VoIP phone hackers pose public safety threat
The demand stunned the hospital employee. She had picked up the emergency room’s phone line, expecting to hear a dispatcher or a doctor. But instead, an unfamiliar male greeted her by name and then threatened to paralyze the hospital’s phone service if she didn’t pay him hundreds of dollars.
Shortly after the worker hung up on the caller, the ER’s six phone lines went dead. For nearly two days in March, ambulances and patients’ families calling the San Diego hospital heard nothing but busy signals.
The hospital had become a victim of an extortionist who, probably using not much more than a laptop and cheap software, had single-handedly generated enough calls to tie up the lines.
Distributed denial-of-service attacks — taking a website down by forcing thousands of compromised personal computers to simultaneously visit and overwhelm it — has been a favored choice of hackers since the advent of the Internet.
Now, scammers are inundating phone lines by exploiting vulnerabilities in the burgeoning VoIP, or Voice over Internet Protocol, telephone system.
The frequency of such attacks is alarming security experts and law enforcement officials, who say that while the tactic has mainly been the tool of scammers, it could easily be adopted by malicious hackers and terrorists to knock out crucial infrastructure such as hospitals and 911 call centers.
“I haven’t seen this escalated to national security level yet, but it could if an attack happens during a major disaster or someone expires due to an attack,” said Frank Artes, chief technology architect at information security firm NSS Labs and a cybercrime advisor for federal agencies.
The U.S. Department of Homeland Security declined to talk about the attacks but said in a statement that the department was working with “private and public sector partners to develop effective mitigation and security responses.”
In the traditional phone system, carriers such as AT&T; grant phone numbers to customers, creating a layer of accountability that can be traced. On the Web, a phone number isn’t always attached to someone. That’s allowed scammers to place unlimited anonymous calls to any land line or VoIP number.
They create a personal virtual phone network, typically either through hardware that splits up a land line or software that generates online numbers instantly. Some even infect cellphones of unsuspecting consumers with viruses, turning them into robo-dialers without the owners knowing that their devices have been hijacked. In all cases, a scammer has access to multiple U.S. numbers and can tell a computer to use them to dial a specific business.
Authorities say the line-flooding extortion scheme started in 2010 as phone scammers sought to improve on an old trick in which they pretend to be debt collectors. But the emerging bulls-eye on hospitals and other public safety lines has intensified efforts to track down the callers.
Since mid-February, the Internet Crime Complaint Center, a task force that includes the FBI, has received more than 100 reports about telephony denial-of-service attacks. Victims have paid $500 to $5,000 to bring an end to the attacks, often agreeing to transfer funds from their banks to the attackers’ prepaid debit card accounts. The attackers then use the debit cards to withdraw cash from an ATM.
The hospital attack, confirmed by two independent sources familiar with it, was eventually stopped using a computer firewall filter. No one died, the sources said. But hospital staff found the lack of reliable phone service disturbing and frustrating, one source said. They requested anonymity because they were not authorized to talk about the incident.
But typical firewalls, which are designed to block calls from specific telephone numbers, are less effective against Internet calls because hackers can delete numbers and create new ones constantly. Phone traffic carried over the Internet surged 25% last year and now accounts for more than a third of all international voice traffic, according to market research firm TeleGeography.
To thwart phone-based attacks, federal officials recently began working with telecommunications companies to develop a caller identification system for the Web. Their efforts could quell more than just denial-of-service attacks.
They could block other thriving fraud, including the spoofing and swatting calls that have targeted many people, from senior citizens to celebrities such as Justin Bieber. In spoofing, a caller tricks people into picking up the phone when their caller ID shows a familiar number. In swatting, a caller manipulates the caller ID to appear as though a 911 call is coming from a celebrity’s home.
Unclassified law enforcement documents posted online have vaguely identified some victims: a nursing home in Marquette, Wis., last November, a public safety agency and a manufacturer in Massachusetts in early 2013, a Louisiana emergency operations center in March, a Massachusetts medical center in April and a Boston hospital in May.
Wall Street firms, schools, media giants, insurance companies and customer service call centers have also temporarily lost phone service because of the attacks, according to telecommunications industry officials. Many of the victims want to remain anonymous out of fear of being attacked again or opening themselves up to lawsuits from customers.
The Marquette incident is noteworthy because when the business owner involved the Marquette County Sheriff’s Department, the scammer bombarded one of the county’s two 911 lines for 3 1/2 hours.
“The few people I’ve talked to about it have said that you just have to take it and that there’s no way to stop this,” Sheriff’s Capt. Chris Kuhl said.
A Texas hospital network has been targeted several times this year, said its chief technology officer, who spoke on the condition of anonymity because the individual’s employer has not discussed the attacks publicly. One of its nine hospitals lost phone service in a nurses unit for a day, preventing families from calling in to check on patients.
As the hospital searched for answers, it temporarily created a new number and turned to backup phone lines or cellphones for crucial communications. The chain eventually spent $20,000 per hospital to install a firewall-type device that is able to block calls from numbers associated with an attack.
For all the money spent on Internet security, companies often overlook protecting their telephones, Artes said.
“It’s kind of embarrassing when a website goes down, but when you shut down emergency operations for a county or a city, that has a direct effect on their ability to respond,” he said.
The Federal Communications Commission has begun huddling with phone carriers, equipment makers and other telecommunication firms to discuss ideas that would help stem the attacks. One possibility is attaching certificates, or a secret signature, to calls.
The FCC’s chief technology officer, Henning Schulzrinne, acknowledged that though such a solution is probably a year or two away, it could put an end to most fraudulent calls.
But Jon Peterson, a consultant with network analytics firm Neustar, said such measures raise privacy worries. Some calls, such as one to a whistle-blower hotline or one originating from a homeless shelter, may need to remain anonymous. There won’t be a single fix. But the goal is clear.
“The lack of secure attribution of origins of these calls is one of the key enablers of this attack,” Peterson said. “We have to resolve this question of accountability for the present day and the future.”