Traditional IoT Security ThreatsSecurity professionals may look at the news from a different lens, that is, by keeping in mind the poor level of security that tends to characterize of the Internet of Things (IoT) including smart home devices like security cameras. Many of these products contain easily exploitable vulnerabilities, including common default passwords. Simultaneously, security researchers’ growing focus on these devices has made more severe vulnerabilities available to a wider audience of hackers. This isn’t mere innocent fun for the security conference stage. There are many IoT botnets that are currently active, engaged in large-scale distributed denial of service (DDoS) attacks or rented out as proxy networks. Probably more worryingly for device owners was the news reported by Motherboard last year that a hacker broke into a Ring camera installed in a children’s bedroom in Tennessee and spoke with one of the children. IoT devices have a deservedly bad reputation when it comes to security, but things are improving. Many manufacturers are taking security more seriously, while around the world, new laws have been written or are being debated to mandate certain IoT security practices while banning insecure ones, such as the use of common default passwords.
Don’t Forget About the Data!Traditional security threats aren’t the only concern for IoT devices. Devices that collect data, such as camera images or location data, typically store this information at a central location somewhere in the cloud. Even if such a server isn’t hackable, it will be a goldmine for law enforcement, governments and intelligence agencies, while the manufacturer may also be tempted to sell the data, possibly in some slightly anonymized form, to data brokers. Here, too, optimists may note that some of this damage could be mitigated. Laws could put high thresholds to both the access and sale of data. Companies could also be pressured into taking a privacy-first approach and limit the amount of data stored centrally in the first place.
IoT Security and AbuseBut, there is a third kind of security risk that is often overlooked and that can’t be as easily mitigated by legislation or better practices: that of an abusive (ex-)partner or stalker. For such an abuser, having access to a security camera, especially one that flies around the house, could give them information on their target they wouldn’t have been able to obtain otherwise. Simply knowing they are home could be enough. In other cases, the knowledge of things they weren’t supposed to know, even if innocent in itself, is used by an abuser in a power game: a lot of abuse is about power. From a traditional security viewpoint, this may seem preventable. The use of strong passwords and, where possible, multi-factor authentication could prevent unwanted access to the account. And one should never let a potential adversary come within close physical proximity to a device. But that ignores the complexities of abusive relationships. For many abuse survivors, it would simply not be safe to exclude the abuser’s access to their devices. Doing so could escalate the abuse and violence. There are also several ways in which intimate relationships are very different from the ‘relationship’ between a traditional malicious cyber-actor and their victim. In a paper published earlier this year, Karen Levy (Cornell) and Bruce Schneier (Harvard) looked at the privacy threat within intimate relationships. They noted, for example, how such relationships are often dynamic. Many abusive relationships start out as normal, healthy relationships in which shared access to devices and services is not only not a problem but often very desirable. A traditional threat model doesn’t consider such dynamic relationships. Another issue is that within relationships, even abusive ones, people often find themselves in the same physical location. Even in bad relationships, shared custody over children might make that necessary. For security, this means that not only the remote threat but also the risk of physical access to change settings or obtain permanent access needs to be considered. The shared knowledge among people who have been in relationships means knowledge-based security questions aren’t always a safe way to keep unwanted people out of accounts. More than two years ago, the New York Times reported on how smart home technology played a role in a lot of instances of domestic abuse. The problem has since gotten worse.
How Cybersecurity Professionals Can HelpThere is no obvious solution to the use of connected devices in abusive relationships. But anyone working with such products, whether as a manufacturer or as a security professional, should inform themselves of the complexities of abusive relationships and understand the role technology plays in them. For this is the privacy threat that could literally cost lives. So what can you, as a cybersecurity professional do, to reduce the likeliness of smart devices being used to enable domestic abuse? First, push IoT manufacturers to not only enable privacy by default but to also make sure that this privacy considers the threat from intimate partners. Secondly, support events like Domestic Violence Awareness month by offering support to those organizations working directly or indirectly with survivors. And thirdly and perhaps most importantly, inform yourself of the complexities of domestic abuse and listen to the stories of survivors.