SAN FRANCISCO – The influx of connected products in the home – from smart thermometers to connected locks – presents a disturbing new threat surface for victims of domestic abuse.
That’s what Lisa Green, senior director of operations at Independent Security Evaluators, is warning conference-goers at RSA on Thursday, during a session that highlighted unique IoT issues that can lead to real-world privacy attacks.
When it comes to domestic abuse in general, Green told Threatpost, most people don’t think of the security, privacy and other implications of their connected devices during a breakup.
But, “say your significant other is the one who registered the account and registered the password,” she said. “After a bad breakup, they could change the locks on your door – and without your credentials, the provider wouldn’t reset the password for you. It leaves victims in a bind.”
It may come as no surprise that many Internet of Things devices have a striking lack of security that could lead to precarious situations for end users.
In July, fitness device maker Polar Flow suspended the Explore tracking feature on its mobile app after researchers discovered profile and geolocation data of high-ranking military personnel and “spies” that were being exposed to the public on its network.
In February, the European Commission issued a recall for a popular smartwatch for children, citing “serious” privacy issues that could allow a bad actor to track or communicate with kids remotely.
Many of those flaws extend to the smart home: Just this month, researchers discovered a serious flaw in the popular Ring smart doorbell that could allow an attacker on a shared Wi-Fi network to spy on families’ video and audio footage.
Consumer spyware has also been a huge problem for years, with cases of abusive partners placing spyware on computers or mobile devices, or stealing passwords to check in on victims. But the IoT presents a different issue: Not only can domestic abusers spy on their partners, but they can also launch an array of malicious attacks – from turning off the air conditioning during a hot day to unlocking a door.
“With IoT, everything is considerably much more difficult in domestic abuse situations,” said Christopher Boyd with Malwarebytes in a post. “A lot of IoT tech is incredibly insecure because functionality is where it’s at; security, not so much. That’s why you see so many stories about webcams beamed across the Internet, or toys doing weird things, or the occasional Internet-connected toaster going rogue.”
Making these cases more difficult, many connected devices are shared in a home by two partners – so if they break up, and the abuser set up the password, they don’t need much to break into the IoT device.
Unfortunately, the issue is not yet top of mind for IoT device manufacturers and lawmakers, Green said. In fact a research paper from University College London (UCL) on IoT devices and domestic abuse found that tech-abuse is currently not a factor in the risk assessment of victims for law enforcement or women’s shelters – but it should be.
“More education and awareness is needed about what the devices can do and what harmful things could happen,” said Green. “When you think of domestic abuse, you think it’s physical or mental – but messing with people’s livelihoods through their devices is not something you usually think about.”
However, end users can take steps to ensure that their IoT devices are locked down during a nasty breakup, said Green.
“Any IoT device you get, always have access to the password, even if you have a joint account,” she said. “Don’t let anyone else set up their device for you. And if you go through a breakup, treat all your devices like they’re compromised.”
For all Threatpost’s RSA Conference 2019 coverage, please visit our special coverage section, available here.