
Thermostats, Locks and Lights: Digital Tools of Domestic Abuse - xbryanx
https://mobile.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html
======
noonespecial
Perhaps its time to take a cue from industry and add a mandatory e-stop button
to these things.

In this case an "i-stop". A local press of this little red button (with a
standard, well recognized symbol) disables all remote network features of a
device, rendering it dumb again.

This button must be _out-of-band_. It physically disables networking hardware
so a software hack to backdoor around it is impossible.

IOT goes haywire? Just hit the i-stop.

~~~
ocdtrekkie
You can't design-out abuse potential. There are reasons you'd want these
devices to not be trivial to disable, such as security devices (which have
been around decades), or from people who _don 't_ have the right to turn them
off (kids you may be monitoring). Put a PIN on it, and we're right back where
you started because the abuser just won't give them the PIN.

Even if you did have devices with such a hard stop switch: Abusers wouldn't
buy them. There's millions of IoT devices out there, they've existed since the
early 1980s, and even if you were to pass a law in the US, other countries
would still sell devices they could use. Throw the fact that it's trivial for
an abuser to build their own from off the shelf parts in for good measure.

There is no technological solution to bad people.

~~~
dannyw
You absolutely can design things to minimize their abuse potential. Just
because nothing can be 100% effective, doesn't mean it's not worth the effort.
This is like arguing we shouldn't have seatbelt warning indicators just
because someone could find a workaround.

Any security camera can be trivially disabled with a piece of cardboard. Just
tape over the camera. Any microphone can be trivially disabled with water.

I don't see what your point is. Every IoT device needs an off switch. A home
security camera, of course, can and should emit a warning with it is disabled.

~~~
ocdtrekkie
And as discussed by the article, disabling the equipment can make the abuse
worse. Nothing's more likely to put someone in a homicidal rage like "I poured
water on your expensive microphone".

~~~
toss1
right, so being able to disable the microphone without destroying it, by
pressing the little red button, would be quite useful in this instance.

------
fake-name
I've said this before on other topics (new social network projects).

If you don't consider how your internet-thingie-service will handle/moderate
abuse _from the outset_ , your planning is fundamentally broken, and you will
effectively be enabling abusers and harassers.

Proper security can often not be bolted onto products like this after-the-
fact. Trying to ship a "minimum viable product" in the hardware space is
extremely irresponsible, particularly if (like many IoT things) you have no
facility for updating devices remotely.

------
GabeWeiss_
Please please, if you have a partner installing these things in your home,
have them show you:

1) How they installed it 2) Where the product's support is, and how to contact
them 3) How to uninstall/remove/destroy it (also useful if the robot overlords
take over the world)

~~~
lozaning
Or at a minimum know where/what your modem is. Unplug that bad boy and all
your IOT stuff goes back ot being things, not of the internet.

~~~
floatingatoll
Nope. August smart locks and Hue smart lights will continue accepting
Bluetooth commands from previously-authorized clients while in offline mode.

There are only two viable choices:

1) Logout and/or factory reset all devices. 2) Delete the online accounts
associated with all devices.

I recommend both, as otherwise there are edge cases where unsafety could
remain.

Disclaimer: I did #2 when I left a long-term partner (along with a complete
list of all credentials that needed to be rotated or disabled), both to be
able to provide her absolute certainty that I could not somehow spy on her
consummating her affair, and to ensure that I could not be placed into legal
jeopardy by either of them as punishment for knowing that he existed at all.
There is a serious legal risk if you retain access after moveout. Do not
permit that risk to impact you.

~~~
jpindar
Hue lights are controlled by their bridge via Zigbee, not directly from a
client via Bluetooth.

Without an internet connection, they can still be controlled by a client that
is on the same LAN as the bridge.

~~~
floatingatoll
The bridge only permits authorized LAN clients. Pairing requires using the
physical “confirm” button in the center of the bridge itself. Being on the
same LAN is not sufficient.

EDIT: Oh, yes, you’re right about the “it’s not Bluetooth” nitpick, for
whatever good that is to this conversation :)

------
jumper_F00BA2
Ah, come on. It's time to get real about all the Spencer Gifts level of bells
and whistles added to all this technical garbage, as a convenience upsell.

Luxury items are exactly that. A luxury. When everything is perfect, a luxury
is wonderful.

But luxuries are suicidal to retain, in a crisis scenario.

The problem with the mindset of staple-gunning Specer Gifts luxury mode
convenience onto practicalities of critical infrastructure, is that you wind
up with a UV flourescent black light fire extinguisher. Which is awesome, if
you're playing lazer tag in a party time glow-bowl bowling alley, while
listening to Laser Floyd's Wall at the planetarium. But we're selling radical
day glow fire extinguishers to regular people, for daily use, in the home, to
Kmart shoppers.

