Stolen email credentials are being used to hijack home surveillance devices, such as Ring, to call police in the US with a fake emergency, then watch the chaos.
They are being used to hijack smart home security systems to “swat” unsuspecting users, the Federal Bureau of Investigation warned this week. The announcement comes after concerned device manufacturers alerted law enforcement about the issue.
Prank
‘Swatting’ is a dangerous prank where police are called to a home with a fake emergency.
“Swatting may be motivated by revenge, used as a form of harassment, or used as a prank, but it is a serious crime that may have potentially deadly consequences,” the FBI statement explained
Home Security Device
By accessing a targeted home security device an attacker can initiate a call for help to authorities & watch remotely as the swat occurs. The FBI points out that by initiating a call for help from the actual security device lends authenticity & anonymity to the hacker.
Requests to the FBI for the specific manufacturers were not answered. However, the device category often is found to be insecure.
“Recently, offenders have been using victims’ smart devices, including video & audio capable home surveillance devices, to carry out swatting attacks,” The FBI’s public service announcement read.
E-mail Passwords
“To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device & hijack features, including the live-stream camera & device speakers.”
Previously the bad players would spoof the numbers to make the call appear as if it were coming from the victim, the FBI explained. This new version makes the call directly from the compromised device.
Victims’ Residence
“They then call emergency services to report a crime at the victims’ residence,” the FBI statement continued.
“As law enforcement responds to the residence, the offender watches the live stream footage & engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.”
Live Streaming Attacks
Live streaming swat attacks is not new. IN Dec. 2019, the publication Vice reported on a podcast called “Nulled Cast” which live streamed to the content sharing platform Discord an incident where criminal players hijacked a Nest & Ring smart home video & audio to harass them in all sorts of strange ways.
One incident captured showed a man talking to young children through the device in their bedroom, claiming to be Santa!
Viewpoint
“In a video obtained by WMC5 courtesy of the family, you can see what the hacker would have seen: A viewpoint that looms over the entire room from where the camera is installed in a far corner, looking down on their beds & dressers while they play, Vice reported last year.
“The hacker is heard playing the song ‘Tiptoe Through the Tulips‘ through the device’s speakers, & when one of the daughters, who is 8 years old, stops & asks who’s there, the hacker says, ‘It is Santa. It is your best friend.’”
Hacker Forums
Vice also reported finding posts on hacker forums offering simple Ring credential stuffing software for as little as $6.
By Feb. 2020, Ring had launched an added layers of security beyond its already mandatory 2-factor authentication, including requiring a one-time 6-digit code to log on, alerts when someone logs onto the account & tools to control access by 3rd-party service providers which could also be breached.
Ring is also preparing to roll out end-to-end video encryption, originally due by the end of the year.
“With End-to-End Encryption, your videos will be encrypted on the Ring camera, & you will be the only one with the special key (stored only on your mobile device) that can decrypt & view your recordings,” the Sept. 24 announcement read.
More Harm Than Help?
Just this month, an assessment from NCC Group of 2nd-tier smart doorbells including brands Victure, Qihoo & Accfly, found vulnerabilities rendered these devices more harmful than helpful classified the popular gadgets a “domestic IoT nightmare.” Top-flight smart home security brands Ring, Nest, Vivint & Remo were not included in the review.
The report outlined undocumented features, like a fully functional DNS service in the Qihoo device; digital locks that could be picked in a snap because their communications were not encrypted; & shoddy hardware which could easily be tampered with by criminals.
Victims
“Unfortunately, consumers are the victims here,” Erich Kron, security awareness advocate at KnowBe4 explained. “A trend I am happy to see among consumer devices is the requirement to set your own complex password during device setup, rather than having a default one set at the factory.
Kron added Ring’s MFA implementation, along with its other protections is a “step in the right direction.”
While applications like Ring continue to work to keep their customer data safe, if customer email accounts are compromised, bad players can easily grab 2FA & other verification codes & breach both accounts. That means it is up to individual users to take control of their privacy with strong password & basic security hygiene practices.
Listening for Commands
“Any organisation that sells devices that have the kinds of privacy impacts such as always-on video cameras or devices that are always listening for commands, has an obligation to provide a reasonable amount of education to their customers,” he commented.
“The consumer device field is extremely competitive, & purchases are often based on a price difference of a couple of dollars or less.
We must understand that adding any additional security features that are not required for every manufacturer can impact the price & therefore the organisation’s bottom line. Because of this, we must be reasonable with our expectations from the manufacturers.”
2021
Cyber News Group wish all their readers, delegates & event viewers a much happier, and a cyber-safe New Year!
https://www.cybernewsgroup.co.uk/virtual-conference-january-2021/
