Many smart devices contact third-party servers and their owners don’t know it

A group of Princeton researchers who analyze IoT devices for security and privacy problems have discovered that many such products actually contact third-party servers without their owners’ knowledge.

In a blog post, the team says consumers are usually unaware that their smart homes often communicate with third-party services, sometimes even before they could even get a chance to log in to them. They provide some examples:

A smart TV supplied by Samsung connects to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook during the first minute after being powered on. Interestingly, the TV did it without testers logging into or creating accounts for these services.

A WiFi security camera sold by Amcrest actively communicates with cellphonepush.quickddns.com, a Dynamic DNS service provider operated by Dahua, a third party that Amcrest does not mention. Upon inquiry, Amcrest said Dahua was actually the maker of the surveillance cameras.

A smart smoke detector was found to be chatting with broker.xively.com, a MQTT service that facilitated communication between the smart device and the manufacturer. The same was found with a Geeni smart bulb.

“In many cases, consumers expect that their devices contact manufacturers’ servers, but communication with other third-party destinations may not be a behavior that consumers expect,” the team concluded.

This is perhaps why the EU and the UK are beginning to legally compel companies to secure their products and services “by design,” and to make extremely clear what data they collect and for what purpose.

The researchers plan to release an open-source tool that lets users inspect IoT devices on their own.