There’s really no escaping the internet of broken things.
On any given day, Americans connect thousands of internet-enabled devices to the internet, despite repeated warnings from cybersecurity experts that such devices often lack even the most rudimentary privacy and security protections. The results haven’t been pretty. From “smart” televisions that hoover up your living room conversations to webcams that can be hacked and used in DDoS attacks in a matter of seconds, the problem is monumental. And it’s enabled by companies that routinely prioritize profits over consumer privacy, security, or the well-being of the internet.

Researchers at Carnegie Mellon University have released a beta of an app they hope can address some of these problems. Dubbed the Internet of Things (IoT) Assistant (iOS, Android), the app will identify unfamiliar IOT devices nearby, tell you what they do, and guide you toward the ability to opt out of data collection (assuming such an option exists).

IOT devices are often designed with little to no end-user transparency into what they do once they’re connected to the internet. Studies have shown IOT devices routinely collect far more data than consumers realize, then sell and share that data with a laundry list of companies.
One recent study showed a popular IOT camera made contact with 52 unique global IP address destinations when transmitting data, while one Samsung television made contact with 30 different IP addresses. Some of these points of contact are innocuous, and some aren’t. Few are revealed to consumers, and often the data isn’t secure in transit.
“Many people do a pretty poor job disclosing what data they collect and what they do with it,” Professor Norman Sadeh, a CyLab faculty member in Carnegie Mellon’s Institute for Software Research, told Motherboard. “Sometimes this is intentional, sometimes it's due to a lack of expertise, and sometimes it's a combination—privacy engineering is challenging.” Some efforts, like Princeton’s open source IOT Inspector, have tried to help consumers take a closer look at IOT device traffic itself in a bid to see what’s collected and where it’s sent.
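The traffic-observation approach described above (counting how many distinct destinations a camera or television contacts, and whether any of that traffic leaves the home unencrypted) can be reproduced from ordinary router flow logs. The following is an added illustration written for this article; it is not code from the Carnegie Mellon IoT Assistant, from Princeton’s IoT Inspector, or from either study. The flow records, device labels and port list are constructed for the example, and the destination addresses are documentation ranges standing in for real internet endpoints.

```python
"""Summarize where each home IoT device sends traffic, from flow records.

Constructed example: tallies unique external destinations per device and
flags flows on ports that usually carry plaintext, so a reviewer can see
how widely a device talks and whether any of it is unencrypted in transit.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample flows: (device label, destination IP, destination port).
# The external addresses are RFC 5737 documentation ranges, used here as
# stand-ins for real cloud endpoints; 192.168.1.1 is the home router.
SAMPLE_FLOWS = [
    ("camera", "203.0.113.10", 443),
    ("camera", "203.0.113.10", 443),   # repeat contact, counted once
    ("camera", "198.51.100.7", 80),    # plaintext HTTP leaving the home
    ("camera", "192.0.2.44", 8883),    # MQTT over TLS
    ("camera", "192.168.1.1", 53),     # local DNS, not an external destination
    ("tv", "203.0.113.99", 443),
    ("tv", "198.51.100.21", 80),
    ("tv", "198.51.100.21", 1883),     # unencrypted MQTT
]

# Ports that normally carry cleartext protocols (assumed list for the example).
PLAINTEXT_PORTS = {21, 23, 80, 1883}

# Networks treated as "inside the home" and therefore not counted.
# Checked explicitly rather than via ipaddress.is_private, because that
# property also classifies the documentation ranges above as private.
LOCAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"),
]


@dataclass
class DeviceReport:
    external_destinations: set   # distinct non-local destination IPs
    plaintext_flows: list        # sorted unique (dst_ip, port) on cleartext ports


def is_local(ip_str):
    """True if the address belongs to one of the home-side networks."""
    ip = ip_address(ip_str)
    return any(ip in net for net in LOCAL_NETS)


def summarize(flows):
    """Build a DeviceReport per device label from (device, dst_ip, port) records."""
    reports = {}
    plaintext_sets = {}
    for device, dst_ip, port in flows:
        report = reports.setdefault(device, DeviceReport(set(), []))
        seen = plaintext_sets.setdefault(device, set())
        if is_local(dst_ip):
            continue  # router, DNS forwarder, etc. are not external contacts
        report.external_destinations.add(dst_ip)
        if port in PLAINTEXT_PORTS:
            seen.add((dst_ip, port))
    for device, report in reports.items():
        report.plaintext_flows = sorted(plaintext_sets[device])
    return reports


def format_report(reports):
    """Render the summary as one text line per device."""
    lines = []
    for device in sorted(reports):
        report = reports[device]
        lines.append(
            f"{device}: {len(report.external_destinations)} external destination(s), "
            f"{len(report.plaintext_flows)} plaintext flow(s) {report.plaintext_flows}"
        )
    return lines


if __name__ == "__main__":
    for line in format_report(summarize(SAMPLE_FLOWS)):
        print(line)
```

Run against a real capture, the same logic would read flows exported by a router or a tool like IoT Inspector instead of the constructed list; the two signals it surfaces, destination sprawl and cleartext ports, are exactly the ones the studies above report, and the second is the “red flag” Sadeh refers to below.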
Sadeh says his group’s new app takes a different approach.
“We don't rely on scanning in this release,” Sadeh said. “In general, it's not sufficient—especially when the traffic is encrypted, which ideally would always be the case. Even if traffic is unencrypted—which is a red flag—this will not tell you how long the data is retained.” Instead, the new app relies on a database compiled by volunteers, cybersecurity experts, and companies trying to simplify compliance with new privacy legislation like the California Consumer Privacy Act (CCPA) or Europe’s General Data Protection Regulation (GDPR). “People need to be informed about what data is collected about them and they need to be given some choices over these processes,” Sadeh said. “We have built an infrastructure that enables owners of IoT technologies to comply with these laws, and an app that takes advantage of this infrastructure to empower people to find out about and control data collected by these technologies.” Sadeh said such solutions are particularly important in bringing some transparency to the ever expanding use of IOT surveillance in public areas, where signs will sometimes inform the public they’re being watched, but little else.
“These signs tell you nothing about what is being done with your footage, how long it’s going to be retained, whether or not it uses facial recognition, or with whom this is going to be shared,” Sadeh said. He’s hopeful his app, once the database is fleshed out, can help fix that. Sadeh’s team at Carnegie Mellon isn’t the only one trying to address the IOT problem. Consumer Reports has also been building a set of open source standards to include privacy and security issues in product reviews, letting consumers avoid dubious products before they even have a chance to make it into their homes.