This document summarizes a talk on hacking 911 emergency response systems. It outlines various attacks on wired, wireless, and VoIP 911 systems, including initiating inappropriate responses, interfering with real emergencies, and conducting surveillance. Example attacks demonstrated modifying caller location data and overwhelming 911 systems with false calls. The document warns that successful attacks could negatively impact public health and safety by delaying emergency responses. It calls for technical and policy solutions like improved 911 network security standards, monitoring, and increased funding to address vulnerabilities.
Hacking 911: Adventures in Disruption, Destruction, and Death
1. Hacking 911:
Adventures in Disruption,
Destruction, and Death
quaddi, r3plicant & Peter Hefley
August 2014
2. Jeff Tully
Christian Dameff
Peter Hefley
Physician, MD
Emergency Medicine
Physician, MD
Pediatrics
IT Security, MSM, C|CISO, CISA, CISSP, CCNP, QSA
Senior Manager, Sunera
3. Jeff Tully
Christian Dameff
Peter Hefley
Open CTF champion sudoers- Defcon 16
Speaker, Defcon 20
Wrote a program for his TI-83
graphing calculator in middle school
Speaker, Defcon 20
Gun hacker, SBR aficianado
4.
5. This talk is neither sponsored,
endorsed, or affiliated with any of our
respective professional institutions or
companies.
No unethical or illegal practices were
used in researching, acquiring, or
presenting the information contained in
this talk.
Do not attempt the theoretical or
practical attack concepts outlined in
this talk.
Disclaimer
16. Research Aims
• Investigate potential vulnerabilities
across the entire 911 system
• Detail current attacks being carried out on
the 911 system
• Propose solutions for existing
vulnerabilities and anticipate potential
vectors for future infrastructure
modifications
19. Wireless Phase 1 Telephone Call
Mobile
Switching
Center
Selective
Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
Voice
Voice + pANI/ESRK
Voice + pANI/ESRK
pANI/ESRK
ALI
Cell Tower
Voice
Callback#(CBN)
CellTowerLocation
CellTowerSector
pANI/ESRK
CBN, Cell Tower Location,
Cell Tower Sector, pANI / ESRKMobile
Positioning
Center
21. Wireless Phase 2 Telephone Call
Mobile
Switching
Center
Selective
Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
Voice + pANI/ESRK Voice + pANI/ESRK
pANI/ESRK
ALI
Cell Tower
Voice
Callback#
CellTowerLocation
CellTowerSector
pANI/ESRK
Latitude and Longitude,
Callback #, Cell Tower Location,
Cell Tower Sector, pANI / ESRK
Position
Determination
Equipment
Mobile
Positioning
Center
Voice
28. NSI Emergency Calls
Mobile
Switching
Center
Selective
Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
Voice +
pANI/ESRK
Voice +
pANI/ESRK
pANI/ESRK
ALI
Cell Tower
CBN?
CellTowerLocation
CellTowerSector
pANI/ESRK
CBN, Cell Tower Location,
Cell Tower Sector, pANI / ESRK
CBN = 911 + last 7 of
ESN/IMEI
Voice Voice
Mobile
Positioning
Center
29. Wireless Location Modification
Mobile
Switching
Center
Selective
Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
Voice
Voice +
pANI/ESRK
Voice +
pANI/ESRK
pANI/ESRK
ALI
Cell Tower Callback#
CellTowerLocation
CellTowerSector
pANI/ESRK
!@#Lat/Long%%$,
Callback #, Cell Tower Location,
Cell Tower Sector, pANI / ESRK
Position
Determination
Equipment
Mobile
Positioning
Center
Voice
45. Bystander CCO CPR Improves Chance of
Survival from Cardiac Arrest
100%
80%
60%
40%
20%
0%
Time between collapse and defibrillation (min)
0 1 2 3 4 5 6 7 8 9
Survival(%)
Nagao, K Current Opinions in Critical Care 2009
EMS Arrival Time based on TFD 90% Code 3 Response in FY2008. Standards of Response Coverage 2008.
EMS Arrival
No CPR
Traditional
CPR
CCO CPR
46.
47. Strategic Threat Agents
• 6000 PSAPs taking a combined
660,000 calls per day
• Fundamental building block of
our collective security
• Potential damage extends beyond
individual people not being able
to talk to 911
49. Solutions
• Call-routing red flags
• Call “captchas”
• PSAP security
standardizations
• Increased budgets for
security services
• Open the Black Box