00:00:00.067,00:00:02.269 >>We've got a great presentation goin‚ for you uh 00:00:02.269,00:00:04.671 next generation 911 security. We're calling it the next 00:00:04.671,00:00:08.675 generation of emergency phonage. Uh myself my name is Alex 00:00:08.675,00:00:12.212 Kryline uh I'm the CTO of Secure Set, a cyber security 00:00:12.212,00:00:15.749 academy in Denver. I used to be a strategist for the Department 00:00:15.749,00:00:19.820 of Homeland Security and a researcher with Nist. I'm also 00:00:19.820,00:00:21.355 a level 8 cyber wizard. That's me this is my partner Trey. 00:00:21.355,00:00:23.557 >>I'm Trey Forgety I'm the director of government affairs 00:00:23.557,00:00:27.194 and uh they they call me the resident teenager at uh the uh 00:00:27.194,00:00:29.529 Nina the 911 association. Um >>He's got a great face. 00:00:29.529,00:00:31.932 >>We're the standards developer for uh everything 00:00:31.932,00:00:35.502 related to 911 so uh when you get found uh when you call from 00:00:35.502,00:00:38.705 a cell phone, we're the reason that's actually possible. Um 00:00:38.705,00:00:40.574 uh I'm also a former presidential management fellow. 00:00:40.574,00:00:43.577 Alex and I did very similar tours. I was at DHS, FCC and, 00:00:43.577,00:00:46.780 TIA, kind of all over the federal government. Um the 00:00:46.780,00:00:48.782 reason that I'm still into like computers and security 00:00:48.782,00:00:51.318 stuff in spite of being and I'm gonna use the official 00:00:51.318,00:00:54.421 Defcon term, a fucking lawyer. >>Fucking lawyer. >>Uh inspite 00:00:54.421,00:00:56.523 of that um. 
[crowd laughter] [laughs] the reason that I can 00:00:56.523,00:00:58.558 still be into all this sort of stuff is because in addition to 00:00:58.558,00:01:00.794 that I'm a physicist and a navigator so these are are 00:01:00.794,00:01:03.063 things that are technologies that are still very interesting 00:01:03.063,00:01:05.599 and important to me and I kinda try to keep on top of stuff. 00:01:05.599,00:01:09.569 Also a pirate, true story. [inaudible chatter] Um so a 00:01:09.569,00:01:12.372 couple of opening shots uh to we'll set the stage a little 00:01:12.372,00:01:14.041 bit. [cough] Um we're gonna talk about some [cough] 00:01:14.041,00:01:17.611 vulnerabilities in the way trust is implemented in uh next 00:01:17.611,00:01:19.980 generation 911 which we're gonna tell you all the sorta 00:01:19.980,00:01:22.749 background about first. Um there's a really important 00:01:22.749,00:01:24.985 reason that we're doing this. In the public safety community 00:01:24.985,00:01:28.188 we're very comfortable with not telling people things. Like 00:01:28.188,00:01:30.057 we you know eh everybody knows that the police department, the 00:01:30.057,00:01:32.859 fire department, they just love sharing information right? Well 00:01:32.859,00:01:36.463 911's the same way. Um the problem is in today's 00:01:36.463,00:01:38.365 information security environment. That doesn't 00:01:38.365,00:01:40.934 work. The only way you get stuffed fixed is by talking 00:01:40.934,00:01:43.971 about it and bringing people like you together to say oh okay 00:01:43.971,00:01:46.373 how can we poke at this and and figure out how it works and 00:01:46.373,00:01:48.742 break it and make it better. Um so that's why we're doing 00:01:48.742,00:01:50.510 this and you know we believe very passionately, our 00:01:50.510,00:01:53.146 organization does, that uh talking about vulnerabilities 00:01:53.146,00:01:55.682 makes us stronger and so we're gonna be doing that. 
Um this 00:01:55.682,00:01:58.819 October we're actually doing the first 911 uh cyber security 00:01:58.819,00:02:00.454 conference. It'll be in Columbus Ohio, it's gonna be 00:02:00.454,00:02:03.190 really cool. >>Same reason I tell my dates I cry in my sleep. 00:02:05.492,00:02:07.894 [laughter] >>So the, I I'm going to talk a little bit in 00:02:07.894,00:02:10.897 the first part of this uh a little bit a history. Um and eh 00:02:10.897,00:02:13.767 it's important to understand that today's 911, the 911 that 00:02:13.767,00:02:17.671 you could use to call right now is it's called E911. That's 00:02:17.671,00:02:20.540 a part of the telephone wa age. It's not a part of the 00:02:20.540,00:02:22.409 computer age and it's certainly not a part of the 00:02:22.409,00:02:25.178 internet age, it really is a part of the telephone age. There 00:02:25.178,00:02:28.181 are things here like time division multiplexing uh and 00:02:28.181,00:02:32.019 class 5 ESS switches that that that you just like people like 00:02:32.019,00:02:35.656 us don't ever wanna see in our day jobs because that just means 00:02:35.656,00:02:38.725 we're doing something wrong right? But 911, that's all 00:02:38.725,00:02:41.828 that it runs on um, and that has some consequences. So 00:02:41.828,00:02:45.232 historically, trust in the public switch telephone network 00:02:45.232,00:02:49.369 was this very sort of inherent thing. Um you had relatively 00:02:49.369,00:02:51.304 high confidence usually that the person [coughing] you were 00:02:51.304,00:02:54.341 calling was the person that you got because uh there was 00:02:54.341,00:02:57.110 physical security of the trunks uh running through conduits and 00:02:57.110,00:03:00.747 overhead cable. The signaling was very obscured [cough] um, uh 00:03:00.747,00:03:03.984 until folks like uh Cap'n Crunch, Tea Profit and folks the 00:03:03.984,00:03:06.887 the tele freaks really got into uh poking around with the 00:03:06.887,00:03:10.357 network. 
Um things like medium frequency signaling and cama 00:03:10.357,00:03:13.126 which is centralized automated message accounting which is no 00:03:13.126,00:03:16.897 joke, a paper tape protocol invented in the 1950's which 00:03:16.897,00:03:21.001 is still used to connect 911 calls today. No joke if you make 00:03:21.001,00:03:23.637 a 911 call it's probably being connected by a cama. >>And 00:03:23.637,00:03:26.940 carrier pigeon. >>That too. [laughter] Um you you also had 00:03:26.940,00:03:29.776 control plain segregation, legal protections, all these sorts of 00:03:29.776,00:03:33.280 things and that just meant you didn't have to worry about 00:03:33.280,00:03:36.516 things like, certificates and authentication and cryptography 00:03:36.516,00:03:38.685 and support that that just wasn't in the mindset and 00:03:38.685,00:03:41.822 it's still largely not in the mindset of public safety 00:03:41.822,00:03:46.426 professionals. So back in the 1968 eh eh 1960s uh the 00:03:46.426,00:03:49.396 international association of fire chiefs and ultimately uh a 00:03:49.396,00:03:51.832 big thing called the president's commision on law enforcement and 00:03:51.832,00:03:55.902 the administration of justice um got together and the really like 00:03:55.902,00:03:59.372 imagined the public safety system of the future. Here this 00:03:59.372,00:04:03.477 is a report that was issued in in about 1967 I think um, and in 00:04:03.477,00:04:07.447 in this report they actually envisioned having 911, having 00:04:07.447,00:04:10.484 computer aided dispatching, automatic vehicle location, and 00:04:10.484,00:04:13.620 radios on every cop. [coughing] That's pretty amazing at a 00:04:13.620,00:04:16.456 time when like a radio was something that you could just 00:04:16.456,00:04:19.593 barely fit in the trunk of a car. Um so it we've come a 00:04:19.593,00:04:22.395 long way and the this is kind of how we got there. 
