How to Keep Your Smart-Home Technology Secure From Domestic Abusers

This article contains references to domestic violence and abuse.

Last June, technology reporter Nellie Bowles of The New York Times (Wirecutter’s parent company) exposed how domestic abusers use smart-home technology to monitor, control, and intimidate their partners. Abusers, using smartphones connected to the devices, spy on private conversations through pet cams, change digital lock codes daily, and manipulate smart thermostats.

Erica Olsen, director of the Safety Net Project at the National Network to End Domestic Violence, says smart-home tech misuse is a growing trend, especially in the Silicon Valley region of California. Although statistics on smart-home abuse are hard to find, domestic abuse is prevalent in the US, as is the proliferation of smart-home devices. One in three people have experienced physical violence or stalking by an intimate partner, according to a 2017 Centers for Disease Control report (PDF). (The CDC tracked unwanted calls, emails, texts, and social media messages, but not smart-home tech misuse.) The same survey found that nearly half of all people have experienced psychological aggression from an intimate partner, which includes everything from name-calling and controlling their appearance to monitoring their movements and threatening them with violence.

However, you don’t have to feel helpless. There are simple ways to safeguard your smart home—and even use some of that tech to create a safer environment.

Know what’s in your home

Wirecutter recommends that families discuss smart-home gadgets before a purchase is made, and decide where they’ll go, how they work, and who will have access once they’re installed. All adults in a household should have equal access to the controls of any smart-home device. (The National Domestic Violence Hotline has advice on how to communicate effectively with your partner.) If an abuser has solitary control of household gadgets and you don’t know what’s been installed, you can still easily spot devices. Look for a camera on a bookshelf, lights that automatically dim, and standalone voice-enabled speakers. Covert gadgets that can be misused include automatic pet-food dispensers with built-in cameras, smart window-AC units, and motion sensors installed in corners of a room. (You can always find information on the latest smart-home gadgets on our website.)

To find some of the not-so-obvious smart-home devices connected to your network, you can tap into your router. You can do this by typing the router’s admin URL and password into any Web browser from your home computer. This information is listed on the side or back panel of many routers, but some use the default address of 192.168.1.1, which you can type into your browser. You can also start fresh by contacting your service provider to swap out your existing router or consider buying one. (This won’t work for Bluetooth-connected devices, such as many smart door locks or some sensors. For these, you can remove the batteries to disable the device, or reset it using one of the methods described below. )

Once you know what’s in your home, find out who has access to its dashboard website or corresponding app. Even if you have access to the settings, others in the household might too, and one of those people may be a master administrator who can grant and revoke access to devices and often track usage. Many apps also keep an activity log, a running tab of when the actual product is being used, and its users. Check it often, and erase its history if you’re worried that it’s being tracked by an abuser.

Alternatively, Olsen suggests keeping a written log (PDF) of instances when you think you’re being cyberstalked at home and don’t know which gadgets are compromised. A pen and paper can’t be accessed remotely by an abuser, and you can easily hide the log at home or with a trusted friend. Survivors who are safely out of an abusive relationship may use the log as supportive evidence to request an order of protection or a restraining order. List the date, time, location in your home, and what happened. “When [the survivor] starts documenting the behavior, they often see patterns emerge to help them narrow down what may be happening. Then they can identify safer ways to communicate,” she said.

Safeguard your smart home

We contacted 11 smart-home manufacturers to learn the best way to secure their gadgets from domestic abusers, and most declined to comment for this article. Nonetheless, there are simple ways to protect yourself against abuse through smart-home technology.

Unplug. The easiest thing to do is to unplug or remove the suspicious device, though that’s harder if it’s something that’s permanently installed, like a thermostat, door lock, or in-wall dimmer. It’s also impractical if you like or need the device and want to continue using it.

Change passwords. When it comes to smart-home devices like the Amazon Echo, account information can include addresses, recent purchases, shopping lists, and even entertainment that’s been streamed. New passwords are a must (Wirecutter’s password manager pick, 1Password, can help with that). If you have access to the app and have administrator controls over the device, changing the password can even lock out other users. Also consider creating a new email address specifically designed for smart-home accounts.

Bill McKinley, head of information security at The New York Times, suggests making long passwords that are phrase-based. Once you’ve changed those passwords, don’t share the new information with anyone. You should also change or eliminate security questions (such as your alma mater’s name) connected to those accounts, because partners may know answers to even the most personal questions.

Enable 2FA. Devices like ones from Nest offer two-factor authentication. This adds another security measure when you log in, such as hardware and software tokens, text messages, or fingerprint verification. McKinley recommends avoiding texts as your 2FA backup because that method is susceptible to hackers.

