FBI Warns Assholes Are Now Combining Compromised IoT Devices With Swatting Because That's The Hell We Now Live In

from the living-continue-to-envy-the-dead dept

Late last year, it was discovered that yet another set of IoT devices were being turned against their owners by malicious people. It would be a stretch to call these losers "hackers," considering all they did was utilize credentials harvested from multiple security breaches to take control of poorly secured cameras made by Ring.

Password reuse is common and these trolls made the most of it. Streaming their exploits to paying users, the perpetrators shouted racist abuse at homeowners, talked to/taunted their children, and interrupted their sleep by blaring loud noises through the cameras' mics.

This string of events landed Ring in court. Ring claims this isn't the company's fault since the credentials weren't obtained from Ring itself. But Ring's lax security standards allowed users to bypass two-factor authentication and, until recently, didn't warn users of unrecognized login attempts or lock their accounts after a certain number of login failures.
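The two controls named above, locking an account after repeated login failures and warning the owner about an unrecognized login, can be expressed as the following added Python example. It is not Ring's code; the `LoginGuard` class, the thresholds and the account and device names are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration; the article gives no thresholds.
MAX_FAILURES = 5        # failed logins tolerated inside the window
WINDOW_SECONDS = 900    # sliding window for counting failures
LOCK_SECONDS = 1800     # how long the account stays locked

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)     # account -> recent failure times
        self.locked_until = {}                 # account -> unlock time
        self.known_devices = defaultdict(set)  # account -> devices seen before
        self.alerts = []                       # (account, message) for the owner

    def attempt(self, account, device_id, password_ok, now):
        """Return 'locked', 'denied', 'ok' or 'ok_new_device'."""
        if self.locked_until.get(account, 0) > now:
            return "locked"                    # refused even with the right password
        if not password_ok:
            recent = self.failures[account]
            recent.append(now)
            while recent[0] <= now - WINDOW_SECONDS:
                recent.popleft()               # forget failures outside the window
            if len(recent) >= MAX_FAILURES:
                self.locked_until[account] = now + LOCK_SECONDS
                recent.clear()
                self.alerts.append((account, "locked after repeated failed logins"))
            return "denied"
        self.failures[account].clear()
        devices = self.known_devices[account]
        if device_id in devices:
            return "ok"
        enrolling = not devices                # very first login enrols the device
        devices.add(device_id)
        if enrolling:
            return "ok"
        # A reused, breached password arrives here on the first try, so the
        # lockout never fires; the alert is the only signal the owner gets.
        self.alerts.append((account, f"login from unrecognized device {device_id}"))
        return "ok_new_device"

def demo():
    """Constructed event sequence: enrolment, guessing, then a correct password."""
    g, acct = LoginGuard(), "owner@example.test"
    out = [g.attempt(acct, "owners-phone", True, 0)]
    out += [g.attempt(acct, "unknown-laptop", False, 10 + i) for i in range(5)]
    out.append(g.attempt(acct, "unknown-laptop", True, 20))                 # locked
    out.append(g.attempt(acct, "unknown-laptop", True, 20 + LOCK_SECONDS))  # lock expired
    return out, g.alerts
```

The last event in `demo()` shows why lockout alone does not address password reuse: a correct password from a new device succeeds, and only the alert (or a second factor demanded at that point) flags it.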

There's another insidious twist to this new form of online/offline abuse. And it's caught the attention of the feds. The FBI says these cameras are now being combined with swatting to inflict additional misery on camera owners.

Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks. To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers.

They then call emergency services to report a crime at the victims’ residence. As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.

Combining two things people hate into one dangerous blend is someone's idea of a good time. Two recent incidents involving hacked devices and swatting fortunately ended without anyone being killed by law enforcement.

One Florida woman was called by a "hacker" and told to go outside and see if the local SWAT team was there. She was met by police shortly afterwards who told her they'd received a call she'd been murdered by her husband. No raid happened but officers were showered with insults and obscenities by "hackers" via the compromised Ring doorbell/camera for failing to provide the entertainment the online assholes were seeking.

A similar incident happened in Virginia, with the "hacker" taunting both the family and officers as they investigated a fake suicide call.

Through the family's four Ring cameras, a hacker screamed, "Help me!" as officers checked inside the home to make sure everyone was safe.

Back outside, the officers realized the intermittent screaming was coming from the home's Ring cameras.

A man started talking to the officers through the cameras, saying he hacked the homeowner's accounts and faked the 911 call.

[...]

Officer: “What is it that you need from us?”

Hacker: “Oh nothing, we were just [messing] around, after this we’ll log out, tell him to change his Yahoo password, his Ring password, and stop using the same passwords for the same [stuff]."

Chesapeake Police officers covered up the cameras and asked who was screaming. The hacker told officers it was him yelling for help, claiming he livestreamed the Ring cameras when officers arrived and charged people five dollars each to watch online.

So, that's where we're at, hellscape-wise. A nation full of devices that can be taken over by anyone with the right credentials and turned into entertainment for sociopaths. Of course, being better about locking down IoT devices won't stop these same sociopaths from weaponizing local law enforcement agencies. Choosing a strong, unique password isn't going to keep assholes from swatting people. It's only going to deprive them of their ability to witness the potentially deadly results of their actions.


Filed Under: fbi, iot, swatting


Reader Comments



  • Anonymous Coward, 5 Jan 2021 @ 12:29pm

    The only smart device is a dumb one.

    • Anonymous Coward, 5 Jan 2021 @ 1:08pm

      Re:

      It's like the Battlestar Galactica reboot wasn't insanely popular at the time.

      Honestly I hate most pop culture references but come on.

      • Anonymous Coward, 5 Jan 2021 @ 2:03pm

        Re: Re:

        I wasn't referencing that. More so a fact of practicality. We've seen numerous examples of supposedly "smart" devices because either the company making them made securing their products a distant afterthought if at all (usually after it comes out their products were hacked) or were never properly configured once out of the box though I admit that last part is usually the less likely of the two.

        So until the Internet Of Poorly Secured/Broken Things is fixed, the best device to have is a dumb one.

  • ECA, 5 Jan 2021 @ 12:35pm

    Dumb and stupid.

    So.
    They aren't hacking the homes, they are entering an internet site remotely, and doing all this?
    So the Site security is FAILED?
    All they need is basic info to get into the account?
    The scary part of this, is the devices are set up to AUTO CONNECT to the internet and bypass your modem and router.
    And for $100, you could set up the rasp pi, to be the in between, capture the data THEN the Pi could send anything important OUT to where it's needed. NOT DIRECTLY to the net. Seem to many security systems like this.

    But they Should be able to be tracked.

    • Anonymous Coward, 5 Jan 2021 @ 12:53pm

      Re: Dumb and stupid.

      All they need is basic info to get into the account?

      No, they need the password to access your devices. But people are dumb and use the same password for everything. If only one thing, such as email, gets hacked or you simply use very weak passwords then your password can be exposed. Once that happens all the attacker needs to do is guess which other online things you use and they've got access to those, too, such as online banking and Ring cameras.

      The scary part of this, is the devices are set up to AUTO CONNECT to the internet and bypass your modem and router.

      Also not true. Yes, they auto-connect when powered on but they connect to the same wifi in your house as everything else. They still have to connect via your router/modem. Not sure what that has to do with anything though.

      And for $100, you could set up the rasp pi, to be the in between, capture the data THEN the Pi could send anything important OUT to where it's needed. NOT DIRECTLY to the net. Seem to many security systems like this.

      See above.

      Real home security systems do not use the internet at all. They connect directly to the cellular network. However, those services still offer online management of your home security system which is vulnerable to unauthorized access if you're dumb enough to use the same password for that as everything else.

      Some services offer two-factor authentication which requires more than just a password to log in. Most send you a 1-time code via text message but there are other factors that could be used. The dumb thing is that 2-factor auth is generally not used for consumer devices and services because it's "too hard" for the average user.

      Perhaps it's time that all remote services start using 2FA and the public can just bloody well learn how to use it or do without those services. But whose fault is it, really? The companies who pander to the common denominator of dumb in the public to sell more stuff? Or the morons who fail to protect themselves?

      • ECA, 5 Jan 2021 @ 4:05pm

        Re: Re: Dumb and stupid.

        You bypassed my comments.

        See. Most of the systems I've seen installed, May go to the Router, but they also DON'T go to your system, they go to a location connected to the web. NOT to your system. Then they charge you for the service of watching the Vid, as well as storage.
        I do know what a REAL security system is, but try to explain that to a person who WANTS CHEAP and easy.

        I don't think the Kids are sitting around outside, connecting Wireless, within 100-200 feet away to this IOT.
        I'm also hoping that these kids AREN'T connecting direct to the person's Computer or router or modem. Which is very doubtful they are.
        So they are searching the net for a Mac address and finding it easy to get this IOT??? would be easier to sign up with the business receiving the data. And then use the Password for the device. AND THAT falls back to the business.
        This is bad on so many levels.

        I really hate it when the cameras bypass being stored onsite, rather than being Shipped out to remote. It's a Storage thing, and security problem. The company HAS TO DO the security. And if they allow any person to have an account, then ONLY need to insert the Proper Name/Password for the cameras..to access ANY camera in the system. THAT ISN'T GOOD.

  • Improbus, 5 Jan 2021 @ 12:53pm

    Where is the FBI?

    These are probably interstate calls which require a federal response. Where is the FBI? Not enough money involved? No one "important" targeted yet? Waiting for a non-Trumpy administration to get back to work?

    • Anonymous Coward, 5 Jan 2021 @ 1:11pm

      Re: Where is the FBI?

      The FBI is warning people I guess? How do you know what else they are doing?

      /feels slightly ill over being rationally charitable toward fbi

    • Anonymous Coward, 5 Jan 2021 @ 1:11pm

      Re: Where is the FBI?

      Ummmm... did you even read the F'ing headline? Here, let me help you:

      FBI Warns Assholes Are Now Combining Compromised IoT Devices With Swatting Because That's The Hell We Now Live In

    • Thad, 5 Jan 2021 @ 1:19pm

      Re: Where is the FBI?

      ...did you...read the first three letters in the headline?

  • Mcjay, 5 Jan 2021 @ 1:13pm

    new class of hacker

    Yes, it would be a stretch to call these losers "hackers," by most definitions you have white hat hackers who hack for good reasons, black hats who do it for selfish reasons and grey hats who are a little of both. Let's call these guys a$$hat hackers

    • Anonymous Coward, 5 Jan 2021 @ 1:38pm

      Re: new class of hacker

      They're not even that. There are lists of emails/username and passwords available all over the net. At the very most these "hackers" brute-force guessed someone's password but more likely just read it on one of those lists then poked around to see what they could log into using the credentials.

      They don't know the first thing about "hacking".

  • hij, 5 Jan 2021 @ 1:13pm

    Fear the police

    Using the police as a weapon should not be possible in the first place. If the police were not equipped to act like armed vigilantes it would not be possible to exploit them as a weapon to terrorize the public they are supposed to serve. At some point people will figure out how to use any weapon that is available to them and will do so. There are two wrongs here, and they most certainly do not add up to a right.

  • Ehud Gavron, 5 Jan 2021 @ 1:15pm

    Best Headline Ever

    Thanks, Tim - needed that!

    Ehud

  • Koby, 5 Jan 2021 @ 1:16pm

    De-escalation

    It would be great if police departments wouldn't be so militarized, such that if they receive a swatting call, then they don't immediately show up guns-a-blazin'. Maybe call the homeowner back first, and don't trust some ridiculous phone call. Investigate a LITTLE, first.

  • Anonymous Coward, 5 Jan 2021 @ 3:15pm

    It is amazing that, after having read these and other stories, people still willingly pay good money to have these things installed in their houses.

    • Anonymous Coward, 5 Jan 2021 @ 3:52pm

      Re:

      Probably cause there isn't any other alternative??

      • Anonymous Coward, 5 Jan 2021 @ 4:32pm

        Re: Re:

        Alternative .. lol

        I do not need an internet connected doorbell just like I do not need an internet connected tea pot. And I certainly do not need internet connected trolls creating havoc. I prefer the direct approach.

      • Anonymous Coward, 5 Jan 2021 @ 5:06pm

        Re: Re:

        There is a user controlled alternative called home assistant, and even YouTube channels that will tell you how to set it up and use it.

      • Anonymous Coward, 5 Jan 2021 @ 7:57pm

        Re: Re:

        you... have to be bloody kidding.

        never mind one perfectly viable alternative is: nothing, just like they've been doing fine with all along. but there have long been plenty of others.

  • Unlicensed Bozo, 6 Jan 2021 @ 8:52am

    Asshole

    Is Asshole a legal term now? Was the government using this term? I expect better of you