So the 00:04:22.395,00:04:24.664 fundamental problem that we're trying to solve with all this 00:04:24.664,00:04:30.904 stuff is um who called us and where and with what? Those are 00:04:30.904,00:04:33.273 important things we need to know who needs help and how do we 00:04:33.273,00:04:36.376 find them to get the help to them and it's also important 00:04:36.376,00:04:38.645 uh for reasons that we'll talk about in a second, to understand 00:04:38.645,00:04:41.848 what [coughing] they were calling with because um the 911 00:04:41.848,00:04:46.153 system was part of the wire line world. Right? Telephones were 00:04:46.153,00:04:48.722 these big heavy metal things that sat on tables that some 00:04:48.722,00:04:51.024 nice man came and installed at your house, I've seen the 00:04:51.024,00:04:55.462 videos. Um [coughing] the that changed though in the 1980s when 00:04:55.462,00:04:59.332 all of a sudden uh uh a phone could be a 3 pound hunk of metal 00:04:59.332,00:05:02.135 that you put in the floorboard of your car and those no longer 00:05:02.135,00:05:04.571 had convenient addresses and then all of a sudden crazy 00:05:04.571,00:05:07.507 people came a long and started sending voice calls over this 00:05:07.507,00:05:10.477 internet thing that nobody knew anything about and we decided 00:05:10.477,00:05:13.346 okay well those should probably have access to 911 too because 00:05:13.346,00:05:15.682 otherwise somebody's gonna pick one up one day because well 00:05:15.682,00:05:18.251 it looks like a telephone and they're not gonna get what 00:05:18.251,00:05:22.422 they expect. 
So the world that all of this is designed for just 00:05:22.422,00:05:26.860 to kind of set the stage in your mind, in E911 the way it really 00:05:26.860,00:05:30.297 works um you've got uh when you when you establish telephone 00:05:30.297,00:05:33.867 service with a wireline phone, the phone company takes your 00:05:33.867,00:05:37.237 address from you on the service order and they validate it 00:05:37.237,00:05:39.906 against this uh maroon box called the master straight 00:05:39.906,00:05:41.875 address guide. It's a list of all the street names in a 00:05:41.875,00:05:45.512 jurisdiction and all the correct address ranges. Um they look it 00:05:45.512,00:05:47.581 up in the fixed database, make sure that it's valid and then 00:05:47.581,00:05:50.450 they record it in that purple box, the automatic location 00:05:50.450,00:05:54.087 identification database and then at call time when you when you 00:05:54.087,00:05:57.190 call in the selective router, that's just a class 5 00:05:57.190,00:06:00.660 telephone switch, it uses your phone number to dereference your 00:06:00.660,00:06:05.398 address and send that to the 911 center over typically a you know 00:06:05.398,00:06:08.201 these days uh they might be up to like you know 14 point 4 00:06:08.201,00:06:11.404 kilobit motums uh and and I I'm really not exaggerating 00:06:11.404,00:06:14.040 that that's true. A lot of these are you know old. >>Very 00:06:14.040,00:06:17.244 modern infrastructure. >>Ah >>V, V90 >>For the Bundy's. >>V, 00:06:17.244,00:06:20.614 V92's still out there. Um and and the great thing is because 00:06:20.614,00:06:24.217 of that now we you know in the early days of 911, all of the 00:06:24.217,00:06:27.821 the people in a town regardless of which was like the right 911 00:06:27.821,00:06:31.091 center, the right uh police department in those days um all 00:06:31.091,00:06:34.494 the calls went to one place. 
Which was not great because um 00:06:34.494,00:06:37.097 you you might be in the other part of the county that's 00:06:37.097,00:06:40.200 actually served by the city and so that's why this thing is 00:06:40.200,00:06:43.903 called a selective router. It can also decide hey, you're in 00:06:43.903,00:06:48.241 Robertsville not Alice Springs send that to the other PSAP. 00:06:48.241,00:06:50.277 PSAP is a public safety answering point, it's a fancy 00:06:50.277,00:06:53.346 term for 911 center. >>And this is important because what 00:06:53.346,00:06:56.283 we're gonna be talking about, this same type of logical trust 00:06:56.283,00:07:00.553 model is what's bolted onto IP networks right? So understanding 00:07:00.553,00:07:02.989 that the phone company trusts the phone company cause it's 00:07:02.989,00:07:05.759 all the phone company is really important because we didn't 00:07:05.759,00:07:08.194 change that even though it's not the phone company anymore. 00:07:08.194,00:07:10.196 >>Ya [inaudible word] >>That's where our exploitation's about 00:07:10.196,00:07:11.898 to come in. >>The the line we we actually put on the conference 00:07:11.898,00:07:14.934 CD is that uh in in the beginning there the A T and T 00:07:14.934,00:07:18.171 created the PSTN and the trust model was void and without form. 00:07:18.171,00:07:20.440 >>Hallelujah >>Because they were the phone [laughter] company 00:07:20.440,00:07:26.313 dammit. >>Can I get an amen? [laughter] [applause] >> So 00:07:26.313,00:07:28.381 there there's some problems with keeping this kind of stuff 00:07:28.381,00:07:30.684 around because if you do this and this has been talked about 00:07:30.684,00:07:34.120 at Defcon before, um static databases become vulnerable to 00:07:34.120,00:07:37.057 spoofing. 
Um if you can spoof the automatic number 00:07:37.057,00:07:40.894 identification then as provided you're sort of generally in 00:07:40.894,00:07:44.664 the same jurisdiction as the the 911 center you wanna target, you 00:07:44.664,00:07:48.268 can get a call to look like it's coming from someone else. 00:07:48.268,00:07:50.937 Um and these sorts of things have been used in like swatting 00:07:50.937,00:07:55.008 attacks um to to basically convince a 911 center that in 00:07:55.008,00:07:58.511 fact, this is Brian Krebs for example calling 911 >>Which 00:07:58.511,00:08:01.147 happened. >>But it's actually not. Um spoofing any 00:08:01.147,00:08:03.383 automatically spoofs ally this is a terrible, horrible, 00:08:03.383,00:08:05.985 miserably unethical thing to do and we strongly encourage you 00:08:05.985,00:08:08.955 not to because it makes you a terrible human being. Um the 00:08:08.955,00:08:13.026 thing is in in the the PSTN world there is no uh flag to say 00:08:13.026,00:08:15.362 hey this looks kind of suspicious maybe treat it 00:08:15.362,00:08:18.732 differently right? Um and all of this legacy equipment is getting 00:08:18.732,00:08:22.135 really expensive, everything is going over the top. Uh people 00:08:22.135,00:08:25.105 wanna communicate with RTT in videos and pictures and eh eh 00:08:25.105,00:08:28.675 electronic medical records and all this stuff and you can't 00:08:28.675,00:08:31.277 fit that over a voice channel and so that's kind of the 00:08:31.277,00:08:34.481 forcing function that is is getting us to uh NG number 1. 00:08:34.481,00:08:37.217 >>So we have a better way. >>We'll just put that on the 00:08:37.217,00:08:41.221 internet. >>Nope. >>Ya. [laughter] No but seriously, uh 00:08:41.221,00:08:43.456 a lot of people hear next generation 911, they hear that 00:08:43.456,00:08:45.291 it's IP based and they immediately say oh you're 00:08:45.291,00:08:47.927 putting 911 on the internet, how could you be so stupid? 
