
Hacking the 911 System

In the post-Sept. 11th era, there has been a renewed interest in the vulnerability of America's electronic infrastructure, including the nation's 911 system. Politicians and security experts are concerned that the ability of citizens to dial 911 for help could be cut off by a terrorist or other interest, leaving the nation completely unable to cope with routine law enforcement, fire or medical emergencies.

Ironically, very little of the concern and fear is coming from the public safety communications community, perhaps because they understand that the nation's safety doesn't depend entirely on a citizen's ability to dial 911. Rather, it depends on the ability of the emergency agency to respond to incidents, which can be reported by many different methods. Nevertheless, the 911 system is subject to routine or extraordinary outages that would diminish the public's incident reporting capability. All of these events have occurred several times before and, despite attempts to eliminate them, will probably happen again:
Beyond these routine outages, there have been three confirmed incidents involving 911 that are not well-known among the public safety community, but which have been significant among techies and privacy advocates. None of the incidents involves the unauthorized entry of a hacker into the 911 system itself. Instead, two incidents involve the rather simple process of generating multiple, simultaneous 911 calls to block incoming trunks, and one involves the unauthorized download of 911 documentation from a telephone company computer.

In fact, the multiple/simultaneous call scenario isn't unique--it has been used by federal government officials when holding disaster or terrorist attack drills. In 1997, during an exercise in Los Angeles dubbed Eligible Receiver, the written scenario included posting Internet information that the 911 system was out of order. The scenario writers theorized that once the public saw the message, they would begin dialing 911 to confirm the outage, thereby completely tying up the system. Of course, it was all theoretical....

By the way, many times the press uses the term "911" to indicate the entire public safety communications system, rather than the emergency telephone system. News accounts frequently say that "911 was affected," when in fact they mean that the radio or computer system was knocked out. It sometimes takes considerable investigation to determine exactly what systems were affected.

On Jan. 15, 1996 a 19-year-old Swedish resident managed to hack into the telephone network of Southern Bell from London using a computer connection. He was able to generate multiple, simultaneous telephone calls to the 911 systems in several (11 or 13) west-central Florida counties, including Pasco, Hernando and Citrus. By making simultaneous calls to a single PSAP, he was able to tie up all of its 911 trunks, thereby blocking any legitimate caller from reaching the PSAP.
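What made this work is arithmetic rather than any flaw in 911: a PSAP is reached over a small, fixed group of trunks, and once a caller holds them open the center cannot free them for anyone else. The Python script below is an added example, not part of the original page; it uses constructed numbers (6 trunks, 30 legitimate calls per hour, 3-minute average hold time) to compute the Erlang B probability that a genuine emergency caller gets a busy signal as more trunks are tied up by a caller the PSAP cannot disconnect. It is the same calculation a PSAP manager uses to size a trunk group and to decide at what occupancy an all-trunks-busy alarm should fire.

```python
"""Erlang B view of 911 trunk exhaustion (added example, not from the page).

A PSAP is reached over a small, fixed group of 911 trunks.  When a caller
holds trunks open and the center cannot release them (called-party hold),
the trunks left for legitimate callers shrink and the probability that a
genuine emergency call gets a busy signal rises steeply.
All numbers used here (trunk counts, call rates, hold times) are constructed
assumptions for illustration.
"""


def erlang_b(offered_load: float, trunks: int) -> float:
    """Erlang B blocking probability for `offered_load` erlangs on `trunks` lines.

    Uses the standard recurrence B(0)=1, B(k)=A*B(k-1)/(k+A*B(k-1)), which
    avoids the large factorials of the closed form.
    """
    if trunks <= 0:
        return 1.0            # no trunks at all: every call is blocked
    b = 1.0
    for k in range(1, trunks + 1):
        b = (offered_load * b) / (k + offered_load * b)
    return b


def blocking_with_held_trunks(calls_per_hour: float, mean_hold_minutes: float,
                              trunks: int, held: int) -> float:
    """Blocking probability for legitimate callers when `held` of the `trunks`
    are tied up by a caller the PSAP cannot disconnect."""
    if held < 0 or trunks <= 0:
        raise ValueError("held must be >= 0 and trunks > 0")
    if held >= trunks:
        return 1.0            # nothing left for anyone else
    offered = calls_per_hour * mean_hold_minutes / 60.0   # offered load in erlangs
    return erlang_b(offered, trunks - held)


def capacity_table(calls_per_hour: float, mean_hold_minutes: float, trunks: int):
    """Blocking probability for every number of held trunks from 0 to `trunks`."""
    return [(held, blocking_with_held_trunks(calls_per_hour, mean_hold_minutes, trunks, held))
            for held in range(trunks + 1)]


def trunks_needed(calls_per_hour: float, mean_hold_minutes: float,
                  max_blocking: float, held: int = 0, limit: int = 200) -> int:
    """Smallest trunk group that keeps legitimate-caller blocking at or below
    `max_blocking` even with `held` trunks permanently occupied."""
    offered = calls_per_hour * mean_hold_minutes / 60.0
    for n in range(held + 1, held + limit + 1):
        if erlang_b(offered, n - held) <= max_blocking:
            return n
    raise ValueError("no trunk count within limit meets the target")


if __name__ == "__main__":
    # Constructed scenario: a small county PSAP with 6 trunks, 30 calls/hour,
    # 3-minute average hold time (1.5 erlangs of legitimate load).
    for held, p in capacity_table(30, 3.0, 6):
        print(f"held trunks={held}  P(legitimate caller blocked)={p:.3f}")
    print("trunks for <=1% blocking with 2 trunks held:",
          trunks_needed(30, 3.0, 0.01, held=2))
```

With the constructed load, six trunks give well under 1% blocking when all are free, but blocking passes 50% once five of them are held; the defensive response is to size the trunk group for the expected load plus a margin and to alarm on sustained all-trunks-busy, not anything in the 911 signalling itself.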
News stories claim he generated 60,000 telephone calls during his attack, but not all of those were directed to 911. John Schroeder, then 911 operations manager for Pasco County, told ABC-TV news at the time, "He would call the 911 operator, apparently having gotten onto our network through a computer program. It tied up our trunks where we were no longer capable of disconnecting that caller and making that line available for a live call that may be seeking help." Schroeder added, "We deal daily with life and death situations in this business, there's no two ways about it, certainly heart attacks, drownings and that person could very well go without help due to someone that's just trying to basically, if you will, have a joke. It's not a joking matter." Some news reports say the youth claimed he had been shot. However, an audio tape of one call showed that he was clearly harassing the PSAP:
The hacker was identified, arrested by British authorities and prosecuted. He received the equivalent of a $350 fine. Later, then-FBI Director Louis Freeh called the incident a "dress rehearsal for a national disaster." There are some news stories that claim the hacker diverted 911 calls from PSAPs to other telephones. However, there is no substantiation of these claims.

This hack did not directly involve the nation's 911 system. Instead, the hacker entered the public switched network, and from there was able to generate multiple, simultaneous telephone calls--he could have made the calls to any number, but for his own reasons chose 911. Contrary to news reports--which persist to this day--the nation's 911 "system" was not breached, hacked or "put out of commission" by the calls. Instead, a single caller generated enough calls to tie up the limited number of 911 trunks running to several Florida counties. While this certainly did raise the potential of blocking callers trying to report actual emergencies, the incident does not rise to the level of a 911 techno-attack--the same technique could be used by anyone who had access to enough telephone lines.

The Dialing Worm

In late March 2000 a computer hacker released a computer worm that had the potential to tie up the nation's 911 network. Unlike viruses of the time (which require the computer user to take some action to spread the code), the 911 worm could automatically transmit itself to other computers on the same network, or even to other computers over the Internet--it didn't rely on e-mail or any user action to spread itself. Once activated, the worm would attempt to dial out on a modem with the numbers "9-1-1," thereby potentially tying up emergency lines. The worm would also attempt to erase the computer's hard disk drive on the 19th of the month.
The snippet of computer code, officially labeled the "bat.chode" virus, did not become widespread outside its city of origin, Houston, for some reason (50 or fewer reports of infection), and there were no reports of any U.S. PSAPs being hit by repeated modem dialings. According to later Congressional testimony of Leslie Wiser, Jr., of the National Infrastructure Protection Center, the FBI started an investigation into the virus on March 29, 2000. FBI Houston began the investigation when businesses in that city reported their computer hard drives were being erased by a virus. The next day FBI agents executed a search warrant on a suspect's residence.

On May 15 a federal grand jury indicted Franklin Adams (a programmer for a Houston, Tex. bank) on charges of knowingly causing the transmission of a program onto the Internet that caused damage to a protected computer system, with losses aggregating to at least $5,000. Adams was also charged with unauthorized access to electronic or wire communications while those communications were in electronic storage. Adams pleaded guilty to charges of attempting to damage a protected computer system. On April 5, 2001 he was sentenced to 5 years probation and fined $12,353 as restitution. Under the terms of his sentencing, Adams is restricted to using a computer only for work and educational purposes.

According to Wiser, "Because each infected computer can scan approximately 2,550 computers at a time, this worm could have the potential to create a denial of service attack against the 911 system." Presumably he means that thousands of different computers dialing 911 at the same time would have tied up most or all of the available 911 trunks at one or more comm centers. This attack exploited the public telephone system and the necessarily limited number of incoming 911 trunks available to PSAPs.
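This worm, like the WebTV incident described later on this page, turned an ordinary automated dial-out into a nuisance call: software on a subscriber device dialed an emergency number it was never meant to dial. A guard that a modem-based updater or dialer can apply before going off-hook is shown below. It is an added example, not code from the original page or from any product mentioned on it; the outside-line prefixes, the approved server numbers and the Hayes-style dial strings are constructed assumptions.

```python
"""Guard for automated dial-out (added example, not from the page or any product).

A modem-based updater should refuse to go off-hook unless the number it is
about to dial is one of its pre-approved server numbers, and it should never
dial an emergency number even if someone edits that into its configuration.
Outside-line prefixes, approved numbers and dial strings below are constructed.
"""
import re
from typing import Iterable, Tuple

EMERGENCY_NUMBERS = frozenset({"911"})      # the emergency number discussed on this page
OUTSIDE_LINE_PREFIXES = ("9", "8")          # constructed PBX "dial 9 for an outside line" prefixes


def normalize_dial_string(dial_string: str) -> str:
    """Reduce a Hayes-style modem dial command to bare digits.

    'ATDT 9,911' -> '9911'; 'ATDP9-1-1' -> '911'.  The tone/pulse flag, the
    ',' pause, the 'W' wait-for-dialtone and any separators are non-digits
    and are dropped, so the check cannot be dodged with punctuation.
    """
    return re.sub(r"\D", "", dial_string)


def is_emergency_number(digits: str,
                        emergency: Iterable[str] = EMERGENCY_NUMBERS,
                        prefixes: Iterable[str] = OUTSIDE_LINE_PREFIXES) -> bool:
    """True if the digits reach an emergency number directly or via an outside-line prefix."""
    emergency = set(emergency)
    if digits in emergency:
        return True
    return any(digits.startswith(p) and digits[len(p):] in emergency for p in prefixes)


def validate_dial_target(dial_string: str, approved_numbers: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether an automated dialer may place this call.

    Returns (allowed, reason).  Emergency numbers are refused before the
    allow list is consulted, so adding '911' to the list does not help.
    """
    digits = normalize_dial_string(dial_string)
    if not digits:
        return False, "dial string contains no digits"
    if is_emergency_number(digits):
        return False, f"refusing to auto-dial emergency number ({digits})"
    approved = {normalize_dial_string(n) for n in approved_numbers}
    if digits not in approved:
        return False, f"{digits} is not an approved dial-in number"
    return True, "ok"


def audit_stored_dialer_config(stored_dial_string: str, expected_number: str) -> Tuple[bool, str]:
    """Check a device's stored dial-in setting against the number it shipped with.

    This is the check the WebTV boxes on this page lacked: their server number
    was silently rewritten to 911 and the next scheduled update dialed it.
    """
    stored = normalize_dial_string(stored_dial_string)
    expected = normalize_dial_string(expected_number)
    if stored != expected:
        return False, f"dial-in number changed from {expected} to {stored or '<empty>'}"
    return validate_dial_target(stored_dial_string, [expected_number])


if __name__ == "__main__":
    APPROVED = ["555-0100", "9,555-0100"]    # constructed server numbers, with/without PBX prefix
    for cmd in ["ATDT 555-0100", "ATDT 9,5550100", "ATDT911",
                "ATDT 9,911", "ATDP9-1-1", "ATDT 5559110"]:
        print(f"{cmd!r:20} -> {validate_dial_target(cmd, APPROVED)}")
    print(audit_stored_dialer_config("ATDT 911", "555-0100"))
```

The order of the checks is the point: normalize first so separators and pauses cannot hide the number, refuse emergency numbers before consulting any configuration, and only then compare against the approved list. The audit function covers the other half of the problem, a stored dial-in number that has been altered since the device was provisioned.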
Although the actual intent of the virus writer isn't known, it's obvious that this same type of attack could be used against any telephone number, at any residence or business. The exploit was not specific to the 911 system, its design or technology. And again, it did not involve a hack of the 911 system itself. [more on the virus]

First Amendment Rights

Perhaps the most intriguing case involving 911 occurred in 1988 and involves hackers, BellSouth and the First Amendment to the U.S. Constitution. It's perhaps better known to free speech advocates than to 911 administrators. First, one has to recall the era: personal computers were just taking off, and their use and access were subject to debate. Like many other eras in America, two cultures evolved: serious computer users at corporate sites who were very serious about their technology, and personal computer users who were vastly more irreverent about using computers. From that second group grew so-called "hackers," whose curiosity and experimentation led them to reach out and explore other computer systems. While there might have been a fringe element with criminal intent, most of the hackers were bent only on finding out as much as they could about remote computer systems and exploring them. Surf this article from CNN.com for an interview with hacker/publisher Eric Corley (aka Emmanuel Goldstein) that explains hackers and their motivation.

Hackers gave themselves individual names (FryBoy, Leftist, Urville, Prophet), formed groups with strange-sounding names, and traded information on modem phone numbers, access codes, passwords and other system information. One of the most active and well-known was the "Legion of Doom" group, loosely based in Atlanta (Geo.). There were different factions of LOD--some would re-route phone calls, others would steal phone codes, others would simply explore.
A third element in all this was the government, which saw the hackers as not only a security problem, but as no less than a threat to national security. Hackers were identified, surveilled, tracked down and basically handled as the most serious criminals in America.

All this brings us to 1988, when Robert J. Riggs, then 20 years old and from Decatur (Geo.), accessed a BellSouth computer system sometime between Sept. 1987 and July 1989, at least according to court documents. From that system (accessed, he said later, without a password) he downloaded a text document titled "Bell South Standard Practice (BSP) 660-225-104SV- Control Office Administration of Enhanced 911 Services for Special Services and Major Account Centers." The document set out certain terms, procedures and other methods for handling the provisioning of the then-rather-new 911 service in BellSouth's territory. By all later accounts, the three-page document wasn't secret, sensitive or confidential in any way. In fact, BellSouth officials later conceded in court that copies of the document could be obtained by the public from BellSouth for $13. It contained no computer programming code. By today's standards, it was a non-document.

Nevertheless, the 911 document was a curiosity to the hackers, either because of its subject or the newness of the technology. They read it, exchanged it and then took one additional step--they posted it on a computer bulletin board. As you may recall, this was before the public Internet. The only points of mutual contact were bulletin boards that one dialed up, logged on to and used obscure keyboard commands to read text information. One of these bulletin boards was based in Joliet (Ill.) and operated by Richard Andrews--he called it "Jolnet." Riggs, who went by the name of "Prophet," had an account on Jolnet and used its hard disk space to store the 911 document.
Andrews accessed the document and read it, and passed it along to another computer bulletin board operated by an AT&T employee. He asked that employee to send the 911 document along to the proper authorities. However, Andrews didn't remove the document from his bulletin board. Finally, the 911 document was accessed from Jolnet by Craig Neidorf (rhymes with eye-dorf), the 19-year-old publisher of the on-line hacker magazine "PHRACK," while he was a pre-law student at the University of Missouri. Neidorf, who went by the name "Knight Lightning," published an edited version of the document by sending it around to other bulletin boards, along with a copy of a 911 glossary. He had edited the document at Riggs' suggestion to prevent anyone from determining its origin. Some accounts claim that AT&T and law enforcement authorities knew the document had been downloaded and was being passed around.

In any case, no action was taken until Jan. 19, 1990, when U.S. Secret Service agents visited Neidorf armed with a search warrant and gathered up his "PHRACK" materials and mailing list during a frat house raid. Neidorf and Riggs were indicted on Feb. 1, 1990 in a controversial case of interstate transportation of stolen property, wire fraud and violations of the federal Computer Fraud and Abuse Act of 1986. The indictment said the "computerized text file" was worth $79,449, and a BellSouth security official testified at trial it was worth $24,639.05. By June, the grand jury had amended the indictment to drop the computer fraud charges and add other wire fraud charges. The defense filed several motions to dismiss the indictment before trial. The trial began on July 23, 1990 in Chicago's U.S. District Court for the Northern District of Illinois. Defense attorney Sheldon Zenner gave his opening statement after jury selection, and so did Assistant U.S. Attorney William Cook.
The case contained some interesting elements for the time, including exactly what was "property," what was deemed to be in the public domain, and whether the "PHRACK" publication had constitutional protections when it published the 911 document. The case has been reviewed by many legal publications and is still studied today by law students for its constitutional issues. Cook moved to keep the 911 document out of the public record, and U.S. District Judge Nicholas Bua granted his motion.

Much of the prosecution's case turned inconclusive during the trial. The edited version of the document was useless for hacking into other systems, including any actual 911 system. A Ms. Williams from BellSouth testified that the 911 documents were proprietary and not public information. However, upon cross-examination by the defense attorneys, Williams explained that the "Proprietary" stamp was put on all BellSouth documents without any special determination of their contents. Williams also admitted that any person could call a toll-free number and obtain the same information from other documents, including some whose information was more detailed than any published in "PHRACK." Secret Service agents testified, and so did Riggs. On the fourth day of testimony, the proceedings unexpectedly ended when the government asked the court to dismiss all the charges--and it did, leaving Neidorf, some say, with a $100,000 court cost bill. Courthouse speculation was that BellSouth had not been entirely upfront with federal investigators on the general availability of the document, but instead had indicated it was considered confidential. The prosecution, upon learning about the true availability of the document, had to back down. Meanwhile, Riggs and another hacker pleaded guilty in 1990 to one count of conspiracy each for the original computer break-in.
Riggs was sentenced to 21 months in prison on federal charges of breaking into BellSouth's computer network and passing the 911 document along over a computer connection and across state lines. He was also ordered to serve probation and perform community service after his prison time. For a more thorough examination of phone hackers and the era, check Steve Parker's Web site. Other historical material is available at this Web site.

Like the other cases, this hack did not involve an entry into any 911 system. In fact, that was the point of contention at trial--it wasn't a hack at all. In any event, this incident is more about computer access and free speech than about anything related to the nation's 911 systems.

WebTV Hack

In July 2002 there were reports that a small number of WebTV devices were dialing 911. Apparently they had somehow been re-programmed to dial 911 instead of dialing the WebTV company's headquarters for updates. WebTV allows subscribers to access the Internet via their phone line, using their television as a display device. In Dec. 2003 the FBI announced that it had arrested David Jeansonne, 43, at his home in Metairie (La.) after he was indicted by a federal grand jury on two counts of damaging protected computer systems "without authorization." He was released on $25,000 bail after appearing in court. He was scheduled to appear later in a California court, where the indictment was handed down, because that is where WebTV, now owned by Microsoft, is headquartered.

According to the indictment, in July 2002 Jeansonne sent certain WebTV users e-mail messages with an executable attachment. That program was disguised as a utility that would allow adjustment of the WebTV screen colors. Instead, it reset the system's server dial-in code from a California 7-digit number to 911. Those receiving the program lived from Rochester (NY) to San Diego (Calif.), the FBI said.
After resetting the number, the WebTV device would dial 911 the next time the person attempted to connect to the company's server. The device would also dial 911 in the middle of the night when it made its routine daily call to update software and system information. Jeansonne allegedly sent the e-mail to 18 persons with whom he had a dispute. Some of those persons re-sent the disguised virus to other persons. The FBI said a total of 21 persons eventually received the virus.

According to the U.S. Attorney's Office, "The 9-1-1 calls caused by the e-mail resulted in the dispatch of police in locations from New York to California." They said that at least 10 persons reported being visited or called by the police because of the WebTV-dialed 911 calls. According to the U.S. Attorney, the virus also collected some user information and e-mailed it to a particular e-mail account. Jeansonne was linked to the virus by Microsoft technicians who scoured WebTV logs to find a link between Jeansonne and the e-mail account. In one e-mail message located by Microsoft, someone wrote to Jeansonne, "I wish you had not done that at least not the '9 you know what' aspect. It could have caused terrible trouble for you." In the indictment, the U.S. Attorney said the 911 dialing "did intentionally cause damage without authorization to protected computer, to wit, the users' WebTV boxes and WebTV's servers, thereby causing a threat to public health and safety." Jeansonne faces up to 10 years in prison and a $250,000 fine on each of the two counts. He could also be ordered to pay any restitution.

Update - In mid-Feb. 2005 Jeansonne pleaded guilty in a San Jose (Calif.) federal court to two counts of intentionally damaging a computer and causing a threat to public safety. On March 7, 2005 Jeansonne was sentenced to six months in jail, six months home detention, and restitution of $27,100 to Microsoft, which operated WebTV.

Homeland Security

After the Sept. 11th terrorist attacks, the trend was to increase physical security in preparation for additional attacks. By early 2002, however, a broader range of targets was being identified: the nation's utilities, water supply, road and ship transportation systems, and the Internet. During Congressional committee testimony into post-Sept. 11 security issues, a congressional aide claimed that Florida's 911 system had been hacked. Bill Caruso, press spokesman for Rep. Rob Andrews (D-NJ), said in Nov. 2001, "It's not really the private sector denial of service stuff that we are concerned about. That is a nuisance but not a danger to the public. What (we) are concerned about is attacks on the power grid, 911 systems, other critical infrastructure." Caruso claimed that a hacker had "recently" diverted 911 calls in South Florida from public safety agencies to the phone number of a local pizza parlor. "This is not giving a couple of million dollars to Yahoo so I can read my e-mail tomorrow morning. We are talking about preserving emergency services systems in order to protect the public's safety."

We have attempted to confirm this hack with Florida PSAP managers and dispatchers, but everyone we've contacted says they've never heard of the incident. We've also attempted to contact the Congressman to obtain details of the incident, but have not received any phone calls, e-mail or regular mail back from him or his spokesperson.

In the fall of 2001, Mountain View (Calif.) police Det. Chris Hsiung was notified of what he felt was a suspicious pattern of Web surfing of Silicon Valley utilities and government Web sites. Analysis of the probes by the FBI and DoD determined they were coming from the Middle East. According to news accounts, "The visitors studied emergency telephone systems, electrical generation and transmission, water storage and distribution, nuclear power plants and gas facilities."
And allegedly, the probes "homed in on a class of digital devices that allow remote control of services such as fire dispatch and of machinery such as pipelines"--paging or so-called SCADA systems, which are used by power and water utility companies to control valves and switches remotely. At a June 2002 privately-hosted symposium on homeland security, Ronald Dick, director of the FBI's National Infrastructure Protection Center, told the group, "The event I fear most is a physical attack in conjunction with a successful cyber-attack on the responders' 911 system or on the power grid." He did not cite any source for his anxiety.

The Internet Worm

In late January 2003 an Internet "worm" (Sapphire, Slammer, SQL-Hell) invaded computers running Microsoft's SQL Server software, which slowed operations on computers worldwide running ATM, e-mail and other applications. The worm invaded the city network in Bellevue (Wash.) and made its way to the CAD computer of the Eastside Communications Center, which uses CAD software from TriTech Systems Software. The worm also infected customers running Northrop Grumman's PSI (old PRC) CAD software.

At Eastside, dispatchers realized that read-write computer database operations were slowing down around 2 a.m., and eventually notified their computer support personnel. Technicians responded and diagnosed the problem, and had the CAD server back up by noon. During the CAD server outage, dispatchers used manual dispatch methods, and officials said no 911 calls, incidents or dispatches were affected. Microsoft had issued an update, or patch, in July 2002 that fixed the vulnerability the worm exploited. However, many computers had apparently not been updated with the patch and were open to infection. Eastside technicians immediately upgraded their computer before allowing live CAD operations on it. Again, the 911 telephone system was not infected or affected by the worm.
In both known cases, the dispatchers noticed a performance drop on their CAD computers and simply began taking and handling incidents using manual methods.
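Slammer spread by sending a single UDP datagram to the SQL Server resolution service on port 1434 at addresses chosen at random, so an infected host stands out in flow records as one source reaching many distinct destinations on udp/1434 within seconds; that is how a comm center's technicians could have spotted the infected machine before the CAD slowdown became obvious. The Python detector below is an added example, not part of the original page and not from any vendor named on it. The flow-log format and every sample record (the infected address 10.0.7.77, the benign workstation 10.0.5.20) are constructed, and the window and threshold are assumptions to be tuned per network.

```python
"""Flow-log detector for Slammer-style UDP/1434 spraying (added example, not from the page).

Slammer propagated with a single UDP datagram to the SQL Server resolution
service (udp/1434) sent to pseudo-random addresses, so an infected host shows
up as one source hitting many distinct destinations on that port within seconds.
The log format and every record below are constructed for this example.
"""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src dst proto dport nbytes")

# Constructed record layout: "<ISO time> <src> -> <dst> <proto>/<dport> <bytes>"
_LINE = re.compile(r"^(\S+) (\S+) -> (\S+) (\w+)/(\d+) (\d+)$")
_TIME = "%Y-%m-%dT%H:%M:%SZ"


def parse_flow(line: str):
    """Parse one record; returns a Flow or None for lines that do not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport, nbytes = m.groups()
    return Flow(datetime.strptime(ts, _TIME), src, dst, proto.lower(), int(dport), int(nbytes))


def detect_udp1434_sprayers(lines, window_seconds=10, min_distinct_dst=20):
    """Return {src: peak distinct udp/1434 destinations in any window} for sources
    whose peak reaches `min_distinct_dst`.

    A legitimate client talks to a handful of SQL Browser services; a worm
    host reaches dozens of unrelated addresses per second.
    """
    per_src = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f and f.proto == "udp" and f.dport == 1434:
            per_src[f.src].append((f.ts, f.dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            # slide the window so it spans at most window_seconds
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({d for _, d in window}))
        if peak >= min_distinct_dst:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed flow records: a benign admin workstation (10.0.5.20), an
    infected host (10.0.7.77) and unrelated traffic the detector must ignore."""
    base = datetime(2003, 1, 25, 5, 30, 0)
    lines = []
    # benign: five SQL Browser queries to two servers spread over a minute
    for i in range(5):
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t.strftime(_TIME)} 10.0.5.20 -> 172.16.9.{4 + i % 2} udp/1434 60")
    # infected: forty 376-byte datagrams to forty different addresses in four seconds
    for i in range(40):
        t = base + timedelta(seconds=i // 10)
        lines.append(f"{t.strftime(_TIME)} 10.0.7.77 -> 203.0.113.{i + 1} udp/1434 376")
    # noise: ordinary SQL client traffic on tcp/1433 and a malformed line
    lines.append(f"{base.strftime(_TIME)} 10.0.5.20 -> 172.16.9.4 tcp/1433 1500")
    lines.append("this line is not a flow record")
    return lines


if __name__ == "__main__":
    hits = detect_udp1434_sprayers(build_sample_log())
    for src, peak in sorted(hits.items()):
        print(f"suspected worm host {src}: {peak} distinct udp/1434 targets within 10s")
```

The detector keys on fan-out rather than packet count, because a busy but honest SQL client also sends many udp/1434 packets, only to the same few servers. Detection is a complement to, not a substitute for, the patch the article mentions: the host that is flagged still has to be isolated and updated before it is allowed back on the network that carries CAD traffic.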