icant change for anyone coming from
the circuit-switched telephony world,
which formed the current emergency
services system for placing 9-1-1 and
1-1-2 emergency calls.
The regulatory community has also
noticed the steady shift to Internet Pro-
tocols for all forms of communication.
In early 2011, the Federal Communica-
tion Commission (FCC) issued a No-
tice of Inquiry (NOI) on the Framework
for Next-Generation 911 Deployment5
to solicit feedback on all forms of mul-
timedia emergency calling.a
The characteristics associated with
a deployed architectural model impact
security. The fundamental security
problem of emergency services is that
these are services associated with a high
cost, such as dispatching first respond-
ers like ambulances, law enforcement,
fire department services, and the ser-
vice must be available to all users, not
just highly vetted ones. Consequently,
there is much potential for misuse of
the system, which unfortunately does
occur. Yet the fact that the services must
be universally available means there is
little way to prevent such misuse.
Since the emergency services solutions are built on top of the existing
communication architectures and
protocols, they inherit the associated
characteristics, including the security
problems of Voice over IP, instant messaging (IM), and other forms of communication technologies. Yet despite
these problems, from the point of view
of economics it is unlikely to assume
a separate end-to-end communication
infrastructure will ever be deployed
solely for use by emergency services.
false emergency calls
Among all the security challenges to-
day’s systems suffer most from so-
called “false emergency calls,” a form
of denial-of-service attack. As the Euro-
pean Emergency Number Association
(EENA), the European counterpart of
NENA, has noted, “False emergency
calls divert emergency services away
from people who may be in life-threat-
a In their NOI response Barnes et al.
1 provided
a high-level description of the IETF emer-
gency services architecture and illustrated
the main characteristics. A more technically
minded reader may want to consult the origi-
nal IETF specifications (see Rosen et al.
11 and
Rosen and Polk10).
the fact that
the services must
be universally
available means
there is little way
to prevent misuse.
ening situations and who need urgent
help. This can mean the difference between life and death for someone in
trouble.” EENA has attempted to define
terminology and describe best current
practices for dealing with false emergency calls,
3 which in certain European
countries can be as high as 70% of all
emergency calls. Reducing the number
of bogus calls often represents a significant challenge, since emergency services authorities in most countries are
required to answer every call (whenever
possible). If there is no ability to associate the caller with a real-world person
in case of misuse, then the ability to
prosecute is limited. Due to requirements for supporting the so-called SIM-less emergency calls in many countries
(emergency calls that are placed without a SIM card); calls from phones with
pre-paid cards, or from public telephones make accountability difficult.
While hoax call attacks typically
lead to various negative results, they
typically do not cause life-threatening
situations. But a small percentage
of these calls pose a significant risk.
Most significantly, “swatting”—faking
an emergency that draws a response
from law enforcement (usually a SWAT
team)—has the potential for causing
life-threatening problems.
4
The attack is fairly simple: the location system of today’s telephony system performs a lookup using the telephone number as used by the caller.
The obtained location information is
then provided to the emergency number authorities for dispatch of first responders, in this case a SWAT team.
Unfortunately, the caller’s phone
number can be modified.
A very similar attack can be used in
IP-based emergency services systems.
13
In its simplest form, the adversary
crafts location information and attaches it to an outgoing emergency call.
While there are various countermeasures, none are easy to deploy.
When location information is obtained from the Internet access provider (as it is common for both fixed
as well as cellular telecommunication
emergency services systems), various identifiers must be linked to each
other in order to obtain the physical
location of the emergency caller. The
proposed intermediate VoIP emergency services architecture developed by a
U.K. standardization organization illustrates this mapping process in the
example of a DSL network in Appendix
E of an EENA operations document.
7 A
weak link in the mapping process can
be exploited. Similarly, when location
measurements must be obtained, as
those are often provided with the support of the end devices themselves
(for example, from a GPS module).
Naturally, an adversary in control of
the end device is able to return fake
measurement results and can thereby
impact the obtained location.
An approach that focuses on the
prosecution of those who misuse the
service is difficult to accomplish in
an IP-based emergency services solution as well. The challenges are primarily on the technical side but are a
side effect of the deployment reality:
strong identity proofing is not widely
deployed by many VoIP/IM services
nor is it deployed in the Internet in
general. In-person identity proofing is
expensive and by itself is not sufficient
to provide a high level of assurances
throughout the entire service life cycle
(for example, as described in NIST SP
800-63).
8
The Internet is global, and many
application service providers operate
their services everywhere. So, despite
a perfect mapping between the digital identifier and a real-world person
the solution to the problem will be
dependent on the regulatory environment and the ability of law enforcement agencies in different countries
to cooperate. For example, how easy
will it be to hold a person located in
country X using alice@example-ser-
vice.com responsible for making a
hoax call to an emergency service in
country Y? This problem was identi-