Well 00:08:47.927,00:08:50.897 first off, no we're not. That's not the idea. >>Almost. 00:08:50.897,00:08:53.700 >>The standards. [laughter] We're not okay? >>Okay fine. 00:08:53.700,00:08:56.302 >>Ya. >>[laughs] >>Stop trying to make the internet happen 00:08:56.302,00:08:58.605 Alex, >>Alright. >>it's not gonna happen. [laughter] So it 00:08:58.605,00:09:01.441 it's gonna be over private managed IP networks. It's all 00:09:01.441,00:09:03.843 hopefully going to be very secure um but as we're gonna 00:09:03.843,00:09:06.846 talk about in a bit, there are some reasons why things have to 00:09:06.846,00:09:10.917 work differently uh for life safety systems. So other sort of 00:09:10.917,00:09:15.021 externalities that that matter for us um carriers are walking 00:09:15.021,00:09:17.457 away from their legacy TDM infrastructure. They don't 00:09:17.457,00:09:19.559 wanna be in this business anymore because it doesn't 00:09:19.559,00:09:21.928 make money, it's expensive to maintain, it's highly 00:09:21.928,00:09:25.365 regulated. So even in places where uh you know they are 00:09:25.365,00:09:28.067 keeping up the copper network, they're no longer keeping up 00:09:28.067,00:09:31.471 the copper network for the purpose of carrying analog 00:09:31.471,00:09:34.507 voice. They're actually giving you like a DSL terminal adapter 00:09:34.507,00:09:37.010 for your house and then spitting the telephone stuff out the back 00:09:37.010,00:09:39.879 end of that. They're doing the conversion inside the home. Um 00:09:39.879,00:09:43.716 and that has real consequences because now that changes the way 00:09:43.716,00:09:46.319 that the voice the voice call part of it is being carried even 00:09:46.319,00:09:48.988 in the wireline world. 
And as I already said there are lot's 00:09:48.988,00:09:51.090 of different ways that people now wanna communicate that from 00:09:51.090,00:09:53.560 our perspective we want to accommodate because we want 00:09:53.560,00:09:56.830 people to be able to get 911 natively, the way they need it. 00:09:56.830,00:09:59.666 >>There's even a preceding right now at the FCC about PSTN 00:09:59.666,00:10:03.103 sunset right so, regardless of whether or not the carriers 00:10:03.103,00:10:05.839 choose to do this, they're gonna be required to do this in 00:10:05.839,00:10:08.508 a very short term period of time. So that's why NG 911's 00:10:08.508,00:10:12.312 very important is because it's the new standard that can sit on 00:10:12.312,00:10:15.582 top of IP based networks which is what we're rolling to but 00:10:15.582,00:10:18.585 we have to fix some things. >>Ya. Our organization and a few 00:10:18.585,00:10:21.221 others got together and formed something called the NG 911 now 00:10:21.221,00:10:24.958 coalition and uh basically our goal, you can find us at NG911 00:10:24.958,00:10:28.428 dot org. Our goal is to have NG911 rolled out nationwide by 00:10:28.428,00:10:31.364 the end of the year 2020. That's really aggressive and 00:10:31.364,00:10:33.933 it's gonna be hard but we're pushing hard with congress, the 00:10:33.933,00:10:36.836 FCC, the carriers, everybody to, to try and get that done because 00:10:36.836,00:10:40.707 we we need it badly. >>So what's the purpose for you 00:10:40.707,00:10:42.642 wanting to do this right? Because now we're starting to 00:10:42.642,00:10:46.146 transition into a okay well we know we have to move to this new 00:10:46.146,00:10:49.449 thing because the PSTNs going away but there are lots of 00:10:49.449,00:10:52.785 things that we could do to just preserve PSTN functionality on 00:10:52.785,00:10:55.989 on an IP network right but the thing that's also driving it 00:10:55.989,00:10:59.893 is a desire for shiny new toys. 
We want things like dyn dynamic 00:10:59.893,00:11:03.296 location based routing which we will very much talk about in 00:11:03.296,00:11:06.733 just a moment. Uh we want failover ease and the ability to 00:11:06.733,00:11:08.968 transfer calls to the appropriate public safety 00:11:08.968,00:11:11.137 answering point on a >>It's tough when it's hardwired 00:11:11.137,00:11:13.273 >>Ya, on a really dynamic basis cause the telephone's 00:11:13.273,00:11:16.609 hardwired. Uh we wanna be able to do mobile public safety 00:11:16.609,00:11:19.512 answering points. We want virtualized public safety 00:11:19.512,00:11:22.215 answering points. So imagine we have a hurricane and all the 00:11:22.215,00:11:25.118 public safety answering points are blown away. Okay, cool. So 00:11:25.118,00:11:28.555 understanding that that happens then how do you respond? The way 00:11:28.555,00:11:30.924 you respond is by spitting up a new public safety answering 00:11:30.924,00:11:33.693 point but remember that we have this problem with trust in the 00:11:33.693,00:11:37.864 PSTN right? Because we're not the phone company anymore. Now 00:11:37.864,00:11:40.633 we're lots of different organizations who all want equal 00:11:40.633,00:11:43.703 privileged access. That gets into some really interesting 00:11:43.703,00:11:48.441 problems. In NG 911 while it is absolutely necessary, it is 00:11:48.441,00:11:51.678 still totally The Jetson's on some level because we haven't 00:11:51.678,00:11:54.480 quite figured out how to do the thing that we really wanna 00:11:54.480,00:11:57.650 accomplish. So I'm going to talk about for just a moment the 00:11:57.650,00:12:01.955 I3 architecture. This is done by Nina, big shout out. I3 00:12:01.955,00:12:05.291 architecture has basically 3 different types of components. 00:12:05.291,00:12:08.728 The first component is uh the carrier service environment 00:12:08.728,00:12:11.297 right or rather the originating service environment. 
These are 00:12:11.297,00:12:13.633 the carriers like A, T, and T, Verizon, T-Mobile, Sprint, 00:12:13.633,00:12:18.504 Comcast, everybody else who dials into the emergency 00:12:18.504,00:12:22.442 services IP network or the ezzy net. That's that cen central 00:12:22.442,00:12:24.677 big blue >>The fluffy cloud. >>The big blue cloud on the 00:12:24.677,00:12:27.146 screen. >>Ju just to be clear, it's uh it is the carrier's, 00:12:27.146,00:12:29.282 he's absolutely right about that. The cool thing is, with 00:12:29.282,00:12:31.951 NG911 it's no longer just the carriers. >>That's right. >>So 00:12:31.951,00:12:36.923 if Facebook and Whatsapp want to send emergency traffic to an 00:12:36.923,00:12:39.993 NG911 system, and they're using the ITF standards for how 00:12:39.993,00:12:42.195 you do stuff like that, they can absolutely do it and it will 00:12:42.195,00:12:45.164 work fine. >>Totally but remember, now we have new 00:12:45.164,00:12:48.668 service providers who are not traditional telcos, who are 00:12:48.668,00:12:52.939 now able to associate traffic with a 911 environment right? 00:12:52.939,00:12:56.109 Like, whos whatsapp? Who who knows who they are? Do, do we 00:12:56.109,00:12:58.845 know? You? Well you all have the app but have you have you talked 00:12:58.845,00:13:02.915 to CEO of Whatsapp? No you're not gonna do that. So um so this 00:13:02.915,00:13:05.385 get's to an interesting question of like how do we 00:13:05.385,00:13:08.054 validate trust end to end right? Because this is what we're 00:13:08.054,00:13:11.391 about to exploit. What's the uh the third part of this of 00:13:11.391,00:13:14.694 this architecture are these legacy and next generation 00:13:14.694,00:13:18.164 public safety answering points right? So ultimately what the 00:13:18.164,00:13:21.067 duration of this talk is gonna focus on is the association 00:13:21.067,00:13:23.936 between those public safety answering points and that ezzy 00:13:23.936,00:13:27.407 net right? 
