Too weak: 200,000 dead mobile phone will be able to capture United States-911-IT 911 alarm system information

September 10, since 1968 the United States since the launch of 911 emergency system, the national security programme had been successful from the countless critical situations to save the lives of millions of citizens. Thanks to its unique system architecture, based on the geographic location of the distress provides the nearest rescue, in order to ensure the timely and efficient rescue.

But complete police cannot guarantee absolute security for everyone. In addition to 15 years ago that a long throbbing in the heart of the terrorist tragedy in addition to ordinary people in ordinary social seems to also can easily undermine this protection to the entire United States national "safety net". Recently a group of researchers say, their exploits and technological means can easily for a long time the 911 system to a standstill. They use a TDoSDD attack, also known as "call-blocking attacks" (telephony denial-of-service attack). Means include the use of ordinary users of cell phones a lot make a false 911 call, thus causing the line blockages and disturbances, so that those who really need emergency people can't get rescue.

The researchers said, only 6,000 viruses manipulate mobile phone attack, the entire North Carolina's police head. Zombie mobile enough to capture the entire 200,000 United States of the 911 emergency system. But whether 6000 is 200,000, hacker is a very easy thing to do.

"33% the critical situation caused by such means could not be salvaged. A 911 call will become useless. "Israel Ben Gurion University researchers wrote in the report. The report had been submitted to the United States Department of Homeland Security, today announced to the public.

"The researchers really catch the 911 system weaknesses. "The United States emergency number Association telei·fugaidi (Trey Forgety). He and his Association has long been concerned about the system defect and four years ago it reminded homeland security to pay more attention. "And I think that the 911 system is actually more fragile than the researchers described. ”

Although national safety, but due to the sparse nature of the emergency event itself, 911 of the exclusive line is in fact very small. A State had 3~5 telephone lines to prepare. "This is how vulnerable you think. 3~5, I am a person with several handsets you can let it all online. ”

911 systems and power grids, dams system across the country as the United States infrastructure. Now distributed more than 7,000 emergency centers across the United States each year received more than 200.004 million calls. With the popularity of mobile devices, 70% the call by phone call. New age, new age. However, according to the disclosure, it is clear that this system does not keep well.

Gurion network security modikai·Guli, head of the University (Mordechai Guri) that as long as the use of technical means preventing counterfeit phones were found, this line blocking attacks can last for a few days at a time. At this time, the normal call for more and more severe line congestion. -It also outlaws attempts.

Similar lines blocking attacks such as this have been discussed many times on the hacking Forum, but never really did happen in reality. But things change in 2013. Then 911 emergency Center detected a number of false calls. Homeland Security and the Federal Bureau of investigation issued a joint notice, claim to detect the phone attack against 911 warning centers. Attacker uses constant harassing phone calls as a threat in an attempt to extort big money. But the last plot failed does not succeed. Despite those calls are not for the 911 lines, but the similarity between the two is enough to arouse people's Association.

# Detailed TDoS attacks

Different from the networks and the rapid development of electronic technology, United States around the 911 system and do not complete lines and system integration. Instead, the emergency system chaired by the independent, is usually a County Emergency Center. They just wait for the call and the provision of services. Line access is done by the communications company: when you need to rescue people dialed the phone number, communications network company emergency response center the signal received.

When someone called 911 emergency call, the signal will be transferred to a specialized emergency call network. Telephone exchange will be the first time to record location information for help. If the call is via a mobile phone call, early warning systems can also use the phone's GPS device to obtain more accurate location information. Then, according to the location of the call, select nearest emergency telephone network help Center answers the phone for him. According to these public safety answering points for help, sent firefighters, police or medical ambulances to the scene.

911 system line with fewer vulnerabilities, an attacker would first have to do is prepare a sufficient number of calls as harassment machine. Can usually be accomplished by a virus-infected cell phones in this step. An attacker can remotely control the infected cell phone repeatedly interfering nature of distress signals, causing the line to crowded, also have a wasted resources to relief stations.

