Hacking 911: Adventures in Disruption, Destruction, and Death (DEF CON 22)
Hacking 911: Adventures in Disruption, Destruction, and Death
quaddi, r3plicant & Peter Hefley
August 2014
Jeff Tully
Christian Dameff
Peter Hefley
Physician, MD Emergency Medicine
Physician, MD Pediatrics
IT Security, MSM, C|CISO, CISA, CISSP, CCNP, QSA Senior Manager, Sunera
Jeff Tully
Christian Dameff
Peter Hefley
Open CTF champion (sudoers), Defcon 16; Speaker, Defcon 20
Wrote a program for his TI-83 graphing calculator in middle school; Speaker, Defcon 20
Gun hacker, SBR aficionado
Disclaimer
This talk is not sponsored by, endorsed by, or affiliated with any of our respective professional institutions or companies. No unethical or illegal practices were used in researching, acquiring, or presenting the information contained in this talk. Do not attempt the theoretical or practical attack concepts outlined in this talk.
Outline
- Why This Matters (Pt. 1)
- 911 Overview
- Methodology
- Attacks
- Why This Matters (Pt. 2)
Why This Matters (Pt. 1)
4/26/2003 9:57pm
Emergency Medical Services (EMS)
Research Aims
• Investigate potential vulnerabilities across the entire 911 system
• Detail current attacks being carried out on the 911 system
• Propose solutions for existing vulnerabilities and anticipate potential vectors for future infrastructure modifications
Methodology
• Interviews
• Regional surveys
• Process observations
• Practical experimentation
• Solution development
Wired Telephone Call
Diagram (call flow):
• Nodes: End Office, Selective Router, PSAP, ALI Database
• Link labels: Voice; Voice + ANI (×2); ANI; ALI
• Legend: Voice Only, Voice and Data, Data
Wireless Phase 1 Telephone Call
Diagram (call flow):
• Nodes: Cell Tower, Mobile Switching Center, Selective Router, PSAP, ALI Database, Mobile Positioning Center
• Link labels: Voice (×2); Voice + pANI/ESRK (×2); pANI / ESRK (×2); ALI; Callback # (CBN), Cell Tower Location, Cell Tower Sector; CBN, Cell Tower Location, Cell Tower Sector, pANI / ESRK
• Legend: Voice Only, Voice and Data, Data
Wireless Phase 1 Data
Wireless Phase 2 Telephone Call
Diagram (call flow):
• Nodes: Cell Tower, Mobile Switching Center, Selective Router, PSAP, ALI Database, Position Determination Equipment, Mobile Positioning Center
• Link labels: Voice (×2); Voice + pANI/ESRK (×2); pANI / ESRK (×2); ALI; Callback #, Cell Tower Location, Cell Tower Sector; Latitude and Longitude, Callback #, Cell Tower Location, Cell Tower Sector, pANI / ESRK
• Legend: Voice Only, Voice and Data, Data
Wireless Phase 2 Data
VoIP Call
Diagram (call flow):
• Nodes: VoIP Service Provider, Emergency Services Gateway, Selective Router, PSAP, ALI Database, VSP Database
• Link labels: VoIP + CBN (×2); Voice + ESQK (×2); ESQK; ALI; CBN; ESN #, ESQK; CBN, Location, ESQK
• Legend: Voice Only, Voice and Data, Data
The Three Goals of Hacking 911
• Initiate inappropriate 911 response
• Interfere with an appropriate 911 response
• 911 system surveillance
Wired – End Office Control
Diagram (call flow, symbols as shown on the slide):
• Nodes: End Office, Selective Router, PSAP, ALI Database
• Link labels: Voice; Voice + !%$# (×2); !%$#; ALI??
• Legend: Voice Only, Voice and Data, Data
ALI Database
NSI Emergency Calls
Diagram (call flow):
• Nodes: Cell Tower, Mobile Switching Center, Selective Router, PSAP, ALI Database, Mobile Positioning Center
• Link labels: Voice (×2); Voice + pANI/ESRK (×2); pANI / ESRK (×2); ALI; CBN?, Cell Tower Location, Cell Tower Sector; CBN, Cell Tower Location, Cell Tower Sector, pANI / ESRK
• Legend: Voice Only, Voice and Data, Data
• CBN = 911 + last 7 of ESN/IMEI
Wireless Location Modification
Diagram (call flow, symbols as shown on the slide):
• Nodes: Cell Tower, Mobile Switching Center, Selective Router, PSAP, ALI Database, Position Determination Equipment, Mobile Positioning Center
• Link labels: Voice (×2); Voice + pANI/ESRK (×2); pANI / ESRK (×2); ALI; Callback #, Cell Tower Location, Cell Tower Sector; !@#Lat/Long%%$, Callback #, Cell Tower Location, Cell Tower Sector, pANI / ESRK
• Legend: Voice Only, Voice and Data, Data
VSP Modification
Diagram (call flow, symbols as shown on the slide):
• Nodes: VoIP Service Provider, Emergency Services Gateway, Selective Router, PSAP, ALI Database, VSP Database
• Link labels: VoIP + CBN (×2); Voice + ESQK (×2); ESQK; #ALI@; CBN; ESN #, ESQK; CBN, #%Location$@, ESQK
• Legend: Voice Only, Voice and Data, Data
Swatting Call
VoIP Service Providers
Service disruption attacks
• Line-cutting
• Cell phone jamming
• ALI database editing
• TDoS
• PSAP targeting
• Resource exhaustion (virtual/personnel)
• Outdated system architectures
• Lack of air-gapping
• Privacy
Health Impacts
Bystander CCO CPR Improves Chance of Survival from Cardiac Arrest
[Chart: Survival (%), 0% to 100%, against time between collapse and defibrillation (min), 0 to 9. Series: No CPR, Traditional CPR, CCO CPR. Marker: EMS Arrival.]
Source: Nagao, K. Current Opinions in Critical Care 2009. EMS Arrival Time based on TFD 90% Code 3 Response in FY2008. Standards of Response Coverage 2008.
Strategic Threat Agents
• 6000 PSAPs taking a combined 660,000 calls per day
• Fundamental building block of our collective security
• Potential damage extends beyond individual people not being able to talk to 911
Reverse 911
Solutions
• Call-routing red flags
• Call “captchas”
• PSAP security standardizations
• Increased budgets for security services
• Open the Black Box
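One way a "call-routing red flag" check could look, as an added example that is not from the talk: it compares the data delivered with a call against the fields the call-flow slides show for that call type, and flags callback numbers of the NSI form (911 + 7 digits). The record layout, field names and flag wording are assumptions, and the sample records are constructed.

```python
import re

# Fields the call-flow slides show for each call type (names are assumptions).
EXPECTED_FIELDS = {
    "wired": {"ani"},
    "wireless_phase1": {"cbn", "tower_location", "tower_sector", "pani_esrk"},
    "wireless_phase2": {"cbn", "tower_location", "tower_sector", "pani_esrk",
                        "lat", "lon"},
    "voip": {"cbn", "location", "esqk"},
}

# NSI slide: CBN = 911 + last 7 of ESN/IMEI, i.e. "911" followed by 7 digits.
NSI_CBN = re.compile(r"^911\d{7}$")


def digits(value):
    """Keep only digits so '911-555-0123' and '9115550123' compare equal."""
    return re.sub(r"\D", "", str(value or ""))


def red_flags(record):
    """Return the list of flags raised by one call record (empty if clean)."""
    call_type = record.get("call_type")
    expected = EXPECTED_FIELDS.get(call_type)
    if expected is None:
        return [f"unknown call type: {call_type!r}"]

    flags = []
    present = {k for k, v in record.items()
               if k != "call_type" and v not in (None, "")}
    missing = sorted(expected - present)
    if missing:
        flags.append("missing fields: " + ", ".join(missing))

    cbn = digits(record.get("cbn"))
    if NSI_CBN.match(cbn):
        flags.append("callback number has NSI form (911 + 7 digits)")
    elif cbn and len(cbn) != 10:
        flags.append("callback number is not 10 digits")

    lat, lon = record.get("lat"), record.get("lon")
    if isinstance(lat, (int, float)) and isinstance(lon, (int, float)):
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            flags.append("latitude/longitude out of range")
    return flags


# Constructed sample records (not real calls or real numbers).
SAMPLE_CALLS = [
    {"call_type": "wired", "ani": "6025550100"},
    {"call_type": "wireless_phase1", "cbn": "911-555-0123",
     "tower_location": "Tower 12", "tower_sector": "B", "pani_esrk": "5115550001"},
    {"call_type": "wireless_phase2", "cbn": "6025550101",
     "tower_location": "Tower 7", "tower_sector": "A", "pani_esrk": "5115550002"},
    {"call_type": "wireless_phase2", "cbn": "6025550102",
     "tower_location": "Tower 7", "tower_sector": "A", "pani_esrk": "5115550003",
     "lat": 133.7, "lon": -112.0},
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(call["call_type"], red_flags(call) or "no flags")
```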
Q&A