If You Have a Smart TV or IoT Devices, Your Home is Leaking Data
It’s been obvious for years that consumer devices cannot be trusted to secure user data, but there have been relatively few studies into exactly how poorly the modern ecosystem actually is. Researchers at Northeastern University and the Imperial College London have recently conducted a thorough analysis of 81 different IoT products to characterize what services they attempt to connect with, what communications can be inferred from these connections, and the degree of encryption used to protect customers.
The highlights of our research findings include the following. Using 34,586 controlled experiments, we find that 72/81 devices have at least one destination that is not a first party (i.e., belonging to the device manufacturer), 56% of the US devices and 83.8% of the UK devices contact destinations outside their region, all devices expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic (encrypted or otherwise) of 30/81 devices.
What they found varied. Virtually every TV contacted Netflix to report information about itself, even when none of the devices were outfitted with a Netflix account. Non-first party destinations (Akamai, Google, and Amazon) are often contacted by IoT devices, allowing them to log data profiles on customers. US devices tend to contact more third-party services than UK devices, possibly because of more stringent privacy requirements on the UK side of the pond. Using a VPN had a minimal impact on the type and number of attempted connections.
The encryption analysis performed by the team had issues; Wireshark wasn’t able to recognize many of the proprietary protocols used by these devices. The stronger takeaway seems to be that many products continue to share at least some data in the clear, and this may well represent security issues related to specific products, but the team did not conduct an in-depth analysis into exactly which information was being leaked or only partly encrypted at the per-device level. It wasn’t possible to do so with the tools they had.
As for what was being leaked over unencrypted channels, the team found instances of PII and other sensitive information being leaked in plaintext, though there’s evidence of improvement in this area compared with past evaluations.
Nonetheless, we found notable cases of PII exposure. This included various forms of unique identifiers (MAC address, UUID, device ID), geolocation at the state/city level, and user specified/related device name (e.g., John Doe’s Roku TV). A notable case that we found in our US lab is the Samsung Fridge sending MAC addresses unencrypted to an EC2 domain, which is a support party in the best case. The implication is that it is now possible for an ISP to track this device.
In both our labs we found that Magichome Strip is sending its MAC address in plaintext to a domain hosted on Alibaba. Interestingly, the Insteon hub was sending its MAC address in plaintext to an EC2 domain, but only from the UK lab. We did not find similar behavior in the US lab. Interestingly, each time the Xiaomi camera detected a motion, its MAC address, the hour and the date of the motion (in plaintext) was sent to an EC2 domain. We also noted that a video was included on the payload.
Finally, the team investigated unexpected behaviors — and found some. Ring doorbells record every time someone moves in front of them. This is only disclosed in the privacy policy and you have to pay a monthly fee to access the recordings. ZMondo takes a photo any time someone moves in front of the doorbell. Alexa cameras activate on the wrong words far more often than any other type of voice assistant.
The team writes that it identified “notable cases” of devices unexpectedly sending audio and video. The authors feel their highlights show that “concerns about information exposed by IoT devices is warranted, as is further investigation into more accurate device-activity classifiers and the root causes for the inferred behavior.”
There is no single smoking gun incident here, no specific and particular damning behavior. But there’s an awful lot of dubious connectivity, third-party services, and devices that can be monitored and tracked based on how they authenticate and what they transmit in the process. The devices we bring into our home can serve this sort of function, too, and companies are endlessly hungry for the data it represents.
The only solution to these issues, at present, is not to bring these devices into your home. If you own a smart TV, don’t connect it independently to the internet.
Continue reading
AMD Smashes Revenue Records as Zen 3, Xbox Series X, PS5 Ramp Up
AMD's Q3 2020 results are in, and the results are excellent for the company, in every particular.
The Best Smart Home Security Systems
Once a niche business with a few traditional players and some startups, home security systems are now a major battleground for not just security companies, but several internet giants. We round up highlights of the most popular options for 2020.
Nvidia Will Mimic AMD’s Smart Access Memory on Ampere: Report
AMD's Smart Access Memory hasn't even shipped yet, but Nvidia claims it can duplicate the feature.
AMD Will Bring Smart Access Memory Support to Intel, Nvidia Hardware
AMD is reportedly working with Nvidia and Intel to bring hardware support for Smart Access Memory to other GPU and CPU platforms.