Why is it so hard to trace an anonymous bomb threat
For months, Jewish Community Centers have been targeted by near-daily bomb threats, with over 100 reports since the beginning of 2017. Last Friday seemed to offer some respite, with the arrest of an individual responsible for some of the threats, and a new order from the FCC stripping anonymity protections from anyone dialing into a JCC. But the days after the order was issued saw even more threats, which led to evacuations at a Florida day school, a Delaware community center, a Brooklyn Children’s Museum, and the Anti-Defamation League headquarters in Manhattan. This weekend, as many centers prepared for Purim, six more threats hit Jewish centers in Milwaukee, Indianapolis, and other cities.
“AntiSemitism of this nature should not, and must not, be allowed to endure in our communities,” the North American JCC Association wrote to Attorney General Sessions, in a direct plea for help. “We insist that all relevant federal agencies, including your own, apply all the resources available to identify and bring the perpetrator… to justice.”
But even with the FCC’s help, tracking down perpetrators has proved harder than one might expect. The only arrest so far related to the threats — that of disgraced journalist Juan Thompson — was made because the caller identified themselves multiple times as either Thompson or his girlfriend. The FCC order means JCCs can now see an originating number for every call that comes in, sidestepping the usual restrictions on tracking by carriers — but in most cases, simply getting that number isn’t enough.
In theory, anonymous calls should be simple to stop. Unlike the internet, the telephone network is a closed system, with static infrastructure with no anonymity networks like Tor to conceal where a call is coming from. All phone numbers are directly provisioned by a handful of companies, all with close relationships to law enforcement. But despite the best efforts of law enforcement, anonymous calling services have continued to flourish in the US, enabling anything from simple threats or swatting attacks.
The reason for that is two-fold: digital attacks and unsecured phone systems. As businesses have moved from copper lines to IP-based phone systems, they’ve created a new threat called PBX hacking, in which criminals can compromise systems remotely. It’s easy to scan the internet for vulnerable systems, and there’s no shortage of small businesses relying on poorly maintained installations of freeware setups like Freeswitch. Hackers can use their access to run up big phone bills on their victim’s behalf — an attack that cost businesses an estimated $7.4 billion in 2015 — but more savvy criminals can also rent out those compromised networks as a way to make anonymous calls, like using a stolen car as a getaway vehicle.
Many experts suspect PBX hacking has played a role in the ongoing campaign — and is part of why the FCC order hasn’t led to more arrests. “If the call was spoofed from somebody’s laptop into a hacked Freeswitch from anonymouscalling.com, then there will be another problem,” says Richard Shockey, a network expert who’s consulted on the IETF’s anti-spoofing task force. “It’s just like the email [spam] problem. There’s an endless number of attack vectors.”
Call privacy settings — like the ones waived by the FCC last week — can make PBX attacks harder to identify and clean up. By shielding the source of a call, hackers can keep a hijacked system undetected for longer. “Because of the nature of the calling network, they can skirt around the edges,” Shockey says. “The track-and-trace methods that we have are not very good.” As a result, investigators are left sifting through dozens of hacked systems across dozens of services.
But there may be a fix to the problem on the horizon. Since 2013, the Internet Engineering Task Force has organized a string of working groups to secure identity on phone networks, drawing together engineers from all the major phone and network companies. There’s no formal agreement, but plenty of ideas have gained support, including verifying phone calls using cryptographic signatures, similar to the encryption currently used to verify websites. Unverified calls would be accompanied with visual warnings, with an option for blocking them entirely. The system is still in the works, but it gives carriers and regulators a path forward for eventually cracking down on spoofed calls.
And pressure to crack down is coming from the highest reaches of government. New FCC chairman Ajit Pai has already proposed new rules to block robocalling, preventing calls from being originated by non-allocated numbers. It’s only a first step, but it’s exactly the kind of crackdown on suspicious network behavior that many anti-spoofing advocates have been pushing for years.
Combined with the recent waiver, it’s convinced some that Pai could lead the fight for a more secure phone network. “Even a conservative Republican can look at this and say it’s time to regulate,” says Shockey. “This is literally what Title II was designed to do.”