How the CIA, Comcast can snoop on your sleep patterns, sex toy usage

The smart home may need to get a whole lot smarter, researchers warn


Smart home devices supply much more personal information than you might imagine, it appears, even when the data is encrypted.

In a study [PDF] of seven popular products, the team from Princeton University in the US decided to dig into how much they could figure out about a person's daily habits just by analyzing the internet traffic their gizmos produce.

It turns out to be quite a lot and, the team noted this month, the recent decision by the FCC, America's comms watchdog, to scrap broadband privacy rules days before they were due to come into effect means that your ISP is able to gather that information with its existing data collection.

Their paper – Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic – reveals that even when data from devices is encrypted, the metadata can help identify both the device and what it is signaling.

Some devices such as the Nest indoor camera directly communicate with identifiable domain names – in this case 'dropcam.com.' That immediately identifies what the product is, and it is then possible to infer from that and the resulting signal what is happening: whether it has detected motion or whether it is live streaming.

The same goes for the Sense sleep monitor, TP‑Link smart plug, and Amazon Echo. Even when the devices communicate with a generic DNS server – like Amazon's AWS service – they typically have a specific IP address that can be used to identify the sensor (the Belkin WeMo switch, for example, communicated with the very specific prod1-fs-xbcs-net-1101221371.us-east-1.elb.amazonaws.com address).

By digging into each device's signal, the team was able to figure out with some certainty exactly what was happening: someone was waking up, someone was turning on a light switch, someone had walked into the kitchen, and so on.

Given the fact that the same patterns are repeated, it would be very easy for an ISP to build a model that instantly analyzed and stored such patterns. And if an ISP can do it, anyone who can grab your internet traffic would be able to do the same.

Eavesdropping

"Smart home network traffic is susceptible to eavesdropping by other parties," they warn. "Such parties include ISPs, Wi‑Fi eavesdroppers, or state-level surveillance entities."

And while the team did not use an internet-connected sex toy in its test, it did note that the exact same analysis would reveal use of such items.

Which begs the question: how can you stop the CIA – or Comcast – keeping tabs on your dildo use?

The team dug into various methods, including:

  • Cutting the devices off from the outside internet
  • Using a VPN to shield traffic
  • Adding noise to the system to disguise usage

Only the last method proved satisfactory, with the researchers noting with some surprise that several devices simply stopped working altogether if they didn't have an internet connection. Others lost enough functionality that they were basically equivalent to non-smart home (and much cheaper) products.

The VPN method was pretty good at disguising traffic, since it effectively strips the DNS interactions out from grabbable traffic. But the team was still able to discern a lot of information based on the time, type and amount of traffic.

"A smart door lock and smart sleep monitor are less likely to be recording user activity simultaneously," it notes. "Traffic observations from particular times of day are likely to contain non-background traffic from only one of these devices."

What did work, however, was adding noise to the system through independent link padding (ILP). The team wrote some code (under 100 lines, they say) that ran on the router and padded or fragmented all data packets to a constant size, and then buffered traffic or sent cover traffic to hide actual device data.
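A minimal simulation of the independent link padding idea described above, added here as an illustration and not the researchers' router code. The cell size, send interval and both packet traces are constructed assumptions.

```python
from collections import deque

CELL_BYTES = 512    # assumed constant on-the-wire packet size
INTERVAL_MS = 100   # assumed fixed send interval (one cell per slot)

def ilp_shape(packets, duration_ms, cell=CELL_BYTES, interval_ms=INTERVAL_MS):
    """Shape (arrival_ms, size_bytes) device packets into a constant-rate stream.

    Returns (wire, worst_delay_ms, backlog): wire holds one
    (send_ms, size, is_real) entry per slot; backlog counts fragments
    still queued when the simulation ends.
    """
    arrivals = deque(sorted(packets))
    pending = deque()            # arrival times of fragments awaiting a slot
    wire, worst_delay = [], 0
    for slot in range(0, duration_ms, interval_ms):
        # Fragment everything received so far into cells of at most `cell` bytes.
        while arrivals and arrivals[0][0] <= slot:
            arrived, size = arrivals.popleft()
            fragments = -(-size // cell)          # ceiling division
            pending.extend([arrived] * fragments)
        if pending:
            # Real data: a short final fragment is padded up to the full cell size.
            worst_delay = max(worst_delay, slot - pending.popleft())
            wire.append((slot, cell, True))
        else:
            # Nothing queued: send cover traffic so the slot is never empty.
            wire.append((slot, cell, False))
    return wire, worst_delay, len(pending)

def observer_view(wire):
    """What an on-path observer sees: timing and size, not real vs. cover."""
    return [(send_ms, size) for send_ms, size, _ in wire]

# Constructed traces: heartbeats only vs. heartbeats plus an activity burst.
IDLE = [(0, 120), (5000, 120)]
ACTIVE = [(0, 120), (1200, 1400), (1210, 1400), (1220, 900), (5000, 120)]

if __name__ == "__main__":
    idle_wire, _, _ = ilp_shape(IDLE, 6000)
    active_wire, delay, backlog = ilp_shape(ACTIVE, 6000)
    same = observer_view(idle_wire) == observer_view(active_wire)
    print("identical on the wire:", same)
    print("real cells:", sum(r for _, _, r in active_wire), "worst delay ms:", delay)
```

The cost of the indistinguishable stream is visible in the return values: every slot carries a full cell whether or not the device has anything to say, and a burst waits in the buffer until slots free up.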
