Perhaps its time to take a cue from industry and add a mandatory e-stop button to these things.
In this case an "i-stop". A local press of this little red button (with a standard, well recognized symbol) disables all remote network features of a device, rendering it dumb again.
This button must be out-of-band. It physically disables networking hardware so a software hack to backdoor around it is impossible.
You can't design-out abuse potential. There are reasons you'd want these devices to not be trivial to disable, such as security devices (which have been around decades), or from people who don't have the right to turn them off (kids you may be monitoring). Put a PIN on it, and we're right back where you started because the abuser just won't give them the PIN.
Even if you did have devices with such a hard stop switch: Abusers wouldn't buy them. There's millions of IoT devices out there, they've existed since the early 1980s, and even if you were to pass a law in the US, other countries would still sell devices they could use. Throw the fact that it's trivial for an abuser to build their own from off the shelf parts in for good measure.
It may be impossible to completely design-out abuse potential, but it's still possible to reduce it. Security devices could remain active for a while after someone tries to disable them. Children can't disable devices you put out of their reach.
I also doubt that abusers wouldn't buy devices they can't use for abuse. In most cases I'd expect them to buy whatever is available on the market and only later realize their abuse potential. The fraction of abusers who know how to build such devices themselves is also likely vanishingly small. So if the default is for IoT devices to have a local killswitch, most installed devices will have a local killswitch.
There is no technological solution to all bad people, but there are technological solutions that deprive the vast majority of the opportunity to abuse them.
You absolutely can design things to minimize their abuse potential. Just because nothing can be 100% effective, doesn't mean it's not worth the effort. This is like arguing we shouldn't have seatbelt warning indicators just because someone could find a workaround.
Any security camera can be trivially disabled with a piece of cardboard. Just tape over the camera. Any microphone can be trivially disabled with water.
I don't see what your point is. Every IoT device needs an off switch. A home security camera, of course, can and should emit a warning with it is disabled.
And as discussed by the article, disabling the equipment can make the abuse worse. Nothing's more likely to put someone in a homicidal rage like "I poured water on your expensive microphone".
Under other names, absolutely. X10 home automation devices actually started showing up at Radio Shack in 1978. Now there's newer protocols, Insteon, Z-Wave, and ZigBee, and obviously, the capabilities of the hardware and the ease in which consumers can set them up has improved. But this isn't really new at all.
You might also think about a proprietary form of IoT devices that have been around a long time: Security systems are more or less proprietary IoT networks, and have very much merged with the home automation scene. You can see ADT, Comcast, etc. all selling proprietary connected home solutions now, but most of the underlying hardware is pretty much the same.
While there's probably people who'll meaninglessly nitpick about whether those things count as the "I" part of IoT, that's a pointless distraction.
I fly FPV quadcopters, and I remember back when I got my first 5GHz video setup, and put a high gain antenna on the receiver in my workshop at home, and hit the autotune button - it hopped around showing me snippets from a bunch of my neighbour's baby monitors and doorbell cameras. Plain unencrypted 5GHz video, and when I looked on the 2.4GHz band, even more there too. (this was 4-5 years back, and things have changed since then - so I see fewer plain video streams these days, but I still see signals which are almost certainly similar devices, and I'll bet if I cared it'd turn out to be relatively trivial to google up "secret keys" to those probably-homebrew-encrypted streams, and worse I'll bet the Mirai source code probably shows me how to p0wn many of those devices...)
People 100% have been putting technology in their houses with little or zero knowledge of how it works and the consequences on their privacy dictated by the security design, and never considering those possible consequences in the purchase decision and buying based on features and rice only. Connecting those non-security-focused devices to the internet is insane - but it's exactly what vendors are selling everywhere - as evidenced bu the power on the Mirai botnet...
I've said this before on other topics (new social network projects).
If you don't consider how your internet-thingie-service will handle/moderate abuse from the outset, your planning is fundamentally broken, and you will effectively be enabling abusers and harassers.
Proper security can often not be bolted onto products like this after-the-fact. Trying to ship a "minimum viable product" in the hardware space is extremely irresponsible, particularly if (like many IoT things) you have no facility for updating devices remotely.