Intelligent giving users more functionality of the phone at the same time, as criminals on mobile platforms, making them paved conditions. Hacker the information through email, with a link, or insert malicious code in the app, I can come to the back door of the mobile access. This one, by app control a cell phone is not uncommon. Last year, researchers found in the Apple App Store app that contains malicious software. Apple's store has always been based on review is known for its strict, other less stringent threshold of malicious software in the Android store is understandable. In 2011, a survey for Android software, Google Play in the Store, there are more than 10,000 app that contains a malicious program.

In the case of TDoS attacks, criminals can use to sneak malicious code phone firmware level, and complete control over the phone. In the attack, criminals through remote control command allows these infected phones constantly sent out distress messages and calls, affected the judgement of shelter staff. Firmware is the underlying software, and mobile phone system equivalent to the computer BIOS and the relationship between Windows. Since all of these operations are done at the firmware level of harassment, so does not have any display on the screen. That is to say, where do you probably looked at the cell phone does not move, but it was crazy to send harassing messages. This means not being noticed in the running attack, and afterwards do not leave marks.

Of course 911 are not without retaliatory measures. 911 systems and communications companies can pull black refused to accept specific phone calls. Black are two ways: one is the cell phone number and SIM card; the other is for the phone's IMEI serial number. Which belongs to the block at the hardware level, equivalent to the phone was rejected by the network, even if you replace the SIM card cannot be cracked. In general communications, mobile phone number and mobile phone IMEI code as part of the signal to be transmitted, so the 911 system received harassment harassment can take the two points. But tricky is that criminals can use software programs to send random virtual IMEI, bring a lot of inconvenience to the blockade.

In General, the operator the phone number and phone IMEI is binding. (Some contracts even more so) limit on a particular mobile phone number will only be used. In other words, once detected by a network operator does not match the original IMEI number and will refuse to provide communications services. But the 911 special is special in that it is an urgent call, without the limitation of IMEI-bound. Frequency is not high because of the 911 hotline calls, plus call charges may lead to the pressure of public opinion and current practice of the major operators are particularly lenient to 911 hotline. As long as it is to call 911, regardless of the cards without card, phone enough is not enough, will simply be released.

# Attack effects

TDoS attacks for an actual test results, researchers are also designed with North Carolina's 911 emergency system in the laboratory a simulation platform. Prior to North Carolina was chosen because the State had disclosed details of the 911 system in the State, the data easier for researchers. North Carolina 911 emergency system currently has 20 network switch, 288 call center, received more than 23,000 calls a day. In a year, a figure more than 8 million. But like North Carolina and many other States, there is an old and deadly problem: their service centre relies on a switch to call the deal with 911 hotline. As long as the overload switch, the attacker can affect more than one call center is not working properly.

Researchers test showed that only about 6,000 phones in the controlled, they can make 50% calls have been delayed or unable to connect.

# Coping strategies

Researchers recommended that local authorities should ensure that they have adequate network redundancy to cope with the mass line blocking attacks.

While the Federal Government recommended that operators of emergency system management. The Federal Communications Commission last year proposed a Bill, also supported the same approach. Because in the past there have been phone pranksters held no owner identity wanton harassment telephone calls. Many civil society groups expressed support for this proposal.

A solution from the other handset makers. By technology encryption to prevent people from freely changing the phone's IMEI code. Can a firewall preinstalled in the phone or cell phone manufacturer, monitor abnormal 911 emergency phone calls.

No matter what, and researchers hope that the Government will take action as soon as possible. Because as long as these vulnerabilities exist, and attack people more nervous day. Citizen security threats a day.

