On Thursday, DHS announced a $2.6 million research contract with the University of Houston aimed at defending next-gen 911 call centers from TDoS attacks.
A Telephony Denial of Service (TDoS) attack floods a service with bogus phone calls, preventing legitimate users from getting through. Such an attack could take a 911 call center offline for hours, or potentially even days.
In 2013, dozens of such attacks across the United States targeted the administrative phone numbers for police, fire, and ambulance services, although not any 911 emergency lines, according to a warning issued by DHS.
And in 2014, a private industry notification from the FBI noted approximately 1,000 such attacks targeting emergency communications of medical centers across the United States in the year prior.
"Due to the ease of TDoS attacks that cyber actors carry out on vulnerable systems," the FBI wrote, "as well as using tactics to evade detection, it is most likely that TDoS will be the 'go-to' method that can be used on other organizations, whether government or private, that rely heavily on telephone lines."
The problem, Larry Shi, an assistant professor of computer science at the University of Houston and a principal investigator for the project, told Motherboard in a telephone call, is that "there are many more ways to request help from 911," such as wearable devices that automatically call for help, apps on your smartphone, even home security systems, "but each channel of communicating with 911 brings its own vulnerabilities."
Next generation 911 call centers are especially vulnerable, he explained, because they are VoIP-based, not traditional landlines, putting them at risk of not only TDoS attacks, but also traditional DDoS attacks, malware, and targeted hacking attempts.
A TDoS could even happen by accident. "One of the things that we've found is that software bugs could unintentionally launch these attacks," Omprakash Gnawali, also an assistant professor of computer science at the University of Houston, and a principal investigator on the project, said, noting that 911 call centers sometimes receive automated calls from cell phone providers. "The cell phone company is definitely not trying to launch a TDoS attack."
"Lots of software that we install on our smartphones can make phone calls and send texts," Gnawali added. "A bug could result in an unintentional message to a 911 call center."
The University of Houston team will conduct research with a small development 911 call center in a controlled lab environment that uses some of the same hardware and software equipment as real 911 call centers. By identifying weaknesses in next-gen 911 systems, the team aims to develop a cost-effective way to mitigate the TDoS risk—and develop new standards for the industry.
"The whole ecosystem here is complex," Shi said, "and there are so many places where there's a possibility of an attack. We need to do research to see what are the motivations, what's the psychology there, the technology involved and how to defend against that."
DHS declined to comment for this story.