A few weeks ago, the technology news site The Verge reported on a new Ring security camera that is actually a drone that flies around your house. The Always Home camera, which will be available early next year, is designed to give homeowners a complete picture of their home without having to use multiple cameras. Those who are afraid of burglary or other suspicious activity may like the idea of being a fly on the wall in every room of the house, even when they are not at home.
Traditional threats to the security of IoT
Security professionals may view the news from a different angle, given the low level of security typically associated with Internet of Things (IoT) devices, including smart home appliances such as security cameras. Many of these products contain simple vulnerabilities, including common default passwords. At the same time, growing attention from security researchers has made important vulnerabilities in these devices known to a larger number of hackers.
It’s not just innocent fun on the security conference stage. Many IoT botnets are currently active, involved in large-scale distributed denial of service (DDoS) attacks or leased out as proxy networks. Perhaps even more disturbing to device owners is Motherboard’s report last year that a hacker broke into a camera installed in a children’s room in Tennessee and spoke to one of the children.
IoT devices have a well-deserved poor security record, but the situation is improving. Many manufacturers are taking security more seriously because new laws have been enacted or are under discussion worldwide that require certain IoT security practices and prohibit the use of insecure passwords, such as common default passwords.
Don’t forget the data!
Traditional security threats are not the only problem with IoT devices. Devices that collect data, such as camera images or location data, usually store this information centrally, somewhere in the cloud. Even if such a server is not hacked, it becomes a goldmine for law enforcement, government and intelligence agencies, while the vendor may also be tempted to sell the data, perhaps in a somewhat anonymized form, to data brokers.
Here, too, optimists may note that some of this harm can be mitigated. Laws can set high thresholds for both access to and sale of data. In addition, pressure can be put on companies to ensure confidentiality in the first place and to limit the amount of centrally stored data.
Security and misuse of IoT
However, there is a third type of security risk that is often overlooked and is not so easily limited by laws or best practices: the risk of an abusive (former) partner or stalker.
For such an intruder, access to a security camera, especially one that flies around the house, could provide information about their target that they otherwise wouldn’t be able to get. Just knowing the target is home can be enough. In other cases, knowledge that the abuser should not have had, even if innocent in itself, is used in a power game: much abuse is about power.
From a traditional security perspective, this may seem avoidable. The use of strong passwords and, if possible, multi-factor authentication can prevent unwanted access to the account. And a potential adversary must not be allowed to be in physical proximity to the device.
But this ignores the complexities of an abusive relationship. For many survivors, it would simply not be safe to deny the abuser access to their devices. Doing so can lead to an escalation of abuse and violence. There are also many ways in which intimate relationships are very different from the relationship between a traditional attacker and their victim.
In an article published earlier this year, Karen Levy (Cornell) and Bruce Schneier (Harvard) examined privacy threats in intimate relationships. They noted, for example, that these relationships are often dynamic. Many abusive relationships begin as normal, healthy relationships in which sharing devices and services is not only not a problem, but often highly desirable. The traditional threat model does not take these dynamic relationships into account.
Another problem is that people in relationships, even abusive ones, are often in the same physical location. Even in bad relationships, joint custody of the children may make this necessary. In terms of security, this means that you have to consider not only the remote threat, but also the risk of physical access being used to change settings or gain permanent access. Because people who have been in a relationship share a lot of knowledge about each other, knowledge-based security questions are not always a safe way to keep unwanted people out.
More than two years ago, the New York Times reported on the role that smart home technology has played in many cases of domestic violence. The situation has deteriorated since then.
How computer and network security specialists can help
There is no obvious solution to the problem of connected devices being used in an abusive relationship. But anyone who works with such products, whether as a manufacturer or as a security expert, must be aware of the complexity of abusive relationships and understand the role that technology plays in them, because this is a threat to privacy that can literally cost lives.
As a cyber security expert, what can you do to reduce the likelihood of smart devices being used for domestic violence?
First, make sure that IoT providers not only guarantee data protection by default, but also take into account the threat from intimate partners. Second, support activities such as the Month of Awareness of Domestic Violence by providing support to organizations that work directly or indirectly with victims. And third, and perhaps most importantly, talk to each other about the difficulties of domestic violence and listen to the stories of survivors.
About the author: Martijn Grooten is a cybersecurity expert based in Europe who wants to give priority to the weakest in the field of digital security. Previously he was editor of Virus Bulletin and now he is a consultant for various organizations. He is a special advisor to the Coalition against Stalker Software and a member of the Civic Sphere laboratory.
Editor’s note: The opinions expressed in this guest post are those of the author alone and do not necessarily reflect the views of Tripwire, Inc.