The Growing Threat to PSAPs from Telephony Denial of Service (TDoS) Attacks
Author: David Kahn
Copyright: 9-1-1 Magazine, Feature Content
In March 2012 the Department of Homeland Security (DHS) National Coordinating Center for Communications issued an alert that several Public Safety Answering Points (PSAPs) had experienced a new and somewhat unexpected problem: Telephony Denial of Service (TDoS) attacks that threatened the PSAPs’ ability to communicate with inbound callers and first responders alike. In these attacks, the 9-1-1 Interactive Voice Response (IVR) system and call center operators were saturated with zombie voice phone calls of a magnitude that overwhelmed and rendered ineffective the PSAP’s communications infrastructure. Since our PSAP’s primary interface to the public is currently 9-1-1 voice calls, clogging up its ability to answer inbound voice calls is in itself a serious problem. The problem is compounded by the fact that many PSAPs share the same pool of telephone lines for inbound calls with those used for contacting police, fire and EMS dispatchers with additional information or patching the inbound 9-1-1 caller directly to the first responders.
In the ongoing discussion of how public safety can mitigate TDoS attacks, this article will focus on the hardening of existing 9-1-1 technologies and how Next Generation 9-1-1 (NG9-1-1) will substantially increase the capacity of PSAPs to handle large call volumes, whether resulting from TDoS attacks or from concurrent legitimate calls. And finally, it will address how FirstNet, the new nationwide public safety network, will play a critical role in securing public safety communications and 9-1-1 calls.
Voice telephony other than cellular is now predominantly Voice over Internet Protocol (VoIP) based. An attacker who has a computer with the right software can “robo-dial” hundreds or thousands of simultaneous phone calls using inexpensive Session Initiation Protocol (SIP) computer software on a PC while abusing the infrastructure of legitimate services such as Skype, ICQ, or major SIP providers. Free Asterisk Private Branch Exchange (PBX) software can easily be programmed to make simultaneous calls. Asterisk has been programmed by attackers to keep the lines open as long as possible by dialing recursively through touchtone or IVR call trees, and if a person is reached, it has the ability to speak unintelligibly or play white noise so that the person answering does not immediately hang up – anything to delay having the call disconnected.
TDoS attacks can cause significant damage to the target by shutting down legitimate voice communications or by creating a diversion while another attack is perpetrated. Organizations under attack are forced to acquire expensive mitigation solutions while perpetrators can inexpensively acquire the tools to initiate an attack. Consequently, there are markets for both TDoS attacks and defensive services. As this threat is just now emerging, the defensive measures have not yet caught up with the attackers’ capabilities.
Systems that detect TDoS attacks are typically based on blacklisting originating phone numbers; a few more sophisticated systems analyze audio samples to determine that the call is not legitimate. Both strategies take time, and as fast as they disconnect bogus calls, the attacker will set up new calls even faster. Since SIP systems can easily “spoof” random phone numbers, blacklisting only deters unsophisticated attackers.
The best hope to reduce attacks is to encourage, or if that doesn’t work, try to force, SIP service providers to shut down abusive customers. The first step in doing this is to collect any information available about the attacker and report the attack immediately to the FBI at www.ic3.gov.
The most effective thing we can do to harden our PSAPs is to increase the channels by which the public can reach us to more than voice telephony. Ideally, the added channels would also be more difficult to saturate than phones. Public safety has made progress with the partial rollout of NG9-1-1 systems that accept text messages, and they can do far more by moving to Internet Protocol (IP) based systems.
Text Message Denial of Service attacks on PSAPs are difficult to perpetrate. This is because the cellular carrier uses the location reported by the phone and its triangulated location from the cell towers to direct the text message to the correct PSAP and this process is entirely under the control of the cellular carriers. 9-1-1 voice calls from cellphones are difficult to spoof for the same reason. Therefore, as inbound calls from VoIP landlines become a smaller fraction of the PSAP’s mix, TDoS attacks will become more obvious and consequently we can reduce their impact on PSAP operations.
The impact of TDoS attacks can also be mitigated by dedicating a portion of the PSAP’s telephone lines to inbound calls from landlines or VoIP systems and keeping these lines segregated from those accepting cellular calls. During a TDoS attack, the IVR system’s initial outbound message can recommend that callers use a cell phone to contact 9-1-1 by voice or text.
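The effect of the line segregation described above, as an added example that is not part of the original article: a small trunk-admission model comparing a shared pool of lines with segregated groups. The trunk counts, call rates and hold times are constructed assumptions, not figures from any PSAP.

```python
"""Trunk admission model: shared pool vs. segregated trunk groups."""
from dataclasses import dataclass


@dataclass
class Call:
    start: int      # second at which the call arrives
    duration: int   # seconds the trunk stays occupied
    origin: str     # "voip" (landline/VoIP class) or "cellular"


def simulate(calls, groups, route):
    """Admit calls onto trunk groups; return {origin: (answered, blocked)}.

    groups maps group name -> number of trunks.
    route maps call origin -> the group that serves it.
    """
    busy = {g: [] for g in groups}  # release times of occupied trunks
    stats = {}
    for call in sorted(calls, key=lambda c: c.start):
        g = route[call.origin]
        # Free every trunk whose call has ended by now.
        busy[g] = [t for t in busy[g] if t > call.start]
        answered, blocked = stats.get(call.origin, (0, 0))
        if len(busy[g]) < groups[g]:
            busy[g].append(call.start + call.duration)
            answered += 1
        else:
            blocked += 1  # caller gets a busy signal
        stats[call.origin] = (answered, blocked)
    return stats


def constructed_traffic():
    """Constructed sample: 300 long-held VoIP calls plus 8 cellular calls."""
    flood = [Call(s, 600, "voip") for s in range(0, 300)]
    legit = [Call(s, 90, "cellular") for s in range(60, 300, 30)]
    return flood + legit


# Assumed layouts: the same 24 trunks, pooled or split by call origin.
SHARED = ({"all": 24}, {"voip": "all", "cellular": "all"})
SEGREGATED = ({"landline_voip": 8, "cellular": 16},
              {"voip": "landline_voip", "cellular": "cellular"})

if __name__ == "__main__":
    for name, (groups, route) in (("shared", SHARED),
                                  ("segregated", SEGREGATED)):
        print(name, simulate(constructed_traffic(), groups, route))
```

In the shared layout the long-held calls occupy every trunk before the first cellular call arrives, so all cellular callers are blocked; with segregation the flood is confined to its own group and every cellular call is answered.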
Public safety communications will be profoundly affected by the new First Responder Network Authority (FirstNet). In addition to voice and text messages, the public will have 9-1-1 applications on their smartphones that enable important new capabilities to provide police, fire, EMS and secondary public safety agencies such as utilities with critical information that is currently not available. A few examples are:
- Continuous updates of the caller’s current location until the incident is over.
- Geo-tagged still pictures and video.
- Medical records and real-time biometric uploads.
Given FirstNet’s focus on interoperability, it should soon become easy to securely share information between agencies. The PSAP will share the information received from the “caller” with dispatch who will share it with the public safety personnel arriving on-scene. Public safety’s command and control and situational awareness capabilities will expand astronomically!
In the IP world, the playing field with the bad guys is at least leveled and if FirstNet does its job of providing security and device authentication services, public safety will have the advantage. In the near future, clogging the inbound landlines with TDoS attacks will become about as relevant as blocking the PSAP’s smoke signal system!
Public safety’s move to IP-based systems will create new opportunities to increase efficiency and to protect both the public and public safety personnel. However, increased reliance on IP brings new challenges and new opportunities for bad actors to attack public safety infrastructure because current strategies of isolating public safety systems on private networks will no longer be feasible. PSAPs and other public safety agencies must quickly become more knowledgeable about Information Assurance (IA) strategies, policies and tools.
FirstNet has announced that its core services will include a security engine and an applications engine/framework. Both will be critical to hardening our systems so that they work when public safety needs them most. Taking a page from the Department of Defense’s IA policies, the run-time engine will need to perform National Institute of Standards and Technology (NIST) certified encryption of all data at-rest and in-transit and provide a secure “sandbox” execution engine that guarantees only approved applications are allowed to execute and that each application only has access to the memory and storage specifically assigned to it. Otherwise, we will inevitably have programs that by intention or mistake allow inappropriate access to privileged data or crash critical infrastructure.
While local control is critical, and required by the legislation that created FirstNet, it cannot be allowed to degrade the security or the reliability of critical infrastructure. Since smaller public safety agencies will not have the capability to set up and maintain secure systems, FirstNet will likely provide services in the “Cloud” that can be purchased on a subscription basis for routine requirements or from an online “App Store” selling only trusted applications, many of which will only run inside of FirstNet’s secure runtime engine.
When FirstNet board member Jeff Johnson recently spoke at the Public Safety Communications Research (PSCR) Program Conference in Westminster, Colorado, he noted that when he started as a firefighter, public safety’s communications technology was far ahead of the public and business organizations. However, in the intervening years, the internet and smartphones had allowed the public to leapfrog public safety.
Now it is public safety’s turn to leap forward. The improvement will be end-to-end – from PSAPs interfacing with the public through voice, text and IP systems, to more access to critical data by public safety personnel in command centers and the field, and vastly improved command & control and situational awareness through secure, reliable and fast broadband connections and services provided by FirstNet. As Bob Dylan once wrote: “The times they are a-changin’.”
David Kahn is CEO of Covia Labs, Inc., a company that has developed communications interoperability technology. Covia was named a “Top Performing Technology” at the US Military’s 2010 Coalition Warrior Interoperability Demonstration events, and has worked on contracts for the Department of Homeland Security and Defense Advanced Research Projects Agency. Kahn has advanced degrees in physics, nuclear science and engineering.
For more information on FirstNet see www.ntia.doc.gov/category/firstnet