Swatting as a Service

Motherboard is reporting on AI-generated voices being used for “swatting”:

In fact, Motherboard has found, this synthesized call and another against Hempstead High School were just one small part of a months-long, nationwide campaign of dozens, and potentially hundreds, of threats made by one swatter in particular who has weaponized computer generated voices. Known as “Torswats” on the messaging app Telegram, the swatter has been calling in bomb and mass shooting threats against highschools and other locations across the country. Torswat’s connection to these wide ranging swatting incidents has not been previously reported. The further automation of swatting techniques threatens to make an already dangerous harassment technique more prevalent.

Posted on April 17, 2023 at 7:15 AM21 Comments


S Dedalus April 17, 2023 8:09 AM

AI is a sideshow here. The ability to spoof Caller ID and effectively hide behind the curtain of shady VOIP services is 98% of the problem. If you attach a cannon fuse or a washing machine timer, a bomb is still a bomb and if you can smuggle either next to the target with impunity, there is now a marketable service. A lot of problems get solved by adding effective trace functions to the Frankenstein we have made from the POTS. Costs money, but the liabilities associated with complacency are mounting by the month.

AndrzejS April 17, 2023 10:22 AM

Well, I have been thinking that the problem may actually be located a bit earlier in the decision chain, specifically in overreacting to an unsubstantiated anonymous claim in the first place.

Think of it this was: you (I am not America) are mobilizing a paramilitary raid, severely disrupting a random place, literally because somebody on the internet or telephone line said so. There is no proof that anything is amiss in the first place, to justify such intrusive action. Then, what is the caller’s motive? If they wanted to blow the place up, they wouldn’t have called the police in the first place. The obvious aim is specifically to disrupt the place, almost certainly without any bomb being in place to begin with.

I think the correct approach would be to allow some assessment on the forces’ side and stop expecting automatic raiding if there is no reason to really suspect actual threat.

Clive Robinson April 17, 2023 10:23 AM

I was aware that “call in” threats against US Schools had become “common” (more than one every school day) and that actuall events were increasing quite rapidly[1].

Some indicated the FBI were investigating and looking towards a Middle East origin.

I also noted that trying to identify who was behind it would be difficult and suggested that the method Cliffod Stole gave in his book might be the only real clue due to the way emergency number calls and the POTS they are based on work.

This “voice synth” information is new to me, and it suggests that the generator of the calls “is a lot lot closer to home” than was suggested.

Sadly this is a “sour wine in new bottles” problem.

Back in the days of “the troubles” in NI terrorist bomb threats, all though placed by phone, did not use voice but DTMF tones. And whilst “swatting” is a couple of decades old and the more general “threats by phone” go back a century or more, the “new bottles” are,

1, Use of VoIP tech
2, Use of Voice synth

To make the “directing minds” anonymity even harder to unveil.

As I have noted in the past the POTS system even though “circuit switched” has neither security or effective traceability, and was originally designed on an “honour system” of trust…

Worse these issues have been well known since “phone phreaking” well over a half century or more ago and much earlier when dialling was 100% pulse, and phone boxes had the coin counter send line pulses that a fast finger on the hook switch could replicate to get free call time (a trick I learned to use to dial nunbers like the operator because of the high level of phone box vandalism by crowbar to get at the money in the box)…

But it was clear that the telcos cared not a jot as they externalised the risk and still got payed. However in the 1980’s and 1990’s when cellular phone fraud started to actually bite the telcos, belatedly they had to take action because of changes in legislation and regulation that stopped them externalising the risk. Which is why modern mobile phones are less open to fraud.

Thus having Law Enforcment “guns in hand” running into schools will have tragic consequences at some point because they are human and “to err is human”. So these calls are under the US legal WMD rules not just “terrorism” but “use of WMD”…

So maybe we should be asking how the issues should be “fixed” but unfortunately we know that can not be done with the current system or any augmentation to it we can currently think of.

Whilst a new system would reduce this risk but not eliminate it, the loss of privacy entailed we know will be unhealthy for society.

