hacking 911: adventures in disruption, destruction, and … · hacking 911: adventures in...
TRANSCRIPT
Hacking 911: Adventures in Disruption, Destruction, and Death
quaddi, r3plicant & Peter Hefley
August 2014
Jeff Tully
Christian Dameff
Peter Hefley
Physician, MD Emergency Medicine Open CTF champion sudoers- Defcon 16 Speaker, Defcon 20
Physician, MD Pediatrics Wrote a program for his TI-83 graphing calculator in middle school Speaker, Defcon 20
IT Security, MSM, C|CISO, CISA, CISSP, CCNP, QSA Senior Manager, Sunera Gun hacker, SBR aficionado
This talk is neither sponsored, endorsed, or affiliated with any of our respective professional institutions or companies. No unethical or illegal practices were used in researching, acquiring, or presenting the information contained in this talk. Do not attempt the theoretical or practical attack concepts outlined in this talk. This talk includes disturbing audio clips.
Disclaimer
Outline
- Why This Matters (Pt. 1) - 911 Overview
- Methodology
- Attacks
- Why This Matters (Pt. 2)
Research Aims
• Investigate potential vulnerabilities across the entire 911 system
• Detail current attacks being carried out on the 911 system
• Propose solutions for existing vulnerabilities and anticipate potential vectors for future infrastructure modifications
Methodology
• Interviews
• Regional surveys
• Process observations
• Practical experimentation
• Solution development
Wired Telephone Call
End Office
Selective Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
Voice Voice + ANI Voice + ANI
ANI ALI
Wireless Phase 1 Telephone Call
Mobile Switching
Center
Selective Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
Voice Voice + pANI/ESRK
Voice + pANI/ESRK
pANI / ESRK
ALI
Cell Tower
Voice
Callback # (CBN)
Cell Tower Location
Cell Tower Sector
pAN
I / E
SRK
CBN, Cell Tower Location, Cell Tower Sector, pANI / ESRK Mobile
Positioning Center
Wireless Phase 2 Telephone Call
Mobile Switching
Center
Selective Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
Voice + pANI/ESRK Voice + pANI/ESRK
pANI / ESRK
ALI
Cell Tower
Voice
Callback # Cell Tow
er Location Cell Tow
er Sector
pAN
I / E
SRK
Latitude and Longitude, Callback #, Cell Tower Location, Cell Tower Sector, pANI / ESRK
Position Determination
Equipment
Mobile Positioning Center
Voice
VoIP Call
Emergency Services Gateway
Selective Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
VoIP + CBN Voice + ESQK Voice + ESQK
ESQK ALI
VoIP Service
Provider
CBN
ESN
#, E
SQK
CBN, Location, ESQK
VoIP + CBN
VSP Database
The Three Goals of Hacking 911
• Initiate inappropriate 911 response
• Interfere with an appropriate 911 response
• 911 system surveillance
Wired – End Office Control
End Office
Selective Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
Voice Voice + !%$# Voice + !%$#
!%$# ALI??
NSI Emergency Calls
Mobile Switching
Center Selective Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
Voice + pANI/ESRK
Voice + pANI/ESRK
pANI / ESRK
ALI
Cell Tower
CBN?
Cell Tower Location
Cell Tower Sector
pAN
I / E
SRK
CBN, Cell Tower Location, Cell Tower Sector, pANI / ESRK
CBN = 911 + last 7 of ESN/IMEI
Voice Voice
Mobile Positioning Center
Wireless Location Modification
Mobile Switching
Center
Selective Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
Voice Voice + pANI/ESRK
Voice + pANI/ESRK
pANI / ESRK
ALI
Cell Tower
Callback # Cell Tow
er Location Cell Tow
er Sector
pAN
I / E
SRK
!@#Lat/Long%%$, Callback #, Cell Tower Location, Cell Tower Sector, pANI / ESRK
Position Determination
Equipment Mobile Positioning Center
Voice
VSP Modification
Emergency Services Gateway
Selective Router
PSAP
ALI Database
Voice Only
Voice and Data
Data
VoIP + CBN
Voice + ESQK Voice + ESQK
ESQK #ALI@
VoIP Service
Provider
CBN
ESN
#, E
SQK
VSP Database
CBN, #%Location$@, ESQK
VoIP + CBN
Bystander CCO CPR Improves Chance of Survival from Cardiac Arrest
100% 80% 60% 40% 20% 0%
Time between collapse and defibrillation (min) 0 1 2 3 4 5 6 7 8 9
Surv
ival
(%)
Nagao, K Current Opinions in Critical Care 2009 EMS Arrival Time based on TFD 90% Code 3 Response in FY2008. Standards of Response Coverage 2008.
EMS Arrival No CPR
Traditional CPR
CCO CPR
Strategic Threat Agents
• 6000 PSAPs taking a combined 660,000 calls per day
• Fundamental building block of our collective security
• Potential damage extends beyond individual people not being able to talk to 911
Solutions
• Call-routing red flags • Call “captchas” • PSAP security
standardizations • Increased budgets for
security services • Open the Black Box