The 'SWATing' Pranks
Starting around 2002, the increase in use of Internet technology to carry telephone traffic created a new practice: dialing public safety communications center, providing a false telephone number and address, and reporting a crime at a distant location. The practice is just like the age-old prank of ordering a pizza (or 10 pizzas) for someone, but this new style of prank creates an enormous risk for the public safety personnel who respond, and for the innocent homeowners who suddenly are faced with armed police.
The practice has become known as "SWATing," in recognition of the hoped-for response by those making the calls. In most cases, however, a SWAT team does not respond, simply because there's no time to assemble a team before the situation is confronted. SWATing calls are sometimes made individually and without much planning. But an underground culture also grew up around these calls, connected by Internet chat rooms and forums, that explained technically how to make the calls, what to tell the public safety dispatcher, and then would publicize the SWATing call among the group.
Essentially, there is no defense against individual, isolated attacks, although there are methods to mitigate against an all-attack attack. Read on…
Offense
Overall, there have been perhaps 60 incidents where law enforcement has responded after a false call, according to law enforcement officials. There is no real record of these calls tallied by comm centers.
These attacks are not "hacks" or intrusions into the 911 systems themselves, despite media stories that use that word. Since the nation's 911 systems are completely independent and not inter-connected, there is no ordinary way to actually intrude into a distant 911 system using either the local telephone network or the Internet.
Instead, all of the incidents have relied upon establishing a voice over Internet (VoIP) connection between the suspect's computer and a distant telephone network, and then dialing 911 to reach the distant public safety communications center.
The first series of very serious incidents occured in summer 2006 when a group of persons were identified by the FBI and arrested for making a series of 911 calls to PSAPs all over the country, usually reporting a home invasion by armed suspects. In all cases there was a substantial police response, the homes' occupants were confronted at gunpoint, and law enforcement officers never found any suspects at the locations. The FBI arrested suspects in Washington state, California, Ohio, Texas and New York state.
These suspects were charged in Texas, most pleaded guilty during 2007-2008 and were sentenced (read a press release here and here). You can listen to one of the hundreds of calls this group made here, to the Colorado Springs (Colo.) police comm center in 2005, reporting a suicidal gunman holding two hostages.
Update, Feb. 2009: Matthew Weigman, 18, pleaded guilty in a Texas federal court to several federal counts alleging 911 Swatting calls, witness intimidation and fraud. He received a sentence of 11 years in federal prison. Download (pdf) the U.S. Attorney's press release.
A second significant series were identified in late 2006 and early 2007 involving a suspect in Washington state and a victim family in southern California. Randal Ellis was arrested for calling the Orange County (S. Calif) Sheriff's Department from his home in Mukilteo (Wash.), reporting an armed robbery invasion at a home in the town of Lake Forest. The 19 year-old man was tracked down, arrested, charged, pleaded guilty and received three years in prison. The call for which he was arrested was allegedly just one of 194 prank calls he made over two years, law enforcement officials say. (Read story here and here and here).
A third, unsolved incident occurred in Dec. 2007 when the Monterey County (Calif.) comm center received a SWATing call from a man who claimed he was hiding in the closet of a Salinas apartment, and that three men with AK-47s were trying to break in. Dispatchers sent all 15 Salinas officers to the scene, along with a sheriff's deputy, only to find a clueless family. Investigators say a 15 year-old resident had been on-line with a person from Chicago, and had given that person some personal information that the suspect used to target the boy's apartment. In this case police say the suspect used a Skype connection to reach the county comm center, and to "spoof" (falsify) the address and phone number of the family's apartment so it appeared authentic when the 911 call was answered by the dispatcher.
More Info |
Finally, there were several low-level SWATing incidents during 2010 and early 2011, including one where police believe the caller was using a VoIP-spoffed number from a university building to call in street incidents, and one in Wisconsin reporting a hostage, shooting and kidnapping. In August 2010 a male caller talked to a Los Angeles (Calif.) sheriff's dispatcher for 28 minutes, reporting a medical emergency, a shooting and then a hostage situation. Deputies found nothing and the suspect hung up without being identified. (read more, listen to the call).
Police said the suspect sent an on-line message to the teen occupant asking him if he heard sirens. The suspect later called a local pizza parlor and ordered $127 worth of pizzas delivered to the boy's apartment. He also called back the comm center to ask why officers never arrived, but then hung up.
As of mid-2011 there have been no serious consequences from the incidents, although in the Lake Forest incident the homeowner heard noises outside his home, armed himself with a knife and went outside at night to investigate. He was confronted by a heavily-armed force of police officers. Fortunately he was safely disarmed, and police then learned about the SWATing call.
