- Apr 24, 2013
- 1,200
The female caller was frantic. Why, she asked 911 dispatchers, hadn’t paramedics arrived to her home? She’d already called once to say her husband was writhing on the floor in pain. “Hurry up!,” she’d pleaded, as she gave the operator her address. And then she hung up and waited for help to arrive, but it never did. By the time she called back, her husband had turned blue. “He’s dying!” she cried helplessly into the phone.
But the paramedics had gone to the wrong address and couldn’t find her home. When the dispatcher cited the intersection they were currently passing, it was nowhere near her home.
When Christian Dameff and Jeff Tully set out four years ago to determine how to provide the best medical care to patients between the time a 911 call was made and the patient arrived to the emergency room, they were focused on things like the CPR coaching 911 operators sometimes provided over the phone. But as they listened to thousands of recordings of 911 calls, they discovered something equally critical to patient care: The 911 system itself. The system operates nationwide 24 hours a day, assuring the public that help is just a phone call away. But sometimes it doesn’t work as planned.
To direct first responders to a caller’s location, the emergency call system relies on a database of addresses tied to phone numbers or, in the case of wireless phones, to the location coordinates sent by the phone’s GPS chip and the cell phone tower that processes the call.
But Dameff and Tully discovered that the 911 system has several vulnerabilities that make it susceptible to failure. Dameff is an emergency room physician and Tully is a pediatric doctor. But they’re also white hat hackers who decided to team up with Peter Hefley, an IT security manager for Sunera, to identify problems within the 911 system. The trio recently presented their findings at the Def Con hacker conference in Las Vegas.
Aside from software glitches that can sometimes prevent medical help from being dispatched on time, they were concerned about the security of the address databases, populated by subscriber information from telecoms, that first responders rely on to locate victims. If a hacker could obtain access to the databases, he could alter or delete critical information that could prevent help from arriving on time. They were also concerned that a hacker might launch a denial-of-service attack preventing calls from getting through at all. Earlier this year in Washington state, the 911 system inexplicably went down statewide for six hours, preventing more than 4,000 calls from reaching dispatchers. Although the the outage wasn’t caused by an intentional attack—just an overloaded system—the consequences of an intentional hack, they realized, would be the same.
“When [911] fails or doesn’t work as optimally as it should—either through glitches or something else—the demonstrable harm is that people die,” Dameff says. “This isn’t, ‘Oh my credit card got stolen and someone charged $600 at Target.’ These are systems … designed and implemented to save peoples’ lives. It’s the definition of a critical infrastructure system.”
The minutes between a 911 call and the arrival of help are particularly critical for people in cardiac arrest. Research shows it takes an average of six minutes for first responders to arrive after such a call is placed, during which time the victim has a 50 percent chance of survival without CPR. The survival rate drops drastically with each subsequent minute that passes without help.
“We could see that that patient didn’t get timely medical care because of the glitch,” Dameff says of the call from the woman whose husband collapsed. “During that window is the most impactful time … to save their life.”
See more: http://www.wired.com/2014/08/how-hackers-could-mess-with-911/
