A recent wave of a vicious prank known as “swatting,” in which mischief-makers call 9-1-1 and use special equipment to make it appear as if their phone number is coming from the home of the person they are targeting, is generating nationwide attention.
The hoax, which is not new but has seen significant upticks in incidents of late, gets its name because the perpetrators behind it typically report bogus incidents that are so serious sounding – “There has been a murder” – that they prompt SWAT teams to be dispatched. Victims mostly have been celebrities, but about three months ago, well-known security journalist Brian Krebs also was hit, presumably out of revenge for his cyber crime investigations.
Chester Wisniewski, senior security adviser at Sophos, said that while swatting is vile, its cause is not much different than something most people have accepted as merely a nuisance: email spam. “It all comes back to the same problem,” he said. “We built these systems with inherent trust, but we have no trust.”
He explained that all modern-day telephony networks – whether it's a private branch exchange (PBX) or voice-over-internet-protocol (VoIP) connection – are susceptible. “The identification of the caller is trusted by the recipient and is created by the sender,” Wisniewski said. “As long as we're talking about a digital connection to the phone system, you can send anything you want.”
As swatting becomes more prevalent, state lawmakers have introduced legislation that would stiffen penalties for offenders. But while new laws may offer a deterrent, there's little technically that can be done to prevent the prank.
“Nine out of 10 times we conduct a security assessment on an organization's VoIP implementation, we are able to demonstrate caller ID spoofing,” said Peter Thermos, CTO of Palindrome Technologies, a security services firm. “In fact, in one of the engagements last year, we were able to bounce calls from the internet through a company's VoIP system and impersonate calls originating from California, but we were actually in New Jersey.”
One potential solution is for emergency call centers to implement automatic number identification services, but such initiatives are costly, Wisniewski said. Plus, hackers could still spoof calls by using proxy services, such as TTY, a phone service created for the deaf. This tactic is tempting to swatters because federal laws require that TTY calls remain confidential.