In all these cases the suspect used a VoIP telephone line, and one or more techniques to spoof a phony telephone number and address to the comm center, which is then displayed as ANI/ALI information to the calltaker. At the PSAP, the call appears to be routine, and indeed it is--the call appears to have originated locally, and the ANI/ALI displays a proper telephone number and address.
The victims are either known to the suspect in some manner, usually casually through Internet games or chat rooms, or they are complete strangers, selected randomly (although the suspect may actually have some type of criteria in mind when he/she picks the person or house).
Also check these news stories:
- 2011 - Suspect calls St. Johns County Sheriff's Office (Fla.), say he's had an accident on I-95 and other incidents, used voice-alteration software, FBI investigation traced the calls to Mason Seckar in Milwaukee (Wis.). Case pending.
- 2011 - Suspect called an insurance agent using VoIP, agent dialed 911. Suspect said he was from England, his GPS was broken, his wife was ejected from car during accident near Westwood (Kan.).
- 2011 - An unknown suspect calls Greenville (SC) E911, stays on the line and then dials again to apparently try to tie up several 911 lines at once. An investigation is underway.
Defense
At the moment, there is no technical defense against these VoIP/spoofing attacks for public safety comm centers who receive them. Technically, the VoIP provider simply transports the voice and any of the caller's dialing commands across the Internet, and dumps them into the public telephone system at a distant location. There is no method for the VoIP provider to tag the transmission as coming from a VoIP line (or, for that matter, any method for PSAPs to receive such a data packet with today's technology), or to identify the origin of the call while it's being made.
However, there are investigative methods for identifying the origin of VoIP calls afterwards, although it takes a considerable amount of expertise, time and multi-agency assistance to accomplish. In fact, this seems to be the biggest hurdle in the investigation of these incidents--the anonymity of the caller, a lack of law enforcement contacts at VoIP providers, no phone numbers or e-mail addresses to report such incidents, and lack of resources within VoIP provider companies for investigating these incidents. The U.S. Attorney in the Texas prosecution praised the 40 agencies which cooperated to arrest their suspects--not an unusual number of agencies in these types of incidents.
At the same time, these prank callers are adept at providing enough information to spark a police response, but not enough to identify themselves to the calltaker. The calls are always "in-progress" types of incidents, with the callers saying they saw intruders with guns entering a nearby home, they are holding a hostage, etc. In most cases, even with the best questioning techniques, the calltaker was unable to detect that the call was a prank.
So, here's what's common among the SWATing incidents, all intended to obscure the caller's identify and to provoke a heavily-armed response:
- The caller is using a VoIP connection to make the call, either Skype or any of several other services. They can use a service such as SpoofCard to assume the identify of some other telephone or address when making the call.
- The caller is a witness only, reporting something they just saw, usually several armed people or
- The caller is the suspect, and makes threats to shoot people, and makes complex demands
- The caller describes multiple, heavily-armed suspects
- The caller is very detailed in the descriptions of the suspects and the situation
- The caller is cooperative, giving proper names and addresses (which they've usually researched prior to calling)
The best tactic for handing these calls is the same for handling an authentic call--obtain as much specific information as you can about the caller, the location they're reporting, the people and activity they see, etc. Do not make assumptions about the authenticity of the incident, but simply obtain and document the information, and pass it along to the responding units for their appropriate action.
A dispatcher should also refer to any available databases of information to research the caller, the reported address and any other names. A telephone call to the premise may be advisable in order to avoid a confrontation between armed law enforcement and any innocent occupants of the location being reported. The call should be made at an appropriate time, for example, after officers have contained the premise and have "eyes-on."
Your agency and comm center must have a pre-planned procedure for handling authentic incidents of this type, intended to mitigate the danger to involved and un-involved persons. These same procedures would be just as effective for prank calls.
Investigation
If you discover that call was placed by a SWATing prankster, you should immediately begin a local law enforcement investigation, compiling all the available information about the caller, calls, the reported incident and the public safety response.
You should also immediately involve the FBI for investigative assistance. The FBI is the contact for the regional, multi-agency technical groups that bring together law enforcement and private technology experts, with the expertise, experience and contacts to handle the inter-state tasks that are required to track down and prosecute SWATing suspects.
WIRED Magazine has posted a long article on the culture of telephone hacking and SWATing, which provides great insight into their methods and thinking.
In Sept. 2009 "Rolling Stone" magazine published a long story on Matthew Weigman, who is now serving 11 years in federal prison for his telephone and 911 offenses. The story focuses on Weigman's early years, his family upbringing and how his blindness affected his behavior.
This video new report describes the Dec. 2007 incident in Salinas (Calif.):
This video news report describes the Randal Ellis case:
