Hacked home cams being used to livestream police raids
January 8, 2021 |
The Internet of Things, with gadgets and devices previously stand alone now connected to the internet, has always been blighted by vulnerabilities to cyber attack. The stories of baby monitors being hacked and taken over by criminals or just garden variety creeps are legion and have passed into cyber security folk lore. Invariably the cause of the hack of a baby monitor is down to the usual problems with any form of security involving a device connected to the internet with some specific issues involving videos; poor security of wireless routers, no or a lousy password for the monitor (often factory settings are left in place), reusing stolen credentials, default log ins and easy to access settings and not updating or patching software as and when required.
The BBC reports that the hackers have, disturbingly, gone further than standard interference with a device. Hackers goes beyond accessing home cameras of a residence and now engage in swatting, where they contact or otherwise get police or other emergency responders to go that residence and film the resulting fracas. This development is covered by the BBC in Hacked home cams used to livestream police raids in swatting attacks.
The article provides:
Hackers have livestreamed police raids on innocent households after hijacking their victims’ smart home devices and making a hoax call to the authorities, the FBI has warned.
It said offenders had even spoken to responding officers via the hacked kit.
It marks the latest escalation of a crime known as “swatting”, in which offenders fool armed police or other emergency responders to go to a target’s residence.
The FBI said there were “deadly” risks.
A fake call about a hostage situation led to police shooting a man in Kansas three years ago, and there have been non-fatal injuries in other cases.
Shouted insults
The FBI said it believed the latest twist on the “prank” was able to be carried out because the victims had reused passwords from other services when setting up their smart devices.
Lists of hacked credentials are frequently bought and sold via illegal markets.
And offenders often run the details stolen from one service through others to find where passwords have been reused.
There have also been reports of security flaws in some products, including smart doorbells, which have allowed hackers to steal network passwords and gain access to other smart devices sharing the same wi-fi.
The apps and websites used to set up such products often store the user’s name and address in their account settings in order to offer location-specific services.
“The [perpetrators] call emergency services to report a crime,” the alert issued by the FBI states.
“The offender watches the livestream footage and engages with the responding police through the camera and speakers. In some cases, the offender also livestreams the incident on shared online community platforms.
“The notice does not refer to any specific incident, but there have been related press reports in recent weeks.
In November, NBC News highlighted a case in which police went to a Florida home after receiving a fake 911 call from a man saying he had killed his wife and was hoarding explosives.
When they left the building after discovering it to be a hoax, officers reported hearing someone insult them via the property’s internet-connected Ring doorbell.
In another incident the same month in Virginia, police reported hearing the hacker shout “help me” after arriving at the home of a person they had told might be about to kill himself.
When they questioned the attacker via the device, he claimed to have compromised four different cameras at the location and to be charging others $5 to watch online.”
After this we’ll log out, tell him to change his Yahoo password, his Ring password, and stop using the same passwords for the same [stuff],” the offender was quoted as saying by local news station WHAS11.
A further event was also reported in Georgia in which the attacker shouted racial abuse at his victims after the police stood down, and claimed to have carried out more than a dozen such hacks that day.
Ring has denied its own systems have been compromised. It uses two-step verification, which means device owners can only access their accounts from a new computer if they enter a code emailed or sent to them via text message.
However, if either of those forms of communication are also compromised the user remains vulnerable.
As a consequence, the FBI has advised smart device owners to ensure they provide a different complex passcode to each online service they use.
“Users should also update their passwords on a regular basis,” it adds – although the UK’s National Cyber Security Centre has suggested this additional step itself poses a risk if it encourages people to opt for weaker codes.