Three researchers have shown that thousands of infected phones could launch automated DDoS attacks and take down the US emergency telephone system "for days".
The theoretical attack uses malware that masks a phone's International Mobile Subscriber Identity (IMSI). The malware shows only the International Mobile Station Equipment Identity (IMEI) number, which hides the origin of the attacks and prevents the device from being identified and added to a blacklist.
Researchers Mordechai Guri, Yisroel Mirsky and Yuval Elovici from Ben-Gurion University report that malicious software could make calls without the owners of the device knowing it.
In their paper 911 DDoS: Threat, Analysis and Mitigation [PDF], they report that with 6,000 infected smartphones they could block a local US emergency call system (911).
"A rootkit that is placed within the firmware baseband of a mobile phone can also cover random cellular identifiers, creating a device that has no real recognition within the mobile network."
"Such anonymous phones can make repeated emergency calls and cannot be blocked from the network or emergency call centers, technically or legally."
So, according to the researchers, 200,000 infected devices could take down emergency services across the US.