We reported back in October about an iPhone exploit that caused devices to repeatedly dial 911, resulting in a such a large volume of calls that one 911 center was in “immediate danger” of losing service. A full investigation of the exploit reveals a targeted attack using the same exploit could prove devastating to the U.S. 911 emergency system.
It was initially thought that a few hundred calls were generated in a short time, but investigators now believe that one tweeted link that activated the exploit was clicked on 117,502 times, each click triggering a 911 call. The WSJ reports that law-enforcement officials and 911 experts fear that a targeted attack using the same technique could prove devastating …
“If this was a nation-state actor that wanted to damage or disable 911 systems during an attack, they could have succeeded spectacularly, Trey Forgety, director of government affairs at the National Emergency Number Association, a 911 trade group, told The Wall Street Journal.
Out of the 6,500 911 call centers around the U.S., only 420 have put in place a cybersecurity program designed to protect them from a similar 911 attack.
“An Emerging Crisis”
“I don’t want to be alarmist, but it’s an emerging crisis,” retired Rear Adm. David Simpson, who oversaw emergency management and cybersecurity at the FCC for about three years during the Obama administration, told the WSJ.
Last year, researchers at Ben-Gurion University in Israel concluded that fewer than 6,000 smartphones infected with malicious software could cripple the 911 systems in an entire state for days.
The code was allegedly created as a proof of concept by Arizona teen Meetkumar (“Meet”) Hiteshbhai Desai, who found a vulnerability in Apple’s mobile operating system. He had hoped to claim a bug bounty from Apple by revealing the flaw. Desai claims he accidentally posted the version of the code that dialed 911. He says he actually meant to post a version that would display a pop-up on screen, and then freeze the device. Desai faces four felony counts of computer tampering.
From the October MacTrast report:
Desai found a way to use JavaScript to remotely open popup alerts, open apps, and make phone calls . To demonstrate the exploit, he wrote code to cause affected iPhones to call 911. He felt this was the best way to do a proof-of-concept, in order to collect a bounty offered by Apple. He uploaded the exploit code to his own server, and then shared the link via Twitter and his own YouTube channel. (Both links have since been deleted.)
Desai says he never intended the code to go out into the wild, and he had simply tweeted the wrong link.
A Fix is on the Way
An Apple representative told the WSJ a fix is on the way. The company says an upcoming system update to the iPhone will plug the hole that made such an attack possible. The update will cause a “cancel” or “call” pop-up to appear on the iPhone screen, and users will be required to press “call” before the iPhone will dial.
“The ability to dial and reach a 911 operator quickly is critical to public safety,” the company said. “The dialing feature in this instance was intentionally misused by some people with no regard for public safety. To prevent further abuse, we’re putting safeguards in place and have also worked with third-party app developers to prevent this behavior in their apps.”
