FBI Warns Assholes Are Now Combining Compromised IoT Devices With Swatting Because That's The Hell We Now Live In
from the living-continue-to-envy-the-dead dept
Late last year, it was discovered that yet another set of IoT devices were being turned against their owners by malicious people. It would be a stretch to call these losers "hackers," considering all they did was utilize credentials harvested from multiple security breaches to take control of poorly secured cameras made by Ring.
Password reuse is common and these trolls made the most of it. Streaming their exploits to paying users, the perpetrators shouted racist abuse at homeowners, talked to/taunted their children, and interrupted their sleep by blaring loud noises through the cameras' mics.
This string of events landed Ring in court. Ring claims this isn't the company's fault since the credentials weren't obtained from Ring itself. But Ring's lax security standards allowed users to bypass two-factor authentication and, until recently, didn't warn users of unrecognized login attempts or lock their accounts after a certain number of login failures.
There's another insidious twist to this new form of online/offline abuse. And it's caught the attention of the feds. The FBI says these cameras are now being combined with swatting to inflict additional misery on camera owners.
Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks. To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers.
They then call emergency services to report a crime at the victims’ residence. As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.
Combining two things people hate into one dangerous blend is someone's idea of a good time. Two recent incidents involving hacked devices and swatting fortunately ended without anyone being killed by law enforcement.
One Florida woman was called by a "hacker" and told to go outside and see if the local SWAT team was there. She was met by police shortly afterwards who told her they'd received a call she'd been murdered by her husband. No raid happened but officers were showered with insults and obscenities by "hackers" via the compromised Ring doorbell/camera for failing to provide the entertainment the online assholes were seeking.
A similar incident happened in Virginia, with the "hacker" taunting both the family and officers as they investigated a fake suicide call.
Through the family's four Ring cameras, a hacker screamed, "Help me!" as officers checked inside the home to make sure everyone was safe.
Back outside, the officers realized the intermittent screaming was coming from the home's Ring cameras.
A man started talking to the officers through the cameras, saying he hacked the homeowner's accounts and faked the 911 call.
[...]
Officer: “What is it that you need from us?”
Hacker: “Oh nothing, we were just [messing] around, after this we’ll log out, tell him to change his Yahoo password, his Ring password, and stop using the same passwords for the same [stuff]."
Chesapeake Police officers covered up the cameras and asked who was screaming. The hacker told officers it was him yelling for help, claiming he livestreamed the Ring cameras when officers arrived and charged people five dollars each to watch online.
So, that's where we're at, hellscape-wise. A nation full of devices that can be taken over by anyone with the right credentials and turned into entertainment for sociopaths. Of course, being better about locking down IoT devices won't stop these same sociopaths from weaponizing local law enforcement agencies. Choosing a strong, unique password isn't going to keep assholes from swatting people. It's only going to deprive them of their ability to witness the potentially deadly results of their actions.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
The only smart device is a dumb one.
[ link to this | view in thread ]
Dumb and stupid.
So.
They arnt hacking the homes, they are entering an internet site remotely, and doing all this?
So the Site security is FAILED?
All they need is basic info to get into the account?
The scary part of this, is the devices are setup to AUTO CONNECT to the internet and bypass you modem and router.
And for $100, you could setup the rasp pi, to be the in between, capture the data THEN the Pi could send anything important OUT to where its needed. NOT DIRECTLY to the net. Seem to many security systems like this.
But they Should be able to be tracked.
[ link to this | view in thread ]
Where is the FBI?
These are probably interstate calls which requires a federal response. Where is the FBI? Not enough money involved? No one "important" targeted yet? Waiting for a non-Trumpy administration to get back to work?
[ link to this | view in thread ]
Re: Dumb and stupid.
No, they need the password to access your devices. But people are dumb and use the same password for everything. If only one thing, such as email, gets hacked or you simply use very weak passwords then your password can be exposed. Once that happens all the attacker needs to do is guess which other online things you use and they've got access to those, too, such as online banking and Ring cameras.
Also not true. Yes, they auto-connect when powered on but they connect to the same wifi in your house as everything else. They still have to connect via your router/modem. Not sure what that has to do with anything though.
See above.
Real home security systems do not use the internet at all. They connect directly to the cellular network. However, those services still offer online management of your home security system which is vulnerable to unauthorized access if you're dumb enough to use the same password for that as everything else.
Some services offer two-factor authentication which requires more than just a password to log in. Most send you a 1-time code via text message but there are other factors that could be used. The dumb thing is that 2-factor auth is generally not used for consumer devices and services because it's "too hard" for the average user.