The emergency services IP network. So let's 00:13:27.407,00:13:29.609 talk >>Uh I >>Ya? >>just real quick, I wanna give a shout out. 00:13:29.609,00:13:32.145 The national highway traffic safety administration operates 00:13:32.145,00:13:34.981 uh the national 911 office. Which is it's really 00:13:34.981,00:13:37.483 unfortunate with within our government there is like one 00:13:37.483,00:13:39.752 person with a handful of contractors >>Ya >>Who's role 00:13:39.752,00:13:41.888 it is >>And she's a boss >>She's awesome, Laurie 00:13:41.888,00:13:44.490 Flaherty. Uh they actually put this diagram together. They're 00:13:44.490,00:13:47.527 they're great for this stuff um so big shout out to Nitsa and 00:13:47.527,00:13:50.329 the national 911 office for that. >>Thanks Laurie. [laughs] 00:13:50.329,00:13:52.799 So let's talk protocols for a minute. So cause this is really 00:13:52.799,00:13:55.301 what we're gonna be exploiting the next couple of slides. We 00:13:55.301,00:13:57.570 have this thing called the ESRP or the emergency services 00:13:57.570,00:14:00.373 routing protocol. This is basically a sib proxy right? 00:14:00.373,00:14:03.209 Handles all sib traffic that's initiated with inside of the 00:14:03.209,00:14:06.746 ezzy net. The second piece that we have is this emergency call 00:14:06.746,00:14:10.817 routing function or the ECRF. This determines the best or most 00:14:10.817,00:14:14.287 appropriate piece app not necessarily >>Not the nearest 00:14:14.287,00:14:17.056 >>Not necessarily the closest but the most appropriate right? 00:14:17.056,00:14:19.158 So like if you're you know can you give a use? Can you give a 00:14:19.158,00:14:21.894 use case about where one wouldn't be the closest or the 00:14:21.894,00:14:24.797 most appropriate? 
>>A perfect example of this, if you are uh 00:14:24.797,00:14:27.800 standing right near the, the border between 2 counties um one 00:14:27.800,00:14:30.536 county has its 911 system literally directly across the 00:14:30.536,00:14:34.574 line within like feet of you but you're here. The people that 00:14:34.574,00:14:36.609 respond, the people that are supposed to answer that call are 00:14:36.609,00:14:39.412 your county's 911 center. It may be farther away >>Clear 00:14:39.412,00:14:41.380 across the state >>But it's still the right one because 00:14:41.380,00:14:44.083 you're inside it's service contour, which gets important in 00:14:44.083,00:14:46.819 a minute. >>So then the last piece we have is the policy 00:14:46.819,00:14:49.655 routing function which really defines the non geographic 00:14:49.655,00:14:53.059 assets of routing right? Like ss you know flag these calls, send 00:14:53.059,00:14:56.295 all these calls to this one public safety answering point 00:14:56.295,00:14:59.332 cause they have like special analysts or you know uh 00:14:59.332,00:15:01.934 telecommunicators who are there who are the 911 call takers 00:15:01.934,00:15:04.537 right? Somebody who might be specially trained in some sort 00:15:04.537,00:15:07.607 of methodology. Um and then the last one is icam which we all 00:15:07.607,00:15:10.443 know, identity credential access management. So these are really 00:15:10.443,00:15:14.347 the 4, the 4 different pieces of the network that we're gonna 00:15:14.347,00:15:17.150 interface with. So, what's the trouble with trust? This is a 00:15:17.150,00:15:20.453 really important piece because what we've done is we've 00:15:20.453,00:15:23.589 talked about is we took this legacy methodology of trust from 00:15:23.589,00:15:28.094 the PSTN, we laid it on the IP network. Remember that all calls 00:15:28.094,00:15:32.298 under all circumstances must reach 911, even if the 00:15:32.298,00:15:37.336 authentication fails. 
Everything has to go through. Why? Because 00:15:37.336,00:15:40.273 no if if if something happens, we wanna make sure that 00:15:40.273,00:15:42.141 somebody's taken care of. We've got a great quote on 00:15:42.141,00:15:45.211 this in a second. >>It it it's just not acceptable to say 00:15:45.211,00:15:47.914 we're sorry your certificate is expired, please hold and 00:15:47.914,00:15:50.349 bleed to death. [laughter] that that's >>And we'll have 00:15:50.349,00:15:53.753 someone with you in a wait time of 5 to 10 minutes. Um but the 00:15:53.753,00:15:56.722 the interesting part here is what we've built underneath of 00:15:56.722,00:16:00.993 this model of all calls must go through is a fail working model. 00:16:00.993,00:16:03.496 And that fail working mode is really important and it's what 00:16:03.496,00:16:06.465 we're about to talk through the exploitation. >>Ya. So this 00:16:06.465,00:16:10.036 is I I'm personally very proud of this I I I this um I would 00:16:10.036,00:16:12.605 love to say this was intentional and I hacked Defcon knowing that 00:16:12.605,00:16:15.741 someday I would give this talk but that, that's total BS. 
Um, 00:16:15.741,00:16:18.578 but 2 years ago I asked Bruce Shiner a question about how do 00:16:18.578,00:16:23.182 we uh get folks to uh how how do we drive adoption of secure 00:16:23.182,00:16:25.852 communications technologies by making sure that access to 00:16:25.852,00:16:29.422 emergency services which for mo people experiencing some kinds 00:16:29.422,00:16:31.724 of emergencies it it's really important you know if you're 00:16:31.724,00:16:34.493 being abused uh if if the you know you have a medical 00:16:34.493,00:16:36.896 condition you don't want other people to know about that, we 00:16:36.896,00:16:39.332 have to keep up trust and and Bruce thought about it for a 00:16:39.332,00:16:43.502 second and he said you know um uh it if there's some reason 00:16:43.502,00:16:46.505 the PKI doesn't work, if there's some reason the 00:16:46.505,00:16:50.810 fucking PKI doesn't work, I want to fucking talk to 911. 00:16:50.810,00:16:53.913 >>Amen. [laughs] >>And I guarantee you, everybody feels 00:16:53.913,00:16:56.148 that way right? I mean you don't ever wanna hear we're 00:16:56.148,00:16:58.818 sorry the OCSP server is offline you can't call 911 today. 00:16:58.818,00:17:02.822 >>Merp >>That that's not that's just not okay. Um so 00:17:02.822,00:17:05.057 that has consequences though. Uh it you know in military 00:17:05.057,00:17:07.326 communications, in financial communications, in literally 00:17:07.326,00:17:10.062 everything else we do, if the authentication fails, with the 00:17:10.062,00:17:13.199 or the encryption fails we say don't handle that traffic 00:17:13.199,00:17:15.601 because it's you know it it's not good, we don't want 00:17:15.601,00:17:17.970 it, it's potentially malicious. In 911, that's not 00:17:17.970,00:17:20.873 an option for us. We don't get that privilege so, we have to 00:17:20.873,00:17:23.876 work around it and that has real consequences for uh 00:17:23.876,00:17:26.946 vulnerabilities in deployed systems. 