Please please, if you have a partner installing these things in your home, have them show you:
1) How they installed it
2) Where the product's support is, and how to contact them
3) How to uninstall/remove/destroy it (also useful if the robot overlords take over the world)
I doubt many of the partners even want to know those details.
I know when I installed smart switches in our house, my wife didn't want to know any details other than "Which button do I press to turn all lights on and all lights off?" She didn't even want the controller app on her phone, she just texts me if she's out and thinks she forgot to turn the lights off or if she wants me to check in on the dog on the camera.
If I got hit by a bus and she had to remove it all, she can call an electrician.
In any case I doubt an abuser will want to tell his spouse how to disable everything.
I am really surprised at the amount of voice control units my security conscious friends have installed. I find them offensive. Sure we all want our house to be the starship enterprise, but it's not, it's a house. IoT means just another out of date linux box. I'll stick to using keys for my door.
I mean you could do these things properly. Have the voice control live on the device entirely without internet connection, make it absolutely clear when the device is listening at all etc. But that's not what these companies want to provide, because they want to capture dat sweet sweet data and the bulk of consumers don't care enough.
For me it just seems totally unnecessary. I can't find anything severely wrong with a light switch or a key and no amount of useless convenience is going to convince me to part with my money. That said, I was a caretaker for a disabled guy through college and can't imagine how much better IoT devices make life for people such as him.
I've heard alexa is huge for people with dementia. Checking the day/time. Pill reminders. Managing lights, music, etc. For people with disabilities, I think it's great. I wish it wasn't tied to an ad machine, but whatever.
People that are able bodied however, I don't think it's even that effective at managing lights, music, or whatever. It's mostly the novelty of arguing with a robot.
I'm perfectly able-bodied and I use my Echo almost exclusively to play music now, after having done it through stereos for decades. It's just easier (usually -- classical music is awful). I don't think I want it to control my lights or anything, but for weather, music, and alarms it's been great.
A lot of it is pretty gimmicky right now, granted, but that's not where things are going. The logical conclusion this is all heading towards is really all about coordination of device/thing across the household. Convenience is really at the heart of it, which means for a percentage of the population, it won't ever catch on, because as you say, there's nothing WRONG with a physical key for your house.
But we said the same about cars, but how much more convenient is it to just put your hand on the car door handle, and it unlocks and opens for you? How much easier is it to just get into the car and hit a button to start it because the key fob is in your pocket?
They're small improvements of quality of life, but added up, and it makes for a better experience moving through the world.
Security is a HUGE issue of course, and to a large extent we need to figure it out, but there's good progress being made. And IoT devices aren't (as another comment says) just another outdated Linux box. OTA (over the air) updates are a real thing now, and done securely are as safe as updating your desktop machine at home.
/me Looks at probably the only two devices from an entire production run from a startup in 2013 that're still getting updated.
I built the private ARCH pacman repo for these, and the GPG signed OTA software update mechanism running on the devices. I'm _still_ proud of it.
When the startup failed the hosting bills didn't get paid and the domains became "assets for sale" by the liquidator. Even though I'm still updating/securing things for my devices, I have no way to share those updates to the customers we sold em to...
Tell that to my sous vide. I've got an IoT litter box too. I'm aware of the problems, but I try to keep the number of extraneous IoT devices down and isolating them on my network. Just because some people are doing it well now, doesn't mean they all do. Most of it is a zigbee+arduino and a gnarly software stack.
Nope. August smart locks and Hue smart lights will continue accepting Bluetooth commands from previously-authorized clients while in offline mode.
There are only two viable choices:
1) Logout and/or factory reset all devices.
2) Delete the online accounts associated with all devices.
I recommend both, as otherwise there are edge cases where unsafety could remain.
Disclaimer: I did #2 when I left a long-term partner (along with a complete list of all credentials that needed to be rotated or disabled), both to be able to provide her absolute certainty that I could not somehow spy on her consummating her affair, and to ensure that I could not be placed into legal jeopardy by either of them as punishment for knowing that he existed at all. There is a serious legal risk if you retain access after moveout. Do not permit that risk to impact you.
