PORTLAND, Ore. (KTVZ) --This week, the Oregon FBI’s Tech Tuesday segment focuses on building a digital defense against smart home "swatting" attacks.
Nationally, smart home device manufacturers have notified law enforcement that offenders have been using stolen email passwords to access smart devices with cameras and voice capabilities to carry out swatting attacks.
What is Swatting?
Swatting is a term used to describe a hoax call made to emergency services, typically reporting an immediate threat to human life. The goal is to draw a response from law enforcement and the SWAT team to a specific location. Confusion on the part of homeowners or responding officers has resulted in health-related or violent consequences in some other parts of the country. These attacks also pull limited resources away from valid emergencies.
Swatting may be motivated by revenge, used as a form of harassment, or used as a prank, but it is a serious crime that may have potentially deadly consequences.
Offenders often use spoofing technology to anonymize their own phone numbers to make it appear to first responders as if the emergency call is coming from the victim’s phone number. This enhances their credibility when communicating with dispatchers.
How is this version of Swatting carried out?
Recently, offenders have been using victims’ smart devices to carry out swatting attacks. To gain access to the devices, offenders are likely taking advantage of customers who reuse their email passwords for their smart device. The offenders use stolen email passwords to log into the device and hijack features, including the live-stream camera and device speakers.
They then call emergency services to report a crime at the victim’s residence. As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also livestreams the incident on shared online community platforms.
Protection and Defense
If you have smart home devices with cameras and/or voice options, there are a few basic ways to protect yourself:
- Use complex passwords or passphrases for online accounts, and don’t reuse passwords across different accounts.
- Use multi-factor authentication (MFA) for all online accounts and any device that touches the internet. Best bet – don’t use a secondary email address for that secondary layer of authentication. Use a mobile phone number, virtual or physical tokens, or biometric options (such as a face or fingerprint scan).
Next week, we will talk more about how to create strong passphrases without driving yourself crazy.
If you have been victimized in this kind of crime, make sure to file a report with your local police department. If you believe your email or other smart device credentials were compromised, you should also report the incident to the FBI’s Internet Crime Center at www.ic3.gov or call your FBI local office.