[1] I commented on it the other day and indicated that from available data actuall school shooting events have been rising near exponentially since a low in 2009 which is why the response to any kind of call in is an “all available officers” event.

anon April 17, 2023 12:19 PM

I wonder how long it will be before someone feeds the writings of Brian Krebs to ChatGPT and uses it to send a letter to his local police office to cancel his personal anti-swatting protection.

A Dedalus April 17, 2023 12:39 PM

@Clive: I consider myself a digital civil liberty maximalist and perhaps my imagination is not sufficiently prolific. Can you illustrate some use cases for privacy erosion that is unique to voice call traceability? Any present mobile service subscriber has details reported to called parties, and under e911, there is even more information shared. Handsets not associated with mobile service plans can place 911 calls, but will still be traceable (and theoretically blockable) by IMEI. Land lines are even more constrained. VOIP services through ISPs, telcos and “legit” third parties also implement sufficient KYC to prevent systematic exploitation or at least pose substantial startup and operational expense and complexity. There are numerous point-to-point synchronous voice alternatives that do not permit access to activate emergency services.

So what are your compelling use cases for anonymous access to place POTS calls?

Untitled April 17, 2023 1:02 PM

So what are your compelling use cases for anonymous access to place POTS calls?

Depends what you mean by anonymous. In most countries you can hide your phone number from the other end by dialling a prefix code (*67 in the U.S.) so you’re anonymous from the person you’re calling but not, of course, from the telco.

lurker April 17, 2023 2:27 PM

@A Dedalus
re traceable by IMEI

IMEI is often (usually/always?) stored on flash memory. Think of a number.

S Dedalus April 17, 2023 3:33 PM


blockquote> In most countries you can hide your phone number from the other end by dialling a prefix code



And there are limits available to end users as a check on abuse of this feature. You can block all inbound calls that restrict Caller ID. Callers to toll free numbers are unmasked since the recipient is footing the bill. Pretty sure EMS numbers also unmask. Spoofed caller ID is another matter entirely.

Gunter Königsmann April 17, 2023 3:56 PM

I understand that VoIP services need to fake a local landline connected to a traditional telephone, especially in countries where most telephones are VoIP. But why has it to be this easy to fake any local number without any verification?

Gunter Königsmann April 17, 2023 4:01 PM

@ S Dedalus: You can tell blockin ound calls without caller ID. But at least in Germany it seems to be easy to fake the caller ID: Fraudsters on a regular base call VoIP telephones and make them show the caller ID “110” which is the German version of “911”.

Inez April 17, 2023 4:36 PM

@ S Dedalus,

The ability to spoof Caller ID and effectively hide behind the curtain of shady VOIP services is 98% of the problem.

The article talks about a 9-1-1 call, and makes no mention of anything being spoofed. Why would an emergency call center ever be using caller ID? Wikipedia says they use ANI, which is what I’d expect. Can that be so easily spoofed? (Traditionally, telcos never cared about Caller ID spoofing but did try to stop ANI spoofing, at least on outgoing calls, because that’s what they use for long-distance billing.)

Clive Robinson April 17, 2023 5:05 PM

“Can you illustrate some use cases for privacy erosion that is unique to voice call traceability?”

Not sure if you are asking technical or social erosion.

On the technical side I can use a mobile to place a VoIP call into an Asterix or similar server in a different national telco region. And get the server to drop the call into a POTS with both caller ID’s being removed or set to being fake.

There are services already set up that enable you to do that and a lot more, and there is effectively no trace back across the telco boundry, you get what you are given “on trust” which is worthless.

In part the POTS was set up this way because it stops/reduces telcos cheating each other on charging. Few outside of the industry realise that there are two way charges at every boundry crossing and agreements can have different rates for different types of calls at different times of day.

As for the social side it rather depends on how far you are behind on the “trust curve”. Way to many people trust way to much and that’s how people get hurt or killed (there was a case a day ago where a teenager got shot at the door, and others have been shot through the door they made the mistake of standing next to). The number of people that have been injured or killed due to trusting is going up…

I have as I’ve mentioned before “tinnitus” hearing issues and I don’t answer “unknown” or “witheld” phone calls as standard, likewise I don’t answer calls I don’t know the number of. Even when I know the number I often don’t answer it I wait and then “call them back” and say “sorry I was in the XXX”. On a number of occasions when involved with being involved in sorting out legal issues with Government agencies (OfCom), I’ve found that the POTS was not working as it should and the local “cell site” had the wrong ID and service type.