While not perfect, it still helps. The threat from an abusive ex with internet access is a lot larger than an abusive ex within bluetooth range.
I maintain a version of your "complete list of credentials" professionally - and every time I've left a job I've supplied that list saying: "Here are the company-related credentials to which I've had access. This list is best-effort and may not be complete. Please respond acknowledging I've advised you to change these and any other credentials I've ever had access to."
The bridge only permits authorized LAN clients. Pairing requires using the physical “confirm” button in the center of the bridge itself. Being on the same LAN is not sufficient.
EDIT: Oh, yes, you’re right about the “it’s not Bluetooth” nitpick, for whatever good that is to this conversation :)
The article calls this out to an extent. The problem here, is if you unplug it, the abuser knows, and often then physical retribution, or at least abuse escalation can occur. It's a VERY difficult problem to solve IMO.
At least being on equal footing with everyone in the household so it's not seen as an avenue of control (which most domestic abuse scenarios are all about) would be a great first step.
If there is one to be found, the solution to this is not going to be a technical one. Local switches and use of passwords can still be monitored or disabled. Tape on cameras will attract retribution. You literally cannot beat the house at its own game.
In a few states I'm aware of, if you commit any form of domestic abuse and deprive the victim access to a phone, it's a separate charge. It can't/doesn't stop it from happening but it disincentivizes it by making the punishment worse.
I suspect a lot of this IoT nonsense will eventually attract the same riders. A documented history of remotely tampering with locks or lights, blasting heat in the summer and blaring music at full volume in any context will eventually become factors in a case of abuse.
They can already be factors in a case of abuse today; it’s simply that few people know how to inspect and legally request the service access logs for their devices’ online services.
I agree with this. I think the real solution is going to be to rewrite laws to account for digital abuses. This is still true not just domestically, but a lot of the large criminal actions don't take into account digital equivalence. They're catching up, slowly but surely, but it's definitely a slow process.
If you're in a relationship where you fear retribution for turning off an annoying gadget, then the relationship is already abusive, and it's time to get out. The gadget is not the problem
Some people don't have the power to leave an abusive situation (children).
Source: spent my entire childhood in a domestic abuse and domestic violence situation.
Also abusers often work very hard to make it difficult for the abused to leave: make them quit their job, cut off their outside social ties, make them pregnant against their will, etc.
Victim shaming isn't acceptable. Sorry. You're blaming the person being abused for not leaving. There's a MULTITUDE of reasons (as other comments have already stated) that people aren't enabled to get out of an abusive relationship.
Yes, this seems like an important aspect of safety and trust in the home. Each partner and family member should know how the devices around them work and can be used.
The issue is that domestic abuse is one of the main drivers of technology adoption in the first place. E.g. look at the studies of consumer adoption of beepers and cell phones.
> domestic abuse is one of the main drivers of technology adoption in the first place. E.g. look at the studies of consumer adoption of beepers and cell phones.
Citation?
As someone who lived though both pager and cell phone adoption curves, your assertion sounds highly suspect and doesn’t match any market research I’ve ever seen. The earliest mass adopters of pagers were physicians and surgeons (high income on call demographics) followed by drug dealers (ditto) and then teenagers as the price dropped. Cell phone early adopters were heavily biased towards high wage adults who were fearful of breaking down on the road at night and needing assistance (early cell phones would fit under the seat of a car with the handset near the dash or in the glove compartment but were too big to fit in a briefcase or purse). I’m pretty sure you’ve bought into some made up revisionist urban legend here.
> The earliest mass adopters of pagers were physicians and surgeons (high income on call demographics) followed by drug dealers
That's why I specifically said consumer adoption. Doctors and drug dealers had good economic reasons for buying cell phones. But considering that the earliest cell phones were up to $10,000 inflation adjusted and weren't even remotely good, there were only a handful of non-business use cases for buying them for your family members.
