In public safety we use the term admin lines to differentiate between the critical 9-1-1 inbound lines and other numbers, mainly the publicly listed phone number for the law enforcement or fire/EMS department the PSAP supports.
These continuing TDoS attacks against public safety can successfully disrupt PSAP operations by causing confusion in the centers.
The Attack Setup
The attack consists of the following components:
- The attacker scans the web for a list of public phone numbers for law enforcement and fire/EMS agencies in a specific geographic area, then manually calls each number to validate it.
- They build a database of ‘good numbers’.
- All of us have used conference bridges / Webex-type systems and are aware of the capability for the conference bridge to dial out and connect our audio to the bridge. The attackers will configure a conference bridge to ‘dial out’ to numerous public safety locations and connect them all on a conference call.
- Another scenario they use is to hang up as soon as the call is answered. I spoke with a senior law enforcement officer at a major US city where this specific attack hit them recently and lasted for hours.
- During the ‘test call’ phase, where they are validating the phone number, they will engage the PSAP call taker in conversation and then begin ‘talking dirty’ or making physical threats.
- In a third scenario, after a number of PSAPs are connected via their conference bridge, they play Middle Eastern music or use a voice modulator to create a deep, threatening voice and tell everyone on the conference bridge that they are ‘doomed’.
The Power of Confusion
All of the scenarios above disrupt the 9-1-1 center.
When 9-1-1 call takers answer the admin lines, they may find other local 9-1-1 centers on the call, or they may be speaking to centers in other states. Call takers may not understand what is going on. It is natural to believe the ‘other people’ on the bridge (or their systems) must have initiated the call.
We know of a scenario in the Southwest US where the carrier investigating TDoS reports thought the problem was malware in the 9-1-1 servers, which they began rebooting. Clearly the carrier was confused.
The specific attacks we have seen will sometimes last for hours, with the attackers' system launching thousands of calls.
What we know:
- Public safety systems are vulnerable.
- These attacks disrupt operations.
- The attackers appear to have a large database of public safety phone numbers.
- The attackers have the ability to launch large-scale attacks against multiple, geographically diverse agencies and ‘bridge’ them together.
- Attacks can last for hours.
- The majority of US states have had at least one instance of an attack.
- The attacks against public safety apparently began in August of 2018, affecting Howard County, Maryland. In this attack, James Cox of Howard County government worked with Cisco and installed the Securelogix platform to address the attack.
- The original attacks were conducted from the Middle East; the location of the attacks was known. When I attended a meeting at the FBI Miami Field Office earlier this year, a detective (who spoke the language) was able to speak with one of the individuals in the Middle East.
- The FBI indicated that the attackers were soliciting help via YouTube to attack public safety in the US. The YouTube video was a ‘how-to’ for conducting an attack.
- In the recent attack (NYPD and Miami Beach), the NYPD Cyber team traced the attack's origin to a US college campus. I am not aware whether the attacker used the conference bridge capability of the university phone system to stage the attack.
- The original attacks were all VoIP. The numbers were usually 3 or 4 digits (e.g. 911 or 4434), but the attacker would occasionally change the number during the attack.
These attacks continue today.
Working with AT&T, we installed the Securelogix platform, and it has proven to be a useful tool. The interesting thing is that it appears the attackers noticed their calls were not getting through and are trying different methods to get around the system. For example, instead of a steady stream of TDoS calls, they tried spacing them out. We recently experienced a number of calls, 4 at a time, and then a few minutes' pause. Their conference bridge was engaged, so when our call takers answered, they found themselves talking to other call takers in the center.
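As an added example (not from the original post or any product mentioned in it), the spaced-out pattern described above is exactly what a simple per-minute rate limit misses, so a defender should also look at a longer window. This Python script runs over constructed admin-line call detail records and flags a 3- or 4-digit calling number, calls hung up on answer, and both a steady stream and spaced bursts; the record layout, field names and thresholds are assumptions.

```python
from collections import defaultdict
import re

# Constructed sample CDR lines: epoch seconds, calling number (ANI), called
# admin line, duration. A 3-digit ANI sends 4 calls, pauses ~3 min, sends 4 more.
SAMPLE_CDR = """\
1700000000,5551234567,5550001000,45
1700000010,911,5550001000,1
1700000012,911,5550001001,0
1700000014,911,5550001002,1
1700000016,911,5550001003,0
1700000200,911,5550001000,0
1700000202,911,5550001001,1
1700000204,911,5550001002,0
1700000206,911,5550001003,1
"""

def parse_cdr(text):
    records = []
    for line in text.strip().splitlines():
        ts, ani, dnis, dur = line.split(",")
        records.append((int(ts), ani, dnis, int(dur)))
    return records

def calls_in_window(timestamps, window):
    """Max calls from one ANI inside any span of `window` seconds."""
    best = start = 0
    for end in range(len(timestamps)):
        while timestamps[end] - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyze(records, burst_window=60, burst_threshold=10,
            slow_window=900, slow_threshold=6, short_call=2):
    by_ani = defaultdict(list)
    for ts, ani, _dnis, dur in sorted(records):
        by_ani[ani].append((ts, dur))
    findings = defaultdict(set)  # {ani: set(findings)} worth review
    for ani, calls in by_ani.items():
        ts_list = [ts for ts, _ in calls]
        if re.fullmatch(r"\d{3,4}", ani):  # 3-4 digit ANI is not a real number
            findings[ani].add("short_ani")
        if calls_in_window(ts_list, burst_window) >= burst_threshold:
            findings[ani].add("burst")  # steady stream
        elif calls_in_window(ts_list, slow_window) >= slow_threshold:
            findings[ani].add("low_and_slow")  # spaced bursts
        if sum(d <= short_call for _, d in calls) >= slow_threshold:
            findings[ani].add("hangup_on_answer")
    return dict(findings)
```

On the sample, the 4-then-pause pattern never crosses the one-minute burst threshold but is caught by the 15-minute window, while the legitimate 10-digit caller produces no findings.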
At a minimum, it is important to alert your staff that these attacks are occurring.
If you do experience an attack, the FBI requests you submit a report via this link: