Schneier on Security
A blog covering security and security technology.
October 19, 2007
Hacking of 911 Emergency Phone System
There are no details of what the "hacking" was, or whether it was anything more than spoofing the Caller ID:
Randal T. Ellis, 19, allegedly impersonated a caller from the Lake Forest home shortly before midnight March 29, saying he had murdered someone in the house and threatened to shoot others.
Allegedly hacking into systems maintained by America Online and Verizon, Ellis used the couple's names, which he had confirmed earlier in a prank call to their home, authorities said.
Authorities spent more than six months tracking down Ellis before arresting him in Mukilteo last week. He was in the process of being extradited to California on Tuesday and was charged with "false imprisonment by violence" and "assault with an assault weapon by proxy." The crimes carry a possible prison sentence of 18 years.
Elizabeth Henderson, the assistant Orange County district attorney in charge of the economic-crimes unit, said Ellis' scheme was "fairly difficult to unravel."
Some more stories, with no more information.
Posted on October 19, 2007 at 6:36 AM
• 34 Comments
I don't think this can be just spoofing caller ID. That's fairly trivial, but to my understanding 911 doesn't use CallerID, it uses ANI (Automatic Number Identification) which is a lower-level protocol.
I haven't heard of ANI being spoofed before.
Speaking of spoofed caller ID, does anyone know what to make of the ID "000-000-0000"? (Not a joke: I got such a call, with no message left.)
Easier than spoofing ANI (which is really hard) it's probably easier to spoof the account details for the number. There's bound to be a social-engineering method to get the address associated with a phone number changed (or perhaps use a mobile phone without a SIM? No SIM is needed to dial emergency services in some recent phone models...).
It's pretty easy (as Wombat said) to spoof Caller ID. Any modern office phone system can be set to send out any phone number you please as the originating CID, provided they're using something better than a standard phone line to carry the calls (a PRI, for example).
Your call from 000-000-0000 was probably from a bill collector or a phone spammer. They often set their systems up that way so you can't call them back, but there is a "number" so people who block calls without caller ID can't filter them.
It's unlawful to do so, of course.
"false imprisonment by violence" and "assault with an assault weapon by proxy".
What does that even mean?
I mean no one was actually shot, right?
@greg: read the article. Armed SWAT team barged in and handcuffed the 'pranked' homeowners.
In this case, the perp was caught. I wonder how many similar incidents are unsolved.
In fact, I'd expect more faked 911 calls, until a hacker makes a local politician the target.
Then suddenly it will be a huge priority to fix the system.
Oh no! He's the next Kevin Mitnick -- lock him up in solitary confinement before he has the chance to hack into AOL and launch our nuclear arsenal!!
And, since no human being could have these mysterious powers over technology, call the Vatican to perform an emergency exorcism.
Then start poring over all the doomsday prophecies -- there MUST BE something, anything, that predicts this scenario.
... Or he's just another teenager who understands systems of systems better than the designers. On second thought, hire him!
I think that it is wonderful that the cops have some uncertainty that the house harbors a criminal.
That said, I do not want to be the one doing the time.
Assault is the threat or attempt to do harm. If you threaten to beat someone up, that's assault. If you do actually hit them, that's "battery".
"Assault weapon" is a specific class of firearms, and carries an additional charge above and beyond deadly, hence the "assault with an assault weapon" as opposed to plain "assault" which would apply if you threatened to beat someone up with your fists. The SWAT team carried said "assault weapons".
The accused didn't hold them prisoner himself, but tricked the SWAT team into doing it. Thus there's the "by proxy". And because there were weapons deployed, it's by nature a "violent" situation thus the first charge.
I had occasion to call 911 last week. There wasn't an emergency, but I had done a pretty good job of impersonating one and I didn't want someone else sending in the cops, so I called them to say that I was fine and not to send anyone.
Anyhow, one of the things that surprised me was that the operator asked me for the phone number I was calling from. I thought for sure that their system would tell them that. Maybe it was just to verify the ANI information?
> Anyhow, one of the things that surprised me was that the operator asked me for the phone number I was calling from. I thought for sure that their system would tell them that. Maybe it was just to verify the ANI information?
This is standard dispatch practice. Not all PSAPs have the latest technology, and moreover, not every address entry in the telco database is accurate either.
The more important point is that if you hang up (for whatever reason), 911 has a number at which they can (and will) call back.
I admired the way the D.A. charged this case out. "Assault with an assault weapon by proxy" indeed!
Could this be through a VoIP system? That would make it trivially easy to socially hack into the customer's web front end to change the e911 address and get this effect.
@Bruce, there is more information at the "some" link, to wit:
""One of the reasons that we're not disclosing exactly how he did it is because we don't want to teach other computer hackers how to do it," she said."
"In June, four people were charged in Texas with operating a chat line where they taught people how to make false 911 calls, sending emergency response teams to targeted victims, a practice known as 'swatting.' [...]
Authorities said that Ellis had made nearly 200 fake 911 calls to dispatch systems in California, Arizona, Washington and Pennsylvania."
So we can once again debate the merits of full disclosure...
Personally, I think it's appropriate to limit disclosure of the details until there's a chance to fix the systems, if a fix is even possible (how does ANI work with VOIP?).
I am surprised SWAT did not shoot the victim. He is lucky he did not have a gun or they certainly would have shot first and asked questions later.
@bob, I give the SWAT team more credit than you. They are trained to shoot first in the sense of shooting before their target, but not in the sense of shooting before they assess the situation, they are in fact trained to assess first and then act appropriately.
So, if he were carrying a gun and dropped it immediately when they started barking orders they would not shoot - but what are the odds he would respond as desired to the confusing and unexpected commands when he was expecting to confront a prowler?
@Anonymous: To make things worse, most of the time when I have seen them on TV (the only exposure I have to SWAT teams, so far) - all the members of the SWAT team are each screaming different things at the top of their lungs, and out of sync to boot; so there is no hope of a person being able to understand what they are saying - and just at a time when adrenalin is causing the fight or flight response to displace the intellect needed to comprehend the instructions.
But the real problem is that the philosophy in police departments seems to have shifted over the decades from "serve and protect the public, even at risk to police officer's lives" [the fundamental reason behind police existing] to one of "do the utmost to prevent a police officer from being harmed, even if it means the public gets hurt".
Like when the cops were outside the school at Columbine waiting for a quorum to arrive before going in, while students are being executed in real time. Or that time when the DC police shot that guy because he had a knife taped to his hand. Or shooting that crazy guy at the airport last year who was running away.
"Anyhow, one of the things that surprised me was that the operator asked me for the phone number I was calling from. I thought for sure that their system would tell them that. Maybe it was just to verify the ANI information?"
As Andrew said, this is to provide a valid call-back number in case the ANI is wrong for some reason. If during the course of an emergency the call is lost, they want to be able to get back in contact with you quickly to continue the call. The call also goes into the dispatch notes so they can call you at a later time (days or weeks later) if they need more information as part of an investigation.
I've noticed most call centers are starting this practice as well. After waiting for ten minutes when I finally get a customer service rep on the line, they get my number so that they can call me if the call is lost (instead of having me try to get the same employee again).
@bob I agree about the philosophy. One of the main reasons to use police instead of military is that police are expected to risk themselves rather than the public.
In the area I live in, the police will do what's convenient even if irreversible damage is done. Need to execute a search warrant of a home with pet dogs; no need to wait for the owner or animal control to confine them, just walk in and shoot them.
I think asking for your number is also a (mild) security check. I've noticed that taxi dispatchers who I know have CLI ask for numbers always. When I give a different number (I often give my mobile number but call from fixed) they seem to make more effort to get some verification.
@bob the SWAT training exercise I viewed was exactly like that, for just the reason you mention - the goal is sensory overload, to freeze the reaction when they confront their target. In a hostage rescue situation it gives them the chance to take preemptive action and down the bad guys hopefully before they take down the hostage(s). In this scenario there's a chance that the homeowner would freeze and perhaps survive - although I wouldn't want to be in his shoes, and certainly not if he turned toward the loudest shout without dropping the gun...
Found this for tracing known nefarious callers for their history. Give the questionable phone number and get either nothing or the goods.
@Bob and the others in the SWAT discussion...
The police, in many instances, have taken too much of an assault oriented attitude. Again, it's an issue that's been going on for years.
Every American should feel insulted when they see State Troopers at Logan bearing automatic weapons (as they did when re-opening after 9-11), or the image of the INS(?) Officer in the military helmet and goggles and submachine gun taking Elian Gonzales.
Are such tactics necessary at times? Yes. But take the time to verify the situation, and that doesn't seem to be done as much anymore. Particularly in a situation of a quiet house, is there any reason for an assault for what stealth -- or shock, the robots now becoming more common -- can perform to surveil the situation up close without risk to the lives of officers or mistaken innocents?
What is a bright spot is the U.S. Marshal's good old-fashioned police work with the Browns in New Hampshire recently, where patience was balanced with force and in the end it was an old-fashioned hand on the shoulder "You're under arrest."
Another good example of balancing officer safety with acting like we (should) expect our police to act was the Dawson College shooting in Montreal last year. The Montreal police officers were trained to act immediately and enter a dangerous situation with only their normal sidearms to confront the shooter in an attempt to confine or kill him. That training was in response to the failures at Columbine where control of the building was ceded by officers who had been trained to fall back and wait to assemble a team for a full force assault in that situation.
We don't want police officers to die. But we also don't want them acting like Red Coats, nor do we want innocents dying instead of police officers.
Similar issues are seen in the fire service, where to find the balance between the safety of firefighters, and that of the public. There are some voices I feel go so far on the side of responder safety that you might as well not leave the station.