Mizuku Ito's book Personal, Portable, Pedestrian has a good overview of cell phone adoption and usage patterns. And there have been papers about cell phones being used for partner stalking for decades, e.g.:
Or for a more recent example, look at the uproar over Facebook instituting their Real Names policy because of how many people were using the site to stalk former intimate partners, among other issues.
The uproar over the Real Names policy had nothing to do with stalking former partners. It was about transgendered and queer individuals not wanting to be forced to use their legal/birth names rather than their transitional/post-transition names, and politically active individuals in oppressive countries not wanting to be publicly identified by their legal names on a publicly accessible website.
People could send hatemail and death threats in the mail before landlines existed. Sure, technology makes it easier to send anyone anything but progress has been made to make certain things more private. You can block someone on facebook or heavily lock your profile down to be invisible anyone but friends. You can block numbers easily on phones now. Encrypt your phone or computer (by default now!) to prevent people from installing tracking apps or spyware. You can use things like whatsapp to talk without the cell carrier recording phone numbers. GPS trackers are still an issue, I can't think of any way to get around that other than using a GPS jammer which is illegal and wouldn't block a tracker that uses cell towers as well. Cell phones and pagers used to be just as dumb as a landline, they receive everything and track everything but you can stay much more "off the grid" while still remaining in contact now.
Ah, come on. It's time to get real about all the Spencer Gifts level of bells and whistles added to all this technical garbage, as a convenience upsell.
Luxury items are exactly that. A luxury. When everything is perfect, a luxury is wonderful.
But luxuries are suicidal to retain, in a crisis scenario.
The problem with the mindset of staple-gunning Specer Gifts luxury mode convenience onto practicalities of critical infrastructure, is that you wind up with a UV flourescent black light fire extinguisher. Which is awesome, if you're playing lazer tag in a party time glow-bowl bowling alley, while listening to Laser Floyd's Wall at the planetarium. But we're selling radical day glow fire extinguishers to regular people, for daily use, in the home, to Kmart shoppers.
This shit has nothing to do with domestic violence. It has to do with priorities, and graceful degradation. None of these special smartphone app convenience bonuses degrade gracefully, so that the core functionality may be retained, while stripping out the extra technical fluff of packet switched, TCP/IP, GSM 4G LTE, broadband wi-fi global availability, so that you can bounce your playlist off a router attached to satelite phone at a sub-station in antarctica for two factor authentication, because the QT library for the UI had a bug forcing you to turn it off and then back on again, so you can log back in, and change the channel on your smart TV with your phone without having to get up from the couch to find the remote control, because blu ray disks won't let you use the play button to watch the movie, and only the remote has the OK/enter button, and none of the buttons on the set-top-box player will start the movie.
It would seem prudent for devices that include WAN remote management features to include some kind of prominent 'manual/local mode' switch to silently disable remote management where practical, for cases where victims might face retribution for disabling it, or simply if an account has been compromised.
Unfortunately this doesn't seem to be a consideration to manufacturers. Even if they are meant to work offline, this is going to be the least-tested path. IIRC there have been cases with certain internet-enabled thermostats failing to do the core thing (regulate the temperature) because they couldn't phone home.
The solution if you want something without such surprises is to work with open or semi-open devices (e.g. can be controlled by your own home automation server) that don't just magically connect to the internet and just work.
The problem with this is that using your own home automation server requires a degree of knowledge not readily found in the population at large, and can in many cases give even more control to the partner who installed it over an internet-of-things solution.
It does seem to me that a lot of home automation devices are marketed as being about being able control things that were operated by a switch by a remote control that can work from another country, rather than about better regulating light or heat or security. Perhaps some people see such tools as they are marketed as a way to gain power over others.
By definition, disabling remote management will be visible to the attacker. But a recording hub that can prove an attacker did things would be possible to deploy undetectably.
Digital locksmiths who can update a home network and cloud footprint are now a feature of middle class life; most divorce lawyers know one or two.
And don't forget the cars. You'd be surprised at how small a gps tracker can be. And cars with on-board compute power can do funky things like use the backup cameras to watch the surrounding area...
I appreciate the constructive idea about what device makers could actually do to help, rather than just bringing our hands. If you have any others, I'd be interested to hear what you think would help.
