Privacy Security

Smart Lights, Speakers, Thermostats, Cameras and Other IoT Devices Are Being Increasingly Used as a Means For Harassment, Monitoring, and Revenge (nytimes.com) 174

Smart home devices are supposed to bring convenience to people's lives, but increasingly, their unintended consequences are surfacing, and are being exploited to harass others, an investigation by The New York Times has found. [Editor's note: the link may be paywalled; syndicated source.] From the report: In more than 30 interviews with The New York Times, domestic abuse victims, their lawyers, shelter workers and emergency responders described how the technology was becoming an alarming new tool. Abusers -- using apps on their smartphones, which are connected to the internet-enabled devices -- would remotely control everyday objects in the home, sometimes to watch and listen, other times to scare or show power. Even after a partner had left the home, the devices often stayed and continued to be used to intimidate and confuse.

For victims and emergency responders, the experiences were often aggravated by a lack of knowledge about how smart technology works, how much power the other person had over the devices, how to legally deal with the behavior and how to make it stop. "People have started to raise their hands in trainings and ask what to do about this," Erica Olsen, director of the Safety Net Project at the National Network to End Domestic Violence, said of sessions she holds about technology and abuse. She said she was wary of discussing the misuse of emerging technologies because "we don't want to introduce the idea to the world, but now that it's become so prevalent, the cat's out of the bag."

  • IoC (Score:5, Insightful)

    by dehachel12 ( 4766411 ) on Monday June 25, 2018 @09:03AM (#56841924)
    Internet of Crap. They usually are some cheap things released onto the market without serious security protection (who didn't see THAT coming?). I'll never use them.
    • by sjwest ( 948274 )

      You and I might not use them but our friends at shodan.io will scan for them regardless.

    • by inking ( 2869053 )
      Great for you. This “I will never connect my appliances to the internet” hand-waving reminds me a lot of refusal to use anything but dumb phones in early 2010s and anything but phones wired to a wall in early 2000s.
      • Re:IoC (Score:5, Interesting)

        by b0s0z0ku ( 752509 ) on Monday June 25, 2018 @10:24AM (#56842404)
        Funny thing is that dumb phones and hardwired phones are still better at being phones than many smartphones today. Also, the actually wired phones don't blast your noggin with microwave radiation.
        • Re: (Score:2, Funny)

          by inking ( 2869053 )
          And pigeons are not only warm to the touch, but can also be eaten in case of a famine. Got to be safe and all.
        • Re: (Score:2, Insightful)

          by Anonymous Coward
          Yep, phones 20 years ago had better sound quality and connected faster than the ones we have today.

          Anyone else remember when you'd press buttons on the TV remote and the channel would change instantly? Remember when you'd put a video game in your console, power it on and start playing instantly?

          Tech products are getting worse and worse year by year, but hey, nobody needs a 4 year computer science degree when you can learn to code at a 2-week bootcamp. Because those are totally the same thing.
          • Let's not forget the 10-20 seconds it takes to wake up 3 sleeping monitors because Windows has to re-negotiate HDCP handshakes with each of them, one by one. Made worse by the hellbent-determination of Windows to put monitors to sleep at every possible opportunity... even IF you try disabling that behavior. The next Windows update blows all the changes you made away, and you're back to reading manuals while twiddling the mouse with one hand to trick Windows into thinking it's active.

            Seriously, I think someo

          • Comment removed based on user account deletion
    • Re:IoC (Score:5, Interesting)

      by Solandri ( 704621 ) on Monday June 25, 2018 @10:19AM (#56842374)
      The problem isn't the item or their network capability. These things would be fine if you were only able to access and control them over your LAN. The problem is some idiot thought it would be cool to be able to access them over the Internet. As a result the devices connect to some server on the Internet (no doubt allowing the manufacturer to collect marketing info), waiting for your smartphone app to contact the server and connect to the devices remotely.

      The way they should work is they should never connect to the Internet, and should limit their network activity to your LAN. If you want to control them from outside your home, you should set up a VPN server on your router (many of them come with one built-in now), and use the VPN client on your phone to access your LAN from the Internet, giving you access to those devices.

      Unfortunately, this is beyond the technical capabilities of the vast majority of users, and they don't want to learn how to do it, so we end up with these IoT devices which access the Internet directly. Same reason everyone sells their soul and shares their news and photos on Facebook, instead of setting up their own personal website/blog.
      • by inking ( 2869053 )
        That’s RIGHT! Technology should be as inaccessible and inconvenient as is humanly possible to keep us safe from manufacturing globalists who want to gather data on how their products are used for EXCLUSIVELY nefarious purposes. I take great offense with your proposed solution though. You forgot to mention the most important point: it should be 100 PERCENT GPL-compliant and be so free—really, there is only one kind of “free”; all else is slavery—that even Stallman would be willi
      • Comment removed based on user account deletion
        • by ncc74656 ( 45571 ) *

          The reason this is not possible for the vast majority is because ISPs want to milk the 'limited IP4' addresses as much as possible. Even though I am 24/7 connected and so is everybody else that has a cable or xDSL modem, they still do not hand out fixed IPs, unless you pay a lot of money.

          Most routers support dynamic DNS. If you want your stuff accessible through a domain you control, you can create a CNAME entry on your domain that points to the dynamic-DNS hostname (so that home.example.tld gets redirecte

        • Someone (in France, I think) came up with an entirely reasonable compromise a few years ago -- Carrier-grade NAT with a static shared public IP, and 16-1024 port addresses (out of the 65,535 possible) permanently forwarded to the private IP assigned to each customer. End users configure their router as always (except technically, now double-NAT'ing). The only difference is, ports 1-32768 are shared by everyone sharing the public IP, and only a known range of upper ports gets forwarded to you (say, 49153-501

    • by jythie ( 914043 )
      But.. wireless!... apps!.. things!..
  • When spyware makers don't put security in their systems such that they can't be held responsible for being the only party capable of selling user information. They deserve what they get for using the devices.
  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Monday June 25, 2018 @09:07AM (#56841942)
    Comment removed based on user account deletion
    • The problem is that IoT companies have no vested interest in security. If their devices are used for that, worst case is that the C-levels short their stock, make the announcement, and "mourn" the dead company on the deck of their new ship. The average person in the company has to choose between making deliverables or security... and deliverables are what keeps the badge from being disabled.

      Best way to fix? Don't buy that crap. If you want to buy a $3000 fridge (and have the ability to add a flue and a

      • Do any TVs actually require an always-on connection to display ATSC or HDMI video signals? (!)
  • It didn't make the problem MAD, it made the problem WORSE.

    -Legal.Troll (a /. hero who can't post because of negative karma)

  • by cascadingstylesheet ( 140919 ) on Monday June 25, 2018 @09:24AM (#56842034) Journal
    "It's coming from inside the house!"
  • Internet of Simple Home Invasion Tactics. That's what we need to start calling this. "IoSHIT."
  • Easily duped is not smart.

  • Hate to victim blame, but anyone who buys an IoT thingy and actually plugs it in to the internet is all but asking for it. If it can't do its job not connected, don't buy it, and if it does, don't connect it.
    • Yeah, these IoT devices are so very difficult for anyone in the home to deal with.

      I mean, if you have physical access, it's just waaaaaay too difficult to just unplug/disconnect something without understanding exactly how it works. Probably need a contractor for that...

      • by Mashiki ( 184564 )

        Well some stuff is so leaky it's stupid. Look at the recent bit with baby monitors for example. We're not talking about a lack of passwords, but rather that the devices are so badly designed that any form of protection is easy to bypass, much like all of those "smart locks" that idiots have been pushing.

      • For some of these devices, like thermostats and light switches, it is difficult for people without any experience with circuitry or electronics to replace them.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Monday June 25, 2018 @10:00AM (#56842242)
      Comment removed based on user account deletion
    • by idji ( 984038 )
      The victim didn't buy this stuff, the perp did, installed it, and then left, leaving the victim with unknown tech in the house. So there is nothing to blame the victim for. If "he" installed the internet router and other geek IoT things, how is "she" supposed to know what it is without paying an electrician $100+ to go through and explain what the junk is. "She" knows if she touches anything herself the internet and tv probably stop working.
      This is abuse of secret knowledge by a geek "he" over a non-geek "s
    • Hate to victim blame, but anyone who buys an IoT thingy and actually plugs it in to the internet is all but asking for it. If it can't do its job not connected, don't buy it, and if it does, don't connect it.

      Except in this case if the victim protested they were liable to get punched.

      This isn't a story about devices being hacked. This is a story about abusers installing smart home tech in order to control and monitor their partner.

  • There are always some power-hungry fuckups that do it. At least these here are obvious about it, unlike the NSA, the GCHQ and other groups of no ethics whatsoever.

  • weasel words (Score:5, Insightful)

    by cascadingstylesheet ( 140919 ) on Monday June 25, 2018 @09:38AM (#56842106) Journal

    "Increasingly", "many", "more"

    How many? How do you know?

    It makes a great story, but "many" of these kinds of stories don't have much to back them up, as to the size of the problem.

    It might be helpful to say "X percent of DV cases in {area} in 2017 involved smart home devices" or something.

  • Imagine if a home had a single hub for the smart devices that acts as a VPN server. All traffic between the devices and the Internet would be mediated by that hub. Changing the password or key on the hub would automatically lock out all external devices.

    Compare this to the current paradigm, where there's a cloud provider for each brand of device, with different authentication information for each. It's easily possible to forget to change some of the passwords when someone moves out/is kicked out of your home. Fragmentation is the problem here.

    The traffic would of course be peer-to-peer (i.e. phone-to-hub via Internet) in my paradigm, not going through a bunch of 3rd-party servers to be mined, sliced, diced, and spied upon.

    • And before you say "Dynamic IP", Dynamic IP doesn't require use of a cloud intermediate. Only some type of dynamic DNS service (doesn't literally need to be DNS) to point devices to the right place.
    • I've preferred that model. Have everything communicate via Z-Wave, Bluetooth, or similar to a hub, which is hardened, and has a manifest/profile for every device including what it can talk to (and 0.0.0.0/0 as a netmask is not going to be allowed.) Perhaps 2-3 hubs for redundancy, if that is what is wanted. This way, there is a hardened device doing all the Internet stuff, rather than devices made in the cheapest Chinese factories with software made by the sloppiest, "get 'er done, it builds, ship it" me
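
An added example, not part of any commenter's post or of any hub product: one way a hub could enforce the per-device manifest idea from the comment above, refusing wildcard destinations such as 0.0.0.0/0 and denying everything not listed. Device names, addresses and the prefix limits are constructed assumptions.

```python
import ipaddress

# Constructed sample manifests: device names and networks are hypothetical.
MANIFESTS = {
    "thermostat": {"allow": ["192.168.1.10/32"]},            # hub only
    "camera": {"allow": ["192.168.1.10/32", "0.0.0.0/0"]},   # wildcard entry
    "doorbell": {"allow": ["192.168.1.0/24", "203.0.113.5/32"]},
}

# Assumption: the hub refuses any destination broader than these prefixes.
MIN_PREFIX = {4: 24, 6: 64}


def validate_manifest(manifest):
    """Parse one manifest; return (networks, errors)."""
    nets, errors = [], []
    for entry in manifest.get("allow", []):
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            errors.append(f"{entry}: not a valid network ({exc})")
            continue
        if net.prefixlen == 0:
            errors.append(f"{entry}: wildcard destination is not allowed")
        elif net.prefixlen < MIN_PREFIX[net.version]:
            errors.append(f"{entry}: broader than /{MIN_PREFIX[net.version]}")
        else:
            nets.append(net)
    return nets, errors


def load_policy(manifests):
    """Build the egress policy. A device whose manifest has any error is
    rejected outright (fail closed) rather than loaded with the bad entry
    silently dropped."""
    policy, rejected = {}, {}
    for device, manifest in manifests.items():
        nets, errors = validate_manifest(manifest)
        if errors:
            rejected[device] = errors
        else:
            policy[device] = nets
    return policy, rejected


def flow_allowed(policy, device, dst):
    """Default deny: unknown devices, rejected devices and unlisted
    destinations are all refused."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in policy.get(device, []))


if __name__ == "__main__":
    policy, rejected = load_policy(MANIFESTS)
    for device, errors in rejected.items():
        print(f"rejected {device}: {errors}")
    for device, dst in [("thermostat", "192.168.1.10"),
                        ("thermostat", "8.8.8.8"),
                        ("camera", "192.168.1.10")]:
        print(device, dst, "allow" if flow_allowed(policy, device, dst) else "deny")
```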

  • People have attempted to gain dominion over others since the dawn of time. The whole desire to put everything you own, and everything that monitors yourself, your baby, your food, your laundry, the locks on your door, your car and make it near-public, it is expected that people will abuse the opportunities you offer. This does not mean that the owner is to blame, but it does mean that the owner puts him or herself in a lot of risk. Sometimes that goes wrong... If you roll the dice, you sometimes roll a 1. Is
  • ...and unexpected this is. :-|

  • Yes, there is someone out there making their partner a veritable slave in their home. But we've taken this so extreme you won't actually ever encounter it in life situation and act like it is everywhere and are conflating the idea with hundreds of things that aren't that to create the illusion it is everywhere and women terrified.

    All spouses of all genders have suspicious and paranoid moments and everyone tries to startle others and laughs when they jump sometimes. You and your spouse ARE both entitled to n
    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday June 25, 2018 @10:21AM (#56842382) Homepage Journal

      Yes, there is someone out there making their partner a veritable slave in their home. But we've taken this so extreme you won't actually ever encounter it in life situation and act like it is everywhere

      The easier it becomes to do a thing, the easier it becomes to do an uncharacteristic thing in a moment of weakness. Little girls don't lock their diaries because even they think the lock can't be broken, any more than people lock their front doors because they think their lock can be broken. It's because lots of people will just walk in, and plenty of people will just take something that isn't nailed down. A simple lock that's easily defeated stops the impulsive, if not the determined.

      These systems are so vulnerable that they practically invite snooping. If someone can get into your camera just by googling the stuff written on it, the odds go way up that they will. This is actually true of malicious actors as well as the bored and curious; a notable portion of them are incompetent.

      • "These systems are so vulnerable that they practically invite snooping. If someone can get into your camera just by googling the stuff written on it, the odds go way up that they will. This is actually true of malicious actors as well as the bored and curious; a notable portion of them are incompetent."

        I don't deny that at all. But this isn't about third parties gaining unauthorized access, this is about painting a spouse as an abuser if they access these devices in their own home.
        • Actually, using a home security system to spy on a partner IS abuse. It's a violation of privacy.

          • We aren't necessarily talking about a home security system; there are likely cameras and microphones on a dozen or more devices in your home and dozens of other smart devices that could definitely be exploited to provide insight into movement and activity in the home. An intelligent individual could fingerprint and monitor known activities and usages throughout the home with nothing more than smart monitoring of power usage.

            Privacy violation along with most things can certainly be used as a tool of abuse. It
  • Advice to Victims (Score:4, Insightful)

    by omfglearntoplay ( 1163771 ) on Monday June 25, 2018 @10:08AM (#56842290)

    Unplug the bad device from the network... as in unplug that wire that isn't power. No wire because WiFi?... realistically 99% of the IoT stuff is WiFi, do this to keep it disconnected:

    1. Change the password on your WiFi router, and do not update it on your IoT devices.

    2. If you don't know how to do that, throw away your old WiFi router and buy a new one, which will force you to make a new password.

    • by Anonymous Coward

      Great advice, but how does this help the victims? The vast majority of them will never see such a thing. You're preaching to the choir here. I'd imagine most /. readers are well aware of the dangers of the IoT and have either taken measures or decided they don't care.

      This needs a solution that can be implemented once (or possibly on a political level), rather than one that needs to be implemented in every household in the connected world.

    • by Anonymous Coward

      The IoT device might default to any available open network if it can't find encrypted networks it has credentials for. Local bad actors can take advantage of this by making an open network nearby. IoT devices are terrible in all ways.

  • by Anonymous Coward

    in my house. Ever. Working IT security for years and understanding how this stuff works has put me off of it long before Nest, Echo, Google Home, et al ever made the scene. To knowingly allow blatant spies into your midst is a sign of absolute carelessness. No one needs their house to be "automated" unless they're handicapped. My Honeywell HVAC system is simply good enough. I don't need or want an app to control anything in my home. I don't want or need a "connected" home. Being tethered to my on-call mobile

  • by Anonymous Coward

    as designed. Just ask Google.

    The reality is, the internet and its "things", browsers included, is a heedless goldrush where risk indifferent short sighted megalomaniacs -Jack Dorsey comes to mind as a prototype- inflict socially destructive, pointless services and gadgets on shortsighted people who are having the real consequences of their participation, subscription or purchase systematically and deliberately hidden from them.

    In the end, people will sort it out, vote with their wallets and eyeballs and so

  • Why do you want hackers to control your house?
  • I was responding to this blog post -- especially the conclusion and Marx quote at the end (quoted here):
    "Return of the Slave Society"
    https://thesphinxblog.com/2017... [thesphinxblog.com]
    "... There's a substantial tradition, especially in the nineteenth century, of contrasting ancient slave society with modern capitalism. I always recall the Aristotle quote with which I started from Marx's evocation of it in Das Kapital: foolish Greek, thinking that machinery would lead to a life of leisure, rather than being the surest method

  • Fools bought into all this stuff in the first place with blinders on not even wanting to see that they were just creating more avenues for attacks on their privacy and now you all scream bloody murder over it. I'm laughing so hard I may dislocate a rib.
  • Nothing can be perfect and there always exists a loop hole. Proper coordination between the devices and their security feature is not known to most of the common users.
  • Why is Slashdot suddenly full of luddites?

    My home is full of smart stuff. My fiance has full access to that smart stuff. If she leaves... I can easily revoke her access with one (ok, two) touches of a button in the settings of my iPhone (to revoke her access to Homekit). She won't be able to do anything with my house past that point.

    This has absolutely NOTHING to do with "crappy IOT security"... or any such scare mongering thing. All that's wrong here is that people don't know how their own devices work

    • And furthermore, this article isn't even about the technology being insecure. It's about people abusing their already-granted access to exert power and control over their partner in an abusive relationship.

      I feel like the commenters here just see the term "IoT Devices" and see it as an excuse to get on their holier-than-thou anti-Google/Amazon/Nest/etc soapbox. Guess what? No one gives a crap that you still use a flip-phone and "refuse to have an always-listening microphone" in your house. You're not s
  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Monday June 25, 2018 @01:14PM (#56843396)

    Said it 1.5 years ago [slashdot.org], will say it again.
    IoT is a fad and it will die off pretty soon because of precisely this problem mentioned in TFA.

    Nobody's toaster needs a webserver.