太脆弱：20万部僵尸手机就能攻陷美国911报警系统 - 911 - IT资讯

9月10日消息，自1968年美国推出911应急系统以来，这套全国性的安全方案已经成功从无数危急情况中拯救了千万公民的生命。这得益于其独特的系统架构，能够依据求救者的地理方位提供距离最近的救援，从而保证了救援的及时高效。

不过再完备的警力也无法保证每个人的绝对安全。除了十五年前那起令人久悸于心的恐怖悲剧之外，寻常社会中的普通人似乎也可以轻易破坏这套保护着整个美国国民的“安全网”。最近一组研究人员称，他们利用漏洞和技术手段可以很轻易地在相当长时间里使911系统陷入瘫痪。他们使用了一种叫TDoSDD的攻击方法，也称作“电话阻断式攻击”（telephony denial-of-service attack）。手段包括利用普通用户的手机大量拨打虚假的911报警电话，从而造成线路堵塞和信息干扰，使得那些真正需要急救的人无法得到救援。

研究人员称，只需要6000部被病毒操控的手机发起攻击，就可以让整个北卡罗来纳州的警力晕头转向。20万部僵尸手机足以攻陷整个美国的911紧急相应系统。而无论是6000还是20万，对黑客来说是很容易做到的事。

“这种手段能够造成33%的危急情况无法被救助。911报警电话会变得形同虚设。”以色列本·古里安大学的研究员在报告中如此写道。这份报告此前被递交给美国国土安全部，今天向大众公布。

“这次研究人员真的抓到了911系统的弱点所在。”美国紧急号码协会主席特雷·弗盖蒂（Trey Forgety）表示。他和他的协会长久以来就在关注这个系统缺陷并于四年前就提醒国土安全部对此多加注意。“而且我认为911系统其实比这次研究人员描述的还要脆弱。”

尽管命系全国安危，不过由于突发紧急事件本身的稀少性质，911的专属线路其实很少。一般一个州只有3～5条电话线路预备。“这是多么不堪一击呀，你想想看。才3～5条，我一个人拿几部手机就可以让它全部占线。”

911系统和全国电网、水坝系统一起作为美国的基础设施。现在分布全美的7000多个紧急事故处理中心每年接到超过2亿4千条求助电话。随着手机设备的普及，70%的求助电话是由手机拨打。新时代，新形势。不过根据上述的披露，显然这套系统并没能很好地保持与时俱进。

古里安大学的网络安全负责人莫迪凯·古力（Mordechai Guri）表示，只要使用技术手段防止假冒电话被识破，这种线路阻断式攻击就能够持续好几天之久。这时候的正常求救电话越多，线路拥堵越严重。这也更合了不法分子的企图。

像这种类似的线路阻断式攻击已经在黑客论坛上被讨论过很多遍，只不过一直没在现实中真正发生过。不过事情在2013年发生变化。当时911紧急预案中心检测到一批虚假来电。国土安全部和联邦调查局联合发表了一份告示，声称检测到了针对911预警中心发动的电话攻击。攻击者利用不断的骚扰电话作为要挟，企图敲诈高额金钱。不过最后阴谋失败并未得逞。尽管当时那些电话并非针对911的线路，不过两者之间的相似性还是足以引起人们的联想。

# TDoS攻击详解

与网络和电子科技的日新月异不同，美国各地的911系统并没有完成线路和系统的一体化。相反，应急系统由各地自主主持，通常是一个县区一个应急中心。他们只管等待来电和提供服务。线路接入则由通信公司来完成：当需要救援的人拨出电话号码后，通讯网络公司把这些信号转接到紧急情况应急中心。

当一个人拨打了911紧急电话，信号会被转接到一个专门处理紧急电话的网络。电话交换机会在第一时间记录下求救着的位置信息。如果求救电话是通过移动手机拨打的，那么预警系统还可以通过手机的GPS装置获取更精确的位置信息。然后，根据呼救者所在的位置，电话网络选择距离最近的紧急情况救助中心为他接通电话。而这些公共安全应答点会根据呼救者的情况，派出消防员、警察或者医疗救护车前往事发地点。

利用911系统线路少的弱点，攻击者首先要做的就是准备足够数量的电话作为骚扰机器。通常都可以通过感染了病毒的手机来完成这一步。攻击者可以远程控制这些被感染的手机不断发出有干扰性质的求救信号，既造成线路拥挤，也会给救助站造成资源虚耗。

