If You Have a Smart TV or IoT Devices, Your Home is Leaking Data
It’s been obvious for years that consumer devices cannot be trusted to secure user data, but there have been relatively few studies into exactly how poorly the modern ecosystem actually is. Researchers at Northeastern University and the Imperial College London have recently conducted a thorough analysis of 81 different IoT products to characterize what services they attempt to connect with, what communications can be inferred from these connections, and the degree of encryption used to protect customers.
The highlights of our research findings include the following. Using 34,586 controlled experiments, we find that 72/81 devices have at least one destination that is not a first party (i.e., belonging to the device manufacturer), 56% of the US devices and 83.8% of the UK devices contact destinations outside their region, all devices expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic (encrypted or otherwise) of 30/81 devices.
What they found varied. Virtually every TV contacted Netflix to report information about itself, even when none of the devices were outfitted with a Netflix account. Non-first party destinations (Akamai, Google, and Amazon) are often contacted by IoT devices, allowing them to log data profiles on customers. US devices tend to contact more third-party services than UK devices, possibly because of more stringent privacy requirements on the UK side of the pond. Using a VPN had a minimal impact on the type and number of attempted connections.
The encryption analysis performed by the team had issues; Wireshark wasn’t able to recognize many of the proprietary protocols used by these devices. The stronger takeaway seems to be that many products continue to share at least some data in the clear, and this may well represent security issues related to specific products, but the team did not conduct an in-depth analysis into exactly which information was being leaked or only partly encrypted at the per-device level. It wasn’t possible to do so with the tools they had.
As for what was being leaked over unencrypted channels, the team found instances of PII and other sensitive information being leaked in plaintext, though there’s evidence of improvement in this area compared with past evaluations.
Nonetheless, we found notable cases of PII exposure. This included various forms of unique identifiers (MAC address, UUID, device ID), geolocation at the state/city level, and user specified/related device name (e.g., John Doe’s Roku TV). A notable case that we found in our US lab is the Samsung Fridge sending MAC addresses unencrypted to an EC2 domain, which is a support party in the best case. The implication is that it is now possible for an ISP to track this device.
In both our labs we found that Magichome Strip is sending its MAC address in plaintext to a domain hosted on Alibaba. Interestingly, the Insteon hub was sending its MAC address in plaintext to an EC2 domain, but only from the UK lab. We did not find similar behavior in the US lab. Interestingly, each time the Xiaomi camera detected a motion, its MAC address, the hour and the date of the motion (in plaintext) was sent to an EC2 domain. We also noted that a video was included on the payload.
Finally, the team investigated unexpected behaviors — and found some. Ring doorbells record every time someone moves in front of them. This is only disclosed in the privacy policy and you have to pay a monthly fee to access the recordings. ZMondo takes a photo any time someone moves in front of the doorbell. Alexa cameras activate on the wrong words far more often than any other type of voice assistant.
The team writes that it identified “notable cases” of devices unexpectedly sending audio and video. The authors feel their highlights show that “concerns about information exposed by IoT devices is warranted, as is further investigation into more accurate device-activity classifiers and the root causes for the inferred behavior.”
There is no single smoking gun incident here, no specific and particular damning behavior. But there’s an awful lot of dubious connectivity, third-party services, and devices that can be monitored and tracked based on how they authenticate and what they transmit in the process. The devices we bring into our home can serve this sort of function, too, and companies are endlessly hungry for the data it represents.
The only solution to these issues, at present, is not to bring these devices into your home. If you own a smart TV, don’t connect it independently to the internet.
Continue reading
The PlayStation 5 Will Only Be Available Online for Launch Day
The PlayStation 5 isn't going to be available in stores on launch day, and if you want to pick up an M.2 SSD to expand its storage, you'll have some time to figure out that purchase.
Jupiter’s Moon Europa Might Glow in the Dark
The intense radiation bombarding Europa might make it glow in the dark, and that could help scientists learn more about the moon's ice sheets and the ocean below.
Which Is Faster, the Xbox Series X or PlayStation 5? Early Data Says It’s Complicated
Competitive head-to-head data on the Xbox Series X versus the PlayStation 5 is beginning to trickle out.
Time to Update: Google Patches 2 Severe Zero-Day Chrome Vulnerabilities
Unlike the last few zero-days, Google didn't find these security holes itself. Instead, it was tipped by anonymous third-parties, and the problems are severe enough that it hasn't released full details. Suffice it to say, you should stop putting off that update.