

Security reporter tells about hacked 911 call that sent SWAT team to his house - bbgm
http://arstechnica.com/security/2013/03/security-reporter-tells-ars-about-hacked-911-call-that-sent-swat-team-to-his-house/

======
MichaelGG
I think this is an all-new low for the word "hacked". You can call any
911-response center and provide a phone/address for them. No need to even
change your caller ID, just hide it. No need to dial 911, just find the local
10-digit number for your PSAP. You can probably even just call the police
line, and say that 911 isn't working because you're on a VoIP line.

Edit: I had a similar experience, when one of my license plates fell off. I
filled out an online form on the police site, never got a response. One day,
cop pulls me over, then draws on me and gets 4 other cops as backup. I was
under the impression you don't point guns at someone unless you're ready to
fire, so I'd assume that if I had made any sudden movements it could have been
fatal.

The thing is, I could have filled out that form with anyone's information.
There's not even a callback/confirmation. So if you fill out a form for
someone who has a concealed carry permit or something, you could probably
cause a severe incident.

~~~
dfc
_I was under the impression you don't point guns at someone unless you're
ready to fire, so I'd assume that if I had made any sudden movements it could
have been fatal._

Was this hyperbole or honesty? Drawing a firearm is a deterrent and is
employed in order to prevent things from escalating to a point where an officer
has to fire.

~~~
MichaelGG
Sorry, I should have made it clear, he drew, then pointed directly at my head
- I was looking right at the end of it. Wikipedia says the rule is "Never let
the muzzle cover anything you are not willing to destroy".

So, going from what seemed like an ordinary traffic stop to looking down a
gun, I figured he was prepared to kill me if he found it necessary. As I could
not figure out any reason for him to want to stop me like that in the first
place, it seemed logical there was some massive escalation I was unaware of.

~~~
dfc
Yes, that is a basic tenet of firearm safety. However if an officer delays
drawing his weapon until he is ready to fire it can be too late. You cannot
fire a holstered weapon.

I am not certain about the exact distance but I think a hostile person
brandishing a knife within 20 or 25 feet is considered to have an advantage /
pose serious risk of death (able to inflict serious trauma) over an officer
with a holstered weapon. (In NYS)

------
Mankhool
One need not be a hacker to get a SWAT team to storm the house of a citizen in
the U.S.
[http://www.ctpost.com/local/article/Towns-to-pay-3-5M-in-dea...](http://www.ctpost.com/local/article/Towns-to-pay-3-5M-in-deadly-cop-raid-4290145.php)

------
betterunix
I have an easy fix: don't have soldiers doing police work.

~~~
michaelt
I'm no advocate of paramilitary policing, but if the police get a call from
your house saying there's a criminal with a gun shooting people, what
alternative is there to them showing up with guns drawn?

Even in the UK, where most of the police don't have guns, they still send
armed response teams to deal with armed criminals.

~~~
betterunix
There is a difference between showing up with bullet-proof vests and handguns,
and showing up with full body armor, assault rifles, and grenades. It is a
matter of mitigating the risk of innocent people being killed by the police.

~~~
mpyne
Good luck getting police to show up to anything involving armed criminals
without all that kit after the L.A. North Hollywood shootout of 1997 [1]. Not
to mention the Dorner police slayings or the _two_ homicidal maniacs in
upstate New York in just the past few months.

If you want to respond with anything less than the best possible tools
available to ensure you survive the event then you can certainly make that
choice. But I couldn't in good faith tell someone else to make that choice. If
you're a bystander near a heavily armed criminal the only safe place to be is
far away.

[1] <http://en.wikipedia.org/wiki/North_Hollywood_shootout>

~~~
cobrausn
When I was an MP (military police), they taught us a bit about _escalation_,
wherein you only use what is necessary for the task at hand and reevaluate as
the situation changes.

Cops certainly do not need to be using 'weapons that belong on the
battlefield' as their go-to weapon for any raid _unless_ it is suspected that
there may be body armored opposition (an absurdly rare occurrence - worth
treating as an outlier). It would not be unreasonable to have one or two
rifles on standby, in case a situation escalates beyond what was expected.

I do not like this trend of increasing paramilitarization of the US police
forces. You are supposed to trust a police officer. It is hard to trust
someone wearing BDUs and carrying assault weapons - you are more likely to
respond fearfully, which can often make things worse.

~~~
sneak
> unless it is suspected that there may be body armored opposition

You mean like in the case where someone deceives them into thinking someone
well-equipped and violent is in a certain location?

Swatting is a hard problem. We can't really put strong authentication in place
because of the asymmetry of needing anyone to be able to report a violent
crime in progress at any time at any location. And the anonymous report is,
indeed, cause for suspicion that a crime is being committed, and if that
anonymous report further claims that the bad guys are heavily armed and/or
wearing body armor, that is cause for suspicion that they may indeed be
telling the truth and the bad guys are ready to rock and roll at the drop of a
hat.

It's a sticky situation.

~~~
derefr
You know, this actually, _just this once_, sounds like a sensible use-case
for civil deployment of surveillance drones! Not pre-emptively, mind you--but
when someone reports something like this, it'd be great to be able to send a
robot ahead of the police to see what they're up against.

~~~
ceejayoz
Robots are actually frequently used to make contact with armed suspects holed
up in buildings.

------
1337biz
Hasn't swatting been around forever? Or at least since the time when phone
number spoofing became easy. Even the Wikipedia entry is referencing an FBI
page from 2008. [1]

[1] <http://en.wikipedia.org/wiki/Swatting>

~~~
n3rdy
Script kiddies have been doing it since at least the 90's.

------
taeric
Major props to the reporter for not losing it. The self control necessary to
get through this incident quickly and without things taking serious turns for
the worse is something I can hope I have. (I probably don't.)

------
anonymoushn
Did they search his home with permission, or does a spoofed phone call alone
give the police the right to perform a search?

