The release said the 911-dialing code was hosted on a site with the name “Meet Desai.” A link posted on the TheHackSpot YouTube channel and one or more Twitter accounts then encouraged people to click on the link. Authorities said they found evidence it had been clicked 1,849 times. In an e-mail, the operator of the YouTube channel said: “The link does not contain anything harmful, and I am not associated with any type of personal hacking. Just a fun prank that many other big YouTube channels covered as well.”
According to an image Desai posted Thursday to Twitter, various pages on the site http://meetdesai.com—the address was unreachable on Friday, but a cached version of the site is temporarily available here—received more than 151,000 page views. It wasn’t entirely clear the links were the ones alleged to contain the attack code, and Desai didn’t respond to requests for an interview.
Still, if even a portion of those links caused phones to simultaneously dial 911, they had the potential to disrupt vital emergency systems. According to recently released research reported in The Washington Post by journalist Kim Zetter, a proof-of-concept attack devised by researchers in Israel required just 6,000 infected smartphones in a geographical area to tamper with the 911 system for the entire state of North Carolina. The researchers estimated 200,000 infected phones distributed across the US could significantly disrupt 911 services for the entire country.
According to Thursday’s release, Desai told detectives he was interested in discovering iOS bugs that he could privately report to Apple and receive cash and recognition under the company’s bug bounty program. Referring to Desai as “Meet,” it continued:
Meet also told investigators he had an online friend that provided him with a bug that they thought they should look into and tweak. Meet looked at the bug and discovered that he could manipulate the function and add annoying pop ups, commands to open email, and activate the telephone dialing feature on iOS cell phones by utilizing a java script code that he created. Meet claimed that his intention was to make a non-harmful, but annoying bug that he believed was “funny.”
Meet stated he did manipulate the bug to include the phone number for emergency services 1+911. Meet stated that although he did add that feature to the bug he had no intention of pushing it out to the public, because he knew it was illegal and people would “freak out.” Meet stated that he may have accidentally pushed the harmful version of the (911) bug out to the Twitter link instead of the lesser annoying bug that only caused pop ups, dialing to make people’s devices freeze up and reboot. Meet later claimed that he developed these malicious bugs and viruses to be recognized in the hacker and programming community as someone who was very skilled.
Desai was arrested and transported to Maricopa County Jail where he was booked on three counts of computer tampering. It’s not clear if he has yet entered a plea or what kind of penalties he faces. The charges constitute class 2 felonies because the 911 system is classified as critical infrastructure.
The incident underscores a couple of important points that are often lost on amateur hackers, especially those who are young. The first is that hacking devices or networks without the explicit permission and cooperation of their owners is dangerous and can result in significant legal penalties. The other is that to answer police questions without first consulting a competent defense attorney is almost never a good idea.