In a concerning revelation, international researchers are sounding the alarm about hidden security and privacy threats lurking within smart homes. Led by IMDEA Networks and Northeastern University, these scientists have unveiled a series of security and privacy concerns stemming from the local network interactions of Internet of Things (IoT) devices and mobile apps.
The ever-expanding world of smart homes incorporates a multitude of consumer-focused IoT devices, including smartphones, smart TVs, virtual assistants, and CCTV cameras. These devices come equipped with cameras, microphones, and various sensors, giving them the ability to observe activities within our most personal spaces—our homes. But the crucial question remains: Can we entrust these devices to handle and safeguard the sensitive data they collect?
David Choffnes, Associate Professor of Computer Science and Executive Director of the Cybersecurity and Privacy Institute at Northeastern University, voices his concerns: “When we think of what happens between the walls of our homes, we think of it as a trusted, private place. In reality, we find that smart devices in our homes are piercing that veil of trust and privacy—in ways that allow nearly any company to learn what devices are in your home, to know when you are home, and learn where your home is. These behaviors are generally not disclosed to consumers, and there is a need for better protections in the home.”
Table of Contents
Alarming Findings from the ‘Smart Home’ Study
The research delved into the complex web of local network interactions among 93 IoT devices and mobile apps, revealing numerous undisclosed security and privacy concerns with real-world consequences.
Contrary to the widely held belief that local networks are secure environments, the study highlights fresh threats linked to the inadvertent exposure of sensitive data by IoT devices within local networks using standard protocols such as UPnP or mDNS. These threats encompass the exposure of unique device names, Universally Unique Identifiers (UUIDs), and even the geographic location of households. Alarmingly, these can be exploited by companies involved in surveillance capitalism without the users’ awareness.
Vijay Prakash, PhD student from the New York University Tandon School of Engineering and co-author of the study, explains: “Analyzing the data collected by IoT Inspector, we found evidence of IoT devices inadvertently exposing at least one Personally Identifiable Information (PII), like unique hardware address (MAC), UUID, or unique device names, in thousands of real-world smart homes. Any single PII is useful for identifying a household, but combining all three of them together makes a house very unique and easily identifiable. For comparison, if a person is fingerprinted using the simplest browser fingerprinting technique, they are as unique as one in 1,500 people. If a smart home with all three types of identifiers is fingerprinted, it is as unique as one in 1.12 million smart homes.”
The Potent Weapon of Local Network Protocols
The study emphasizes how local network protocols can serve as side channels to access data theoretically protected by mobile app permissions, such as household locations.
Narseo Vallina-Rodriguez, Associate Research Professor of IMDEA Networks and co-founder of AppCensus, clarifies: “A side channel is a sneaky way of indirectly accessing sensitive data. For example, Android app developers are supposed to request and obtain users’ consent to access data like geolocation. However, we have shown that certain spyware apps and advertising companies do abuse local network protocols to silently access such sensitive information without any user awareness. All they have to do is kindly ask for it from other IoT devices deployed in the local network using standard protocols like UPnP.”
Juan Tapiador, Professor at the Universidad Carlos III de Madrid, adds, “Our study shows that the local network protocols used by IoT devices are not sufficiently protected and expose sensitive information about the home and the use we make of the devices. This information is being collected in an opaque way and makes it easier to create profiles of our habits or socioeconomic level.”
Wider Implications and Calls for Action
The implications of this research extend beyond academia, emphasizing the urgent need for manufacturers, software developers, IoT and mobile platform operators, and policymakers to take decisive action to enhance the privacy and security of smart home devices and households. Researchers have responsibly disclosed these issues to vulnerable IoT device vendors and Google’s Android Security Team, prompting security improvements in some of these products.
The Lowdown on Stress Rashes: What You Need to Understand
-
-
-
-
