Taming the Insecurity of Cellular Emergency Services (9-1-1): From Vulnerabilities to Secure Designs

Cellular networks, vital for delivering emergency services, enable mobile users to dial emergency calls (e.g., 9-1-1 in the U.S.), which are forwarded to public safety answer points (PSAPs). Regulatory requirements allow anonymous user equipment (UE) without a SIM card or valid mobile subscription to access these services. However, supporting emergency services for anonymous UEs introduces different operations, expanding the attack surface of cellular infrastructure. In this study, we explore the insecurity of cellular emergency services, identifying six security vulnerabilities. These vulnerabilities can be exploited for free data service attacks against carriers and data DoS/overcharge and denial of cellular emergency service (DoCES) attacks against mobile users. Experimental validation in networks of three major U.S. carriers and two major Taiwan carriers demonstrates the global impact of our findings. Finally, we propose and prototype standard-compliant remedies to mitigate these vulnerabilities.