Lake Forest, Washington 911 center compromised.

23 October 2007

The SWAT team responsible for the town of Lake Forest in Washington state was dispatched to the house of a local family after being informed that a heavily armed drug dealer had killed at least one individual and was in possession of a large stock of distributable drugs on the premises. As one would expect, they geared up for a full assault and hit the house like gangbusters. There's one important fact which they didn't have at the time, and this fact made all the difference: the original 911 call that alerted police to this house was faked. Computer forensics technicians discovered later (after the SWAT team found nothing at all but a terrified family on the premises) that someone had cracked into their network from the outside and forged a call from one of the phone numbers corresponding to the house. 19-year-old Randall Ellis of Mukilteo, Washington was taken into custody after the 911 call center's data network was examined and evidence was gathered. They're pretty sure that he did it because SWATting has occurred in other places that he's been, and they say that he's got the skills and the chops to pull off such a stunt.

The story's thin on details: someone could have placed a convincingly faked telephone call to the local 911 call center, or someone could have cracked their network from the outside, edited records of a recently placed call, and bumped it to the top of the queue. Or someone could have inserted a fake record of a 911 call that carried maximum priority. Word of this particular incident has been scarce indeed, especially since US law enforcement doesn't want any more people getting any bright ideas: SWATting (as they're calling it) is a fairly rare prank right now, but it is certainly no longer a matter of isolated incidents. Because of this, there are some things that I'm going to leave out of this article, because I don't want anyone getting any fancy ideas, either, and wreaking havoc with them.

Faking the CID (caller identification) headers of telephone calls is not exactly simple these days but it's a known technique, and is actually pretty common if you know where to look. You could use VoIP (Voice over IP) technology to make it look like the call is coming from another number entirely, and so far as the destination(s) of the call are concerned the call looks legit. The easiest thing to use would be a softphone configured with false CID information, though it is also possible to hack an ATA (advanced telephony adapter) to do the same thing. However, when the hammer falls and Someone starts digging into the CDRs (Call Detail Records: logs that keep track of what happened during every phase of a phone call, from initiation to pickup on the other side to hangup) of the telephony switches that were used, they will start figuring out what really went on. It's a time-consuming and annoying process (even with custom-written utilities assisting) but it can be done. A major problem, however, is getting your hands on those records for forensic analysis, because they are also used to determine billing of customers, and not many communications companies are willing to make them available without a court order.

If someone doesn't want to go the VoIP route, there's a phone phreaking technique called orange boxing that can be used to fake the caller ID headers of an outgoing phone call, with much the same effect. The idea is that a phreak would generate the proper signal to blast into the phone line after the other party answered, and while they might see the real info before picking up (though dialing *67 would block it), they would certainly see the faked CID info if they looked at the LCD display. The biggest problem with this method is not generating the audio signals to play back but getting them into the phone line, because the microphones in telephone handsets are generally not of high enough quality to make it work perfectly.

Of course, the classic fix would be to crack into the telephony switches (and possibly the record keeping systems) and edit configs such that calls from a certain line are given false caller ID headers. Might be easy; might be difficult. It would depend on how skilled the cracker was and the security of the phone company in question. Along those lines would be compromising the 911 call center's network and monkeying around with things. Again, there are a lot of factors at play in such a scenario, and with the limited information they've provided in the article, there's no way of knowing.
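The CDR digging described above, for both a call that entered through a VoIP gateway with false CID and a switch that rewrites caller ID mid-path, can be sketched as follows. This is an added example, not code from the original article or from any investigation; the CSV layout, switch names, trunk names, and phone numbers are constructed, and the `ani` column (the billing number recorded by the switch) is an assumed field.

```python
import csv
import io
from collections import defaultdict

# Constructed sample CDRs, one row per switch hop. The column layout is
# hypothetical; real switches and VoIP gateways each log their own format.
SAMPLE_CDRS = """\
switch,call_ref,start_utc,presented_cid,ani,ingress_trunk,dialed
tandem-2,c1001,2007-01-01T03:14:09,4255550142,2065550199,gw-voip-1,911
gw-voip-1,c1001,2007-01-01T03:14:07,4255550142,2065550199,sip-peer-7,911
tandem-2,c1002,2007-01-01T03:20:31,4255550117,4255550117,co-local-3,911
co-local-3,c1002,2007-01-01T03:20:30,4255550117,4255550117,subscriber-loop,911
tandem-2,c1003,2007-01-01T03:41:12,4255550142,4255550133,co-local-3,911
co-local-3,c1003,2007-01-01T03:41:11,4255550133,4255550133,subscriber-loop,911
"""

def load_hops(text):
    """Group CDR rows by call reference, earliest hop first."""
    calls = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        calls[row["call_ref"]].append(row)
    for hops in calls.values():
        hops.sort(key=lambda r: r["start_utc"])  # ISO-8601 sorts as text
    return dict(calls)

def review_call(hops):
    """Report where a call entered the network and any caller ID anomalies."""
    origin = hops[0]
    findings = []
    if origin["presented_cid"] != origin["ani"]:
        findings.append("presented CID differs from billing number at origin")
    for earlier, later in zip(hops, hops[1:]):
        if earlier["presented_cid"] != later["presented_cid"]:
            findings.append(f"CID rewritten between {earlier['switch']} and {later['switch']}")
    return {"origin_switch": origin["switch"],
            "origin_trunk": origin["ingress_trunk"],
            "billing_number": origin["ani"],
            "findings": findings}

def suspicious_calls(text, dialed="911"):
    """Return only the calls to `dialed` that have at least one finding."""
    report = {}
    for ref, hops in load_hops(text).items():
        result = review_call(hops)
        if hops[0]["dialed"] == dialed and result["findings"]:
            report[ref] = result
    return report

if __name__ == "__main__":
    for ref, result in suspicious_calls(SAMPLE_CDRS).items():
        print(ref, result)
```

A mismatch is a lead for the investigator rather than proof, since a business PBX can legitimately present its main number instead of the line that placed the call.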