The US has no central system for recording SWATting attacks, but there is growing evidence the problem is going from bad to worse.
According to The New York Times, the latest victim was Instagram CEO Adam Mosseri, whose houses in New York and San Francisco were surrounded in early November by heavily armed SWAT (Special Weapons and Tactics) teams after hoax phone calls claimed hostages were being held there.
After what is described as “tense, hours-long standoffs” the police realised there were no hostages and so the incident was filed along with the lengthening list of SWATting hoaxes the media has reported on.
But that’s the power of a successful SWAT. Once the wheels of response are in motion, it can be hard for the authorities to distinguish a real incident from an imaginary one designed to intimidate and harass.
The motive for the attack? The newspaper speculated that it was probably Instagram’s recent crackdown on political content which violates its rules, fuelled by a dark web awash with the contact numbers and home addresses of prominent executives.
Tech companies, including Facebook, have become such a regular target for SWATting that a growing number of companies have reportedly had to brief executives who they believe might be targeted.
Things are so bad that registries of at-risk individuals have reportedly been drawn up in at least one US city so local police can check first before sending out SWAT teams.
From prank to DoS
SWATting seems to have gone viral around 15 years ago, driven largely by gamers getting back at rivals. For the most part it was written up as a largely harmless prank, albeit a huge waste of policing resources.
Then a man whose address police had been sent to as part of a gaming wager was shot and killed and the penny finally dropped – suddenly SWATting wasn’t harmless after all.
SWATting has also been used to attempt to silence and intimidate journalists – as Brian Krebs found out in 2017 – and even senior US politicians.
Interestingly, SWATting has recently evolved beyond the idea of targeting the homes of individuals to take on entire transport systems and schools, as was the case in a 2018 incident that targeted a United Airlines flight.
The authorities must now be worried that SWATting is rapidly turning into a viable type of denial-of-service (DoS) attack on physical assets that could, like its internet equivalent, turn into an economic drag.
Heading this off will mean addressing underlying weaknesses that make SWATting possible, starting with the eagerness with which US police forces send heavily armed officers to attend incidents without checking whether that’s necessary.
It hasn’t escaped attention that SWATting is largely a US phenomenon, aided by the devolved nature of policing in the country, which gives police forces leeway over the criteria set for armed response.
Naturally, there have been moves to make punishments tougher but this will never be a solution on its own – it’s simply too easy to spoof calls from anywhere in the world, so many culprits will remain hard to trace or beyond the reach of US laws. Closing that hole requires technical solutions that could take years to come to fruition.
For individuals at least, there is a simpler solution – make it harder for SWATters to find YOU by being more careful about keeping home addresses and phone numbers private.