So you occasionally re-use passwords? And you didn’t use multifactor authentication for your Ring camera because, well, it just didn’t seem necessary?
LOS ANGELES – Two men – one from Wisconsin, the other from North Carolina – have been charged with participating in a “swatting” spree that, over a one-week span, gained access to a dozen Ring home security door cameras nationwide, placed bogus emergency phone calls designed to elicit an armed police response, then livestreamed the events on social media, sometimes while taunting responding police officers, the Justice Department announced today.
Kya Christian Nelson, a.k.a. “ChumLul,” 21, of Racine, Wisconsin, who is currently incarcerated in Kentucky in an unrelated case; and James Thomas Andrew McCarty, a.k.a. “Aspertaine,” 20, of Charlotte, North Carolina (who at the time of the alleged criminal conduct lived in Kayenta, Arizona), who was arrested last week on federal charges filed in the District of Arizona, are charged with one count of conspiracy to intentionally access computers without authorization. Nelson also was charged with two counts of intentionally accessing without authorization a computer and two counts of aggravated identity theft.
According to the indictment returned Friday afternoon by a federal grand jury in Los Angeles, from November 7, 2020, to November 13, 2020, Nelson and McCarty gained access to home security door cameras sold by Ring LLC, a home security technology company. Nelson and McCarty allegedly acquired without authorization the username and password information for Yahoo email accounts belonging to victims throughout the United States.
Then, they allegedly determined whether the owner of each compromised Yahoo account also had a Ring account using the same email address and password that could control associated internet-connected Ring doorbell camera devices. Using that information, they identified and gathered additional information about their victims, according to the indictment.
Nelson and McCarty allegedly placed false emergency reports or telephone calls to local law enforcement in the areas where the victims lived. These reports or calls were intended to elicit an emergency police response to the victim’s residence, the indictment alleges.
The defendants then allegedly accessed without authorization the victims’ Ring devices and transmitted the audio and video from those devices on social media during the police response. They also allegedly verbally taunted responding police officers and victims through the Ring devices during several of the incidents.
For example, on November 8, 2020, Nelson and an accomplice accessed without authorization Yahoo and Ring accounts belonging to a victim in West Covina. A hoax telephone call was placed to the West Covina Police Department purporting to originate from the victim’s residence and posing as a minor child reporting her parents drinking and shooting guns inside the residence of the victim’s parents.
Nelson allegedly accessed without authorization a Ring doorbell camera, located at the residence of the victim’s parents and linked to the victim’s Ring account, and used it to verbally threaten and taunt West Covina Police officers who responded to the reported incident.
The indictment alleges other similar Ring-related swatting incidents occurred in Flat Rock, Michigan; Redding, California; Billings, Montana; Decatur, Georgia; Chesapeake, Virginia; Rosenberg, Texas; Oxnard, California; Darien, Illinois; Huntsville, Alabama; North Port, Florida; and Katy, Texas.
This series of swatting incidents prompted the FBI in late 2020 to issue a public service announcement urging users of smart home devices with cameras and voice capabilities to use complex, unique passwords and enable two-factor authentication to help protect against swatting attacks.
An indictment contains allegations that a defendant has committed a crime. Every defendant is presumed innocent until and unless proven guilty beyond a reasonable doubt.
If they were to be convicted of the conspiracy charge in the indictment, each defendant would face a statutory maximum penalty of five years in federal prison. The charge of intentionally accessing without authorization a computer carries a maximum possible sentence of five years, and the charge of aggravated identity theft carries a mandatory two-year consecutive sentence.
The FBI is investigating this matter.
Assistant United States Attorney Khaldoun Shobaki of the Cyber and Intellectual Property Crimes Section is prosecuting this case.
Source: U.S. Attorney’s Office, Central District of California
For more details on this case, read Brian Krebs’ post, “Hacked Ring Cams Used to Record Swatting Victims.”