>>So we're gonna talk 00:17:26.946,00:17:29.482 through what our methodology was for exploitation of the 00:17:29.482,00:17:33.452 emergency services IP network and and basically that side of 00:17:33.452,00:17:37.523 the of the architecture for NG 911. So when we wanted to do our 00:17:37.523,00:17:41.360 research here, we focused on um, not necessarily low hanging 00:17:41.360,00:17:44.297 fruit but the hard to solve problem. Cause the hard to solve 00:17:44.297,00:17:47.366 problem here is how do we make sure that all calls go through 00:17:47.366,00:17:49.802 and quite frankly we haven't figured that piece out and 00:17:49.802,00:17:51.604 that's why we're here cause we're gonna talk about our 00:17:51.604,00:17:55.308 exploitation. What we did figure out though is how to use the 00:17:55.308,00:17:59.011 fail working model to our nefarious advantage. So I'm 00:17:59.011,00:18:01.681 gonna talk through the steps that we took. The first one was 00:18:01.681,00:18:04.850 we exploited the underlying cryptographic vulnerability in 00:18:04.850,00:18:07.653 uh the current implementation of the standard, not in the 00:18:07.653,00:18:11.123 standard itself. We'll talk through that. Uh two, we got 00:18:11.123,00:18:14.493 commanding control inside of the ezzy net. We were able to forge 00:18:14.493,00:18:17.797 to the location coordinates for both where our public safety 00:18:17.797,00:18:20.466 answering point is supposed to be in the world and thus it's 00:18:20.466,00:18:23.903 also it's inherent service contour but also, where all of 00:18:23.903,00:18:27.173 your calls are supposed to come from is very different from 00:18:27.173,00:18:29.976 where we tell the ezzy net where they're actually coming from. 00:18:29.976,00:18:33.479 Um, we were able to setup a denial of service attack to DOS 00:18:33.479,00:18:36.315 the other public safety answering points and capture all 00:18:36.315,00:18:39.719 the failover traffic. 
So in 3 different ways we figured out 00:18:39.719,00:18:43.289 how to subsume all of the possible traffic so we get all 00:18:43.289,00:18:48.427 of the calls. So all calls flow to basically my uh laptop. 00:18:48.427,00:18:52.264 Important caveat. [laughs] Very important caveat. We did not do 00:18:52.264,00:18:55.368 this in the world so I'm not going to jail for Defcon sorry 00:18:55.368,00:18:58.637 guys. Uh, [chuckles] I'll put was we did this at a research 00:18:58.637,00:19:01.507 lab. We went to Texas A and M University, to the internet 2 00:19:01.507,00:19:04.377 lab. They were incredibly cool to have us we're gonna give a 00:19:04.377,00:19:07.646 huge shout out at the end for them uh but I wanna note that 00:19:07.646,00:19:09.648 there are some really important things here. This is a lab 00:19:09.648,00:19:12.018 environment, it's not a production environment so things 00:19:12.018,00:19:13.986 are gonna operate differently. They're both neater and 00:19:13.986,00:19:16.856 cleaner in some areas, they're [laughs] also way more fucked up 00:19:16.856,00:19:20.726 in other areas right? The the other piece of this though is 00:19:20.726,00:19:23.796 that the some of this is just the way that the software is 00:19:23.796,00:19:26.132 currently implemented and cause it's not running in a 00:19:26.132,00:19:28.567 production environment, some of the things we were able to do, 00:19:28.567,00:19:32.672 we don't know if they'll fix in production. So we figured out 00:19:32.672,00:19:34.840 what those really awful things really were like read write 00:19:34.840,00:19:38.377 privileges and uh [chuckles] privileged escalation and figure 00:19:38.377,00:19:41.247 out [chuckles] then how to take those and go back to the vendors 00:19:41.247,00:19:43.149 to help them make a more secure solution. >>And and I'll just 00:19:43.149,00:19:45.885 point out there, that a lot of this. So there are a lot of NG 1 00:19:45.885,00:19:47.887 systems that are deployed today. 
They're sort of transitional. Um and so some of these things you probably could go and do if there was something attached to those other than like analog voice channels, but there isn't.
>>There's not.
>>So you know, you eh eh yeah, it's kinda hard to, you know, pop certificates over uh uh over TDM voice.
>>Ya so this is not a 0-day talk, sorry guys. So let's start with our first step, exploitation of certificates. So NG911 uses certificates to assure trust so they're not just letting people play in fire. Um there is in the standard a requirement for a certificate authority but
>>It's called the PSAP Credentialing Authority and due to reasons mostly involving money uh it doesn't exist yet.
>>Womp womp. Uh so while it calls for that certificate authority, they're actually today just using self-signed certificates. [crowd boos] Wooh! Boom. [laughs] [crowd laughter] So uh, here's the problem with self-signed certificates. Uh you can do easy certificate exploitation so, let's walk through the methodology. So we start by getting on the wire with uh SSLstrip, Sid Vicious, uh Wireshark and a few other tools. We see the cert as it floats by on the wire, we pull it down, we malform it and as you'll see in line 6 uh, the certificate says maximum pwnage. That's really interesting.
>>That can't be right.
>>No way that's autogenerated.
[laughs] So we now supply our self-signed certificate to our own virtual public safety answering point, right? So we have access to a virtual one cause Texas A&M was cool enough to give us one, but you can also go out and get them because they exist, because we want emergency response to be dynamic. So we have this public safety answering point, we have our own certificate, we have all the drivers, we've got all the ports correctly configured, we associate it with a network, and what happens next? Boom goes the dynamite. We're now authenticated to the emergency services IP network, or the ESInet, in equal privilege to everybody else. It accepts our certificate and now we're on, and what happens? SIP sessions start moving because load balancing is inherent in the network. We don't have to do anything but provide the network our base geolocation coordinates to start getting traffic. So we've invented a bullshit PSAP. We've supplied the ESInet with a bullshit certificate and we already start capturing 911 calls. But after we do this, because I'm a special brand of interesting person, I wanted to do 2 different types of geolocation attacks. The first one is I wanted to see if I could move my PSAP. So why would I wanna do that? Uh so I've got this rogue, ya know, it's like a rogue base station attack basically.
You wanna put the victim in geolocation to your infrastructure. So I moved my infrastructure to be in geolocation of whatever I wanted. So in this circumstance, right? The ESRP uses this function called LoST, the Location-to-Service Translation, and it requires uh the uh ECRF, um sorry, to use the location data interface to figure out where I actually am. Do you wanna?
>>Ya and the cool thing about this is like NG911 is designed using these uh like awesome IETF standards track uh things like uh LoST and HELD, um and uh devices called forest guides that make it possible for your gadgetry to figure out where you are, for the network to figure out where you are, and then to communicate that information, uh we hope securely, to an NG911 system. Um for the part they're talking about here though, they also use something called GIS, geospatial information systems, um to define the service contours of 911 centers.
>>That's right.
>>This is, all of the calls within this polygon go to this center and here's the IP address of its uh border controller.
>>So we switched our service contour to move from Texas to Bally's Paris hotel, giving Defcon its very first PSAP. So [laughter] all calls in our part of Texas, where we actually are, are now received in Defcon, basically by my laptop. Not particularly cool.