Disable remote access. To keep snooping at bay, our experts say it’s best to avoid applications that track and store your location history. Turn off geofencing on cameras, thermostats, and other devices, which can keep tabs on where you are using your smartphone. You can also disable location services for specific apps on your smartphone or put your phone into airplane mode, which disables GPS services temporarily. Also, don’t use devices that track lost items as well as your location. Some apps can mask your mobile location, but McKinley says most are inconsistent and can’t be trusted.

Reboot and reset. One of the fastest ways to lock someone out of a smart-home device is to reset it. This will return the device to its factory settings and erase all stored information, including remote access from any previous users. Some products can be reset in the app, but often it’s done physically on the device itself. For instance, you can reset Apple HomeKit devices without the app. This removes it from the Home app, and each person must re-add the device to their respective app using a unique code located on the side of the product.

Some smart-home devices require you to access onboard controls. For example, to reset the Wemo Mini smart plug, just hold the power button until the LED on the front blinks. Then pair it with the Wemo app like a brand-new device. You can reset most Echo speakers by holding the microphone-off and volume-down buttons. The Nest thermostat has a reset option in the settings section on the actual device. If you’re unsure how to reset your particular product, you can usually find step-by-step instructions with a quick Internet search.

Other gadgets require a very high-tech tool—a paper clip. Nest cameras and other smart-home products have a pinhole that’s typically located on the back or bottom. Insert the point of a paper clip into the hole, push gently, and wait for the device to flash lights or give some other indication that a reset is taking place.

Contact the manufacturer. It never hurts to go straight to the manufacturer if an abuser is controlling smart gadgets in the home. (Tip: Alexis Moore, a Sacramento-based attorney and domestic violence survivor, said that her clients have better success at getting manufacturers to assist them in regaining control of hacked devices if they identify themselves as domestic violence survivors, as opposed to having a lawyer get involved on their behalf.) Manufacturers can walk you through device resets, offer replacements, and suggest workarounds to help you feel safer.

For instance, SimpliSafe will help you change passwords, phone numbers, and user access to the system. “We can immediately log out every user that’s logged into your account,” said Melina Engel, SimpliSafe’s chief marketing officer. “Even if the abuser has the SimpliSafe app on their phone and they’ve been using it to access your system, they would immediately lose access.”

How tech can protect you

Smart-home products can provide an extra layer of protection, as long as you’re in control of the device. Wi-Fi security cameras monitor your property indoors and outside, and motion-activated lights can also be triggered by cameras and timers. Smart lights like the Lutron Caséta and the Philips Hue can randomly activate to make it look like you’re at home when you’re actually away. A security system, such as Wirecutter’s top pick, Simplisafe, instantly alerts you when doors and windows are open or broken into. (Tip: Engel suggests telling your monitoring company if you have an active restraining order, so that information can be shared with police when needed.)

If you can’t afford a security system, you can also wear a personal panic button. Athena is a wearable Bluetooth device that’s roughly the size of a $1 American Silver Eagle coin, and it pairs with one smartphone, so owners can press it to alert passersby to danger (it sounds an audible alarm) and check in with friends and family to let them know they’re okay.

And no matter your budget, taking proactive steps to secure your devices is the best approach, according to our experts. “There is so much technology that improves our lives, but without knowing the security and privacy implications it can really be detrimental,” cautioned Yasmine Mustafa, co-founder and CEO of Roar for Good, which created Athena.

“Everything comes down to security,” Olsen affirmed. “If we secure our accounts from the start then nobody’s going to be able to abuse them in the first place.”

If you are in an abusive relationship, call the National Domestic Violence Hotline at 1-800-799-7233.

For additional resources in the United States and abroad, review the University College London’s Gender and IoT (G-IoT) Resource List (PDF).

See Wirecutter’s guide The Online Therapy Services We’d Use if you can’t leave the house, or want to connect with a therapist beyond your immediate geographic area.

Sources

1. Nellie Bowles, Thermostats, Locks and Lights: Digital Tools of Domestic Abuse, The New York Times, June 23, 2018

2. Melina Engel, chief marketing officer, SimpliSafe, phone interview, September 12, 2018

3. Andrew Gebhart, Keep calm and give your glitchy smart home a factory reset CNET, July 13, 2018

4. Bill McKinley, head of information security, The New York Times, email interview, September 17 and 26, 2018

5. Alexis Moore, president and founder, Survivors in Action, phone interview, September 14, 2018

6. Yasmine Mustafa, CEO and founder, Roar for Good, phone interview, September 19, 2018

7. Erica Olsen, director, Safety Net Project, National Network to End Domestic Violence, phone interview, September 11, 2018

8. The National Intimate Partner and Sexual Violence Survey (NISVS): 2010-2012 State Report (PDF), National Center for Injury Prevention and Control, Centers for Disease Control and Prevention, April 2017

9. There’s No Place Like [ A CONNECTED ] Home, McKinsey & Company

10. Total Consumer Tech Revenue to Reach Record $377 Billion in 2018, Says CTA Mid-Year Report, Consumer Technology Association, July 31, 3018