Uploaded byPriyanka Aash
Defcon 22-quaddi-r3plicant-hefley-hacking-911
This document summarizes a talk on hacking 911 emergency response systems. It outlines various attacks on wired, wireless, and VoIP 911 systems, including initiating inappropriate responses, interfering with real emergencies, and conducting surveillance. Example attacks demonstrated modifying caller location data and overwhelming 911 systems with false calls. The document warns that successful attacks could negatively impact public health and safety by delaying emergency responses. It calls for technical and policy solutions like improved 911 network security standards, monitoring, and increased funding to address vulnerabilities.
More Related Content
Similar to Defcon 22-quaddi-r3plicant-hefley-hacking-911
Defcon 22-quaddi-r3plicant-hefley-hacking-911
- 1. Hacking 911: Adventures inDisruption, Destruction, and Death quaddi, r3plicant & Peter Hefley August 2014
- 2. Jeff Tully Christian Dameff PeterHefley Physician, MD Emergency Medicine Physician, MD Pediatrics IT Security, MSM, C|CISO, CISA, CISSP, CCNP, QSA Senior Manager, Sunera
- 3. Jeff Tully Christian Dameff PeterHefley Open CTF champion sudoers- Defcon 16 Speaker, Defcon 20 Wrote a program for his TI-83 graphing calculator in middle school Speaker, Defcon 20 Gun hacker, SBR aficianado
- 5. This talk isneither sponsored, endorsed, or affiliated with any of our respective professional institutions or companies. No unethical or illegal practices were used in researching, acquiring, or presenting the information contained in this talk. Do not attempt the theoretical or practical attack concepts outlined in this talk. Disclaimer
- 6. Outline - Why ThisMatters (Pt. 1) - 911 Overview - Methodology - Attacks - Why This Matters (Pt. 2)
- 7. Why This Matters(Pt. 1) 4/26/2003 9:57pm
- 8.
- 16. Research Aims • Investigatepotential vulnerabilities across the entire 911 system • Detail current attacks being carried out on the 911 system • Propose solutions for existing vulnerabilities and anticipate potential vectors for future infrastructure modifications
- 17. Methodology • Interviews • Regionalsurveys • Process observations • Practical experimentation • Solution development
- 18. Wired Telephone Call End Office Selective Router PSAP ALIDatabase Voice Only Voice and Data Data Voice Voice + ANI Voice + ANI ANI ALI
- 19. Wireless Phase 1Telephone Call Mobile Switching Center Selective Router PSAP ALI Database Voice Only Voice and Data Data Voice Voice + pANI/ESRK Voice + pANI/ESRK pANI/ESRK ALI Cell Tower Voice Callback#(CBN) CellTowerLocation CellTowerSector pANI/ESRK CBN, Cell Tower Location, Cell Tower Sector, pANI / ESRKMobile Positioning Center
- 20. Wireless Phase 1Data
- 21. Wireless Phase 2Telephone Call Mobile Switching Center Selective Router PSAP ALI Database Voice Only Voice and Data Data Voice + pANI/ESRK Voice + pANI/ESRK pANI/ESRK ALI Cell Tower Voice Callback# CellTowerLocation CellTowerSector pANI/ESRK Latitude and Longitude, Callback #, Cell Tower Location, Cell Tower Sector, pANI / ESRK Position Determination Equipment Mobile Positioning Center Voice
- 22. Wireless Phase 2Data
- 23. VoIP Call Emergency Services Gateway Selective Router PSAP ALI Database VoiceOnly Voice and Data Data VoIP + CBN Voice + ESQK Voice + ESQK ESQK ALI VoIP Service Provider CBN ESN#,ESQK CBN, Location, ESQK VoIP + CBN VSP Database
- 25. The Three Goalsof Hacking 911 • Initiate inappropriate 911 response • Interfere with an appropriate 911 response • 911 system surveillance
- 26. Wired – EndOffice Control End Office Selective Router PSAP ALI Database Voice Only Voice and Data Data Voice Voice + !%$# Voice + !%$# !%$# ALI??
- 27.
- 28. NSI Emergency Calls Mobile Switching Center Selective Router PSAP ALIDatabase Voice Only Voice and Data Data Voice + pANI/ESRK Voice + pANI/ESRK pANI/ESRK ALI Cell Tower CBN? CellTowerLocation CellTowerSector pANI/ESRK CBN, Cell Tower Location, Cell Tower Sector, pANI / ESRK CBN = 911 + last 7 of ESN/IMEI Voice Voice Mobile Positioning Center
- 29. Wireless Location Modification Mobile Switching Center Selective Router PSAP ALIDatabase Voice Only Voice and Data Data Voice Voice + pANI/ESRK Voice + pANI/ESRK pANI/ESRK ALI Cell Tower Callback# CellTowerLocation CellTowerSector pANI/ESRK !@#Lat/Long%%$, Callback #, Cell Tower Location, Cell Tower Sector, pANI / ESRK Position Determination Equipment Mobile Positioning Center Voice
- 30. VSP Modification Emergency Services Gateway Selective Router PSAP ALI Database VoiceOnly Voice and Data Data VoIP + CBN Voice + ESQK Voice + ESQK ESQK #ALI@ VoIP Service Provider CBN ESN#,ESQK VSP Database CBN, #%Location$@, ESQK VoIP + CBN
- 33.
- 38.
- 39. Service disruption attacks •Line-cutting • Cell phone jamming • ALI database editing • TDoS • PSAP targeting
- 41. Resource exhaustion (virtual/personnel) Outdated system architectures Lackof air-gapping Privacy
- 44.
- 45. Bystander CCO CPRImproves Chance of Survival from Cardiac Arrest 100% 80% 60% 40% 20% 0% Time between collapse and defibrillation (min) 0 1 2 3 4 5 6 7 8 9 Survival(%) Nagao, K Current Opinions in Critical Care 2009 EMS Arrival Time based on TFD 90% Code 3 Response in FY2008. Standards of Response Coverage 2008. EMS Arrival No CPR Traditional CPR CCO CPR
- 47. Strategic Threat Agents •6000 PSAPs taking a combined 660,000 calls per day • Fundamental building block of our collective security • Potential damage extends beyond individual people not being able to talk to 911
- 48.
- 49. Solutions • Call-routing redflags • Call “captchas” • PSAP security standardizations • Increased budgets for security services • Open the Black Box
- 51.