Though now that I think about it a bit more, it treads a fine line between being a back door for monitoring activity, though maybe you could log something super limited like when an account initiated a remote action, without recording anything about what the action was.
For a thermostat, it would likely not be immediately visible to the attacker unless they cross-reference their smart energy meter readings. It might possibly escape detection for lights, doorbells and music depending on the degree of video/audio surveillance.
The key part of the original post is to SILENTLY disable the remote interface. This only leaks if there are two devices (a thermostat and temperature sensor) that don't know about each other or the other's secret offline status.
With a doorbell, the assumption is that the app would be made to show 'ringing doorbell' when the doorbell is actually offline and silent - not as presently implemented where the Internet of Shit app doesn't have any fault handling and simply HTTP GETs {"doorbell":"ring"} and discards the response.
Same for the thermostat, as for the Android privacy APKs that show bogus location data, white noise from the mic, bogus contacts, or the inside of a lens cover from the camera to apps that request those permissions needlessly.
Abuse survivors/advocates have been warning about this for years. I'm glad it's going mainstream so the people who make them will hear and think about how to make them less dangerous.
My opinion on this remains chiefly that IoT devices like any other powerful tool can be used for good or evil. This weekend, I set automation up for my grandma to help her remain living independently longer.
My smart home software is currently single user in design, but I'd likely have to make changes when I share my home. But chiefly, I don't believe in abusing power technology grants me: If there was a separation, I'd sever any control of devices that they kept and make sure they were able to get into them.
At the end of the day, the solution to technology being used by domestic abusers is to get rid of the domestic abusers.
Unfortunately, a lot of what our tech can be used to abuse or dominate others. This article mentioned "smart" thermostats, locks, and lights. Another tech is cell phones. Cell phones have information about where a person is, and even, with some apps, what audio is in the environment. Unfortunately, all mainstream security models assume physical security. When that assumption is violated, all our security and encryption falls flat.
I've seen comments that the first thing women's shelters do when sheltering domestic abuse victims is 86 their cell phone.
Personal note, had thought at one time of making a private lojack for cars. Personal meaning it just responds to transmission from a remote device without going through a server. Handy when someone steals your car in SF. But that seemed way too useful to a wife beater for my comfort level.
What does it mean to “86 your cell phone”? I am aware that Star-8-6 is the number to retrieve voicemail on some networks. Is “86ing” just switching a phone off?
The attack surface was always the biggest reason not to install IoT crap, but it's 10 times worse when the adversary isn't just someone random trying his luck from a faraway locale, but rather someone who has or used to have physical access, ownership, the admin password etc and is specifically targeting you.
A notion I'm thinking over is the root meanings of near and far, and the implications of mediated experience.
Near is a cognate of nigh, whose superlative is next: "The Old English progression was neah - near - niehsta, for "nigh - near - next." Things which are near share borders, or cross few borders. Or, from close, are confined within a common border or boundary.
I'm reading through a collection of Greek and Roman myths (H.A. Grueber, 1907), and it comes to mind that the Greek god of messengers -- that is, of intermediate agency, media, distance -- was also a the trickster god: Hermes (Mercury).
Which brings us back to the Times piece, and the subject of which maany of us form our livelihoods.
Digital gadgets give the illusion of immediateness, nearness, and simplicity, but in truth they are too often complex, rely on remote capabilities, and may respond to many masters.
Drawing in one more allusion, driving victims mad by regulating environmental ssystems was a key plot device of R.A. Heinlein's The Moon is a Harsh Mistress (1966).
> "Near is a cognate of nigh, whose superlative is next"
Wow, that makes a number of things in English and other languages make more sense ("[as] the next person" in one of your links, the superlative -ste in German "nächster", the former Icelandic restaurant "Á Næstu Grösum", and the Portuguese "próximo!" to summon the person at the front of a line).
Sorry other readers didn't like your etymological excursion; it reminds me of Lewis Thomas after he got ahold of a PIE reference (maybe the American Heritage Dictionary). Maybe people didn't feel it was relevant enough?