手机的智能化在给用户带来更多功能的同时，也为不法分子在移动平台的兴风作浪铺垫了条件。黑客通过发邮件、附带链接的信息，或者在app中插入恶意代码都可以取得对手机的后门操作权限。这其中，通过app控制一部手机已非稀罕事。去年，研究人员就在苹果App Store里发现了包含恶意软件的app。而苹果的商店一向是以审查严格著称的，其他门槛没有那么严格的安卓商店里的恶意软件存在几何，可想而知。2011年，一项针对安卓手机软件的调查显示，在谷歌的Play Store里，就存在着超过一万个包含恶意程序的app。

在TDoS攻击的例子中，不法分子可以通过恶意代码潜入到手机固件层面，从而完成对手机的控制。在发动攻击时，不法分子可以通过遥控指令让这些被感染的手机不断地发出求救短信和电话，影响救助站人员的判断。固件是更底层的一种软件，其和手机系统的关系相当于电脑上BIOS和Windows之间的关系。由于所有这些骚扰操作都是在固件层面完成的，所以手机屏幕上不会有任何显示。就是说，很可能你看着手机明明放在哪儿不动，但它却在疯狂地发着骚扰短信。这种攻击手段在运行中不会被人察觉，在事后也不会留下痕迹。

当然911方面也不是没有反制措施。911系统和通讯公司都可以通过拉黑的方法拒绝接受特定手机的来电。拉黑包括两种途径：一种是针对手机号码，即SIM卡；另一种是针对手机的IMEI序列号。后者属于硬件层面的封杀，相当于这部手机遭到了联网拒绝，即使更换SIM卡也无法破解。在一般的通讯中，手机号码和手机IMEI码都会作为信号的一部分被传输，所以收到骚扰的911系统可以抓住这两点进行反骚扰。不过棘手的是，犯罪分子可以使用软件程序发送随机虚拟的IMEI，给封锁工作带来很多不便。

一般而言，运营商都会对手机号码和手机IMEI进行绑定。（某些合约机更是如此）从而限制一个号码只在特定手机上使用。也就是说，一旦网络运营商检测到一个号码和原先的IMEI不匹配，会拒绝提供通讯服务。不过911特殊就特殊在它是个紧急电话，不受IMEI绑定的限制。由于911热线的拨打频率并不高，再加上如果给求救电话收费可能会带来到的舆论压力，目前各大运营商的做法都是对911热线特别网开一面。只要是拨打911，不管有卡没卡，话费够还是不够，都一律放行。

#攻击效果

为了实际测验TDoS的攻击效果，研究人员还专门根据北卡罗来纳州的911应急系统在实验室搭建了一个模拟平台。选择北卡罗来纳州是因为之前该州曾公开过州内911系统的详细数据，这些数据方便了研究人员。目前北卡罗来纳州911应急系统拥有20个网络交换机，288个话务中心，每天接到超过2万3千条求助电话。一年下来，这个数据超过8百万条。不过北卡罗来纳州和其他许多州一样，都有一个陈旧而致命的问题：他们的话务中心都依赖一个交换机进行来电的处理911热线。只要这一个交换机过载，攻击者就能影响到多个话务中心不能正常工作。

研究人员的测试显示，只需要大约6000部受操控的手机，他们就能使50%的求救电话遭到延搁或无法接通。

#应对策略

研究人员就此建议当地部门应确保他们有足够充分的网络冗余以应对这种大规模线路堵塞式攻击。

同时联邦政府建议运营商对紧急热线采取系统管理。联邦通讯委员会去年提出一份议案，也支持同样的做法。因为过去一直有恶作剧者拿着没有机主身份的手机肆意拨打骚扰电话。诸多民间团体也对这种提议表示支持。

问题的另一条解决之道是从手机制造商方面着手。通过技术加密来防止不法分子随意更改手机的IMEI码。或者手机制造商可以在手机里预装一道防火墙，监控异常的911紧急电话拨打。

不论怎样，古力和研究人员都希望政府能够尽快做出行动。因为只要这些漏洞多存在一天，攻击的威胁就让人多提心吊胆一天。公民安全也就多一天受威胁。