This shit has nothing to do with domestic violence. It has to do with
priorities, and graceful degradation. None of these special smartphone app
convenience bonuses degrade gracefully, so that the core functionality may be
retained, while stripping out the extra technical fluff of packet switched,
TCP/IP, GSM 4G LTE, broadband wi-fi global availability, so that you can
bounce your playlist off a router attached to satelite phone at a sub-station
in antarctica for two factor authentication, because the QT library for the UI
had a bug forcing you to turn it off and then back on again, so you can log
back in, and change the channel on your smart TV with your phone without
having to get up from the couch to find the remote control, because blu ray
disks won't let you use the play button to watch the movie, and only the
remote has the OK/enter button, and none of the buttons on the set-top-box
player will start the movie.

------
WiseWeasel
It would seem prudent for devices that include WAN remote management features
to include some kind of prominent 'manual/local mode' switch to silently
disable remote management where practical, for cases where victims might face
retribution for disabling it, or simply if an account has been compromised.

~~~
olefoo
By definition, disabling remote management will be visible to the attacker.
But a recording hub that can prove an attacker did things would be possible to
deploy undetectably.

Digital locksmiths who can update a home network and cloud footprint are now a
feature of middle class life; most divorce lawyers know one or two.

And don't forget the cars. You'd be surprised at how small a gps tracker can
be. And cars with on-board compute power can do funky things like use the
backup cameras to watch the surrounding area...

~~~
WiseWeasel
For a thermostat, it would likely not be immediately visible to the attacker
unless they cross-reference their smart energy meter readings. It might
possibly escape detection for lights, doorbells and music depending on the
degree of video/audio surveillance.

~~~
jpindar
Sure it would be. If they turn up the desired temperature and the measured
temperature doesn't go up, they know the thermostat is disconnected.

~~~
LeifCarrotson
The key part of the original post is to SILENTLY disable the remote interface.
This only leaks if there are two devices (a thermostat and temperature sensor)
that don't know about each other or the other's secret offline status.

With a doorbell, the assumption is that the app would be made to show 'ringing
doorbell' when the doorbell is actually offline and silent - not as presently
implemented where the Internet of Shit app doesn't have any fault handling and
simply HTTP GETs {"doorbell":"ring"} and discards the response.

Same for the thermostat, as for the Android privacy APKs that show bogus
location data, white noise from the mic, bogus contacts, or the inside of a
lens cover from the camera to apps that request those permissions needlessly.

------
rainbowmverse
Abuse survivors/advocates have been warning about this for years. I'm glad
it's going mainstream so the people who make them will hear and think about
how to make them less dangerous.

------
ocdtrekkie
My opinion on this remains chiefly that IoT devices like any other powerful
tool can be used for good or evil. This weekend, I set automation up for my
grandma to help her remain living independently longer.

My smart home software is currently single user in design, but I'd likely have
to make changes when I share my home. But chiefly, I don't believe in abusing
power technology grants me: If there was a separation, I'd sever any control
of devices that they kept and make sure they were able to get into them.

At the end of the day, the solution to technology being used by domestic
abusers is to get rid of the domestic abusers.

------
RcouF1uZ4gsC
Unfortunately, a lot of what our tech can be used to abuse or dominate others.
This article mentioned "smart" thermostats, locks, and lights. Another tech is
cell phones. Cell phones have information about where a person is, and even,
with some apps, what audio is in the environment. Unfortunately, all
mainstream security models assume physical security. When that assumption is
violated, all our security and encryption falls flat.

~~~
Gibbon1
I've seen comments that the first thing women's shelters do when sheltering
domestic abuse victims is 86 their cell phone.

Personal note, had thought at one time of making a private lojack for cars.
Personal meaning it just responds to transmission from a remote device without
going through a server. Handy when someone steals your car in SF. But that
seemed way too useful to a wife beater for my comfort level.

