Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.
As the physical world becomes increasingly digitized and connected to the virtual world, the lines between cybersecurity and “real” security are blurring. There is no question that crimes committed in the virtual world affect real people on the other end of computers, tablets, phones and other internet-connected devices. But what if a virtual attack could manifest itself in the physical world and actually put your physical wellbeing at risk?
In some ways this is already possible. Earlier this month, residents of Dallas, Texas were the victims of a malicious actor whose only weapon was a series of radio tones that set off the city’s 156 blaring emergency sirens, which sounded for over an hour, according to Dallas News. Besides causing panic and irritation, the outside interference with the system triggered about 4,400 calls to the city’s understaffed 911 system, making the situation even more dangerous.
Although this attack did not occur via the internet, the case highlights the threat to public safety posed by hackers infiltrating not only our computers and phones, but also our emergency systems and other critical infrastructures that keep communities safe on a daily basis.
I spoke with two cybersecurity experts to better understand the potential scope of this new risk as well as how those responsible for public safety structures can prevent digital interference with critical safety functions.
“Many of the network operation centers for cities that facilitate emergency response are inadequately secured and have inadequate cybersecurity,” explains Tom Kellermann, CEO of Strategic Cyber Ventures, in an interview with Forensic Magazine. Kellermann served as a member of the Commission on Cybersecurity for the 44th Presidency and has also been on the board of the National Cyber Security Alliance and the International Cyber Security Protection Alliance. “Most of them have great physical security but terrible cybersecurity in that they’ve invested too much in old school cybersecurity technologies that are not viable in protecting those infrastructures from today’s kill chain of attack.”
In the case of the Dallas alarms, officials revealed that the radio-based system, which was installed about 10 years ago, did not come with any encryption, and that encryption was never added—until now—because no one knew that this sort of interference was possible, according to Dallas News.
Computer-based and internet-connected systems face similar problems, according to Scott White, a penetration tester, or “white hat hacker,” and senior principal security consultant at security company TrustedSec, who says he has encountered unsecured emergency response and critical infrastructure systems before.
“A lot of these systems are very unique and very outdated,” White told Forensic Magazine, saying that the mentality is often, “It’s not broken, let’s just not touch it.”
White explained that one 911 system he tested was completely offline, which made it difficult to update. He said that being offline did not protect the system from attacks, however, and that due to the outdated system—and the fact that every 911 operator had domain administrator rights—a hacker who managed to manually plug in to the system could have done serious damage.
“One wrong click (…) and they could have potentially taken down the whole system, could have disabled the whole system,” White said.
As unlikely as it may seem that a hacker would go to such lengths to interfere with a 911 system, there have been cases of malicious 911 flooding before. As White explains, this type of interference does not require hacking into the 911 system itself: the perpetrator simply needs a way to dial 911 repeatedly and anonymously in a short period of time, or to trick others into doing so.
“(911 flooding) is not like a denial of service attack on the internet where you get flooded with garbage and you block it all, because blocking it all is probably not the right answer,” White says.
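To make the distinction White draws concrete, here is an added example of what a flood detector for a 911 call centre might do instead of blocking; it is not code from the article or from TrustedSec, and the call detail record (CDR) format, numbers, timestamps and thresholds are all constructed for the illustration. It runs a sliding window over CDR lines, lets every number's first few calls reach an operator, only deprioritises that number's further repeats, and separately raises an alert when many distinct numbers dial at once (the pattern left by victims tricked into calling), again without dropping any call.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of call detail records (CDRs) as a PSAP might log them:
# UTC timestamp, calling number, call result. Numbers and times are invented.
SAMPLE_CDR = """\
2016-10-25T14:00:01Z,+15550001001,ANSWERED
2016-10-25T14:00:03Z,+15550001002,ANSWERED
2016-10-25T14:00:05Z,+15550009999,ABANDONED
2016-10-25T14:00:06Z,+15550009999,ABANDONED
2016-10-25T14:00:07Z,+15550009999,ABANDONED
2016-10-25T14:00:08Z,+15550009999,ABANDONED
2016-10-25T14:00:09Z,+15550009999,ABANDONED
2016-10-25T14:00:10Z,+15550009999,ABANDONED
2016-10-25T14:00:12Z,+15550001003,ANSWERED
2016-10-25T14:05:30Z,+15550001004,ANSWERED
"""

WINDOW = timedelta(seconds=60)  # sliding window (assumed value for the example)
PER_CALLER_LIMIT = 3            # calls from one number per window before repeats are deprioritised
BURST_LIMIT = 8                 # distinct callers per window that suggests a campaign


def parse_cdr(text):
    """Parse 'timestamp,caller,result' lines into (datetime, caller, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, result = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, caller, result))
    return records


def triage(records, window=WINDOW, per_caller=PER_CALLER_LIMIT, burst=BURST_LIMIT):
    """Decide 'answer' or 'deprioritise' for each call and collect alerts. No call is dropped."""
    per_number = defaultdict(deque)  # caller -> timestamps inside the window
    everyone = deque()               # (timestamp, caller) for all calls inside the window
    decisions, alerts = [], []
    burst_active = False
    for when, caller, _result in records:
        q = per_number[caller]
        while q and when - q[0] > window:
            q.popleft()
        while everyone and when - everyone[0][0] > window:
            everyone.popleft()
        q.append(when)
        everyone.append((when, caller))

        # Per-number limit: the first calls always reach an operator; only the
        # repeats beyond the limit are queued behind other waiting callers.
        if len(q) > per_caller:
            decisions.append((when, caller, "deprioritise"))
            if len(q) == per_caller + 1:
                alerts.append(f"{when.isoformat()} repeat-dialler {caller}: "
                              f"{len(q)} calls within {int(window.total_seconds())}s")
        else:
            decisions.append((when, caller, "answer"))

        # Aggregate check: many distinct numbers at once, each under the per-number
        # limit, looks like a campaign (victims tricked into dialling). Alert once
        # at onset; every call is still answered.
        distinct = len({c for _, c in everyone})
        if distinct >= burst and not burst_active:
            burst_active = True
            alerts.append(f"{when.isoformat()} burst: {distinct} distinct callers within "
                          f"{int(window.total_seconds())}s")
        elif distinct < burst:
            burst_active = False
    return decisions, alerts


def campaign_sample(n=10, start="2016-10-25T14:10:00Z"):
    """Constructed records: n distinct numbers each dialling once, two seconds apart."""
    t0 = datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return [(t0 + timedelta(seconds=2 * i), f"+1555020{i:04d}", "ABANDONED") for i in range(n)]


if __name__ == "__main__":
    for label, recs in (("repeat dialler", parse_cdr(SAMPLE_CDR)), ("campaign", campaign_sample())):
        decisions, alerts = triage(recs)
        held = sum(1 for d in decisions if d[2] == "deprioritise")
        print(f"{label}: {held} call(s) deprioritised; alerts: {alerts}")
```

The design choice follows White's point: a single number hammering the line is held back only after its first calls have been answered, and a burst of one-off calls from many numbers produces an alert for the supervisor rather than a filter, because any of those callers may be a genuine emergency.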
A recent 911 cyberattack was carried out in October 2016 by a hacker who exploited a flaw in iOS that let him craft a web link which, when tapped, made the victim’s iPhone dial 911 repeatedly, according to Forbes. Eighteen-year-old Meetkumar Hiteshbhai Desai was arrested for allegedly creating the exploit and posting the malicious link on Twitter. Apple patched the bug in late March 2017; iPhone users now have to confirm that they intend to place a call after tapping such a link.
Flooding attacks on 911 systems can be much more than a nuisance; they can be deadly, as demonstrated by another case in Dallas in which a 6-month-old infant died when his babysitter could not reach 911 because of “ghost calls” caused by glitchy T-Mobile devices, as reported by CNN. Although that problem was not the result of malicious hacking, a hacker who did want to cause serious harm could do so easily because of “the commodification of malware and the widespread distribution of attack platforms,” according to Kellermann.
“The typical criminal or ‘hacktivist’ in today’s world can download the necessary weaponry and be able to just shoot at will,” Kellermann explained, “much like you could buy a gun and buy a bullet and not know how to build the gun or the bullet, but yet pull the trigger. That’s exactly what’s happened in cyberspace.”
White similarly noted how easy hacking has become, saying he could teach me—someone with no hacking experience—to break into a system “within 5 to 15 minutes.”
So what can be done about this problem, which can even affect someone who doesn’t own a computer, but may rely on these critical systems in the case of an emergency?
“From a policy perspective, (there are) things that can be done, beginning with the forced allocation of 20 percent or more of your IT budget to cybersecurity if you are maintaining or securing a lifesaving or critical infrastructure,” Kellermann said.