On Monday, the Department of Justice indicted two men from Wisconsin and North Carolina for gaining access to a dozen Ring surveillance cameras and using them to live stream swattings—placing fake emergency calls to spur an armed police response—in some cases taunting officers using the internet-connected doorbell cameras.
To hack into the Ring surveillance cameras, Kya “ChumLul” Nelson and James “Aspertaine” Thomas Andrew McCarty allegedly acquired victims’ Yahoo email usernames and passwords, determined whether the owners of the compromised accounts had Ring accounts using the same login information, and then took control of their Ring cameras while collecting more information about the owners. From here, prosecutors allege that they placed fake calls to police to try and get cops to swarm homes with Ring surveillance cameras and used the live footage to stream what happened on social media.
Videos by VICE
In one example, on November 8 2020, prosecutors allege that Nelson and an unnamed accomplice were able to gain access to a Ring surveillance camera in West Covina, then placed a fake police call pretending to be a child “reporting her parents drinking and shooting guns inside the residence of the victim’s parents.” Nelson then used the Ring camera to “verbally threaten and taunt West Covina Police officers.” They allegedly continued on with a string of similar hacks happening across 9 other states.
In response to these and other swatting hacks, the FBI issued a public service announcement warning surveillance camera users to ensure their devices were protected with complex passwords along with two-factor authentication to prevent hackers from gaining access.
“Because offenders are using stolen email passwords to access smart devices, users should practice good cyber hygiene by ensuring they have strong, complex passwords or passphrases for their online accounts, and should not duplicate the use of passwords between different online accounts,” the FBI said in its announcement. “Users should enable two-factor authentication for their online accounts and on all devices accessible through an internet connection in order to reduce the chance a criminal could access their devices.”
An even better solution might be to avoid getting a surveillance camera altogether. Not only are they are fundamentally invasive tools used to spread paranoia, terrorize Amazon workers, and normalize increasingly pervasive and ambitious attempts by corporations and police departments to expand private surveillance networks, but there have also been other documented incidents of hackers gaining access to them using, for example, automated password checking tools. Re-using passwords exposed in other breaches only increases the risk for customers.
Nelson of Wisconsin—who’s already in jail for an unrelated case—along with McCarty of North Carolina are being charged with one count of conspiracy to intentionally access computers without authorization, along with two counts of intentionally accessing without authorization a computer and two counts of aggravated identity theft. McCarty is also being charged with a count of conspiracy to intentionally access computers without authorization.