How Abusers Are Exploiting Smart Home Devices

Ross and Catherine Cairns had been married for 16 years. He was an electronics expert, she an accountant, and by their early 30s they were living with their two young daughters in Hale, in Greater Manchester. The village is one of the wealthiest areas in the UK, home to upmarket restaurants and Premier League football players.

The Cairns household was fitted out with an ELAN smart home system. The house’s security alarm, lighting and heating were all controlled centrally by a tablet mounted on the kitchen wall. With the touch of one button, the tablet let you turn off the lights and ensure the doors were locked. Using a smartphone app, you could remotely activate security cameras or change the music playing through the entertainment system. Ross was the administrator; Catherine mainly used it to turn lights on and off.

“Monitoring your home has never been so easy!” declares the ELAN website. Perfect for parents to keep a distant eye on their kids while working late, but when used maliciously, also for jealous partners to spy on their spouses.

Internet-connected devices – wearable trackers, smart TVs, voice-activated assistants, app-controlled locks and lights and thermostats – promise a utopia of convenience, a world in which we don’t need to get out of bed to turn off a ceiling light or fumble for house keys in the bottom of a bag. But as these devices – the internet of things, as it’s known – become ever more pervasive, so too does their use by domestic abusers as tools for surveillance and harassment.

“Perpetrators of domestic abuse like to keep tabs on their partners. They like to know what you’ve been up to and where you’ve been,” says Sara Kirkpatrick, Research and Services Development Manager at Respect. “Being tracked is so much easier than it ever was.”

As of January 2019, domestic violence charity Refuge has documented more than 2,500 people seeking their support services who have reported experiences of technology-facilitated abuse.

Ross and Catherine separated in 2016. They remained friendly and the children spent time with both parents. Ross moved in with his mother in the neighbouring town of Altrincham, a five-minute drive from Hale.

On August 12, 2017, Ross visited the family home to fix a fish tank. While he was there, she handed him her mobile, as she also wanted him to check the security system. “When he was on it, he read messages I had sent to a man I had been on a date with,” Catherine would later testify in Manchester Magistrates’ Court. Ross became agitated. He left the house, then came back inside, crying. “He ran upstairs and got the wedding rings and said that I wouldn’t need them.”

Catherine told her parents about the incident. Standing in the kitchen with her mother, she said that she no longer loved Ross. “The next thing I knew, he was downstairs telling the kids he was moving back in,” testified Catherine. “He repeated the conversation that I had with my mum. He said, ‘Oh, you don’t love me anymore.’”

Ross later admitted to accessing the ELAN system remotely through an app on his iPhone to eavesdrop on conversations. He also hacked into her Bumble accounts, posting an intimate picture and sending explicit messages. Catherine switched off the control tablet’s camera function and asked an IT engineer to change the system password. But even after this, the system logged more remote connections on October 14 and 15.

“It looks like he was using the system as normal, but hadn't informed her exactly how it works,” says Bill Hensley, a spokesperson for ELAN. The password was likely changed for only the security system, he says, but not for the overriding administrator account. “It doesn't look like there was a breach.”

“Prosecuting cases involving the use of technology in order to commit offences present real difficulties,” says Neil White, who was the prosecutor in the Cairns case. “With offences like harassment, this can be especially difficult, as there can be issues like shared IP addresses, or of one party having the technological knowledge, and being able to abuse it, when the other doesn't.”

In May 2018, Ross was convicted of stalking and harassment. In court, he claimed that he had accessed ELAN remotely only to switch lights on or off, or adjust television volume. The stalking conviction was later quashed on appeal, but the harassment offence was upheld and he was banned from contacting Catherine for three years.

The Cairns court case marked one of the first convictions involving IoT technology, says Leonie Tanczer, a gender and IoT researcher at University College London. The rise of smart devices, she believes, creates a new arsenal of tools that can be used against people already at risk of domestic abuse. Tanczer leads a research project on the topic in collaboration with the London Violence Against Women and Girls Consortium, comprising 29 organisations.

Discussions with support groups have identified examples such as spying via smart TVs and security cameras at entrances, tracking location via GPS-enabled smartwatches, and physical gaslighting – remotely changing the temperature in a room by meddling with the heating system. Refuge, which is part of the consortium, has found a rise in women whose kids’ video game consoles have been hacked by perpetrators to trace information including a child’s location.

“We don't really collate much data on tech abuse [in the UK] currently, so we have no full scale of the issue,” says Tanczer. Each domestic abuse victim who seeks support services has their risk individually assessed using a DASH checklist of questions. “There's one question that hints at technology because it goes into coercion and control. But if the caseworker, for example, is not prompting you on that it could be ignored.”

“Frontline staff need to know what they’re looking for,” agrees Kirkpatrick. Experienced service providers will often broach the topic of technology even though it isn’t included in official risk assessments, she says. “Part of their safety planning routine with any new client is that they check their phone.”

Because the internet is inextricable from our daily and social lives, this kind of tech-facilitated abuse is difficult to tackle. Individuals could take steps like changing network settings or replacing the smart devices in question. But measures need to take risk into account: if a perpetrator using stalkerware or with access to an internet router realises a password has been changed, it can lead to an escalation of harm, warns Tanczer.

Survivors are currently told to disconnect if necessary. “Telling someone, for example, for the period of three months, when you are in a refuge, to not go online…that really interrupts your life,” says Tanczer. “In the long run, I don't think that this is sustainable.”

There are no easy solutions, but policy change will be necessary, she says. Kirkpatrick is an advocate for policies that mandate the legal cooperation of tech organisations, particularly if data from a smart device may be used to support a survivor’s case.

The Online Harms White Paper, released in April, includes emphasis on the harmful potential of social media, as does the Domestic Abuse Draft Bill. Both overlook the use of smart devices as tools to perpetuate abuse, missing a vital legislative opportunity, says Tanczer. “That's too short sighted for what we're going to see over the coming years.”

“We have to identify means to hopefully intervene and help victims and survivors better.”

@donnadlu