The story began on November 29th, 2021, with a Reddit post entitled, “Pixel prevented me from calling 911.”
The user described how his phone failed to place a call to 911 as his grandmother was having a stroke, and how the dialer app ended up in an unrecoverable state in which no further phone calls could be placed. To her credit, the user’s grandmother insisted on having a landline, which the grandson successfully used to summon an ambulance and take her to the hospital.
The incident raised the big question: why did the user’s phone app crash when he tried to call 911?
Google’s official Reddit account quietly pointed the finger at a culprit: Microsoft Teams.
“We believe the issue is only present on a small number of devices with the Microsoft Teams app installed when the user is not logged in, and we are currently only aware of one user report related to the occurrence of this bug. We determined that the issue was being caused by unintended interaction between the Microsoft Teams app and the underlying Android operating system.”
It is worth mentioning that Penn State’s organizational policy enforces an automatic sign-out for Microsoft Teams after just a few short hours of inactivity, and the author of this very blog post was unknowingly affected by this issue for months.
The next question: how was Microsoft Teams – or any other app on an Android device, for that matter – able to block a phone call to the most important phone number in the United States and Canada?
The answer, according to Mishaal Rahman, was an integer overflow in the PhoneAccount subsystem, combined with a poor choice on the part of Microsoft to have Teams register itself as a new dialer app every time the app started. The PhoneAccount class used the hashCode function as a tiebreaker between the dozens of identical dialer apps from Teams in order to determine which dialer app on the phone to use to place the call to 911. But when PhoneAccount subtracted those hashes from each other, Rahman said, there was a chance that the resulting difference could fall far above or below the range of values an integer can hold – causing an integer overflow and bringing the entire PhoneAccount stack down with it.
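The failure mode described above can be reproduced in a few lines of Java. This is an added example, not Android's PhoneAccount code: the class name and the hash values are constructed for illustration, and it contrasts a subtraction-based tiebreaker with the overflow-safe `Integer.compare`.

```java
import java.util.Comparator;

// Hypothetical demo class; not taken from the Android source tree.
public class HashTiebreakOverflow {
    // Tiebreaker of the kind described above: the difference of two 32-bit hashes.
    static final Comparator<Integer> SUBTRACT = (a, b) -> a - b;
    // Overflow-safe equivalent: compares without doing arithmetic on the operands.
    static final Comparator<Integer> SAFE = Integer::compare;

    // Counts ordered pairs for which the comparator reports the wrong sign,
    // using a 64-bit comparison of the same values as the reference.
    static int wrongSigns(Comparator<Integer> c, int[] hashes) {
        int wrong = 0;
        for (int a : hashes) {
            for (int b : hashes) {
                int got = Integer.signum(c.compare(a, b));
                int want = Integer.signum(Long.compare(a, b));
                if (got != want) {
                    wrong++;
                }
            }
        }
        return wrong;
    }

    public static void main(String[] args) {
        // Constructed hash values; hashCode() may return any 32-bit int.
        int[] hashes = {-1_500_000_000, 0, 1_500_000_000};
        int lo = hashes[0], mid = hashes[1], hi = hashes[2];

        // The true difference needs 33 bits, so the int result wraps around.
        System.out.println("lo - hi as int:  " + (lo - hi));
        System.out.println("lo - hi as long: " + ((long) lo - hi));

        // Transitivity check: a valid comparator must agree on all three lines.
        System.out.println("lo < mid: " + (SUBTRACT.compare(lo, mid) < 0));
        System.out.println("mid < hi: " + (SUBTRACT.compare(mid, hi) < 0));
        System.out.println("lo < hi:  " + (SUBTRACT.compare(lo, hi) < 0));

        System.out.println("wrong signs, subtraction:     " + wrongSigns(SUBTRACT, hashes));
        System.out.println("wrong signs, Integer.compare: " + wrongSigns(SAFE, hashes));

        try {
            Math.subtractExact(lo, hi); // checked arithmetic surfaces the overflow
        } catch (ArithmeticException e) {
            System.out.println("subtractExact: " + e.getMessage());
        }
    }
}
```

A comparator that reports inconsistent orderings breaks the contract that Java's sort routines rely on, which is why hash values should be compared with `Integer.compare` rather than subtracted.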
Google showed a damning lack of urgency regarding the issue. The time between the original post on Reddit and the reply from Google was nearly ten full days, and Google did not make any effort to spread awareness of the issue beyond their Reddit comment. And although Microsoft released a patch for Teams on December 10th to correct their side of the issue, Google decided that the situation – recognized as a critical denial-of-service vulnerability – was not critical enough to release an update immediately, but rather with the standard January 2022 security update. Not to mention the fact that generations of Android devices, my own phone included, will not be receiving this critical security fix as a result of the hopelessly fragmented Android ecosystem.
In short, Google did not take responsibility for its actions and omissions, and did not treat the situation with the care that it deserved. Real people could have suffered mortal injuries from this vulnerability, and we may never know if anyone else was killed or seriously injured by this bug. Landlines may still prove useful as a redundant way of calling 911, and I will be purchasing an iPhone quite soon, because I cannot in good conscience keep using a phone that is liable not to reach 911 when I need it the most.