Ring Doorbell Cams Hijacked By Assholes To Provide Live Streams Of SWATtings

from the another-PR-coup-for-Ring dept

Amazon’s home security tech acquisition, Ring, has become a dominant player in this industry sector. Some of that is due to Amazon’s backing. A lot of this is due to extremely inappropriate relationships with law enforcement, which convert cops to Ring proselytizers whose public statements are subject to review by the company’s PR wing.

Ubiquity is great for Ring’s bottom line. But being everywhere means you’re a prime target for malicious behavior, especially when market expansion is prioritized over securing devices used by millions of customers.

Easily exploited credentials led to horror stories from Ring users. Hackings were livestreamed, with hackers yelling verbal abuse and racist slurs at unsuspecting camera owners. In some cases, cameras in children’s bedrooms were targeted, subjecting kids to abuse shouted by hateful idiots whose oxygen allowance is greatly in need of severe reduction.

Ring responded to its complete lack of security requirements by implementing a few tepid changes to the “do nothing” baseline. While this may have nudged more people towards 2FA by making it the new default, it appears there are plenty of unsecured devices still online, sharing data and recordings with Ring while being attack vectors for malicious hackers.

The latest news for Ring and its internet-of-mostly-unsecured-devices? Becoming the mute witness to SWATtings perpetrated for the amusement of hideous internet denizens. Brian Krebs has more details at his site:

Two U.S. men have been charged with hacking into the Ring home security cameras of a dozen random people and then “swatting” them — falsely reporting a violent incident at the target’s address to trick local police into responding with force. Prosecutors say the duo used the compromised Ring devices to stream live video footage on social media of police raiding their targets’ homes, and to taunt authorities when they arrived.

Prosecutors in Los Angeles allege 20-year-old James Thomas Andrew McCarty, a.k.a. “Aspertaine,” of Charlotte, N.C., and Kya Christian Nelson, a.k.a. “ChumLul,” 22, of Racine, Wisc., conspired to hack into Yahoo email accounts belonging to victims in the United States. From there, the two allegedly would check how many of those Yahoo accounts were associated with Ring accounts, and then target people who used the same password for both accounts.

An indictment unsealed this week says that in the span of just one week in November 2020, McCarty and Nelson identified and swatted at least a dozen different victims across the country.

Note that 12 of these livestreamed attacks took place in November 2020, a full eight months after Ring rolled out new security measures meant to make it more difficult for people to gain access to customers’ cameras. The by-default 2FA only affected new users. And Ring appeared to add nothing that shoved existing users to better security, meaning there are plenty of exploitable cameras still out there, thanks to Ring’s tireless marketing efforts and extremely tired approach to device security.

Old logins tied to older logins were the attack vector, says the DOJ:

According to the indictment returned Friday afternoon by a federal grand jury in Los Angeles, from November 7, 2020, to November 13, 2020, Nelson and McCarty gained access to home security door cameras sold by Ring LLC, a home security technology company. Nelson and McCarty allegedly acquired without authorization the username and password information for Yahoo email accounts belonging to victims throughout the United States.

Then, they allegedly determined whether the owner of each compromised Yahoo account also had a Ring account using the same email address and password that could control associated internet-connected Ring doorbell camera devices. Using that information, they identified and gathered additional information about their victims, according to the indictment.

Easy enough to do. And even easier to weaponize. It appears the indicted hackers believed they were pretty much untouchable. Not only did they interact with responding law enforcement, their SWATting campaign spanned the nation.

Nelson allegedly accessed without authorization a Ring doorbell camera, located at the residence of the victim’s parents and linked to the victim’s Ring account, and used it to verbally threaten and taunt West Covina Police officers who responded to the reported incident.

The indictment alleges other similar Ring-related swatting incidents occurred in Flat Rock, Michigan; Redding, California; Billings, Montana; Decatur, Georgia; Chesapeake, Virginia; Rosenberg, Texas; Oxnard, California; Darien, Illinois; Huntsville, Alabama; North Port, Florida; and Katy, Texas.

Is this Ring’s fault? No. Not directly. Just because something could be used for nefarious ends doesn’t mean it should be. All culpability for the harms perpetrated in these cases rests with the perpetrators. But if Ring had valued customer security over market expansion earlier, at the very least these horrible human beings would have been deprived of the vicarious thrill of watching their victims be victimized in real time. And that lack of visual thrill might have been enough to reduce the number of attacks, limiting the damage allegedly done by this pair.

Companies: amazon

Comments on “Ring Doorbell Cams Hijacked By Assholes To Provide Live Streams Of SWATtings”

9 Comments
Ben (profile) says:

Re: disagree

The police did actually do their job – they were sent a report of a serious incident occurring, and they showed up to deal with it. In no cases (at least as reported above) did anyone get killed, which is surprising, given how SWATting stories usually seem to go down.
Not only this, but they tracked down, arrested and brought to trial the two people actually responsible.
I know we normally only see stories of bad police action here when they’ve abused someone’s rights, but in this case I don’t think they can be blamed.

tepidtom says:

Re: Re: devs advocate

could be argued that badgering the cops via the ring devices the second they reached the door probably disarmed them a bit in most cases.

what these guys were pointing out in the douchiest way possible is how ridiculous it is that two jagoffs in one week were able to get 12 different houses across the country invaded by jack booted thugs via anonymous phone calls placed to the proper authorities; who can harass, threaten at gunpoint, and kill anyone on the other side of that door with more or less total impunity. justice is not served by simply convicting them, the injustice lies in what they exploited, and who's to say a wiser crew couldn't pull this off at scale anonymously just for the lulz

Jim Duchek (profile) says:

Smart != Cloud

Seems like a lot of posters on here seem to want to blur the difference between “smart” and “cloud” stuff. Yeah, a lot of “smart” appliances are cloud based, but not all, and “smart” doesn’t necessarily have the inherent security problems that “cloud” stuff comes with. You can have a really intelligent, automated home (I do!) without anything phoning home or requiring internet access at all. And it’s pretty nice.
