Law enforcement agencies in the US have reported increases in swatting attacks. Swatting refers to a hoax call being made to the police that reports a violent crime in progress at the home of a swatter’s victim. The hoax call often results in armed response units (SWAT) breaking into innocent people’s homes to apprehend a fictitious assailant, sometimes with a deadly result. Swatting originally came into the public domain in 2005 when Matthew Wegman reported a hostage incident that resulted in a SWAT team breaking into a young woman’s home. An FBI investigation into the incident discovered that Wegman called the police because his victim had refused to take part in phone sex with Wegman days earlier (Kibbe, 2019).
Why inflict swatting on other people?
Swatting often includes footage from a hijacked Internet of Things (IoT) home surveillance device. Footage is uploaded to the Internet so that others can view the outcome of the hacker’s activities.
The most worrying outcome of Swatting is its potential to become a very deadly activity: On 28th December 2017 Casey Viner, made a hoax phone call to Wichita Police claiming to be a gunman who had killed his father and was holding his mother at gunpoint. Wichita Police sent an armed response team to the “gunman’s address” and shot Andrew Finch (the innocent victim of the ‘prank) dead after he opened his front door. Later investigation found that Finch and Viner had argued over events in a recent game of Call of Duty, resulting in Viner’s swatting prank. Viner was sentenced to 20 years for his part in the death of Finch in 2019 (Wired, 2019).
How often does swatting really happen?
The FBI has reported that swatting was becoming more commonplace with insecure IoT devices. NordVPN discovered that unencrypted communication between Ring devices and the ring application makes it possible to conduct a man-in-the-middle hijacking session on the device. NordVPN state that some devices have not only allowed hackers to see people in their own home but have allowed them to talk to their victims and the police via the IoT device. Users have also reported that they were able to log into their account with a previously used password even if two factor authentication was enabled suggests that the security in Ring is flawed (NordVPN, 2019).
So what can be done to stop swatting?
To tackle swatting IoT developers must address security vulnerabilities as a matter of urgency because by not doing so they supply the means for misguided and malicious hackers to carryout their swatting pranks resulting in emotional and in some cases physical harm to their victims.
It has also been argued that users enable hackers to gain access to their devices by using weak passwords and by using the same password for different personal accounts. It is important that users of IoT ensure they only use any password once, make them long and complex and manage their passwords via a password vault.
IoT developers should also take some responsibility in the management of passwords by enforcing the use of long and complex passwords and ensuring login portals remember at least 24 earlier passwords. If possible, an IoT product should also add routine password ageing and two factor authentication (2FA) to the account profile. Given the gravity of the outcomes of swatting it is important that responsible IoT service providers and their customer’s take responsibility to protect people from this awful crime.
For practical advice on how to secure IoT read Practical Internet of Things Security: Design a security framework for an Internet connected ecosystem by Drew Van Duran