Why? Because spoofing Caller ID numbers etc is way way to easy to do as is putting in the equivalent ofva stingray or similar. So I have no reason to trust the POTS or Mobile Networks as far as incoming calls are concerned and therefor I don’t trust them.

In fact no more than I trust someone unknown or unexpected knocking on my door or rattling the letter flap etc. In part due to the fact I’m sick and tired of junk being pushed through the door and mail gettibg “pulled back” to be used for identity theft by a criminal from a family of local criminals who stabed me in the head when I caught him trying to break in. Then a while later his moronic brother unhappy about me standing as witness against his screwdriver happy brother then pushed a burning newspaper through the letter box to try to burn my house down as revenge. Unfortubately that’s not the only troubles I’ve had in the past some “absent landlords” of adjacent properties letting out to both drug addicts who went “postal” and others letting to “drug growers” who tried to steal electricity as well as grow their plants in my garden back at a time when I used to travel on long business trips abroad a lot and was away from home for long periods…

So I take precautions like I don’t have a letter box any more and the door is A60 and very solid and there is a sprinkler system above it on both sides.

So I don’t answer or stand close to the door. Which means any unknown or unexpected persons have to walk away from the door into the middle of the garden as I call down at them from an upstairs window and tell them to do so, if they don’t then the sprinkler is easy to turn on… If they don’t get wet, then I tell them they will have to make an apointment by post, and in either case I tell them to get off the property as I regard them as trespassing with intent. If they claim to “have authority” and some idiots do, I’ve a paint bucket on a rope they can drop their “ID” into so I can pull it up and check it safely. By phoning those they claim to have authority from or the local police.

Oddly I don’t get letters to make appointments, from them, so I assume they must have been upto no good.

You might think this is “extream behaviour” but note it’s all been in response to events caused by people who can not be trusted.

The things that have happened to me are increasingly happening to others give it ten years and collect it all won’t be just SigInt agencies any more it will be any “prod-nose” with a bit of spare money. In the US there are warrents for “areas” not “individuals” so everyones phone calls etc are getting “sucked up” examined and retained.

So the way they wilk be naking the system “apparently” more trust worthy will have two effects,

1, Make collect it all less visable and much wider spread.
2, Actually by what is effectivelt propaganda make people less cautious than they should be, thus come to harm.

In the latter case we’ve already seen this happen with LEO’s pushing backdoored “secure phones” at people have a look at EuroChat and similar. Those using them trusted them thus were not cautious or circumspect like they used to be with POTS.

Our host @Bruce had made comment about the progression of attacks from accadrmics down in short order to script kides and the like.

Well those doing surveillance have the same curve, thus it goes from alleged “Serious Organised Crime” to “trying to catch some old age pensioner putting used teabags in the wrong bin” (this has actually happened already).

Peter A. April 18, 2023 8:23 AM

Re: pulse dialing

Many years ago I used to attend a local SF society. There was an office where some members volunteered and took turns answering calls, receiving membership applications etc. Some apparently had been stealing calls, the bills went way up. As a countermeasure, the rotary dial had been ripped off of the phone. I was surprised by the look of it and asked the vice president of the society why it is so, and she told me why. I said it’s not enough and that they shall request the phone company to block outgoing calls instead. She did not believe me. Then I remembered that we just had talked about another member she wanted to talk to but he had to stay home that day. I asked her: do you want to talk to M. now? She said yes. I picked up the phone with a wry smile and tapped his number on the hook, then handed her the handset. She was shocked.

Last time (a couple years ago?) I tried the technique on my landline it still worked. I haven’t retried recently, it’s now connected to a VoIP capable IP router/Ethernet switch/WiFi AP/NAS/DECT telephony base/answering machine/printer server combo box sitting in a dark and tight place.