The other part though of this attack, and this is the other interesting part, is we were able to forge the geolocation of inbound calls. So it's one thing to change the geolocation of the public safety answering point, it's another thing to write a short script and run it on top of the ESInet that says put all inbound calls into a 10 meter radius of the middle of my service contour. So we grab
>>[inaudible words]
>>They have nowhere else to go. We grab all traffic even if we're not able to get to this level of exploitation, right? Even if, for some reason, there's something on the network that senses that that's bullshit, that's not your geolocation, you're not supposed to be the correct PSAP, right? It doesn't matter cause on the other side, if we're able to attach at all we can direct all the calls to us anyway.
>>In fact if we wanted to we could selectively, uh, we could basically man in the middle uh your PIDF-LO, Presence Information Data Format Location Object. That's the thing that the location information server sends into the 911 center to say here's where the caller is.
>>Yep.
>>Um we could actually man in the middle that, alter it, and then the forest guides will tell uh your carrier network to send the call somewhere else, basically somewhere of our choosing.
Um and we didn't write that up here but that's certainly another way you could, so, this very simply because the PIDF-LOs are not signed.
>>Ya.
>>The carrier doesn't have to sign that to say this person is actually where I assert that they are.
>>Or you could, for a single phone number of an inbound caller, you can track and identify an actual individual and you can make their call, not all calls, just that one call, go to the public safety answering point you want.
>>Anybody see Ocean's Eleven?
>>Cause it was filmed here in Vegas.
>>I mean that
>>[laughs]
>>that essentially happened. They had to like physically tap something to do that.
>>Yep.
>>Uh because of the nature of the 911 network, but that wouldn't be required
>>Right.
>>In this. You could just say uh any 911 calls from within, uh I think it was the MGM Grand in
>>Yep
>>that case. Please bring those to us.
>>Totally. So not having Brad Pitt and George Clooney at hand, we also had to figure out a failover vulnerability. So when we talk about this fail working model that we discussed previously, with all calls must go through, we're gonna show 2 use cases. The way it's supposed to work and then the way we made it work.
So when we did the failover vulnerability we have this uh you know basically public safety answering points, so this is the NG911 function running on top of the ESInet. You have a good public safety answering point. This is like the legit good dudes, they're supposed to be there, they start connecting, right? They exchange their certificates, they're all copacetic, they start getting SIP traffic. We have another good public safety answering point, right? Because we have multiple public safety answering points in a state, cause these are the 911 call centers, so there's like 50 or whatever. Um you know sorry for being a little flippant about the number but you know it depends on the state. And so what happens if we now sever this line of communication? Well if they drop the session, the good PSAP goes away and it fails over to the other good PSAP. Right? That's good. We want that to happen. In a hurricane, one public safety answering point gets knocked out. They lose power, something happens, it rolls over, calls get balanced, all calls still go through. What's the other way that this could work? Well, we used this attack called VoIPER. Straight got it off GitHub. I'm not gonna invent like I wrote the code. Uh but so we used the VoIPER attack to go after the quality of service of the SIP connection between this bot, this cloud. Ooo the cloud.
And the good PSAP, right? So we have the public safety answering point, you know, just like we did in our last one, and it connects over here, but then we also have our evil PSAP. Ooo. And so our evil PSAP uh initiates a SIP attack using VoIPER against the quality of service of that connectivity between the NG911 function on the ESInet and the good PSAP. And so when it starts doing that, what we're able to do is turn that good PSAP, cause we're cutting off its line of communication, cause we're fucking with QoS, right? Into a sad PSAP. And now that we have our sad PSAP, we get all the traffic.
>>All your 911 calls are belong to us.
>>Boom. [laughter] So why would we do this? Right? It's cool to be able to do this in a lab, but why is this actually important beyond the fact that we're looking to bring people into the security research field on this? Well it's important to understand who the threat actors for these things would be. So, I mean it's one thing to be able to like, invent some cool vulnerability, but like if no one's gonna use it then so what. Well, [laughs] the ultimate reality here is that this is the tomfoolery and trickery of the criminal element, right?
You get em to look the other direction, then you punch em in the neck, and the way that we do that here is we think through a circumstance in which you would have someone or a group of people who would work, for example, in the criminal element like organized crime, um or others who would wanna be able to do things like rob a bank. Capture all the 911 calls from people saying the bank is being robbed and just basically move them to /dev/null. And at the end of what we've done here basically is we figured out how people would choose to use 911 as a veneer, right? The comfort that people get when they call 911, and take that availability away from them, and you could easily imagine people wanting to do this in multiple fields. Um and because basically what we've done is use the system redundancy against the network itself, we have been able to express the same type of tactics, techniques, and procedures that we would expect from the criminal element.
>>And I'll point out, let me give you kind of a hypothetical example of like where and why this could matter. So one of the big like sexy use cases for NG911, uh if you remember the Christmas Day bombing attack from New York City, um that was stopped because someone called 911 and they said there's this creepy looking white van, here's the license plate, blah blah blah. That's great, that works.
Creepy looking white van, it's a Ford, license plate etc. It would be much better for us and the public safety community if the person making that 911 call could instead simply snap a picture of the creepy looking white van
>>That's right.
>>and send that to us so that we can then decide okay, is this relevant? Yes, great, push it out to the cops on the street, go after this creepy looking white van. Because that stops uh you know, I had a buddy that got you know yanked out of his truck and thrown to the ground with you know guns to his head, basically because he was driving a truck that looked like one of an armed robber. Um you know with photographs it's harder for that to happen, um hopefully, but somebody could easily, in a circumstance like that, alter uh that information. If they were lurking, the attacker could've said okay, I see that photograph coming across the wire, let's make the white van a red Tercel.
>>Ya. So I mean you can fool with the integrity and availability of these systems, but what's important to understand is it's not just a 911 network. It's a critical infrastructure network. Like these are things people use, that we all pay money for, that's supposed to work, that we're supposed to be able to rely on, and that's why you have to do vulnerability research in these areas. But, not all is lost. There are mitigations. Trey?
>>Yes.
So, um we talked earlier. My organization, we're the standards developers, and the great thing is we do actually have uh a small number of very dedicated, very knowledgeable people um on uh IP networking and uh IETF standards and security to some extent. That's probably our biggest limitation right now. Um they come up uh with 2 things. Both the i3 standard, that's the standard with how you do NG911. Um it has tons of security related uh functional entities and protocols and so forth baked in. The border control functions uh do
>>Yep.
>>special things. The routing proxies do things, you know, we mark suspicious traffic. All that sort of stuff. Um but then on top of that they actually published another standard called NG-SEC. That's the security standard for NG911. I will tell you it is good, it's not great. It's not done. It is a wonderful document as it is.
>>Yep.
>>But there are tons of things that the public safety community has not yet thought about to put in there, because we've never had intrusion detection before. What're you gonna detect, the pizza guy called instead of you know a 911 call? That doesn't help. Um we've never had a lot of these security related things that we're gonna have to have now, and so just knowing about it enough to put it in a document is like step one.
>>Right.
>>For our community. It's very important. Um we have the ability, as I said, in the standard to mark unauthenticated traffic as suspicious, um and now with some of the recent rule changes by the FCC we should have um much better capability to use reputation scoring for phone numbers and things like that to make decisions about okay, do we think this is likely to be a nefarious call uh from the media standpoint? Um we mentioned the PSAP Credentialing Authority, the special CA.
