ABSTRACT
Internet of Things (IoT) devices are increasingly found in everyday homes, providing useful functionality for devices such as TVs, smart speakers, and video doorbells. Along with their benefits come potential privacy risks, since these devices can communicate information about their users to other parties over the Internet. However, understanding these risks in depth and at scale is difficult due to heterogeneity in devices' user interfaces, protocols, and functionality.
In this work, we conduct a multidimensional analysis of information exposure from 81 devices located in labs in the US and UK. Through a total of 34,586 rigorous automated and manual controlled experiments, we characterize information exposure in terms of the destinations of Internet traffic, whether the contents of communication are protected by encryption, which IoT-device interactions can be inferred from such content, and whether there are unexpected exposures of private and/or sensitive information (e.g., video surreptitiously transmitted by a recording device). We highlight regional differences between these results, potentially due to different privacy regulations in the US and UK. Last, we compare our controlled experiments with data gathered from an in situ user study comprising 36 participants.