~~~
manicdee
What does it mean to “86 your cell phone”? I am aware that Star-8-6 is the
number to retrieve voicemail on some networks. Is “86ing” just switching a
phone off?

~~~
lozaning
It refers to being "86'ed" AKA kicked out of a bar among other things.
[https://en.wikipedia.org/wiki/86_(term)](https://en.wikipedia.org/wiki/86_\(term\))

------
jedberg
Sadly, much like everything else connected to the internet, the problems
aren't new, just the scale and efficiency. :(

------
rdiddly
The attack surface was always the biggest reason not to install IoT crap, but
it's 10 times worse when the adversary isn't just someone random trying his
luck from a faraway locale, but rather someone who has or used to have
physical access, ownership, the admin password etc and is specifically
targeting you.

------
dredmorbius
NB: Light discussion a few days back, and multiple submissions, but well-worth
considering.

[https://news.ycombinator.com/item?id=17382829](https://news.ycombinator.com/item?id=17382829)

[https://hn.algolia.com/?query=Thermostats%2C%20Locks%20and%2...](https://hn.algolia.com/?query=Thermostats%2C%20Locks%20and%20Lights%3A%20Digital%20Tools%20of%20Domestic%20Abuse&sort=byDate&dateRange=all&type=story&storyText=false&prefix&page=0)

------
dredmorbius
A notion I'm thinking over is the root meanings of _near_ and _far_ , and the
implications of mediated experience.

Near is a cognate of _nigh_ , whose superlative is _next_ : "The Old English
progression was neah - near - niehsta, for "nigh - near - next." Things which
are _near_ share borders, or cross few borders. Or, from _close_ , are
confined within a common border or boundary.

[https://www.etymonline.com/word/near](https://www.etymonline.com/word/near)

[https://www.etymonline.com/word/nigh](https://www.etymonline.com/word/nigh)

[https://www.etymonline.com/word/close](https://www.etymonline.com/word/close)

Conversely, _far_ comes from the PIE root * per-, "base of words for 'through,
forward,' with extended senses such as 'across, beyond'".

To be distant is to stand apart, to be unconnected or not directly connected.
To be distant is to move bacck or push away.

[https://www.etymonline.com/word/far](https://www.etymonline.com/word/far)

[https://www.etymonline.com/word/distant](https://www.etymonline.com/word/distant)

[https://www.etymonline.com/word/remote](https://www.etymonline.com/word/remote)

PIE roots are fun for all the derived words they point to -- they're the
superhubs of language:

[https://www.etymonline.com/word/*per-](https://www.etymonline.com/word/*per-)

 _Media,_ from _medium_ , is that which stands between: "intermediate agency"
Or, from the above, media is the agent of distance.

[https://www.etymonline.com/word/medium](https://www.etymonline.com/word/medium)

I'm reading through a collection of Greek and Roman myths (H.A. Grueber,
1907), and it comes to mind that the Greek god of messengers -- that is, of
intermediate agency, media, distance -- was also a the trickster god: Hermes
(Mercury).

[https://en.wikipedia.org/wiki/Hermes](https://en.wikipedia.org/wiki/Hermes)

Which brings us back to the _Times_ piece, and the subject of which maany of
us form our livelihoods.

Digital gadgets give the illusion of immediateness, nearness, and simplicity,
but in truth they are too often complex, rely on remote capabilities, and may
respond to many masters.

Drawing in one more allusion, driving victims mad by regulating environmental
ssystems was a key plot device of R.A. Heinlein's _The Moon is a Harsh
Mistress_ (1966).

[https://en.wikipedia.org/wiki/The_Moon_Is_a_Harsh_Mistress](https://en.wikipedia.org/wiki/The_Moon_Is_a_Harsh_Mistress)

~~~
schoen
> "Near is a cognate of nigh, whose superlative is next"

Wow, that makes a number of things in English and other languages make more
sense ("[as] the next person" in one of your links, the superlative -ste in
German "nächster", the former Icelandic restaurant "Á Næstu Grösum", and the
Portuguese "próximo!" to summon the person at the front of a line).

Sorry other readers didn't like your etymological excursion; it reminds me of
Lewis Thomas after he got ahold of a PIE reference (maybe the _American
Heritage Dictionary_ ). Maybe people didn't feel it was relevant enough?

~~~
falsedan
It’s not relevant in the slightest to the horrible ethical void in software
engineer (except as an example of the kind of petty fussiness that is more
welcomed than ethics & how it crowds out actual concerns which affect real
live humans right now)

~~~
dredmorbius
If you realise that adding complexity -- software, hardware, networks,
sensors, service contracts -- all serve to increase distance and indirection,
you have a frame for seeing potential problems, such as those highlighted by
the article.

I'm not sure if the same frame offers particular ways _out_ of those problems,
or if it largely serves to say "don't go there". I'm still thinking on that.

As for etymologies, I'm finding them fascinatiing for uncovering root meanings
and similarities between concepts. I'm also impressed by how many terms
related to information, truth, trust, etc., are profoundly physical in their
origins.

I don't know that this will prove useful. It's quite interesting, though, to
me at least.

[https://www.etymonline.com/word/interest](https://www.etymonline.com/word/interest)

------
basicplus2
This is an easy one.. all such products should have a manual 3 position switch
with off-Auto-On/manual

~~~
GabeWeiss_
As it not only says in the original article, but also in many of the comments,
you can't just do that because the abuser knows if you've superseded their
control, and abuse can escalate into physical if that action is taken.

It's not simple.

------
internetman55
Sigh, wish we could do better as humans

~~~
pietroglyph
We should focus on what we as technologists and developers can do. There are
features that can mitigate the potential for abuse in IoT devices, and we are
the ones who have to care enough to make these features exist. Things as
simple as clearly labelled and positioned reset buttons, or more advanced
features like access monitoring (even physical lights or indicators that show
remote access or surveillance) are all things that can help with this problem.
We can't stop people from being abusive, but we can stop them from abusing the
things we make.

------
lkrubner
Why was the comment by GabeWeiss_ made "dead"? It's not an entirely
unreasonable thing to say, in the context of domestic abuse.