>>[clears throat]
>>Um that does not exist yet, but uh there is an RFP being put together for that and I've looked at uh what I hope and pray will be the final version I have to edit um last week, and so it'll be about another 2 months I think before the RFP goes out for the CA. Which is a good thing, but we also still have to figure out how to pay for it, because you know in the public sector everyone is so flush with cash that they just, you know, have tons of it lying around. Um, not really.
>>Depends on which state but ya, not really. [laughs]
>>Um and for now, there's this sort of inherent mitigation, which is that even though most of the carrier networks are now natively IP SIP, you know, VoIP basically.
Um and even though there are NG911 systems out there that are natively IP and SIP, in the middle everything is getting converted to TDM to go over like one set of trunks and use one particular switch so that it can still get to the place where it's just gonna be turned right back into what it was to start with. Um which is not terribly efficient, but it is sort of a security protection, because turning your traffic into TDM first like breaks a lot of the stuff that we talk about here, because none of the IP stuff actually makes it out the other end.
>>Plus, even if we wanted to get away from the technical side of things, right, like if you're a public safety answering point, and you normally get like 80 calls in an hour, and you get no calls for like 3 hours, you can probably start to imagine that there's something not right. So there's like, if you're just a smart person you'll figure out that you're under attack, depending on what the nature of the attack is, and you can then contact your system administrator on line 7. Uh or you could contact any of the people who run the emergency services network and they can begin doing some sort of analysis or forensics to determine these things.
So these are bad things that absolutely, 100 percent can happen today, but we have a reasonable expectation that by getting people who are smart together in a room and working through it that we'll get there.
>>Also, the process you just talked about can be automated actually.
>>Right.
>>There are people right now looking at, um, so it turns out that the 911 call is exceptionally uh regular. Uh we see it uh beautifully in terms of like the flow by time of day, day of week etc. Um and so you can start to automate things like around uh okay, am I getting far more calls or far fewer calls than I should reasonably expect at this time, and
>>Standard deviation. [laughs]
>>ya. So we'll leave, oh sorry, I got a couple more mitigations here um. First off we could start having, we talked earlier that the location objects are not signed. We should absolutely be signing those. Um and that's actually gonna be part of a future revision to the standard, we think.
>>Yep.
>>Um same thing with uh PSAP service contours. Those should be signed as well once the CA exists. Um we can start to do some things like low level sanity checking.
We can say if the GPS chip in the cell phone says it's in Texas, um and it's showing the call as being uh presented at a uh PSAP in Las Vegas, well okay, there's a mismatch there and we should find out why that's happening, unless we intended it to. Um and we can also do things like, we can say um uh if this is attached to a cable modem that's in Kansas, then uh the call should not be showing up at a PSAP that's in Florida. So we can start to do some of the database stuff that we do today to kinda sanity check some of this. Also implementing TLS for all the HELD lookups is really important.
>>Go RC.
>>Again that depends on uh, that depends on the CA again. So we'll leave you guys with a couple parting shots um, as we said before, it's really vital that 911 always work for everyone because lives really are at stake. Um and there's a lot of work left to be done to make sure that all of these things are secure to start with and become even more secure down the line. So one of the big reasons that we uh put in to present this year was to basically put out a call for help, to say our community in public safety, we're not as unfriendly as we seem sometimes. We desperately need the folks in this room um to be part of the community. And one of the ways you can do that is by joining us at dev.nena.org.
That's our standards development uh portal, for those of you who have used covey before, it's a covey site. Um and uh we would love to have you if you wanna actively participate, that's where to sign up.
>>It's like, it's a little scary given the pervasive nature of 911, that this is probably the largest group of security professionals that's ever been involved at all in this type of security research, right? Like that should scare people, right? [laughs] Like it's not a good idea that 2 knuckleheads are the guys that are leading research on this. Um and so we'd ask you to do, if you're interested in this, if you have like a persistent interest in NG-SEC and 911 security, tonight at 4 pm at Burger's we're gonna be holding a meet up. Uh where uh I will personally pay for one round of drinks for half of you. Depending on the number of people who show up. [laughter] Uh haha [laughs] so come for the beer and the jokes and the conversation, but we wanna start a community of people who actually get involved in research on this. You can make a legit difference and we're here to support that.
>>Also, shameless self promotion, we will have uh the first ever 911 uh security conference this October. It's gonna be in Columbus, Ohio, that garden spot.
Um and uh we'll have at least 4 or 500 uh security pros, or mainly public safety pros, we're gonna be talking through some of these issues. So we'd love to have uh anybody there that can join us.
>>So shout out to our team. We had a couple of people who helped us out. Tom Blackard with team SecureSet, Jake Nelson with team SecureSet, and with team Texas A&M University uh Walt Magnussen and this really awesome little network nerd uh Derek Lad who just made it hop, so cheers to them. So now
>>I have one personal shout out
>>Yep, please.
>>This was not in script. So um 2 years ago I came here as a total noob. As a fucking lawyer, as someone who had no business at all being at Defcon, and the guy
>>It's true
>>Back here from Queercon brought me in and they are my family now. They are wonderful, these badges are the coolest thing you will ever see at Defcon [applause] [cheers]
>>Right on! [applause]
>>A big hand. So thank you to you guys for getting me up here. [applause]
>>So, now is the dangerous part of the talk. We open to comments, prayer requests, song dedications but
>>No smug assertions of infosec superiority.
>>Amen.
>>So there should be microphones, I think, some place. There's one down here. One over there some place. [inaudible voices]
>>Go up to the mic and ask question, kay.
>>Hello um, since the HIPAA standard actually deals with 911 and emergency centers, where the patient cannot die simply because your computers aren't up, uh I was wondering how much have you actually looked at, and it's really scary if you actually consider uh um emergency room security and improvement, but actually it might be. How much of that standard have you actually looked at versus trying to reinvent the wheel?
>>So um eh HIPAA applies in some very specific and relatively narrow circumstances. There are certain types of information in certain types of transit that have to be protected certain ways. Um the objective of the i3 and NG-SEC specs was to make sure that that was at least a minimum, um so that we're not trying to reinvent the wheel um. A lot of that should be baked in now, personally, because our organization just this past year, we did the first ever NIST gap assessment uh of a 911 center. And uh what we found was frankly somewhat terrifying, um because uh it looked like basically a house with no windows and no doors and maybe only part of a roof that was mostly on fire. Um and [laughs] so uh we're a little bit scared about where that is.
Um we have had just this year about 6 or 8 hit with ransomware, and thankfully those guys were just interested in getting paid, but they would have equally been interested in taking people's data. Um and so we're very conscious of the need to protect uh sensitive health information.
>>Well no, uh I was thinking it in more of a strategic level here for a second, because I've been making the case, like the risk management in a case with a doctor. I mean the risk management case is you're not gonna die in 15 minutes. We're fine, what's the risk? Okay, and the information security case says okay, they're not gonna die in 15 minutes, why would you spend 1,000 dollars on security versus a heart monitor? Okay uh and that's the risk management case really that you're facing. Which is
>>So we should absolutely talk about that but I want
>>Ok
>>[inaudible words] So catch up with us at 4 o'clock at Burger's and we will definitely talk about that.
>>Who's next? This guy.
>>I've got a question prefaced with an explanation for you.
>>Go for it.
>>Um my question is how robust is the load uh distribution and uh PSAP spin up process?
>>How, what was it?