It’s not relevant in the slightest to the horrible ethical void in software engineer (except as an example of the kind of petty fussiness that is more welcomed than ethics & how it crowds out actual concerns which affect real live humans right now)
If you realise that adding complexity -- software, hardware, networks, sensors, service contracts -- all serve to increase distance and indirection, you have a frame for seeing potential problems, such as those highlighted by the article.
I'm not sure if the same frame offers particular ways out of those problems, or if it largely serves to say "don't go there". I'm still thinking on that.
As for etymologies, I'm finding them fascinatiing for uncovering root meanings and similarities between concepts. I'm also impressed by how many terms related to information, truth, trust, etc., are profoundly physical in their origins.
I don't know that this will prove useful. It's quite interesting, though, to me at least.
Some of his columns (I guess in the NEJM) were reflections on etymology, and then he apparently published an entire book about it called "Et Cetera, Et Cetera".
But in light of language change, I'm not sure that using these observations to form an argument -- especially at the kind of distances that exist between PIE and English -- will escape being accused of the etymological fallacy. Maybe if I re-read some of those Lewis Thomas essays, I might be concerned at the size of some of the historical leaps. There's that famous story that a king praised the design of St. Paul's Cathedral as "amusing, awful, and artificial" (although apparently there's only strong evidence for the "artificial" part).
I'm not so interested in making an argument about how language ought be used today as three other major objectives:
First, to understand how we got here. Looking back at either the evolution of words, or the relationships between words, of topics of current significance.
Second, to understand older language and writing in the meanings of its time. Words shift. The word perfect meant, in the late 18th / early 19th century, not "flawless", but "fully developed", a distinction that's particularly critical in looking at discussions of biology and evolution. The term "art" (or artifice) for example, today might mean or carry connotations of deception, but in the 17th century would have a far stronger sense of craft.
Another phrase with an interesting evolution is sophisticated, originally meaning "adulterated" or "perverted", now meaning "worldly" or "advanced". That shift occurred principally ~1930 - 1950, a date from which I've several dictionaries, showing the shift. A friend turned up the earlier sense from an 1880s dictionary. The word pollution has a markedly different connotation today than it would have even a century ago. And the etymology of vodka is (retrospectively) obvious and amusing.
Combine this with use of Google's Ngram Viewer to trace the prevalence of words (or phrases) in usage, and evolution of language becomes even more fascinating. The modernity of a tremendous number of contemporary concepts is stark -- and I'm excluding the information-technology field. The 1930s, 50s, and 70s in particular seem to be watersheds, especially for terms about or concerning economics and politics or political issues (areas on which I've somewhat focused). The number of pat phrases which are unabashadly political, say, "Rugged Individualism* (February, 1928, Herbert Hoover).[1]
There's the case of an editorial war over British and U.S. editions of an encyclopaedia I turned up a ways back, concerning the concept of "free trade", showing a certain evolution of meaning and/or acceptance:
Third, there's looking at notions which today are so infused with their present meaning that we're much as David Foster Wallace's fish contemplating water: "what's water?" The terms typically used in physics are one set ("mass" comes from "barley cake", as an example), and concepts of truth, trust, knowledge, understanding, and communication quite particularly, as mentioned above. Some economic terms as well -- monopoly as an example:
As it not only says in the original article, but also in many of the comments, you can't just do that because the abuser knows if you've superseded their control, and abuse can escalate into physical if that action is taken.
We should focus on what we as technologists and developers can do. There are features that can mitigate the potential for abuse in IoT devices, and we are the ones who have to care enough to make these features exist. Things as simple as clearly labelled and positioned reset buttons, or more advanced features like access monitoring (even physical lights or indicators that show remote access or surveillance) are all things that can help with this problem. We can't stop people from being abusive, but we can stop them from abusing the things we make.
In this case an "i-stop". A local press of this little red button (with a standard, well recognized symbol) disables all remote network features of a device, rendering it dumb again.
This button must be out-of-band. It physically disables networking hardware so a software hack to backdoor around it is impossible.
IOT goes haywire? Just hit the i-stop.