How Swatting Works
Brian Krebs, an investigative journalist working for the Washington post, has the dubious distinction of being one of the first journalists to be “Swatted”. For those of you not up on the hacker nomenclature, “Swatting” is the practice of using forged information to send a heavily armed police team to an unsuspecting victim’s house. This is a deplorable practice, but, as with all threats, the only way to defend yourself is to understand the vector of assault.
Today we’re explaining the mechanics of “Swatting”, but first, one has to understand how 911 works.
911 Caller ID
How does 911 validate the phone number that’s calling? Scary Truth: Nothing validates outbound caller ID.
The way the phone network was built, Caller ID was a tag that was added on later. There is a central database that is managed by the government, but there’s no central authority. That is to say, if you can copy my caller ID, the phone network will think you are me. While there are certainly CNAM (Caller Name) Directories, these are built based upon the information offered by a phone number and not by some central authority. So to restate the point, 911 doesn’t validate Caller ID or CNAM and anyone can pose as someone else.
How does 911 get address information?
In the case of an actual copper phone line, the 911 information is updated automatically by the service provider in accordance with Federal regulations. This means that the service address always corresponds to the Caller ID. With VoIP handsets, e911 service is used, and the 911 address information can often be controlled by the user. So again, to restate my point, 911 address information, in many circumstances, is a user provided field.
Finally let’s dive into the specific Vectors of attack.
Vectors of Attack
In order to make a phone call from a faked or spoofed Caller ID, someone has to use either an online service or a free PBX distribution like Asterisk. Using either of these tools, the user can place a call to the public phone network offering whatever caller ID the user wants. Let’s look at this as an example using Brian Krebs.
Brian lives at 123 Fake Street in Aspen, Colorado. His landline at his home is 970-555-4444.
Jeff is a wannabe hacker who doesn’t like Brian. Jeff uses a spoof calling website to make a call using his web browser to the number 911 using the Caller ID 970-555-4444. 911 answers, validates his address via a 911 lookup tool, which pulls up Brian’s information, and starts to assess the situation. Jeff says he’s being held hostage at his home at 123 Fake Street and there’s a ton of violent individuals who are heavily armed. The 911 operator validates that this is the correct address for the origination of this call and begins to work.
The astute 911 operator immediately calls in for assistance with the local law enforcement, who, based upon available information, assume the worst and send heavily armed police to the residence. This comes as a surprise to Brian who is just waking up to the sound of helicopters descending on his property.
How can we fix swatting?
There are multiple reforms coming for 911 service, they need to be expedited. Some examples of specific initiatives that should be accelerated include:
- The reform of FirstNet
- The transition to Next Generation 911
- Authorization, Authentication and Security practices with respect to 911 information
We all have a duty to protect users from these kinds of abuses. Service providers should work together alongside the Federal government to reform Public Safety service in the US because 911 cannot become a weapon.
Disclaimer: Joshua is the VP of Marketing at 2600hz, the open-source Cloud Telecom company. He is passionate about telecom, beer and human interaction. The thoughts and opinions expressed here are his own and do not reflect the opinions of his company. Any direction given here is intended to illustrate points which are already public knowledge and do not represent new disclosures. Do not use any of the information in this article for nefarious purposes, you will very likely be caught and you will very likely go to jail.