~~~
bcoates
If the police know it spoofed, of course not, but if they have probable cause
to believe a person is in danger they can do a search for that person without
consent or a warrant.

~~~
drucken
How would they "_know it spoofed_" without checking? I mean there is no
reason to believe someone they just arrested...

~~~
lawnchair_larry
In this case, Krebs recognized that dilemma and just consented to the search.
If someone were to SWAT someone that they knew had unrelated contraband, this
becomes an interesting question. That's not far off of what AT&T did to Weev
initially, but I think his drug charges were thrown out.

------
corresation
The #1 issue is the completely insecure, trust nature of the phone system. It
should be _trivial_ for a local police department to verify, with a very high
degree of trust, that the number calling them is legitimate. That this doesn't
exist is absurd, and is twenty years behind where it should be.

~~~
MichaelGG
It's the same as IP traffic, really. Calls can go through any number of
providers. You can spoof phone traffic just as easily as IP traffic. The
"caller ID" number is totally unrelated to any incoming line. The number could
also be from another country, or corrupted.

The Internet seems to work fine with IP, despite it being trivially spoofable.
I think your expectations are incorrect.

Edit to add: It's not even desirable, what you're asking. Imagine, for
instance, Twilio. If each call had to be immediately traceable, what would
that mean? Would Twilio need to require proof of identification before
allowing any outbound calls? I think what you're suggesting would be extremely
detrimental.

~~~
corresation
_It's the same as IP traffic, really. Calls can go through any number of
providers. You can spoof phone traffic just as easily as IP traffic._

While this seems to get stated a lot, it isn't actually true at all: spoofed
IP packets get no response (I should also add that most providers flag and
drop packets that have no business originating from where they did, so
spoofing IP is usually a complete non-starter to begin with), or rather the
response goes to _an entirely different place_ (as if you spoofed someone's
number to call 911 but only the original number can actually hear what the
operator is saying). There are a couple of examples of very large providers
misusing BGP (usually accidentally), but it is immediately identifiable,
completely tracked, and _rejectable_.

_It's not even desirable, what you're asking._

What am I "asking", given that you've gone to such lengths to declare it? If
someone has a phone on AT&T or Verizon or _even Skype_ the provider should be
able to essentially sign the call initiation. Much like TCP, the world phone
system has a routable infrastructure (otherwise it would be impossible to call
a number because where does it go?), and such a mechanism is hardly far flung
when we're talking about emergency services.

Yeah, there are some services that can't abide by that, and they should
properly be flagged as "completely anonymous, untraceable call" and get the
credibility such deserves.

~~~
MichaelGG
Spoofed telephone calls can't be called back either, exactly like IP.

You are asking that the originator of a call be identifiable somehow. That's
not possible, given the number of resellers and levels. That would require
even more trust, getting every provider to have a transitive trust
relationship and show ID. A single call might go through 3, 4, even more
resellers before ending up at the destination.

~~~
corresation
_Spoofed telephone calls can't be called back either, exactly like IP._

These emergency phone calls are two-way communications, exactly _unlike_ the
IP spoofing situation (seriously you really want to stick with the wrong IP
example?)

_You are asking that the originator of a call be identifiable somehow_

Wonder of wonders, yes I am. The world phone system is a completely routable
system -- providers effectively own prefixes or even individual numbers, which
is exactly how one can call someone. The notion that if a call comes in that
says "Hi I'm 555-5555 from Verizon @ 555 Blaxberry Lane" and it can actually
be verified if not authenticated by Verizon is hardly some big technical
marvel. It's actually _TRIVIAL_, and it's exactly how the world pay-phone
system works (note that these people aren't spoofing numbers to call pay sex
lines because the telcos actually care about that). This whole ball of
nonsense is because telcos have zero obligation to give a crap, so they don't.

~~~
MichaelGG
SMTP might be a better analogy, but I'll concede as it's irrelevant.

You're wrong about the compensation bit. It's entirely possible to send fake
traffic and get compensation. Cutting that off is an entirely manual process;
with someone noticing the fraud and reporting it. It's not some magic
authentication that happens.

The reason things like sex lines (either premium rate numbers or just really
high-rate areas) often do not work is because the costs are passed on through
the various companies (so they'll clip anything over a few cents) or because
they simply will not accept calls if they are not within the trusted system.
If you have a VoIP line and try dialing a 1900 number, it won't work unless
that VoIP provider has made a specific deal. It's not like they look at the
calling number, then mail out bills to whoever they think the owner is.

Guess what: Folks don't accept limitations on dialing 911 (or the PSAP admin
line, which is just a normal number). They're going to demand 911 be answered
regardless of billing relationships.

At both 911 companies I've owned, the routing system depended on being able to
"spoof" caller ID. We would have to accept whatever caller ID we were given,
because it's essentially intractable to know who has the actual
relationship with the end user. It's also not knowable if the connection
handing me off this call is authorized to use that number. There's simply zero
concept of that. Additionally, there's no such thing as a real master database
correlating number-address. (That'd make things easier!)

Even if there was, it'd still be trivial to swat. Buy a number online, say
your address is <target address>. Place a legitimate call that
"authenticates". Change address, repeat. Worst case scenario (if you can't
make an anonymous payment), hack someone else's VoIP account and change their
address and place call.

You are right that this _is_ a large problem. Some PSAPs have come under DoS
attacks, getting a flood of fake calls. 9-1-1 is a critical piece of safety,
and it's fairly unprotected. Funding is limited. Some of the vendors involved
are laughably bad. And, at least a few years ago, there was a massive
disconnect between technology/Internet and the emergency response side.

