Teen hacker sentenced for serious disruption of Phoenix 911 system

If you’re a teen computer whiz trying to create an “annoying but harmless” online prank that will impress your friends and the “hacker community,” probably best not to aim it at anything having to do with real-life emergency services.

Hopefully Meetkumar Hiteshbhai Desai, 19, had learned at least that much by the time he was sentenced last week to three years probation for creating a bug a year ago that, between 24 and 26 October, almost shut down 911 services throughout Maricopa County, Arizona and beyond.

Law enforcement officials were definitely impressed, but not in a good way. According to the state Attorney General’s Office, Desai’s bug caused more than 300 hang-up calls – 100 of them within minutes on 25 October 2016 – in the county’s 911 operating systems, which include Phoenix, Scottsdale, Glendale and Mesa.

The Maricopa County Sheriff’s Office (MCSO) said the bug affected call centers in Avondale, Chandler, Surprise and the MCSO.

Desai pleaded guilty to one count of computer tampering. The sentencing agreement allows law enforcement to monitor his computer during the probation period.

Ars Technica reported that at the time of his arrest, authorities referred to Desai as an “iPhone app developer.” Which was a major stretch. But in a press release following the arrest, the MCSO said Desai (who they referred to as “Meet” since the web page that linked to the bug was called “Meet Desai”) told detectives that he was indeed hoping to impress the computer giant:

He was interested in programs, bugs, and viruses which he could manipulate and change to later inform Apple about (how) to fix their bug issues for further iOS updates. He claimed that Apple would pay for information about bugs and viruses and provide that particular programmer with credit for the discovery.

No word on whether Apple was impressed.

According to the MCSO, Desai told them that an online friend had shared a bug with him that they thought they could modify. He said he discovered that he could:

… add annoying pop ups, commands to open email, and activate the telephone dialing feature on iOS cell phones by utilizing a java script code that he created.

His intent, he told them, was just to create a, “non-harmful but annoying bug that he believed was ‘funny.’”

However, his project went from prank to crime when he modified the bug to include the 1+911 phone number for emergency services and – by mistake, he told detectives – pushed it out to the public.

Meet stated that although he did add that feature to the bug he had no intention of pushing it out to the public, because he knew it was illegal and people would “freak out”.

Probably not the kind of mistake someone looking to impress Apple would make. But Desai was right about the reaction – people indeed freaked out.

On the night of 25 October 2016, the MCSO heard from a surprised Surprise Police Department that their communications division had received more than 100 911 hang-up calls which, as the MCSO put it, put their Cyber Crimes Unit into, “full force after a serious disruption into the emergency 911 system for the entire Phoenix metro area and possibly even other states.”

Detectives tracked the 911-dialing code to the “Meet Desai” web page, hosted out of San Francisco. They were able to shut it down, “to stop the potential immediate threat to the 911 emergency systems, which could possibly have been compromised if enough users had clicked on the link.”

But by that time the link, which had been posted to the YouTube channel “TheHackSpot” and several Twitter accounts, had been clicked 1,849 times. When people clicked on it, it launched continuous calls to 911 and wouldn’t let the caller hang up.

According to the Arizona AG, Desai will not serve any jail time because he, “cooperated with authorities, expressed remorse and had never been in trouble before.”

But the incident demonstrates that the security of 911 services has a significant soft spot. This was a localized version of what sounds like a phone DDoS attack that could disrupt emergency services over a much wider area – possibly the entire nation. As Ars Technica noted at the time of Desai’s arrest last year:

According to recently released research reported in the Washington Post (paywall) by journalist Kim Zetter, a proof-of-concept attack devised by researchers in Israel required just 6,000 infected smartphones in a geographical area to tamper with the 911 system for the entire state of North Carolina. The researchers estimated 200,000 infected phones distributed across the US could significantly disrupt 911 services for the entire country.