A new study has once again found that most “internet of things” (IoT) devices routinely deliver an ocean of sensitive data to partners around the world, frequently without making these data transfers secure or transparent to the end user.
The full study, a joint collaboration between Northeastern University and Imperial College London, took a closer look at 81 popular smart TVs, streaming dongles, smart speakers, and video doorbells made by vendors including Google, Roku, and Amazon. The results aren’t comforting: the majority of the devices collected and shared information including your IP address, device specs (like MAC address), usage habits, and location data. That data is then shared with a laundry list of third parties, regardless of whether the user actually has a relationship with those companies. “Nearly all TV devices in our testbeds contacts Netflix even though we never configured any TV with a Netflix account,” the researchers said. They noted that devices reach out to Netflix to relay information such as the TV set being used and the location it’s being used in.
In a series of 34,586 experiments, the study found that 72 of the devices made contact with someone other than their manufacturer. In many instances, these transfers “expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic,” the researchers said.
The IoT sector has long been ridiculed for rushing to connect everything to the internet without embracing basic security and privacy standards. As a result, everything from your smart tea kettle to your kids’ Barbie dolls now poses a potential privacy and security threat. With millions of such devices coming online every year, it’s a monumental problem. “A wide variety of internet-connected devices in peoples' homes are potentially exposing information about consumers to other parties over the internet,” study author David Choffnes told Motherboard. “Our paper represents the start of what we expect to be a long line of research for giving consumers better insight into, and control over, the information exposed by their internet-connected devices.”
The problem has been well exemplified by smart television vendors that have—like the broader IoT sector—routinely made security, privacy, and transparency a distant afterthought. Vizio, for example, settled a $17 million lawsuit last year for secretly tracking and selling the usage habits of sixteen million Vizio owners for around three years. In 2015, Samsung was widely criticized after researchers found the company’s smart televisions were collecting user voice data, then transmitting it unencrypted to the cloud. Studies by Consumer Reports have found these devices are routinely vulnerable to being hacked and integrated into botnets. Some of these vulnerabilities require local intervention (like plugging a malware-infected USB drive into a TV port), but others don’t. This flimsy security has unsurprisingly been of great interest to intelligence organizations like the CIA.
Choffnes told me that auditing these devices is challenging for independent researchers, and our understanding of the associated privacy risks is “still in early stages,” in part because manufacturers make it difficult to determine what data is being sent (Princeton researchers have developed an IoT Inspector they hope will make this process easier for the end user).
The study found one IoT camera made contact with 52 unique global IP address destinations when transmitting data, while one Samsung television made contact with 30 different IP addresses. These contact points included not only most cloud computing providers (Akamai, Google, Amazon) but frequently a wide variety of marketing partners as well.
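The same measurements can be taken on a home network. The script below is an added example, not code from the study or the original article: it counts unique destinations per device, lists parties other than the manufacturer, and flags likely plaintext flows. The flow records, device and company names, and the port-based plaintext heuristic are constructed assumptions.

```python
import csv
from collections import defaultdict

# Constructed sample flows (not data from the study). Columns:
# device, device vendor, destination IP, destination owner, destination port.
# IPs come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
tv,ExampleTV,203.0.113.10,ExampleTV,443
tv,ExampleTV,198.51.100.7,StreamCo,80
tv,ExampleTV,198.51.100.7,StreamCo,80
tv,ExampleTV,192.0.2.44,AdPartner,443
doorbell,ExampleCam,203.0.113.90,ExampleCam,443
doorbell,ExampleCam,203.0.113.91,ExampleCam,443
"""

# Assumption: traffic to these ports is unencrypted (HTTP, MQTT without TLS).
# A port number is only a heuristic; confirm with a packet capture.
PLAINTEXT_PORTS = {80, 1883}

def audit_flows(flow_text):
    """Summarise, per device, who it talks to and what leaves in plaintext."""
    dests = defaultdict(set)
    others = defaultdict(set)
    plaintext = defaultdict(set)
    for device, vendor, ip, owner, port in csv.reader(flow_text.splitlines()):
        dests[device].add(ip)
        if owner.lower() != vendor.lower():
            others[device].add(owner)  # a party other than the manufacturer
        if int(port) in PLAINTEXT_PORTS:
            plaintext[device].add((ip, int(port)))
    return {
        d: {
            "unique_destinations": len(dests[d]),
            "non_manufacturer": sorted(others[d]),
            "plaintext_flows": sorted(plaintext[d]),
        }
        for d in dests
    }

def devices_contacting_others(report):
    """Devices that reached at least one party other than their manufacturer."""
    return sorted(d for d, r in report.items() if r["non_manufacturer"])

if __name__ == "__main__":
    report = audit_flows(SAMPLE_FLOWS)
    for device, summary in report.items():
        print(device, summary)
    print("contacted non-manufacturer parties:", devices_contacting_others(report))
```
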
This usage data can then be used to build complex behavioral profiles of consumers who may not understand that daily habits gleaned from everything from their TV set to their smart electricity meter are being collected, cataloged, and monetized. Add recording capabilities to the mix, and the problem is only amplified, Choffnes said. “Recording devices are going to record,” he said. “If you install anything with a microphone or camera, it may be recording when you don't expect it. We found video doorbells silently recording upon motion detection with no way to turn off the feature, and Amazon devices waking up and recording when the wake word wasn't spoken.”
Choffnes told me that while the high-profile wrist slaps of recent years have resulted in an increase in the use of encryption by vendors, that poses a double-edged sword for researchers. “One of the biggest challenges we face is that the same encryption that protects users' data from eavesdroppers also prevents us researchers from seeing what is inside,” he said.
Despite a decade’s worth of warnings from security researchers, efforts to rein in the threat remain disjointed and inadequate. In the hopes of bringing more transparency to the problem, organizations like Consumer Reports have been working on an open source platform that integrates security and privacy into user product reviews. Choffnes said users can help protect themselves by doing adequate research before buying products, choosing “dumber” offline technology where applicable, and being particularly cautious when buying products with embedded cameras and microphones.
“You may want to be the one doing the surveilling, but in the end you might be the one surveilled,” he said.