Slashdot Mirror


Smart Lights, Speakers, Thermostats, Cameras and Other IoT Devices Are Being Increasingly Used as a Means For Harassment, Monitoring, and Revenge (nytimes.com)

Smart home devices are supposed to bring convenience to people's lives, but increasingly, their unintended consequences are surfacing, and are being exploited to harass others, an investigation by The New York Times has found. [Editor's note: the link may be paywalled; syndicated source.] From the report: In more than 30 interviews with The New York Times, domestic abuse victims, their lawyers, shelter workers and emergency responders described how the technology was becoming an alarming new tool. Abusers -- using apps on their smartphones, which are connected to the internet-enabled devices -- would remotely control everyday objects in the home, sometimes to watch and listen, other times to scare or show power. Even after a partner had left the home, the devices often stayed and continued to be used to intimidate and confuse.

For victims and emergency responders, the experiences were often aggravated by a lack of knowledge about how smart technology works, how much power the other person had over the devices, how to legally deal with the behavior and how to make it stop. "People have started to raise their hands in trainings and ask what to do about this," Erica Olsen, director of the Safety Net Project at the National Network to End Domestic Violence, said of sessions she holds about technology and abuse. She said she was wary of discussing the misuse of emerging technologies because "we don't want to introduce the idea to the world, but now that it's become so prevalent, the cat's out of the bag."

29 of 174 comments

  1. IoC by dehachel12 · · Score: 4, Insightful

    Internet of Crap. They usually are some cheap things released onto the market without serious security protection (who didn't see THAT coming?). I'll never use them.

    1. Re: IoC by NicknameUnavailable · · Score: 2

      Bet you're starting to understand now why the Illuminati allows computer science to move forward but put the breaks on all physics developments attainable without a multi billion dollar particle accelerator.

    2. Re: IoC by Joce640k · · Score: 2

      "Brakes", the word you're trying to use is "brakes".

      https://en.wikipedia.org/wiki/...

      https://en.wikipedia.org/wiki/...

      --
      No sig today...
    3. Re:IoC by dehachel12 · · Score: 2

      > LED lights (dumb variety)
      so, not an Internet of Crap thing ...

    4. Re:IoC by Fly+Swatter · · Score: 2

      In hindsight, CF bulbs were necessary, but really a joke of a product. Only in today's world would a buyer tolerate ten times the purchase price, slow starting, flickering, wrong color, gets dimmer with age, can't be dimmed, needs to be recycled because of mercury, doesn't last as long as claimed, and can't be used in half of the (fully enclosed) fixtures. But hey you saved on electricity!

      LED bulbs learned from all that, even the EnergyStar rating requires much longer warranties because the early CF lifespans were laughable.

      Off topic, but speaking of EnergyStar, modern dehumidifiers are like the old CF bulbs in that they do not last. As they inevitably fail in 1-2 years, the failure mode causes them to burn constant electricity until the owner realizes it isn't doing anything. How can something like this ever get an EnergyStar rating? I'm on my sixth one in 7 years - yea and look it up all the brands are like this.

    5. Re:IoC by 50000BTU_barbecue · · Score: 4, Insightful

      > modern dehumidifiers are like the old CF bulbs in that they do not last.

      I was just at my parent's place and the Electrohome dehumidifier from the 1970s is still in the basement, chugging away.

      It may not be as energy efficient to operate, but considering it was built once almost 4 decades ago and no one needs to buy a new one, I think overall it's ahead of the game.

      It is built so sturdily I can easily sit on it, and the cooling coils are so thick and stiff I can't move them easily.

      Contrast this to the modern one I have in my house, the housing appears to be made from old pie plates and the cooling coil is so flimsy it shakes back and forth just from wiggling the unit.

      --
      Mostly random stuff.
    6. Re:IoC by sjwest · · Score: 2

      You and I might not use them but our friends at shodan.io will scan for them regardless.

    7. Re:IoC by Solandri · · Score: 4, Interesting

      The problem isn't the item or their network capability. These things would be fine if you were only able to access and control them over your LAN. The problem is some idiot thought it would be cool to be able to access them over the Internet. As a result the devices connect to some server on the Internet (no doubt allowing the manufacturer to collect marketing info), waiting for your smartphone app to contact the server and connect to the devices remotely.

      The way they should work is they should never connect to the Internet, and should limit their network activity to your LAN. If you want to control them from outside your home, you should set up a VPN server on your router (many of them come with one built-in now), and use the VPN client on your phone to access your LAN from the Internet, giving you access to those devices.

      Unfortunately, this is beyond the technical capabilities of the vast majority of users, and they don't want to learn how to do it, so we end up with these IoT devices which access the Internet directly. Same reason everyone sells their soul and shares their news and photos on Facebook, instead of setting up their own personal website/blog.
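
A check for the design described in the comment above, as an added example that is not part of the thread: it reads a constructed router flow log and reports any smart device that talks to, or is reached from, an address outside the LAN and the router's VPN subnet. The subnets, device inventory and log format are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed home network layout (hypothetical values, not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN = ipaddress.ip_network("10.8.0.0/24")      # clients of the router's VPN server
IOT_DEVICES = {                                 # constructed device inventory
    "192.168.1.40": "thermostat",
    "192.168.1.41": "camera",
    "192.168.1.42": "smart-plug",
}

# Constructed flow log: "<src> <dst> <dst_port> <proto>"
SAMPLE_FLOWS = """\
192.168.1.10 192.168.1.41 554 tcp
10.8.0.2 192.168.1.40 80 tcp
192.168.1.41 203.0.113.10 443 tcp
192.168.1.42 239.255.255.250 1900 udp
198.51.100.7 192.168.1.41 554 tcp
192.168.1.40 203.0.113.10 8883 tcp
192.168.1.10 203.0.113.99 443 tcp
garbage line
"""

def is_local(ip):
    """True if the peer is on the LAN, the VPN, or a local-scope address."""
    return (ip in LAN or ip in VPN or ip.is_multicast or ip.is_link_local
            or ip == ipaddress.ip_address("255.255.255.255"))

def audit(flow_text):
    """Return {device: sorted list of (direction, peer, port)} for off-LAN flows."""
    findings = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                            # skip malformed lines
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except ValueError:
            continue
        if str(src) in IOT_DEVICES and not is_local(dst):
            findings[IOT_DEVICES[str(src)]].add(("outbound", str(dst), port))
        if str(dst) in IOT_DEVICES and not is_local(src):
            findings[IOT_DEVICES[str(dst)]].add(("inbound", str(src), port))
    return {dev: sorted(hits) for dev, hits in findings.items()}

if __name__ == "__main__":
    for device, hits in sorted(audit(SAMPLE_FLOWS).items()):
        for direction, peer, port in hits:
            print(f"{device}: {direction} {peer}:{port}")
```

Traffic from the VPN subnet and local multicast discovery is treated as in-policy, so only the cloud connections and the direct inbound connection from the Internet are reported.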

    8. Re:IoC by b0s0z0ku · · Score: 4, Interesting

      Funny thing is that dumb phones and hardwired phones are still better at being phones than many smartphones today. Also, the actually wired phones don't blast your noggin with microwave radiation.

    9. Re:IoC by Anonymous Coward · · Score: 2, Informative

      Energy Star is a joke. A gasoline powered alarm clock received an energy star rating.

      https://www.zdnet.com/article/the-strange-story-of-how-a-completely-fake-gas-powered-clock-radio-got-its-energy-star-certification/

    10. Re:IoC by houghi · · Score: 2

      The reason this is not possible for the vast majority is because ISPs want to milk the 'limited IP4' addresses as much as possible. Even though I am 24/7 connected and so is everybody else that has a cable or xDSL modem, they still do not hand out fixed IPs, unless you pay a lot of money.

      That means connecting to your server at home is not easy for many people.

      If people had a fixed IP, this would be a LOT easier. And I mean a LOT. It would cost the ISPs the extra income from companies that now pay for something that is not really needed to be paid for.

      --
      Don't fight for your country, if your country does not fight for you.
    11. Re:IoC by Anonymous Coward · · Score: 2, Insightful

      Yep, phones 20 years ago had better sound quality and connected faster than the ones we have today.

      Anyone else remember when you'd press buttons on the TV remote and the channel would change instantly? Remember when you'd put a video game in your console, power it on and start playing instantly?

      Tech products are getting worse and worse year by year, but hey, nobody needs a 4 year computer science degree when you can learn to code at a 2-week bootcamp. Because those are totally the same thing.

  2. its much worse than that. by nimbius · · Score: 3, Interesting

    As any Slashdotter knows, smart lights, switches, and power relays are poorly regulated and secured.
    If a coordinated attack were to take place against thousands, or millions of these devices,
    they absolutely could be used to shutter an electric grid in under a minute by inducing a triplen wave:

    https://electricalbaba.com/tri...

    --
    Good people go to bed earlier.
    1. Re: its much worse than that. by supremebob · · Score: 2

      The problem is that most people (mostly contractors) usually try to buy the cheapest thing that they find at the Home Depot when they can get away with it. We really need to try to save those people from themselves.

      We already have regulations in place that "dumb" switches aren't allowed to be so poorly made that they can catch your house on fire (no matter how cheap they are), so we should probably have something similar with the "smart" ones.

      Default "abc" or "123" passwords on an IoT device should probably be treated like a faulty ground wire at this point, since they are becoming just about as dangerous.

    2. Re:its much worse than that. by ctilsie242 · · Score: 2

      The problem is that IoT companies have no vested interest in security. If their devices are used for that, worst case is that the C-levels short their stock, make the announcement, and "mourn" the dead company on the deck of their new ship. The average person in the company has to choose between making deliverables or security... and deliverables are what keeps the badge from being disabled.

      Best way to fix? Don't buy that crap. If you want to buy a $3000 fridge (and have the ability to add a flue and a gas connection), buy a fridge that uses natural gas and electric, so your beer stays cold if power goes out. If a TV requires an always-on connection, return it as defective, which it is. By not buying insecure IoT stuff, it helps everyone.

  3. obMovieReference by cascadingstylesheet · · Score: 2

    "It's coming from inside the house!"

  4. Re:Stupid by Fly+Swatter · · Score: 4, Insightful

    > You have 2 competitors and one has no security, they don't sell any products and the bar is raised.
    >
    > Wtf is 2018.

    You are right, it is 2018. So you have 100 competitors and one has security but costs more than the other 99 knockoffs that all came from the same factory. They don't sell any products and go out of business. That is 2018.

  5. weasel words by cascadingstylesheet · · Score: 4, Insightful

    "Increasingly", "many", "more"

    How many? How do you know?

    It makes a great story, but "many" of these kinds of stories don't have much to back them up, as to the size of the problem.

    It might be helpful to say "X percent of DV cases in {area} in 2017 involved smart home devices" or something.

  6. Re:Hate to victim blame by _Sharp'r_ · · Score: 2

    Yeah, these IoT devices are so very difficult for anyone in the home to deal with.

    I mean, if you have physical access, it's just waaaaaay too difficult to just unplug/disconnect something without understanding exactly how it works. Probably need a contractor for that...

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  7. Fragmentation is bad - hubs need to be smarter... by b0s0z0ku · · Score: 2

    Imagine if a home had a single hub for the smart devices that acts as a VPN server. All traffic between the devices and the Internet would be mediated by that hub. Changing the password or key on the hub would automatically lock out all external devices.

    Compare this to the current paradigm, where there's a cloud provider for each brand of device, with different authentication information for each. It's easily possible to forget to change some of the passwords when someone moves out/is kicked out of your home. Fragmentation is the problem here.

    The traffic would of course be peer-to-peer (i.e. phone-to-hub via Internet) in my paradigm, not going through a bunch of 3rd-party servers to be mined, sliced, diced, and spied upon.

  8. Re:Hate to victim blame by Mashiki · · Score: 2

    Well some stuff is so leaky it's stupid. Look at the recent bit with baby monitors for example. We're not talking about a lack of passwords, but rather that the devices are so badly designed that any form of protection is easy to bypass, much like all of those "smart locks" that idiots have been pushing.

    --
    Om, nomnomnom...
  9. Re:Hate to victim blame by worf_mo · · Score: 4, Insightful

    > Hate to victim blame, but anyone who buys an IoT thingy and actually plugs it in to the internet is all but asking for it.

    Not all victims bought or installed the IoT devices in the first place. This is often a case of an abusive person that installs an IoT device in their (ex) home to keep their (ex) partner under surveillance or to harass them.

    FTA:

    > Usually, one person in a relationship takes charge of putting in the technology, knows how it works and has all the passwords. This gives that person the power to turn the technology against the other person.

  10. Re:Hate to victim blame by idji · · Score: 2

    The victim didn't buy this stuff, the perp did, installed it, and then left, leaving the victim with unknown tech in the house. So there is nothing to blame the victim for. If "he" installed the internet router and other geek IoT things, how is "she" supposed to know what it is without paying an electrician $100+ to go through and explain what the junk is. "She" knows if she touches anything herself the internet and tv probably stop working.
    This is abuse of secret knowledge by a geek "he" over a non-geek "she".
    And yes, I know couples where she changes the light-bulbs and he is clueless, because he doesn't know the difference between 20W and 40W and doesn't know which way to screw in the lightbulb (clockwise?? counterclockwise??)

  11. Advice to Victims by omfglearntoplay · · Score: 3, Insightful

    Unplug the bad device from the network... as in unplug that wire that isn't power. No wire because WiFi?... realistically 99% of the IoT stuff is WiFi, do this to keep it disconnected:

    1. Change the password on your WiFi router, and do not update it on your IoT devices.

    2. If you don't know how to do that, throw away your old WiFi router and buy a new one, which will force you to make a new password.

  12. I will never have one of these devices by Anonymous Coward · · Score: 2, Insightful

    in my house. Ever. Working IT security for years and understanding how this stuff works has put me off of it long before Nest, Echo, Google Home, et al ever made the scene. To knowingly allow blatant spies into your midst is a sign of absolute carelessness. No one needs their house to be "automated" unless they're handicapped. My Honeywell HVAC system is simply good enough. I don't need or want an app to control anything in my home. I don't want or need a "connected" home. Being tethered to my on-call mobile phone is bad enough. When I'm home, I want to be away from connectivity as a whole unless I'm gaming.

  13. Re:None in my house, ever by geekmux · · Score: 2

    ...or just install a Clapper...

    Hello Time Traveler! Mind if I call your answering machine and leave a message? I have this cool 5-minute recording of random clapping noises. I keep it on a cassette tape labeled Your Shit was Never Secure...

  14. Re:Stop being ridiculous by drinkypoo · · Score: 3, Interesting

    > Yes, there is someone out there making their partner a veritable slave in their home. But we've taken this so extreme you won't actually ever encounter it in life situation and act like it is everywhere

    The easier it becomes to do a thing, the easier it becomes to do an uncharacteristic thing in a moment of weakness. Little girls don't lock their diaries because even they think the lock can't be broken, any more than people lock their front doors because they think their lock can be broken. It's because lots of people will just walk in, and plenty of people will just take something that isn't nailed down. A simple lock that's easily defeated stops the impulsive, if not the determined.

    These systems are so vulnerable that they practically invite snooping. If someone can get into your camera just by googling the stuff written on it, the odds go way up that they will. This is actually true of malicious actors as well as the bored and curious; a notable portion of them are incompetent.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  15. Re:Hate to victim blame by quantaman · · Score: 2

    > Hate to victim blame, but anyone who buys an IoT thingy and actually plugs it in to the internet is all but asking for it. If it can't do its job not connected, don't buy it, and if it does, don't connect it.

    Except in this case if the victim protested they were liable to get punched.

    This isn't a story about devices being hacked. This is a story about abusers installing smart home tech in order to control and monitor their partner.

    --
    I stole this Sig
  16. IoT is a fad. by Qbertino · · Score: 2

    Said it 1.5 years ago, will say it again.
    IoT is a fad and it will die off pretty soon because of precisely this problem mentioned in TFA.

    Nobody's toaster needs a webserver.

    --
    We suffer more in our imagination than in reality. - Seneca