IoT Inspector is a new tool from Princeton's computer science department; it snoops on the traffic from home IoT devices and performs analysis to determine who they phone home to, whether they use encryption, and what kinds of data they may be leaking.
The researchers have analyzed 50 popular IoT devices, which sounds like it was pretty labor-intensive. They're taking suggestions for devices to study next, and also tweaking the tool to run with less human intervention so they can scale up to lots of devices.
The first 50 devices are basically a security/privacy dumpster fire. They're using unencrypted connections (even sensitive devices like blood-pressure monitors!); their traffic, even when encrypted, can be used to infer sensitive information about the users; they're incredibly promiscuous about the number of companies and services they send data to -- but on the plus side, the traffic from these devices is routine enough that it's not hard to use software to figure out if something on your network has been hijacked into a botnet.
Finding #3: Many IoT Devices Contact a Large and Diverse Set of Third Parties
In many cases, consumers expect that their devices contact manufacturers’ servers, but communication with other third-party destinations may not be a behavior that consumers expect.
We have found that many IoT devices communicate with third-party services, of which consumers are typically unaware. We have found many instances of third-party communications in our analyses of IoT device network traffic. Some examples include:
* Samsung Smart TV. During the first minute after power-on, the TV talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook—even though we did not sign in or create accounts with any of them.
* Amcrest WiFi Security Camera. The camera actively communicates with cellphonepush.quickddns.com using HTTPS. QuickDDNS is a Dynamic DNS service provider operated by Dahua. Dahua is also a security camera manufacturer, although Amcrest’s website makes no references to Dahua. Amcrest customer service informed us that Dahua was the original equipment manufacturer.
* Halo Smoke Detector. The smart smoke detector communicates with broker.xively.com. Xively offers an MQTT service, which allows manufacturers to communicate with their devices.
* Geeni Light Bulb. The Geeni smart bulb communicates with gw.tuyaus.com, which is operated by TuYa, a China-based company that also offers an MQTT service.
We also looked at a number of other devices, such as Samsung Smart Camera and TP-Link Smart Plug, and found communications with third parties ranging from NTP pools (time servers) to video storage services.
These third-party services are potentially single points of failure or vulnerability. Specifically, the same third-party services are often used by a broad array of IoT devices. A security vulnerability in one service might affect devices across a range of manufacturers. Third-party services also allow data aggregation across devices. A third party could aggregate user data from a wide range of devices, creating the possibility for tracking a user’s behavior across many devices. These devices are also not transparent about the Internet services with which they communicate or share data. Most IoT devices do not mention the specific third parties they communicate with in their privacy policies, which makes it difficult for consumers to make purchasing decisions based on security and privacy considerations.
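The two defensive points above (that routine IoT traffic makes hijacked devices easy to spot with software, and that the set of third parties a device contacts is worth auditing) can be demonstrated with a small baseline-and-flag check over router-style flow logs. The code below is an added example written for this page; it is not IoT Inspector's code, and the device names, the baseline destination sets and the flow records are all constructed (only cellphonepush.quickddns.com and pool.ntp.org are real hostnames, the former taken from the excerpt above). It flags cleartext protocols from sensitive devices, destinations a device has never contacted before, and how many distinct domains each device fans out to.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound flow as a home router or passive capture would log it."""
    device: str      # local device label (e.g. DHCP hostname or MAC alias)
    dst_host: str    # destination hostname from DNS/SNI, or a bare IP
    dst_port: int
    bytes_out: int   # bytes the device sent in this flow


# Ports this example treats as cleartext application protocols.
PLAINTEXT_PORTS = {80: "http", 23: "telnet", 1883: "mqtt"}

# Devices whose traffic is sensitive enough that cleartext is an immediate finding.
SENSITIVE_DEVICES = {"bp-monitor"}

# Hypothetical learned baseline: destinations each device contacted during a
# quiet learning window. A real deployment would learn this over days of use.
BASELINE = {
    "smart-tv": {"play.google.com", "doubleclick.net"},
    "amcrest-cam": {"cellphonepush.quickddns.com", "pool.ntp.org"},
    "bp-monitor": {"api.health-vendor.invalid"},
}

# Constructed sample flows for the example run.
SAMPLE_FLOWS = [
    Flow("smart-tv", "play.google.com", 443, 2_100),
    Flow("smart-tv", "doubleclick.net", 443, 900),
    Flow("smart-tv", "graph.facebook.com", 443, 1_300),        # not in baseline
    Flow("amcrest-cam", "cellphonepush.quickddns.com", 443, 4_000),
    Flow("amcrest-cam", "pool.ntp.org", 123, 48),
    Flow("amcrest-cam", "203.0.113.9", 23, 512),               # telnet to a bare IP
    Flow("bp-monitor", "api.health-vendor.invalid", 80, 700),  # health data over http
]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 approximation: keep the last two labels. Bare IPs pass through."""
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:])


def plaintext_flows(flows):
    """Flows on cleartext ports; the last tuple field marks a sensitive device."""
    return [
        (f.device, f.dst_host, PLAINTEXT_PORTS[f.dst_port], f.device in SENSITIVE_DEVICES)
        for f in flows
        if f.dst_port in PLAINTEXT_PORTS
    ]


def new_destinations(flows, baseline):
    """Per device, destinations never seen in that device's baseline."""
    found = defaultdict(set)
    for f in flows:
        if f.dst_host not in baseline.get(f.device, set()):
            found[f.device].add(f.dst_host)
    return dict(found)


def third_party_fanout(flows):
    """Per device, the number of distinct registrable domains it contacted."""
    domains = defaultdict(set)
    for f in flows:
        domains[f.device].add(registrable_domain(f.dst_host))
    return {device: len(seen) for device, seen in domains.items()}


def report(flows, baseline):
    """Combine the three checks into one findings dictionary."""
    return {
        "plaintext": plaintext_flows(flows),
        "new_destinations": new_destinations(flows, baseline),
        "fanout": third_party_fanout(flows),
    }


if __name__ == "__main__":
    for name, finding in report(SAMPLE_FLOWS, BASELINE).items():
        print(f"{name}: {finding}")
```

The baseline check is what makes the "routine traffic" observation actionable: a camera that suddenly opens a telnet session to an address it has never contacted stands out precisely because its normal destination set is small and stable. The fan-out count gives a per-device number to compare against the manufacturer's privacy policy, and the cleartext check turns the blood-pressure-monitor finding into something a home router could alert on.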
IoT Inspector [Princeton]
Announcing IoT Inspector, A Tool to Study Smart Home IoT Device Behavior [Noah Apthorpe, Danny Y. Huang, Gunes Acar, Frank Li, Arvind Narayanan and Nick Feamster/Freedom to Tinker]