Perhaps it's time that all remote services start using 2FA and the public can just bloody well learn how to use it or do without those services. But whose fault is it, really? The companies who pander to the common denominator of dumb in the public to sell more stuff? Or the morons who fail to protect themselves?
[ link to this | view in thread ]
Re:
It's like the Battlestar Galactica reboot wasn't insanely popular at the time.
Honestly i hate most pop culture references but come on.
[ link to this | view in thread ]
Re: Where is the FBI?
The FBI is warning people i guess? Hiw do you know what else they are doing?
/feels slightly ill over being rationally charitable toward fbi
[ link to this | view in thread ]
Re: Where is the FBI?
Ummmm... did you even read the F'ing headline? Here, let me help you:
[ link to this | view in thread ]
new class of hacker
[ link to this | view in thread ]
Fear the police
Using the police as a weapon should not be possible in the first place. If the police were not equipped to act like armed vigilantes it would not be possible to exploit them as a weapon to terrorize the public they are supposed to serve. At some point people will figure out how to use any weapon that is available to them and will do so. There are two wrongs here, and they most certainly do not add up to a right.
[ link to this | view in thread ]
Best Headline Ever
Thanks, Tim - needed that!
Ehud
[ link to this | view in thread ]
De-escalation
It would be great if police departments wouldn't be so militarized, such that if they receive a swatting call, then they don't immediately show up guns-a-blazin'. Maybe call the homeowner back first, and don't trust some ridiculous phone call. Investigate a LITTLE, first.
[ link to this | view in thread ]
Re: Where is the FBI?
...did you...read the first three letters in the headline?
[ link to this | view in thread ]
Re: new class of hacker
They're not even that. There are lists of emails/username and passwords available all over the net. At the very most these "hackers" brute-force guessed someone's password but more likely just read it on one of those lists then poked around to see what they could log into using the credentials.
They don't know the first thing about "hacking".
[ link to this | view in thread ]
Re: Re:
I wasn't referencing that. Moreso a fact of practicality. We've seen numerous examples of supposedly "smart" devices because either the company making them made securing their products a distant afterthought if at all (usually after it comes out their products were hacked) or were never properly configured once out of the box though I admit that last part is usually the less likely of the two.
So until the Internet Of Poorly Secured/Broken Things is fixed, the best device to have is a dumb one.
[ link to this | view in thread ]
It is amazing that, after having read these and other stories, people still willingly pay good money to have these things installed in their houses.
[ link to this | view in thread ]
Re:
Probably cause there isn't any other alternative??
[ link to this | view in thread ]
Re: Re: Dumb and stupid.
you bypassed my comments.
See. Most of the systems Iv seen installed, May goto the Router, but they also DONT goto your system, they goto a location connected to the web. NOT to your system. Then they charge you for the service of watching the Vid, as well as storage.
I do know what a REAL security system is, but try to explain that to a person who WANTS CHEAP and easy.
I dont think the Kids are sitting around outside, connecting Wireless, within 100-200 feet away to this IOT.
Im also hoping that these kids ARNT connecting direct to the persons Computer or router or modem. Which is very doubtful they are.
So they are searching the net for a Mac address and finding it easy to get this IOT??? would be easier to signup with the business receiving the data. And then use the Password for the device. AND THAT falls back to the business.
This is bad on so many levels.
I really hate it when the camera's bypass being stored onsite, rather then being Shipped out to remote. Its a Storage thing, and security problem. The company HAS TO DO the security. And if they allow any person to have an account, then ONLY need to insert the Proper Name/Password for the camera's..to access ANY camera in the system. THAT ISNT GOOD.
[ link to this | view in thread ]
Re: Re:
Alternative .. lol
I do not need an internet connected doorbell just like I do not need an internet connected tea pot. And I certainly do not need internet connected trolls creating havoc. I prefer the direct approach.
[ link to this | view in thread ]
Re: Re:
There is a user controlled alternative called home assistant, and even YouTube channels that will tell you how to set it up and use it.
[ link to this | view in thread ]
Re: Re: Re:
no, i referred to it. what?
[ link to this | view in thread ]
Re: Re:
you... have to be bloody kidding.
never mind one perfectly viable alternative is: nothing, just like they've been doing fine with all along. but there have long been plenty of others.
[ link to this | view in thread ]
Asshole
Is Asshole a legal term now? Was the government using this term? I expect better of you
[ link to this | view in thread ]
Re: Re: Re:
A young burglar broke off the back door 25 years ago, doors are expensive. We don't need one, anyway
[ link to this | view in thread ]