Clive Robinson April 18, 2023 9:19 AM

@ Peter A.,

Yes many were surprised about the issue, and that it still worked long after DTMF was the norm.

“Last time (a couple years ago?) I tried the technique on my landline it still worked.”

Same here, only it was not a couple of years ago… Last time I looked at the UK regulations pulse dial was still required to be supported on POTS.

Thus I suspect even though POTS is fading, it will remain as long as POTS does, which might be a very long time, because “rural service” still often works better with pulse dialing especially with multi “party lines”. But also other protocols where “flashing” is required, is why that button is still on many DTMF phones…

Alphonse April 18, 2023 2:34 PM

“Same here, only it was not a couple of years ago… Last time I looked at the UK regulations pulse dial was still required to be supported on POTS.”

I don’t know what the actual regulations are, but Bell Canada still bills touchtone dialling as an “extra” service on landlines. Mandatory on any line connected in the last 20-30 years, and not removable if ever added; but, in theory, people with older lines might not be paying for it (and may or may not have to set their phones to pulse mode). That kind of sucks for my grandmother: I convinced her to upgrade her line in the 1990s so I could redial BBSes faster when at her house, and now she’s forever wasting something like $50/year with no benefit.

(My parents ordered the service on the mistaken belief, apparently fueled by phone company advertising, that they needed it to do telephone banking. In fact, I think most non-rotary phones from that era would switch from pulse to tone if you pressed “*”. And of course one could use an external dialer, which could also bypass the “security” of a “non-diallable” phone. But their original line is long-gone anyway.)

vas pup April 18, 2023 7:39 PM

Forgive or forget: What happens when robots lie? +++

“Imagine a scenario. A young child asks a chatbot or a voice assistant if Santa Claus is real. How should the AI respond, given that some families would prefer a lie over the truth?

The field of robot deception is understudied, and for now, there are more questions than answers. For one, how might humans learn to trust robotic systems again after they know the system lied to them?

Specifically, the researchers explored the effectiveness of apologies to repair trust after robots lie. Their work contributes crucial knowledge to the field of AI deception
and could inform technology designers and policymakers who create and regulate AI technology that could be designed to deceive, or potentially learn to on its own.

“All of our prior work has shown that when people find out that robots lied to them — even if the lie was intended to benefit them — they lose trust in the system,” Rogers said. “Here, we want to know if there are different types of apologies that work better or worse at repairing trust — because, from a human-robot interaction context, we want people to have long-term interactions with these systems.”

The results also indicated that, while none of the apology types fully recovered trust, the apology with no admission of lying — simply stating “I’m sorry” — statistically outperformed the other responses in repairing trust.

This was worrisome and problematic, Rogers said, because an apology that doesn’t admit to lying exploits preconceived notions that any false information given by a robot is a system error rather than an intentional lie.

“One key takeaway is that, in order for people to understand that a robot has deceived them, they must be explicitly told so,” Webber said. “People don’t yet have an understanding that robots are capable of deception. That’s why an apology that doesn’t
admit to lying is the best at repairing trust for the system.”

Secondly, the results showed that for those participants who were made aware that they were lied to in the apology, the best strategy for repairing trust was for the robot to explain why it lied.

!!!”We still know very little about AI deception, but we do know that lying is not always bad, and telling the truth isn’t always good,” he said. “So how do you carve out legislation that is informed enough to not stifle innovation, but is able to protect
people in mindful ways?”

Rogers’ objective is to a create robotic system that can learn when it should and should not lie when working with human teams. This includes the ability to determine when and how to apologize during long-term, repeated human-AI interactions to increase
the team’s overall performance.

“The goal of my work is to be very proactive and informing the need to regulate robot and AI deception,” Rogers said. “But we can’t do that if we don’t understand the problem.”

Clive Robinson April 18, 2023 9:24 PM

@ vas pup,

It might just be me, but did you post your above in the thread you wanted to?

As there are a couple of other adjacent or near adjacent threads on AI it could have gone into.

