Paper: Only 200K mobile bots needed to impair U.S. 911 system with DDoS attack
It would take only 6,000 mobile bots to disrupt 50 percent of wireless 911 calls in the state of North Carolina, according to a new academic research paper.
As few as 200,000 mobile bots working in concert would be enough to launch a successful distributed denial of service (DDoS) attack against the U.S. 911 telecommunications infrastructure, significantly disrupting service nationwide, warns a new research paper released Thursday by Ben-Gurion University.
In the document, researchers Mordechai Guri, Yisroel Mirsky and Yuval Elovici warn that a bad actor could potentially access a phone's baseband firmware and install a rootkit that hides, masks or spoofs its numerical identifiers. The botmaster can then command the anonymous bots to inundate the system with repeated calls without being identified and blacklisted.
After simulating such attacks, the researchers also determined that only 6,000 mobile bots would be needed to substantially hamper North Carolina's 911 system, blocking 50 percent of wireless callers and 20 percent of wireline callers over multiple attempts. Meanwhile, those who do get through would experience a potentially life-threatening 40 percent rise in service time. With 50,000 bots (only 0.0054 percent of its population), 90 percent of the state's wireless users calling 911 would not get through, the report continues.
While the research paper exposes important vulnerabilities in the 911 infrastructure that should be fixed, there is no reason to believe that the threat presented within is imminent, said Rebekah Brown, threat intelligence lead at Rapid7, in comments emailed to SCMagazine.com. "There is the potential that someone could execute this attack, but it would take time and effort, and a flood of calls after a natural disaster could have the same impact," said Brown.
The paper does suggest several methods for detecting or mitigating a DDoS attack by anonymous mobile bots. Among them is Trusted Device Identification, whereby a device "is forced to send a trusted unaltered identifier to the network. The identifier... must be stored in a trusted memory region... so it cannot be changed by malware at any level," the report explains.