, which works in record time and reveals that he is in fact calling from Air Force One. In our current telephony universe, things don't always work quite that smoothly. Imagine how much more difficult 911 calls would be, if you needed to convince the operator of your identity, location, and the fact that the emergency was real, before assistance was dispatched. Some of my colleagues design and build 911 systems. Undoubtedly Swatting will soon join the ranks of all-too-familiar terms in the field of information security.

Comments

Peter said…
Interesting... There has never really been any authentication of phone calls other than the fact that there used to be a physical route from A to B. Now that point C can be something like SkypeOut, I'm sure you're right that these sorts of things will happen more frequently.

Skype spam has gotten pretty bad these days. We're constantly getting authorization requests from all sorts of bogus sources. I guess I should expect all that to spill over to traditional phone networks and the 911 systems.

Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the Verified by Visa system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not visa.com I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual dom

Splunk acquires Phantom Cyber

I hope it doesn't come across as too cynical, the observation that most acquisitions in the tech domain fail to produce anything useful and often as not wind up killing a promising upstart technology, even if only by accident. I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company. Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber

Jailbreaking iOS is a Dead Man Walking

Rumor has it that Apple will include a new security feature (possibly known to the developers in Apple as "Rootless") in the upcoming releases iOS 9 and OS X 10.11. Although details are sparse, it looks like Apple may have implemented what other UNIX systems call "namespaces" (See this nice discussion of namespaces on Linux ). Most of the public speculation about the rumor concerns a possible end to jailbreaking , a sport which has fallen on hard times with successful jailbreaks coming fewer and farther between. Since the defects which enable jailbreaking are inherently open to malware, Apple's ongoing efforts to find and fix these bugs with the LLVM/Clang compiler's ever-more-diligent static analyzer make it harder for the jailbreak community to find a toehold. However, a namespaces-like security architecture might fix one of the biggest issues that leads people to desire a jailbroken iPhone. When iOS was created, the system extension features were