Gabriel April 25, 2023 12:01 AM

Attacks inspired by the Bible are hard to defend against, because they seem sanctioned:

‘And he turned back, and looked on them, and cursed them in the name of the LORD. And there came forth two she bears out of the wood, and tare forty and two children of them.’ 2 Kings 2:24.

Only the cold chains of atheism would bound such a spectre . . .

Junior April 26, 2023 11:37 PM

@Peter A
I picked up the phone with a wry smile and tapped his number on the hook

How do you “tap a number on the hook” on a landline?

Clive Robinson April 27, 2023 5:08 AM

@ Junior, Peter A,

Re : POTS and Pulse Dialing.

Pulse dialing was the original workable way to send the number to be called down the line without using “girls” at switch boards.

Pulse dialing was invented long prior to anything even remotely close to the electronics required to detect tones reliably was invented. The nearest some decades later were a form of an electro-mechanical switch using a mechanical resonator like those found in harmonicas, that had quite a few issues.

It’s around 40 years since I taught trainee telephone engineers so my memory maybe a little rusty in that respect, but the last time I designed an instrument interface was in the mid 1990’s when it was at the point of “just drop in an IC” that fascilitated both pulse and tone dialing[1].

So basically most POTS lines to a customer are a pair of wires that are energized in the exchange by an ~48Volt supply, applied to the wires via two “relay coils” of either 600 or 1200 ohms coil impedence and quite some inductance. The phone pair is actually a twisted pair transmission line of again aproximately 600 ohms impedence (not resistance). In effect the “customer loop circuit” is designed to treat AC and DC seperately. AC is the desired “voice signal” and DC for signalling.

As there is only a single “loop circuit” of unknown length thus resistance which is distantly energised at the exchange, the signalling options are limited to “current signaling” via opening and closing the loop thus the current through the relay coils.

There are three basic currents,

1, Zero open circuit instrument.
2, Maximum short circuit instrument.
3, Operating that is due to the instrument impedence in series with the line.

The “pulse dial” goes by a rotary dial switch in series with the “hook switch” open circuiting the line in rapid pulses.

You would have one pulse for 1 and 10 pulses for 0.

As the rotary dial switch is in series with the hook switch you can simulate the rotary dial by rapidly tapping the hook switch.

All it takes is “practice”.

There is a section on a Wikipedia page that also explains “hook switch dialing” and how attempts were made to stop it with slow hook switches, some European nations webt from 10 pulses per second for dialing to twebty pulses per second which puts hook switch dialing beyond most peoples abilities, but causes all sorts of other issues for the telephone company.

However the Wikipedia page also contains a link to the “Anarchists Cookbook v2000” thus I would advise against clicking on it and why I’ve not provided the link… As it is suspected / suggested / stated by some that such links are “Honey Pots” for various nations security forces including the UK and USA, where under terrorism legislation you can be imprisoned indefinitely for having a copy in your possession or even proof that you looked at it.

[1] The German telco test people would not test the “instrument interface” with any scrutiny if you used a certain well known German manufactures IC and “recommend circuit” from the data sheet. Thus using the chip would save you a lot not just on test fees but time to certification by months. The fact that the German company –like Crypto AG in Switzerland– was later revealed to have had US Inteligence Community funding/ownership as well as control through the BND is a matter of history. But is slightly funny because the company got fined $800million in a bribary scandle at the turn of the century. Bribery of which a significant fraction would have been at the behest of the US IC getting certain equipment into certain countries networks (a crime the US now accuses others nations electronics companies of…).

Australia April 27, 2023 6:42 AM

Thanks for the discourse Clive on old school POTS. Brings back memories of PHRACK ascii ‘zine and phreak boxes of various colours for mimicing tones and accessing BBS’s far away.
I also recall the party trick of hook dialling – why did phone companies attempt to obstruct it?

FYI in Australia all public phones are free to use.
Telstra the criminal company that operates them decided to make them available. I suppose data harvesting from the minimal use they still receive, is their one hope. And cheaper than having them all physically removed. Plus on public safety grounds they realise they must be seen to continue to provide the service. The phone boxes are also Wi Fi hubs.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.