There have been multiple articles describing a “botnet” of thousands of compromised smartphones, all of which place calls to a 911 Public Safety Answering Point (PSAP) or some other target. A smartphone-based attack is the primary way to generate a TDoS attack against a PSAP. The classic Asterisk/SIP trunk/call generator type of attack is unlikely to affect 911, since there is no guarantee that the calls will be routed to the desired PSAP. An attack leveraging many smartphones in a local area is the most likely way to affect a PSAP.
There is normally significantly more trunking available than there are PSAP attendants. This is logical and common in contact centers, as it allows callers to have their calls “answered” and put into a queue waiting for attendants. For a TDoS attack against 911 to have effect, it needs to “clog” or saturate these trunks. If the attacker can overwhelm the entire trunking capacity, then some legitimate callers won’t have their calls answered. Even if the attack does not overwhelm all trunking, it will still have an impact on attendants, because they will waste a small amount of time answering the TDoS calls. There are also multiple “trunk groups”, which are collections of physical channels into the PSAP. If an attack can overwhelm one of these trunk groups, the attack may not overwhelm the entire capacity of the PSAP, but it will affect legitimate calls coming from that trunk group. The biggest trunk group is normally mobile.
A large metro area PSAP will have multiple end office switches, which provide landline access to various geographic areas. Each of these end offices has some amount of dedicated trunking for 911, often around 10 trunks. If an attack originates through one of these end offices, the most calls that can reach the PSAP at once is about 10. The attacker can’t overwhelm the PSAP unless they saturate the trunking from all or many of these end offices. However, there is a significant amount of trunking from the mobile network, since the majority of calls to a PSAP, as much as 75%, are mobile. This is therefore where the overall PSAP capacity can be saturated, and it is also where calls from a smartphone-based botnet would arrive.
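The trunk-group argument above can be made quantitative. The following is an added example (not from the original post or from SecureLogix): it applies the Erlang B blocking formula to two constructed trunk groups, a landline end office with about 10 trunks and a much larger mobile group, and shows that the same botnet caps out at the end office's trunk count while it raises blocking for every legitimate mobile caller. The trunk counts, legitimate loads, redial rate and hold time are assumed illustrative values.

```python
"""Trunk-group capacity model for a PSAP under TDoS load (added example).

Erlang B gives the probability that all trunks in a group are busy for a given
offered load. Trunk counts and traffic loads below are constructed values that
follow the proportions in the post (about 10 landline trunks per end office,
mobile carrying most of the traffic); they are not measurements.
"""
from dataclasses import dataclass


def erlang_b(trunks: int, offered_erlangs: float) -> float:
    """Erlang B blocking probability: P(all `trunks` channels busy) when the
    offered load is `offered_erlangs` and blocked calls are cleared.
    Uses the recurrence B(n) = A*B(n-1) / (n + A*B(n-1)), B(0) = 1, which
    avoids the factorials of the closed form."""
    if trunks < 0 or offered_erlangs < 0:
        raise ValueError("trunks and offered load must be non-negative")
    b = 1.0
    for n in range(1, trunks + 1):
        b = offered_erlangs * b / (n + offered_erlangs * b)
    return b


@dataclass(frozen=True)
class TrunkGroup:
    name: str
    trunks: int            # physical channels from this group into the PSAP
    legit_erlangs: float   # normal legitimate offered load (constructed value)


def bot_offered_load(bots: int, calls_per_bot_per_hour: float, hold_seconds: float) -> float:
    """Offered load in erlangs from a set of dialling phones:
    erlangs = call attempts per hour x mean holding time in hours."""
    return bots * calls_per_bot_per_hour * hold_seconds / 3600.0


def blocking_under_attack(group: TrunkGroup, attack_erlangs: float) -> dict:
    """Blocking seen by callers on one trunk group before and during an attack.
    Whatever load the attack offers, it can never place more than
    `group.trunks` simultaneous calls into the PSAP through this group."""
    return {
        "group": group.name,
        "blocking_before": erlang_b(group.trunks, group.legit_erlangs),
        "blocking_during": erlang_b(group.trunks, group.legit_erlangs + attack_erlangs),
        "max_attack_calls_into_psap": group.trunks,
    }


def psap_scenario(bots: int) -> dict:
    """The same botnet arriving via one landline end office versus the mobile
    trunk group. Assumed: each compromised phone redials about every 90 s
    and holds for about 60 s, i.e. 40 attempts per hour."""
    end_office = TrunkGroup("end-office-1", trunks=10, legit_erlangs=3.0)
    mobile = TrunkGroup("mobile", trunks=120, legit_erlangs=80.0)
    load = bot_offered_load(bots, calls_per_bot_per_hour=40.0, hold_seconds=60.0)
    return {
        "attack_erlangs": load,
        "end_office": blocking_under_attack(end_office, load),
        "mobile": blocking_under_attack(mobile, load),
    }


if __name__ == "__main__":
    for bots in (0, 50, 500):
        s = psap_scenario(bots)
        print(f"{bots:4d} bots -> attack load {s['attack_erlangs']:.0f} erl; "
              f"end office blocking {s['end_office']['blocking_during']:.1%} "
              f"(at most {s['end_office']['max_attack_calls_into_psap']} attack calls reach the PSAP); "
              f"mobile blocking {s['mobile']['blocking_during']:.1%}")
```

The point the model makes: 50 bots already saturate a 10-trunk end office, but that only costs the PSAP 10 channels and only affects callers behind that switch, whereas 500 bots on the mobile trunk group push mobile blocking above 50% for everyone, which is the 75% of callers the post is worried about.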
Furthermore, we also saw a recent actual attack, in which a young hacker posted a link on Twitter to a website with malicious code. The Twitter account had over 10,000 followers and, of course, the link was obscured through bit.ly. When the link was clicked, the malicious code used the click-to-dial feature on iOS smartphones in a loop that ran 1,000,000 times, continually making calls to 911. Most of the people who clicked on the link were in the Phoenix area. What is interesting about this attack is how simple the malicious code was. It wasn’t a sophisticated bit of malware that leveraged some obscure feature of the smartphone; it simply used the click-to-dial feature in a loop. It wasn't a botnet. Pretty much anyone could create this malware.
So in summary: the most vulnerable part of a PSAP is the mobile trunking, the easiest way to generate a TDoS attack on a PSAP is through compromised smartphones, the code needed to generate calls from smartphones is trivial, and we have already had an “accidental” attack in the wild. Unfortunately, we expect to see more deliberate attacks in the future.
I don't know how widely "The Cyber Shield" is distributed. I believe we get it because some of our folks have security clearances (so if true, lots of people get it). Anyway, there is some info about our recent article in Government Computer News (GCN). I copied the info and provided a link to the bulletin below:
DHS working to protect emergency call centers against denial-of-service attacks
GCN, 24 Oct 2016: The distributed denial of service attack on managed DNS provider Dyn that made portions of the internet unreachable on Oct. 21 is just the latest example of the disruption caused by a system that finds itself overwhelmed with requests. Experts are still dialing for dollars when it comes to ideas for how to mitigate the risk, or even the impact, of a potential telephony denial-of-service attack on the 911 emergency services system.

Is an attack on emergency services just one call away? A recent study revealed how easy it would be for bad actors to overload and disable infrastructure for the 911 emergency services in the United States.

Similar to DDoS attacks, telephony denial-of-service attacks – where bad actors flood the system with illegitimate calls to knock out access to emergency services or other critical communication -- are reportedly on the rise. Tech-savvy criminals, hacktivists and even malicious nation-states see the phone system as a critical way to strong-arm federal or local authorities to pay them ransom, pay attention to their cause or just wreak havoc. With more government services facing potential cyber threats by telephone as well as online, the Department of Homeland Security has a cluster of efforts underway to lower the risk and the impact of potential telephone system-based attacks. Such attacks can swamp a 911 call center, causing a potentially life-threatening risk.

In a TDoS attack an overwhelming number of calls are sent to the 911 system, and “the high number of bogus calls effectively ties up system resources so that actual 911 calls may not get through,” DHS Science and Technology Directorate Program Manager Daniel Massey said. “As attacks become larger and more sophisticated, it is very important that systems for defense also improve to meet this threat,” he added. “Our project can play a significant role in helping defend against future attacks.”

In fact, DHS has a number of efforts underway to try and stem the tide of TDoS attacks, according to Mark D. Collier, CTO of SecureLogix Corp., a San Antonio, Texas-based telephony technology vendor working with DHS. Their core project together seeks ways to detect spoofing -- or differentiating fake calls from legitimate ones -- and aims to apply this to potential TDoS attacks, Collier said. In another project, in conjunction with the University of Houston, SecureLogix and DHS are investigating how the move to Next Generation 911 might impact TDoS attacks, particularly in relation to emergency services. “When you’re dealing with 911, this could be a real emergency situation,” Collier said. “We want to make sure that we are never dropping the right call.” Collier said the pilots his company is working on include at least two city 911 call centers and a major dispatch line for police and firefighters.

Larry Shi, principal investigator for the University of Houston, said that different government agencies including the FBI and DHS have noticed the “growing number of TDoS attacks against both commercial call centers and emergency communication systems. Without proprietary protection, these attacks against 911 call centers can easily make the service unavailable which may cause serious consequences, like loss of lives.” The results of the pilot deployments should help demonstrate the effectiveness of the solution, identify issues that may still need to be resolved, and show how the results can be widely applicable to 911 systems around the country, as well as other critical systems that are vulnerable to telephony attacks.
See the article below about a young hacker who "accidentally", or so he says, generated a Telephony Denial of Service (TDoS) attack against 911 facilities in the Phoenix area. The hacker had a Twitter account with some 12,000 followers and posted a link, which installed malware on their iOS devices that called 911 over and over again. The hacker claims that he posted the wrong link, only intending to cause pop-ups to be displayed on the device.
I have posted some recent articles describing how a botnet of infected smartphones could be used to generate a TDoS attack against 911. For convenience, I posted a few of these articles below. What makes this type of attack significant is that it is one of the few ways that you can really flood a 911 network. I will describe why in a later post.
This recent article is the first case that I am aware of where an attack such as this has been used in the wild. I don't know how many devices were involved or how many calls were made, but the attack clearly had an impact.
See the follow-up article below in GCN, describing how the Department of Homeland Security (DHS) Science and Technology (S&T) Cyber Security Division (CSD) is working with SecureLogix to help address the issue of Telephony Denial of Service (TDoS) attacks in 911 environments.
Check out the following articles on Telephony Denial of Service (TDoS) and how it could affect 911 systems. The threat described involves how a botnet of infected smartphones could be used to flood a 911 center in the same local area as the compromised smartphones. This is definitely possible. While most 911 centers have some extra capacity, very few, if any, have the ability to operate effectively if flooded with thousands of concurrent calls. This is especially true if it occurs during an emergency, when the 911 center is already inundated with legitimate calls.
There are other ways to generate TDoS, such as using free PBX software such as Asterisk, SIP trunks, or a compromised service provider. However, one of the challenges is using these services to make "local" 911 calls. For example, if you used a SIP trunk and made 911 calls, where would they go? It is tricky to target a particular 911 center. This is why using compromised smartphones is a particularly nasty technique: assuming you could compromise a few thousand smartphones in a large metropolitan area, you could easily use them to overwhelm the local 911 center.
Finally, the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) Cyber Security Division (CSD) is very aware of this issue, and we have been performing research with them to address it. I summarized this work in earlier posts and will provide more details in the future. You can get a summary of this research program by watching a video recording from a DHS conference earlier this year.
There have been several articles about a bust of at least 70 people in India who are behind some of the IRS phone scams. We have been working with the IRS/TIGTA, the FTC, and DHS CSD on this issue; it is good to see that at least one of the fraud rings has been busted. Hopefully this will result in at least a temporary reduction in this scam.
Here are articles from the Wall Street Journal and CNN. You can find several more:
Here are a couple of links to the Department of Homeland Security (DHS) Cyber Security Division (CSD) showcase earlier this year. They did a great job of recording the videos of all the presenters. We were fortunate to be a featured presenter on the first day.
As I have said (and I need to post some more info here), we have expanded our research program with DHS CSD to focus on addressing issues such as calling number spoofing and caller authentication, and how this helps address voice security issues such as Telephony Denial of Service (TDoS), robocalls, scams, bomb threats, etc.
The first link is to the full set of videos. The second is a link to our video. Check them out:
It is time to start blogging again. I have been really busy. Aside from normal work, I am ramping up my work with the Cyber Security Division (CSD) of DHS S&T, to focus on addressing calling number spoofing/lack of authentication, and applying this to voice attacks, such as Telephony Denial of Service (TDoS), robocalls, bomb threats, social engineering, etc. More on this in coming posts.
The first thing I am going to do is get rid of most of the lists on this blog. It is difficult to manage them and you can easily find all the articles I post on these on twitter, LinkedIn, and Google+. Follow me there or search for posts if you are interested.
Here is a video from last year's DEF CON on how to use a burner cell phone to generate a bunch of calls for a Telephony Denial of Service (TDoS) attack. This allows an attacker to create a virtually untraceable and highly anonymous attack. Even with a single phone, you can generate enough calls for a long enough period to affect a small target, such as a hospital ER/ICU, a small business, a small PSAP, etc.
The Department of Homeland Security, Science and Technology Directorate, Cyber Security Division hosted their annual showcase late last year. This event gives all active researchers the opportunity to briefly cover their area of research. DHS just posted the videos. These are definitely worth watching; you will get a good idea of the program areas and the great research (and transition) that is going on.
I am currently working on two new projects with this group, one focused on complex distributed Telephony Denial of Service (TDoS) and another on TDoS and other issues affecting Next Generation 911 systems. I documented the first project in a previous post. The second just started and I will introduce it in a subsequent post.
A new Internet-based tool is now available to simplify making calls with a spoofed calling number. The main difference with this tool is that it only accepts Bitcoin, so it is more anonymous. It certainly lowers the bar and provides another tool for those performing social engineering. I included a few links below the image with more information.
For those following my blog, you know that Telephony Denial of Service (TDoS) is a flood of unwanted inbound calls, typically to an enterprise contact center. The calls can arrive at any enterprise or any part of an enterprise, but are normally targeted at critical voice lines, including 911, other public safety numbers, hospital emergency rooms and intensive care units, key parts of financial contact centers, and other organizations. TDoS attacks are the most significant form of voice-related DoS because they involve malicious calls, are easy to generate, and can affect enterprises using both TDM and SIP networks. The following diagram illustrates a TDoS attack:
The Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and service providers have produced a number of warnings and bulletins about TDoS. A few of the more recent ones can be found in prior posts on this blog.
Attacks such as this are simple but still very effective. They do not involve a significant volume of concurrent calls, and they are not very sophisticated in terms of spoofing call information such as the calling party number or ANI. We expect that in the near term, more complex attacks will be seen, involving greater sophistication in spoofing call information and much greater volume. The following table illustrates the progression we have seen, and expect, for TDoS:
In a short amount of time, we expect these attacks to become more common, be more sophisticated (complex), and involve greater volume (distributed). This will make the attacks much more difficult to detect and mitigate, both for the target enterprise as well as service providers.
The DHS Science and Technology Directorate (S&T) Cyber Security Division (CSD) recognizes the TDoS threat and has funded SecureLogix for two Research and Development (R&D) efforts. The first effort is to define the evolving threat, define enterprise and service provider countermeasures, and build solutions for these environments. The second effort involves a broad look at security issues affecting Next Generation 911, including TDoS, which will be particularly disruptive for these environments. These R&D efforts will produce a TDoS solution that can address the most sophisticated attacks, for both TDM and SIP networks, within both enterprise and service provider networks. While the final solution is still being developed, the basic approach uses several filters that score calls based on pre-call signaling information, queries to network authentication services, and then call content and possibly Turing tests, all controlled by enterprise-defined policy. These filters are shown in the following diagram:
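To make the filter chain concrete, here is an added example of a policy-driven call scorer in the shape described above (signaling checks, a rate/burst check, a network authentication query, then a content/Turing-test stage). It is illustrative code written for this page, not SecureLogix, DHS or PSAP software. The `ATTESTED` set and `query_auth_service()` are hypothetical stand-ins for a real network authentication query, the `turing_passed` field stands in for a real challenge, the point values are arbitrary, and `sample_calls()` is constructed data modelling the low-volume attack of the earlier posts followed by the distributed flood this post anticipates. The emergency-line policy implements the "never drop the right call" rule from the GCN quote: a suspicious call on a 911 line is challenged or queued low, never dropped.

```python
"""Policy-driven call-scoring filter chain (added example; hypothetical stubs)."""
from collections import deque
from dataclasses import dataclass
from typing import Optional
import re

E164 = re.compile(r"^\+[1-9]\d{6,14}$")
# Hypothetical: numbers the stubbed network authentication service vouches for.
ATTESTED = {"+12105550123", "+12105550124", "+12105550125"}


@dataclass
class Call:
    ts: float                  # arrival time in seconds
    calling: str               # calling party number as signaled (may be spoofed)
    called: str
    identity_header: bool      # signaling carried an asserted identity
    turing_passed: Optional[bool] = None   # outcome of a challenge, if one was issued


@dataclass
class Policy:
    emergency_line: bool       # 911/dispatch line: never drop, only deprioritize
    window_s: float = 60.0     # sliding window for the burst check
    burst_calls: int = 20      # calls per window that look like a flood
    distinct_ratio: float = 0.8  # distinct callers / calls above this: distributed flood
    challenge_at: int = 40     # score at which an unchallenged call gets a Turing test
    block_at: int = 70         # score at which a call is dropped or deprioritized


def signaling_score(call: Call) -> tuple:
    """Stage 1: pre-call signaling checks. Returns (points, reasons)."""
    pts, why = 0, []
    if not E164.match(call.calling):
        pts, why = pts + 30, why + ["malformed calling number"]
    elif len(set(call.calling[1:])) == 1:
        pts, why = pts + 40, why + ["repeated-digit calling number"]
    if not call.identity_header:
        pts, why = pts + 10, why + ["no asserted identity in signaling"]
    return pts, why


def query_auth_service(calling: str) -> str:
    """Stage 3 stand-in (hypothetical): a real deployment would ask the carrier
    or an attestation service whether the asserted calling number is genuine."""
    return "verified" if calling in ATTESTED else "unverified"


class BurstDetector:
    """Stage 2: sliding-window rate check for one destination. Many calls from
    many distinct calling numbers is the distributed-TDoS signature."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.recent = deque()  # (ts, calling) for calls inside the window, in order

    def observe(self, call: Call) -> tuple:
        self.recent.append((call.ts, call.calling))
        while call.ts - self.recent[0][0] > self.policy.window_s:
            self.recent.popleft()
        n = len(self.recent)
        if n < self.policy.burst_calls:
            return 0, []
        pts, why = 30, [f"{n} calls to {call.called} within {self.policy.window_s:.0f}s"]
        if len({c for _, c in self.recent}) / n >= self.policy.distinct_ratio:
            pts, why = pts + 20, why + ["flood comes from many distinct numbers"]
        return pts, why


class CallFilter:
    """Runs the stages in order and applies the enterprise disposition policy."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.burst = BurstDetector(policy)

    def score(self, call: Call) -> dict:
        pts, why = signaling_score(call)
        b_pts, b_why = self.burst.observe(call)
        pts, why = pts + b_pts, why + b_why
        if query_auth_service(call.calling) != "verified":
            pts, why = pts + 15, why + ["calling number not verified by network"]
        # Stage 4: content/Turing test, counted only once a challenge has been answered.
        if call.turing_passed is True:
            pts, why = pts - 30, why + ["passed Turing test"]
        elif call.turing_passed is False:
            pts, why = pts + 30, why + ["failed Turing test"]
        return {"calling": call.calling, "score": pts, "reasons": why,
                "disposition": self.disposition(pts, call)}

    def disposition(self, pts: int, call: Call) -> str:
        p = self.policy
        if pts >= p.block_at:
            # "Never drop the right call": emergency lines queue low instead of dropping.
            return "DEPRIORITIZE" if p.emergency_line else "DROP"
        if pts >= p.challenge_at and call.turing_passed is None:
            return "CHALLENGE"
        return "ALLOW"


def sample_calls() -> list:
    """Constructed sample: two legitimate calls, a flood of 40 calls in ten seconds
    from 40 different unverified numbers, then a legitimate caller who arrives
    mid-flood, is challenged, and passes the challenge."""
    calls = [Call(0.0, "+12105550123", "911", True), Call(5.0, "+12105550124", "911", True)]
    calls += [Call(20.0 + i * 0.25, f"+1555{i:07d}", "911", False) for i in range(40)]
    calls.append(Call(31.0, "+12105550125", "911", True))
    calls.append(Call(31.5, "+12105550125", "911", True, turing_passed=True))
    return calls


if __name__ == "__main__":
    f = CallFilter(Policy(emergency_line=True))
    for r in (f.score(c) for c in sample_calls()):
        print(f"{r['calling']:>14} {r['score']:3d} {r['disposition']:<13} {'; '.join(r['reasons'])}")
```

Two things to notice when it runs: the first calls of the flood score too low to act on, because each one individually looks like any other unverified call, and only the burst stage across the window reveals the attack; and the legitimate caller who arrives during the flood is challenged rather than dropped, then admitted once the challenge is passed. Both are the reasons the post gives for scoring across several filters under policy rather than making a single yes/no decision per call.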
We will be posting more information as this R&D effort progresses. You can track our progress on these efforts by following this blog and our twitter feeds at @markcollier46 and @dhsscitech.
This is one of the best articles I have read in a while. It covers how Pakistan captured multiple individuals on the FBI's most wanted list - responsible for millions of dollars of toll fraud and International Revenue Sharing Fraud (IRSF). It also covers some of their techniques. Toll fraud/IRSF isn't sexy, but it is definitely a way to make money.