The U.S.’s 911 emergency response almost works in spite of itself; it’s an aging patchwork of 6,500 call centers that largely worked when everyone had a home phone line, but has struggled as fewer and fewer Americans own a landline. The network’s vulnerabilities to hackers have been an open secret for years — but The Wall Street Journal has an in-depth story of what looks to be the largest-ever attack against the 911-emergency-response network.
In an odd way, the fact that most call centers haven’t seen major updates in years is a line of defense against attackers. Most call centers still use old-fashioned copper-wiring telephone cable — a 911 call center that ran on a Voice over Internet Protocol (VoIP) system, like many larger businesses use, would be much easier to take down.
But even copper-wire-telephone-cable call centers can be brute-forced. Starting late on the evening of October 25, 2016, for nearly 12 hours, dozens of 911 call centers across the country were barraged with thousands of calls from smartphones, from California to Florida. The 911 calls would hang up as soon as an operator picked up. “We didn’t mean to call 911!” one panicked girl told an operator, per The Wall Street Journal. “I’m not touching the phone! I’m not doing anything! I don’t know how to make it stop!”
The main attack started when the Twitter account @SundayGavin tweeted: “I CANT BELIEVE PEOPLE ARE THIS STUPID,” along with a shortened link. (Helpful tip: never click a shortened link.) Once people clicked the link, their phones began to dial 911. Police tracked the Twitter account to an 18-year-old, who claimed he had clicked the link himself, and had posted the link mainly as a joke. Other users picked up on the prank, and began tweeting the link as a way to download new Drake songs, or to please support their pages. Eventually, a social-media celeb with a Twitter account of about 440,000 followers tweeted the link, worsening the problem.
Investigators estimate the link was clicked 117,502 times. Smartphones not made by Apple weren’t affected, and clicking the link while viewing Twitter in desktop did nothing. As soon as the link was clicked, the phone would begin to dial 911. Users could hit the hang-up button, but the phone would simply begin to redial 911. The only way to stop the 911-auto-call loop was to power down the phone.
While this was happening across the country, Maricopa County, Arizona, Sheriff Sergeant Dennis Ogorchock, responsible for the department’s cybersecurity, was called into the office early in the morning, after learning the county’s own 911 system was being overwhelmed. Sergeant Ogorchock ran a WHOIS check on the website causing the mischief. It turned out that the site was registered to Meet Desai — and some social-media sleuthing revealed a young man with the same name, who happened to be enrolled in computer science at a local community college in Phoenix.
Local police found Desai in class, and brought him in for questioning. Desai claimed he had discovered the bug in the iPhone’s software, and was hoping to collect on Apple’s bug bounty — though Apple denies Desai was part of the bug-bounty program. When asked why his script caused phones to dial 911 over and over, Desai told authorities that he originally meant for his code to call 911, before deciding that would alarm too many people, but switched it to call a dead number instead. But, perhaps by accident, the code went live, and people started calling 911 en masse.
“I think he was just a teenage kid trying to make a name for himself in the hacker community,” says Sergeant Ogorchock. Desai is now charged with four felony counts of computer tampering, and has yet to enter a plea. Apple plans to patch the security hole that allowed for iPhones to be taken over and call 911 nonstop.
What’s frightening is that this attack seems to mainly have been perpetrated by teenagers goofing off on the internet, and they just accidentally brought one of the nation’s vital safety systems to its knees. It’s scarier to think what could have happened if the code hadn’t allegedly been the brainchild of a bored community-college student, but one of someone with more experience and more malicious motives.
“If this was a nation-state actor that wanted to damage or disable 911 systems during an attack, they could have succeeded spectacularly,” says Trey Forgety, director of government affairs at the National Emergency Number Association, speaking to The Wall Street Journal. “This was a serious wake-up call.”