Internet of Things devices are meant to make our lives easier by automating daily tasks or filling gaps with information that helps us make better decisions. The flip side of the coin is the flow of our personal data, most of the time anonymously, to service providers and their partners.
A recent study by researchers at Northeastern University and the Imperial College London highlights this security risk of many IoT devices. The observations stem from analyzing 81 devices from various categories: nanny monitors, doorbell cameras, and smart TVs and appliances. All were run through a total of 34,000+ tests.
Most of the devices in the study leaked data to, passed data on to, or at least contacted third parties. Some of them were easily accessible from the outside, displayed abnormal behavior, or unexpectedly sent video or audio footage to another party.
The researchers highlight that, in some cases, the type of information delivered to a third party could not be determined because the traffic was encrypted. This happened with products from the TV category; some of these devices also kept sending data even when no streaming service or app was running.
46 of the tested products were from the US and 35 from the UK, with 26 devices overlapping. Researchers determined that devices from the US were more prone to contacting third parties than those in the UK.
“Using 34,586 controlled experiments, we find that 72/81 devices have at least one destination that is not a first party (i.e., belonging to the device manufacturer), 56% of the US devices and 83.8% of the UK devices contact destinations outside their region, all devices expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic (encrypted or otherwise) of 30/81 devices,” the researchers write.
The findings varied but raise concerns. Many of the TVs tested contacted a third party without permission – Netflix, for instance, even when the owner had no Netflix account or, if they did have one, was not logged in to the platform. Other non-first-party destinations, such as Akamai, Google and Amazon, were also contacted by IoT devices without permission, sending data that could be used to build a customer profile. This happened regardless of whether a VPN connection was used.
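The three exposure metrics the researchers report (non-first-party destinations, out-of-region destinations, and plaintext flows) can be checked on a home network by classifying each observed flow per device. The following Python script is an added example, not the study's own tooling: it runs over a handful of constructed flow records, assumes a hand-maintained map of each device to its manufacturer's domains, and treats any flow not observed to be TLS-wrapped as plaintext (so DNS and NTP count, as they do expose information). Hostnames, regions and device names are constructed placeholders.

```python
"""Audit IoT flow records for the exposure metrics described in the study.

Added example, not the researchers' code. The first-party map, the
destination regions and all flow records are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device: str       # local device identifier (constructed)
    dst_host: str     # destination hostname the device contacted
    dst_region: str   # region of the destination, assumed known (e.g. from GeoIP)
    dst_port: int     # destination port, kept for reporting
    tls: bool         # True if the payload was observed to be TLS-wrapped


# Assumed mapping of device -> manufacturer (first-party) domains. Constructed.
FIRST_PARTY = {
    "tv-a": {"tvmaker.example"},
    "cam-b": {"cammaker.example"},
    "plug-c": {"plugmaker.example"},
}


def is_first_party(device: str, host: str) -> bool:
    """A destination is first party if it is the manufacturer's domain or a subdomain of it."""
    domains = FIRST_PARTY.get(device, set())
    return any(host == d or host.endswith("." + d) for d in domains)


def is_plaintext(flow: Flow) -> bool:
    """Anything not wrapped in TLS is readable by an on-path eavesdropper."""
    return not flow.tls


def audit(flows, home_region: str) -> dict:
    """Per-device exposure: third-party hosts, out-of-region hosts, plaintext flow count."""
    report = {}
    for f in flows:
        r = report.setdefault(
            f.device,
            {"third_party": set(), "out_of_region": set(), "plaintext": 0, "flows": 0},
        )
        r["flows"] += 1
        if not is_first_party(f.device, f.dst_host):
            r["third_party"].add(f.dst_host)
        if f.dst_region != home_region:
            r["out_of_region"].add(f.dst_host)
        if is_plaintext(f):
            r["plaintext"] += 1
    return report


def summarize(report: dict) -> dict:
    """Aggregate the per-device report into device counts, as the study tabulates them."""
    return {
        "devices": len(report),
        "with_third_party": sum(1 for r in report.values() if r["third_party"]),
        "with_out_of_region": sum(1 for r in report.values() if r["out_of_region"]),
        "with_plaintext": sum(1 for r in report.values() if r["plaintext"]),
    }


# Constructed flow records standing in for what a passive capture would yield.
SAMPLE_FLOWS = [
    Flow("tv-a", "api.tvmaker.example", "US", 443, True),            # first party, in region
    Flow("tv-a", "cdn.stream-service.example", "US", 443, True),     # third party, encrypted
    Flow("cam-b", "upload.cammaker.example", "DE", 443, True),       # first party, out of region
    Flow("cam-b", "analytics.adnetwork.example", "US", 80, False),   # third party, plaintext HTTP
    Flow("plug-c", "cloud.plugmaker.example", "US", 8883, True),     # first party, MQTT over TLS
    Flow("plug-c", "cloud.plugmaker.example", "US", 80, False),      # first party, plaintext HTTP
]

HOME_REGION = "US"  # assumed region of the home network


if __name__ == "__main__":
    per_device = audit(SAMPLE_FLOWS, HOME_REGION)
    for device, r in per_device.items():
        print(f"{device}: {r['flows']} flows, third-party={sorted(r['third_party'])}, "
              f"out-of-region={sorted(r['out_of_region'])}, plaintext={r['plaintext']}")
    print(summarize(per_device))
```

On real captures the first-party map is the piece that needs care: CDNs and cloud providers front many manufacturer services, so a host that is technically third party may be carrying first-party traffic, which is exactly the ambiguity the researchers note for encrypted TV traffic.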
Other highlights of the study include instances of PII and other sensitive information being leaked in plaintext, and unexpected behavior from surveillance cameras. Other findings concern Ring cameras, which activate on motion but whose owners can’t view the recordings unless they pay a subscription fee. Furthermore, Alexa cameras frequently activate on the wrong words.
The study did not identify a single or specific type of damning behavior, as the purpose was to reveal whether these devices can offer access to personal data. The researchers weren’t seeking to determine whether they do it in a common way or what exactly was being revealed. It is enough, though, to warrant further research, the team believes.
“[The] concerns about information exposed by IoT devices is warranted, as is further investigation into more accurate device-activity classifiers and the root causes for the inferred behavior,” they say. The researchers have made all their software and anonymized datasets publicly available in a repository.
It is important to note that IoT products with a service behind them often work with partners that, most of the time, make it possible to deliver a particular feature. For instance, speech-to-text recognition for voice commands is typically outsourced to a specialized company.
Reputable vendors specify these details in the license agreement and have to ensure that data is anonymous and limited to what is necessary for improving the function.
Image credit: geralt