FBI Warns Assholes Are Now Combining Compromised IoT Devices With Swatting Because That's The Hell We Now Live In

from the living-continue-to-envy-the-dead dept

Late last year, it was discovered that yet another set of IoT devices were being turned against their owners by malicious people. It would be a stretch to call these losers “hackers,” considering all they did was utilize credentials harvested from multiple security breaches to take control of poorly secured cameras made by Ring.

Password reuse is common and these trolls made the most of it. Streaming their exploits to paying users, the perpetrators shouted racist abuse at homeowners, talked to/taunted their children, and interrupted their sleep by blaring loud noises through the cameras’ mics.

This string of events landed Ring in court. Ring claims this isn’t the company’s fault since the credentials weren’t obtained from Ring itself. But Ring’s lax security standards allowed users to bypass two-factor authentication and, until recently, didn’t warn users of unrecognized login attempts or lock their accounts after a certain number of login failures.

There’s another insidious twist to this new form of online/offline abuse. And it’s caught the attention of the feds. The FBI says these cameras are now being combined with swatting to inflict additional misery on camera owners.

Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks. To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers.

They then call emergency services to report a crime at the victims’ residence. As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.

Combining two things people hate into one dangerous blend is someone’s idea of a good time. Two recent incidents involving hacked devices and swatting fortunately ended without anyone being killed by law enforcement.

One Florida woman was called by a “hacker” and told to go outside and see if the local SWAT team was there. She was met by police shortly afterwards who told her they’d received a call she’d been murdered by her husband. No raid happened but officers were showered with insults and obscenities by “hackers” via the compromised Ring doorbell/camera for failing to provide the entertainment the online assholes were seeking.

A similar incident happened in Virginia, with the “hacker” taunting both the family and officers as they investigated a fake suicide call.

Through the family’s four Ring cameras, a hacker screamed, “Help me!” as officers checked inside the home to make sure everyone was safe.

Back outside, the officers realized the intermittent screaming was coming from the home’s Ring cameras.

A man started talking to the officers through the cameras, saying he hacked the homeowner’s accounts and faked the 911 call.


Officer: “What is it that you need from us?”

Hacker: “Oh nothing, we were just [messing] around, after this we’ll log out, tell him to change his Yahoo password, his Ring password, and stop using the same passwords for the same [stuff].”

Chesapeake Police officers covered up the cameras and asked who was screaming. The hacker told officers it was him yelling for help, claiming he livestreamed the Ring cameras when officers arrived and charged people five dollars each to watch online.

So, that’s where we’re at, hellscape-wise. A nation full of devices that can be taken over by anyone with the right credentials and turned into entertainment for sociopaths. Of course, being better about locking down IoT devices won’t stop these same sociopaths from weaponizing local law enforcement agencies. Choosing a strong, unique password isn’t going to keep assholes from swatting people. It’s only going to deprive them of their ability to witness the potentially deadly results of their actions.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “FBI Warns Assholes Are Now Combining Compromised IoT Devices With Swatting Because That's The Hell We Now Live In”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re: Re:

I wasn’t referencing that. Moreso a fact of practicality. We’ve seen numerous examples of supposedly "smart" devices because either the company making them made securing their products a distant afterthought if at all (usually after it comes out their products were hacked) or were never properly configured once out of the box though I admit that last part is usually the less likely of the two.

So until the Internet Of Poorly Secured/Broken Things is fixed, the best device to have is a dumb one.

ECA (profile) says:

Dumb and stupid.

They arnt hacking the homes, they are entering an internet site remotely, and doing all this?
So the Site security is FAILED?
All they need is basic info to get into the account?
The scary part of this, is the devices are setup to AUTO CONNECT to the internet and bypass you modem and router.
And for $100, you could setup the rasp pi, to be the in between, capture the data THEN the Pi could send anything important OUT to where its needed. NOT DIRECTLY to the net. Seem to many security systems like this.

But they Should be able to be tracked.

Anonymous Coward says:

Re: Dumb and stupid.

All they need is basic info to get into the account?

No, they need the password to access your devices. But people are dumb and use the same password for everything. If only one thing, such as email, gets hacked or you simply use very weak passwords then your password can be exposed. Once that happens all the attacker needs to do is guess which other online things you use and they’ve got access to those, too, such as online banking and Ring cameras.

The scary part of this, is the devices are setup to AUTO CONNECT to the internet and bypass you modem and router.

Also not true. Yes, they auto-connect when powered on but they connect to the same wifi in your house as everything else. They still have to connect via your router/modem. Not sure what that has to do with anything though.

And for $100, you could setup the rasp pi, to be the in between, capture the data THEN the Pi could send anything important OUT to where its needed. NOT DIRECTLY to the net. Seem to many security systems like this.

See above.

Real home security systems do not use the internet at all. They connect directly to the cellular network. However, those services still offer online management of your home security system which is vulnerable to unauthorized access if you’re dumb enough to use the same password for that as everything else.

Some services offer two-factor authentication which requires more than just a password to log in. Most send you a 1-time code via text message but there are other factors that could be used. The dumb thing is that 2-factor auth is generally not used for consumer devices and services because it’s "too hard" for the average user.

Perhaps it’s time that all remote services start using 2FA and the public can just bloody well learn how to use it or do without those services. But whose fault is it, really? The companies who pander to the common denominator of dumb in the public to sell more stuff? Or the morons who fail to protect themselves?

ECA (profile) says:

Re: Re: Dumb and stupid.

you bypassed my comments.

See. Most of the systems Iv seen installed, May goto the Router, but they also DONT goto your system, they goto a location connected to the web. NOT to your system. Then they charge you for the service of watching the Vid, as well as storage.
I do know what a REAL security system is, but try to explain that to a person who WANTS CHEAP and easy.

I dont think the Kids are sitting around outside, connecting Wireless, within 100-200 feet away to this IOT.
Im also hoping that these kids ARNT connecting direct to the persons Computer or router or modem. Which is very doubtful they are.
So they are searching the net for a Mac address and finding it easy to get this IOT??? would be easier to signup with the business receiving the data. And then use the Password for the device. AND THAT falls back to the business.
This is bad on so many levels.

I really hate it when the camera’s bypass being stored onsite, rather then being Shipped out to remote. Its a Storage thing, and security problem. The company HAS TO DO the security. And if they allow any person to have an account, then ONLY need to insert the Proper Name/Password for the camera’s..to access ANY camera in the system. THAT ISNT GOOD.

Anonymous Coward says:

Re: new class of hacker

They’re not even that. There are lists of emails/username and passwords available all over the net. At the very most these "hackers" brute-force guessed someone’s password but more likely just read it on one of those lists then poked around to see what they could log into using the credentials.

They don’t know the first thing about "hacking".

hij (profile) says:

Fear the police

Using the police as a weapon should not be possible in the first place. If the police were not equipped to act like armed vigilantes it would not be possible to exploit them as a weapon to terrorize the public they are supposed to serve. At some point people will figure out how to use any weapon that is available to them and will do so. There are two wrongs here, and they most certainly do not add up to a right.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...