“Smart” devices might be handy and offer higher quality services, but users should be aware that everything comes with a price. We’re not talking here about the price of the actual device, but about the fact that these devices collect device, user and user behavior information and send it to a variety of third parties.
This information might currently be worthless to users, but it’s worth a lot to companies: it is used to improve and customize services, compile a profile of users’ location and interests, deliver ads that fit those interests, share that information with (or sell it to) additional third parties, and so on.
Until privacy legislation and regulation catch up, most of us are left to our own devices and depend on security and privacy researchers to discover the various potential pitfalls of using specific IoT devices.
Recent research and discoveries
Two groups of researchers – one from Northeastern University and Imperial College London and the other from Princeton University and University of Chicago – have recently published two separate papers pointing out a number of issues tied to IoT devices.
The former analyzed information exposure from 81 IoT devices with IP connectivity, including security cameras and video doorbells, smart hubs, smart lights, outlets, thermostats, smart TVs, smart speakers with voice assistants and various other appliances.
46 of these were purchased from US stores and deployed in a US lab, and the rest were purchased from UK stores and deployed in their UK testbed. They’ve also compared the results of their experiments with data gathered from a user study that included 36 participants using or triggering some of these devices during a six-month period.
Among other things, they found that:
- The ten companies contacted by the largest number of devices are Amazon, Google, Akamai, Microsoft, Netflix, Kingsoft, 21Vianet, Alibaba, Beijing Huaxiay, and AT&T
- Several third parties (in particular Amazon, Google, and Akamai) receive information from many of the tested IoT devices, allowing them to potentially profile consumers
- US devices tend to contact more non-first parties, likely because the US has less strict privacy regulations than the EU
- TVs (i.e., Samsung TV, LG TV, Roku, Fire TV) contact the largest number of third parties among all device categories
- Nearly all TV devices in the testbeds contact Netflix even though the researchers never configured any TV with a Netflix account
- Most of the traffic is encrypted, and there are regional differences in the use of encryption
- Sensitive or personal information exposed in plaintext is very limited, but users’ interactions with the devices can be reliably inferred, as encryption doesn’t hide the interactions that cause a device to generate network traffic
- There are instances of unexpected behavior like devices unexpectedly sending audio or video. E.g., smart doorbells start recording video or taking snapshots when someone moves in front of them. There is no way to turn off this feature, and gaining access to the snapshots and videos is pricey or impossible.
Researchers from Princeton University and the University of Chicago were more interested in figuring out the tracking ecosystem tied to Over-the-Top (OTT) TV streaming devices such as Roku and Amazon Fire TV.
“Although tracking of users on the web and on mobile is well studied, tracking on smart TVs and OTT devices has remained unexplored. To address this gap, we conducted the first study of tracking on OTT platforms,” shared Hooman Mohajeri Moghaddam.
They discovered that:
- Major online trackers (Google, Facebook) are highly prominent in the OTT ecosystem, along with other niche ones
- User and device identifiers, some of which can be reset by users and others not, are shared with third-party trackers
- Some channels share video titles with third-party trackers
- Most channels use at least one unencrypted connection
- Privacy options that supposedly limit tracking don’t actually do a good job
- A vulnerability in Roku’s remote control API could have allowed an attacker to extract info from the device and geolocate users.
“Our research shows that users, who are already being pervasively tracked on the web and mobile, face another set of privacy-intrusive tracking practices when using their OTT streaming platforms,” Moghaddam concluded.
“A combination of technical and policy solutions can be considered when addressing these privacy and security issues. OTT platforms should offer better privacy controls, similar to Incognito/Private Browsing Mode of modern web browsers. Insecure connections should be disincentivized by platform policies. (…) Regulators and policy makers should ensure the privacy protections available for brick and mortar video rental services, such as Video Privacy Protection Act (VPPA), are updated to cover emerging OTT platforms.”
For those interested in seeing and analyzing the data their own IoT devices are sending across the internet, Princeton researchers have recently released IoT Inspector, a multi-platform, open source tool that “requires minimal technical skills and no special hardware.”