Stolen email passwords are being used to hijack smart home security systems to “swat” unsuspecting users, the Federal Bureau of Investigation warned this week. The announcement comes after concerned device manufacturers alerted law enforcement about the issue.
Swatting is a dangerous prank where police are called to a home with a fake emergency.
By accessing a targeted home security device an attacker can initiate a call for help to authorities and watch remotely as the swat occurs. The FBI points out that by initiating a call for help from the actual security device lends authenticity and anonymity to the hacker.
Requests to the FBI for the specific manufacturers were not answered. However, the device category often is found to be insecure.
“Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks,” The FBI’s public service announcement read. “To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers.”
In the past, the bad actors would spoof the numbers to make the call appear as if it were coming from the victim, the FBI explained. This new iteration makes the call directly from the compromised device.
“They then call emergency services to report a crime at the victims’ residence,” the FBI statement continued. “As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.”
Live Streaming Swatting Attacks
Live streaming swat attacks isn’t new. Last December, the publication Vice reported on a podcast called “NulledCast” which live streamed to the content sharing platform Discord an incident where criminal actors hijacked a Nest and Ring smart home video and audio to harass them in all sorts of creepy ways.
One incident captured showed a man talking to young children through the device in their bedroom, claiming to be Santa.
“In a video obtained by WMC5 courtesy of the family, you can see what the hacker would have seen: A viewpoint that looms over the entire room from where the camera is installed in a far corner, looking down on their beds and dressers while they play, Vice reported last year. “The hacker is heard playing the song ‘Tiptoe Through the Tulips‘ through the device’s speakers, and when one of the daughters, who is eight years old, stops and asks who’s there, the hacker says, ‘It’s Santa. It’s your best friend.'”
Vice also reported finding posts on hacker forums offering simple Ring credential stuffing software for as little as $6.
By Feb. 2020, Ring had rolled out an added layers of security beyond its already mandatory two-factor authentication, including requiring a one-time six-digit code to log on, alerts when someone logs onto the account and tools to control access by third-party service providers which could also be breached.
Ring is also preparing to roll out end-to-end video encryption, originally due by the end of the year.
“With End-to-End Encryption, your videos will be encrypted on the Ring camera, and you will be the only one with the special key (stored only on your mobile device) that can decrypt and view your recordings,” the Sept. 24 announcement read.
More Harm Than Help?
Just this month, an assessment from NCC Group of second-tier smart doorbells including brands Victure, Qihoo and Accfly, found vulnerabilities rendered these devices more harmful than helpful classified the popular gadgets a “domestic IoT nightmare.” Top-flight smart home security brands Ring, Nest, Vivint and Remo were not included in the review.
The report detailed undocumented features, like a fully functional DNS service in the Qihoo device; digital locks that could be picked in a snap because their communications were not encrypted; and shoddy hardware which could easily be tampered with by criminals.
“Unfortunately, consumers are the victims here,” Erich Kron, security awareness advocate at KnowBe4 told Threatpost. “A trend I am happy to see among consumer devices is the requirement to set your own complex password during device setup, rather than having a default one set at the factory.
Kron added Ring’s MFA implementation, along with its other protections is a “step in the right direction.”
While applications like Ring continue to work to keep their customer data safe, if customer email accounts are compromised, bad actors can easily grab 2FA and other verification codes and breach both accounts. That means it is up to individual users to take control of their privacy with strong password and basic security hygiene practices.
“Any organization that sells devices that have the kinds of privacy impacts such as always-on video cameras or devices that are always listening for commands, has an obligation to provide a reasonable amount of education to their customers,” he said. “The consumer device field is extremely competitive, and purchases are often based on a price difference of a couple of dollars or less. We must understand that adding any additional security features that are not required for every manufacturer can impact the price and therefore the organization’s bottom line. Because of this, we must be reasonable with our expectations from the manufacturers.”
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!