Hackers have livestreamed police raids on innocent households after hijacking their victims’ smart home devices and making a hoax call to the authorities, the FBI has warned.
It said offenders had even spoken to responding officers via the hacked kit.
It marks the latest escalation of a crime known as “swatting”, in which offenders fool armed police or other emergency responders to go to a target’s residence.
The FBI said there were “deadly” risks.
A fake call about a hostage situation led to police shooting a man in Kansas three years ago, and there have been non-fatal injuries in other cases.
The FBI said it believed the latest twist on the “prank” was able to be carried out because the victims had reused passwords from other services when setting up their smart devices.
Lists of hacked credentials are frequently bought and sold via illegal markets.
And offenders often run the details stolen from one service through others to find where passwords have been reused.
There have also been reports of security flaws in some products, including smart doorbells, which have allowed hackers to steal network passwords and gain access to other smart devices sharing the same wi-fi.
The apps and websites used to set up such products often store the user’s name and address in their account settings in order to offer location-specific services.
“The [perpetrators] call emergency services to report a crime,” the alert issued by the FBI states.
“The offender watches the livestream footage and engages with the responding police through the camera and speakers. In some cases, the offender also livestreams the incident on shared online community platforms.”
The notice does not refer to any specific incident, but there have been related press reports in recent weeks.
In November, NBC News highlighted a case in which police went to a Florida home after receiving a fake 911 call from a man saying he had killed his wife and was hoarding explosives.
When they left the building after discovering it to be a hoax, officers reported hearing someone insult them via the property’s internet-connected Ring doorbell.
In another incident the same month in Virginia, police reported hearing the hacker shout “help me” after arriving at the home of a person they had told might be about to kill himself.
When they questioned the attacker via the device, he claimed to have compromised four different cameras at the location and to be charging others $5 to watch online.
“After this we’ll log out, tell him to change his Yahoo password, his Ring password, and stop using the same passwords for the same [stuff],” the offender was quoted as saying by local news station WHAS11.
A further event was also reported in Georgia in which the attacker shouted racial abuse at his victims after the police stood down, and claimed to have carried out more than a dozen such hacks that day.
Ring has denied its own systems have been compromised. It uses two-step verification, which means device owners can only access their accounts from a new computer if they enter a code emailed or sent to them via text message.
However, if either of those forms of communication are also compromised the user remains vulnerable.
As a consequence, the FBI has advised smart device owners to ensure they provide a different complex passcode to each online service they use.
“Users should also update their passwords on a regular basis,” it adds – although the UK’s National Cyber Security Centre has suggested this additional step itself poses a risk if it encourages people to opt for weaker codes.