Teen arrested for mistakenly sharing exploit that almost brought down 911

Here is a news story that has been circulating that shows just how fragile 911 communications can be.

The Maricopa County Sheriff’s Office Cyber Crimes Unit arrested Meetkumar Hiteshbhai Desai, an 18-year-old teenager from the Phoenix area, for flooding the 911 emergency system with hang-up calls.

According to a press release from the Maricopa County Sheriff’s Office, Desai created a JavaScript exploit, which he shared on Twitter and other websites with his friends.

People accessing Desai’s link from their iPhones saw their phone automatically dial and redial 911.

Desai shared the wrong version of his iOS exploit

As Desai told Maricopa County officers, he was only interested in discovering bugs in iOS, which he could report to Apple and thus possibly earn money or recognition among his friends.

Desai said that he received a tip about a bug in iOS, which he successfully exploited. During his tests, the teenager created several weaponized versions of this bug which would constantly dial a phone number, or show annoying popups.

The teenager says he wanted to prank his friends, thinking it would be “funny,” but when he shared the weaponized link online, he shared a version that instead of showing annoying popups, redialed a phone number, which in this case was 911.

One 911 call center almost crashed

Authorities said Desai shared the link on Twitter with over 12,000 followers. A later investigation revealed that over 1,849 people clicked on the link.

Investigators say that the iOS devices of these individuals started calling 911 numbers all over the US and hanging up. Emergency systems from Texas to California said they experienced a spike in hang-up calls.

The most affected was the Phoenix area, where Desai and most of his friends lived. The Peoria Police Department and the Maricopa County Sheriff’s Office said they received a large number of 911 hang-up calls, but the most affected was the Surprise Police Department, which received over 100 calls in a short amount of time, almost knocking its system offline.

Desai arrested and booked on Monday

Maricopa officers arrested and booked Desai into the 4th Avenue Jail on three counts of felony computer tampering, on Monday, October 24.

In August, at the Black Hat USA security conference, Apple announced it’s official bug bounty program, but said it would only invite a small group of vetted researchers in the beginning.

In September, scientists from the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel published research showing that it only takes around 6,000 smartphones to DDoS a US state’s 911 emergency system.