Princeton boffins have looked at the networking behavior of a bunch of Internet of Things kit and found – stop me if you've heard this one – device makers aren't paying attention.
The pair, PhD student Sarthak Grover and Center for Information Technology Policy fellow Roya Ensafi, say the devices they tested obey the rules of bad security, like badly-implemented encryption and privacy leaks.
Their presentation was given to the Federal Trade Commission's PrivacyCon 2016.
As the researchers note, novice programmers abound in the Things market, making novice mistakes, and trying to do things on hardware that can't support security. Because Thing-makers are relentless snoops, even two devices on the same network communicate with each other via the cloud.
"You have hardware which is incapable, and you have information which is always being sent to the cloud," Grover told PrivacyCon.
Grover's PrivacyCon address is on YouTube.
The test shopping-cart included a Nest thermostat, a Belkin WeMo switch, an Ubi speaker, a Sharx security camera, a PixStar photoframe and a SmartThings hub.
The SmartThings hub / WeMo switch combo was the only Thing to get a pass mark, since it used encryption by default. Its only information leak was the DNS queries, and it didn't identify individual devices connected to it.
Nest has issued a patch after the researchers found it sending location information in the clear; the Ubi, Sharx, and PixStar didn't bother with encryption at all.
If you thought a photo frame is purely passive, think again: the stupid device syncs with the vendor's servers, sending the user's email address in the clear, and it reports current activity back to the vendor using an unencrypted HTTP GET request.
Ubi gets to sit in the naughty corner because, as well as sending the user's email address in the clear, it reports data that could tell an eavesdropper whether or not you're at home. Sound, temperature, light and humidity are all shipped off using HTTP GET, even though (you'll probably have to sit down before reading this next bit) HTTPS is available in the device. Idiots.
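For anyone who wants to check their own kit for the photo frame and Ubi behaviour described above, here is an added example (not from the researchers' presentation or this article) that audits request URLs captured on a home network for email addresses and sensor readings sent over plain HTTP. The device labels, hostnames and query parameter names are constructed assumptions; real devices will use their own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed parameter names for the readings the article lists; real devices differ.
SENSOR_KEYS = {"sound", "temperature", "light", "humidity"}

# Constructed sample: (device label, request URL) as seen by a tap on your own LAN.
SAMPLE_REQUESTS = [
    ("photoframe", "http://frames.example.com/sync?user=alice%40example.org&state=slideshow"),
    ("speaker", "http://api.example.net/report?temperature=21.5&light=3&humidity=40&sound=12"),
    ("hub", "https://hub.example.com/v1/status?user=alice%40example.org"),
    ("camera", "http://cam.example.com/firmware/check?ver=1.2"),
]


def audit_request(url):
    """Return sorted leak labels for one request URL; empty if nothing is exposed."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        # TLS hides the path and query from an on-path observer
        # (the hostname is still visible through the DNS lookup).
        return []
    findings = set()
    # parse_qsl percent-decodes values, so alice%40example.org is caught too;
    # a regex run over the raw URL would miss it.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.search(value):
            findings.add("email")
        if key.lower() in SENSOR_KEYS:
            findings.add("sensor:" + key.lower())
    return sorted(findings)


def audit(requests):
    """Group findings per device, skipping devices with nothing exposed."""
    report = {}
    for device, url in requests:
        findings = audit_request(url)
        if findings:
            report.setdefault(device, set()).update(findings)
    return {device: sorted(leaks) for device, leaks in report.items()}


if __name__ == "__main__":
    for device, leaks in audit(SAMPLE_REQUESTS).items():
        print(f"{device}: cleartext {', '.join(leaks)}")
```
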
The researchers also point out that on its own, encryption isn't enough to prevent privacy leaks. For example, any Things that need to communicate with an upstream server fire off DNS queries.
All of this traffic also provides a very nice user fingerprint for anybody who can see it.
In every case, the researchers found, the DNS queries are enough to reveal which Things you own. ®