00:40:47.245,00:40:50.581 >>How robust is it in NG911 and the reason that I'm asking 00:40:50.581,00:40:54.953 that question is that uh there was a fantastic 101 on thursday 00:40:54.953,00:40:59.824 regarding uh virtual PDX switch uh sip access and being able to 00:40:59.824,00:41:05.596 spam a phone number with a shit load of phone calls. So if say a 00:41:05.596,00:41:09.400 person who want to cause chaos in a certain town could by 500 00:41:09.400,00:41:12.737 sip lines and then spam 10,000 calls an hour. >>So so nevermind 00:41:12.737,00:41:15.673 NG911 at all. Forget that exists for second. We're just in 00:41:15.673,00:41:20.178 today's E911 world. The average 911 center has a grand 00:41:20.178,00:41:24.849 total of 5 or 6 inbound trunks. You pop one enterprise 00:41:24.849,00:41:28.152 callmanager at a small business, not even a medium business. 00:41:28.152,00:41:31.889 >>Yep. >>You can overload a region. Um easily and that is 00:41:31.889,00:41:34.258 the and we don't have any way to defend against that. Like 00:41:34.258,00:41:37.362 there's no you know it it get's difficult and terrifying 00:41:37.362,00:41:39.230 and and so I you know we we don't know what to do about 00:41:39.230,00:41:41.399 that yet. >>And I'd I'd also say if >>Don't do that >>So 00:41:41.399,00:41:44.602 if you go if you [laughter] ya right? So and remember it's 00:41:44.602,00:41:48.339 just a lab environment but uh computationally uh it's a spin 00:41:48.339,00:41:51.542 up uh a virtual piece app so that took that took about an 00:41:51.542,00:41:55.213 hour and a half to get that, to get that set. Um but like that 00:41:55.213,00:41:58.883 thing eats like a hog right? So if you throw enough traffic at 00:41:58.883,00:42:01.085 it, not just from like uh a telecom denial of service 00:42:01.085,00:42:04.255 perspective, but if you make that thing eat enough it's 00:42:04.255,00:42:06.624 gonna, it's gonna take itself down. 
So we had to be really 00:42:06.624,00:42:08.826 careful about our implementation and I'll be honest, I DOS'd 00:42:08.826,00:42:12.663 myself twice. Right, like your it's gonna happen um so ya 00:42:12.663,00:42:14.832 there it's not as robust as it needs to be. >>Is there a way to 00:42:14.832,00:42:17.602 mitigate that on your guys' check list? >>Not yet. >>Not yet 00:42:17.602,00:42:19.670 uh there there are some and there have been attacks by the 00:42:19.670,00:42:23.074 way people have DOS psaps uh over the admin lines >>Ya >>Um 00:42:23.074,00:42:26.310 international sib gateway exchanges uh have have really um 00:42:26.310,00:42:29.080 messed up messed with em. >>Go for it. >>Uh I have 2 questions. 00:42:29.080,00:42:31.749 First of all the database that you mentioned earlier that has 00:42:31.749,00:42:34.519 all the uh addresses does that, >>Location information server 00:42:34.519,00:42:38.322 >>Ya but >>Is there a G or an E? >>Is there one one database or 00:42:38.322,00:42:40.858 does every telephone company have there own database is it 00:42:40.858,00:42:43.861 proprietary uh eh? >>So it it depends on which one you're 00:42:43.861,00:42:46.164 talking about. If you're talking about in the E911 world 00:42:46.164,00:42:48.699 can you scroll back to that while I talk? >>Ya. >>Um In the 00:42:48.699,00:42:51.469 E911 world the there's a master street address guide in 00:42:51.469,00:42:56.674 each town. Basically, there is a uh selective routing database 00:42:56.674,00:42:59.777 and an ally automatic location identification database. In 00:42:59.777,00:43:01.579 theory >>So who who >>For each carrier but in practice they're 00:43:01.579,00:43:04.715 all out sourced to about 3 companies. >>Ya. >>So the uh 00:43:04.715,00:43:09.587 data's proprietary or? >>Yes. >>Okay. >>For now. >>Uh my 00:43:09.587,00:43:13.691 second question is regarding the uh NCS get system. Are they 00:43:13.691,00:43:16.060 having uh >>Yep. 
>>similar problems in transitioning do 00:43:16.060,00:43:19.263 they use ez uh ezzy net? >>So funny story actually, we used to 00:43:19.263,00:43:22.967 work at DHS in the component that runs WPS and gets and um. 00:43:22.967,00:43:25.303 >>Thanks for knowing about it. You're the guy. >>Ya, ya. >>Ya 00:43:25.303,00:43:28.606 >>You're the one. Um they they are actually working now on next 00:43:28.606,00:43:30.708 generation gets and WPS. I don't know where it is cause 00:43:30.708,00:43:33.311 I've been out of that now for 6 years but ya, that that's 00:43:33.311,00:43:35.279 definitely happening. >>You might consider pen testing that 00:43:35.279,00:43:38.449 too. >>Ya i mean uh it still uses underlying compromised you 00:43:38.449,00:43:42.086 know like infrastructure right like SS7 um and a lot of other 00:43:42.086,00:43:45.122 infrastructures. So NGN gets is not as secure as you might 00:43:45.122,00:43:48.192 believe it to be because it's not TDM based. >>alright >>So 00:43:48.192,00:43:51.863 most of this is new to me. um Is any of this 911 stuff crossover 00:43:51.863,00:43:57.969 with the amber alert system? >>No. >>Okay, cool. >>[inaudible 00:43:57.969,00:44:02.640 voices] [laughter] [applause] >>Boom [laughs] >>So we'll say 00:44:02.640,00:44:05.610 excellent talk. Um you mentioned funds are a major issue in a 00:44:05.610,00:44:07.979 severely aging infrastructure. Especially in some of the more 00:44:07.979,00:44:12.083 rural areas in Texas. >>Yes sir >>As well um that being said, 00:44:12.083,00:44:14.485 I'm a self, I'm a firefighter and first responder 00:44:14.485,00:44:18.322 so I have unique um viewpoint rather dealing with city 00:44:18.322,00:44:21.559 management for funds not only for fire gear but everything 00:44:21.559,00:44:24.161 else. >>Yes sir. 
>>You start talking about a lot of this 00:44:24.161,00:44:26.998 stuff to city employees and everybody else they're gonna 00:44:26.998,00:44:29.066 start looking like you know you're a heretic and wanna burn 00:44:29.066,00:44:32.436 you so how do you, >>Yes. >>How are you going to approach that? 00:44:32.436,00:44:35.706 >>Very carefully. [laughter] uh but no that that is like that's 00:44:35.706,00:44:38.176 the biggest thing for lour organization. Being the 911 00:44:38.176,00:44:41.546 association. We just decided you know what, burn us at the stake 00:44:41.546,00:44:43.514 if you want we are gonna talk about this until it's all 00:44:43.514,00:44:47.451 fixed. >>Ya. LIke dude this has to happen for police, fire, EMS, 00:44:47.451,00:44:50.955 civil servants, also just people right? Just everybody else like 00:44:50.955,00:44:53.624 my nightmare scenario is somebody screws the geolocation 00:44:53.624,00:44:56.160 coordinates up and they send your guys into a building and 00:44:56.160,00:44:58.696 that's a chem fire instead of a regular fire right? That 00:44:58.696,00:45:01.065 that's a cluster fuck so this has to get taken care of. 00:45:01.065,00:45:02.800 >>Okay. >>Thank you guys, you've been wonderful >>Thank 00:45:02.800,00:45:06.671 you >>You guys rock. [applause]