Recently multiple news outlets reported on Waterloo, Iowa’s Black Hawk County 911 center’s new SMS capability.
While this subject is not specifically VoIP security, considering the blending of communications methods and the importance of 911 call centers I figure that SMS in this context is fair game for a VOIPSA Blog post.
Several security implications surrounding this new 911 SMS capability come to mind:
Time Delays in SMS transmissions – we’ve all experienced some delay, from marginal to extended, when it comes to sending and receiving SMS messages. What remains unclear from reports is if the carriers supporting 911 SMS in Black Hawk County give SMS to 911 communication priority network access, either initially and/or throughout the entire SMS dialog.
Lingo – SMS messages are limited to 160 characters. As a result, acronyms and texting lingo are pervasive. Reports say the 911 operators are brushing up on their texting lingo in preparation. I sure do hope they are using decent resources, such as TLLTMSIFW, so when HIOOC comes in IDGARA is the right response.
Flooding – sending mass amounts of SMS messages could adversely affect the call center’s operations. Using pre-paid phones, bluetooth dongles and simple software, an attacker with marginal resources could initiate this kind of attack with ease. How will 911 call centers handling SMS handle floods of SMS messages? The nuisance facter here should not be underestimated; here’s some good anecdotal experience
SMS Spoofing – with the advent of various spoofing services, we’ve seen the types of attacks that can leverage spoofing. SpoofCard time and again has unauthorized access to voicemail, and still an issue with some carrier’s default user settings. We can expect to see the same issues with SMS spoofing.
SMS Swatting – will likely be a byproduct of spoofing SMS messages to 911 call centers. However, the use of SMS brings a new twist to Swatting, since the spoofed SMS message will be tied to a cellular phone, rather than a fixed landline number, perhaps leading to mobile Swatting as law enforcement will need to track the mobile phone (GPS, triangulation) to gain physical proximity the the SMS origin.
MMS – while no mention is made in the news reports about MMS support at 911 call centers, I think it’s reasonable to assume that ability to handle multimedia messages is in the works. The implications of moving from 160 characters of text to multimedia messaging with attached video/photos are dramatic. Further, this opens new attack vectors in terms of how these multimedia files are processed and accessed (think trojan Flash, PNG, etc.).
I’ve only scratched the surface here of course, but hopefully this provides some food for thought — as always, comments welcome