For the questions on 911, I'm not certain all places have E-911 yet (CT has had it statewide for 15 years or so), but even then database errors occur. It's better than the first couple years after they launched, but you still once in a blue moon hear a Dispatcher asking an officer to call 911 from the residence after a call where information was screwed up -- I'm not sure what they do back at dispatch, but I guess they flag that call made by the FD or State Trooper and report it back to the telephone company that maintains the E-911 database with the corrected information.
This sounds pretty typical of party lines. It's something called 'swatting' - calling up a 911 system and convincing them to send as many officers as possible to your victim's house. It's about the highest level achievement party line kids can do with the phone system.
As for calling a local 911 - there are a bunch of ways to accomplish this. Most 911 systems will transfer you to the correct dispatch center, so all you have to do is get close. All you'd have to do is find a business remotely close to your victim that allows you to outdial (partycity anyone? or am I in the wrong crowd for that reference) and hit 911. Odds are you could operator assist a call to 911 too, which would send an ANI fail (yeah the operator will tell you they don't do that, just tell them you are 'special/retarded' and they'll transfer you anywhere).
You could also do some homework, check out some old phone books or the local library's local history section and find the pre-911 (no not the trade center thing) number for police emergency. Those numbers typically route directly to 911 (AKA PSAP - you could probably also call up the PSAP coordinator and get it out of them). You could also just scan out the old exchange the police's current non-emergency. At any rate once you have a PSAP number you can just ANI fail to it all day long.
If you wanted to get more technically sophisticated you could go through a diverter like telus (yeah you can still get it to work) and spoof your ANI.
Though, I honestly suspect this was far far far less skilled. This kid probably figured out the victim's AOL password, and found some Verizon diverter. Used the AOL information to get their house info (they probably ordered stuff online, info's emailed to their AOL account). Also, Verizon has this habit of charging people with outlandish offenses that have no basis in truth, EG:
For the record, the password is still the default as printed in the publicly available manual from the early 80s, not to mention the rest of their claims are overblown too.
This talk of ANI and callback numbers surprises me a bit. Modern E911 systems and modern local exchanges can prevent 911 callers from disconnecting. The caller can hang up but the call doesn't release until the operator disconnects. The operator can re-ring an onhook phone while the connection is still up (as in without dialling any number). The local phone company where I live was tricked into giving this ability to some fly-by-night telemarketer who used the ability to force people to leave their phones offhook through a long recorded sales pitch. When you hung up they rang you back immediately. It was either listen to your phone ring or leave your phone offhook until the pitch completed. A month later the phone company sent out a letter apologizing and promising that they were working to prevent that from happening in the future.
Verifying that the database information being displayed to the operator is in fact correct does make sense. Of course, none of this applies to VOIP or mobile calls.
I flew through London about 6 months after the subway bombings there. Scattered throughout the airport were London police officers in full body armor carrying sub-machine guns (mostly MP5s I think). I wouldn't be surprised if they are still there.
I doubt a measure like that is security theatre. I think they want to be ready to provide an armed response, instantly, if they detect any sort of serious situation in progress.
The word I hear is that he allegedly used a TDD service and persuaded the operator about his address. But that was from a non-public mailing list.
@anonymous ... "But the real problem is that the philosophy in police departments seems to have shifted over the decades from "serve and protect the public, even at risk to police officer's lives" [the fundamental reason behind police existing] to one of "do the utmost to prevent a police officer from being harmed, even if it means the public gets hurt"."
I have to agree with this. It has changed. They should be more like the secret service. Take a bullet for the public if necessary. I hear all the excuses, "they have families", "you can't expect that". Well actually I can. Just like I expect a fire fighter to go into a burning building and not be scared of heights. Just like I expect a paramedic to not pass out at the sight of blood. I expect the police to protect the public even at risk to themselves. There is a risk doing it, but you know that going in. If you decide to be a police officer, you know you are going to chase bad guys. You know you are going to have to deal with violent situations. You know it is your job to protect society. So you know the risks and you choose to do the job. If you don't like the risks, then go find a different job.
It used to be very hard but actually ANI is no harder to spoof than CLID these days. All you need is a Linux PBX/VoIP application like Asterisk, a lax VoIP provider & a little know-how.
Last night, at approximately 2:30a.m., I was traumatically awakened from my Ambien-induced sleep by a loud pounding on my door, TWICE. It really creeped me out. I asked who's there, and the reply I received was, "It's the police!"....and indeed it was. I went to the door to find one officer (strangely donning a Texas-ranger-style hat, and behind him were FOUR other officers!). They asked me if everything was alright, to which I replied, "yes of course....why?" They told me that dispatch received a 911 call from my house, which was a hang-up 911 call. Neither I, nor ANY of my roommates made any such call. I have reason to believe I was 911-pranked by a couple of real SICK individuals I used to work with, who have homophobic beefs against me.