Have you ever stopped to think about what kind of data an innocuous-looking smart device may collect, where it sends that information, and whether it is encrypted in transit? Researchers at Northeastern University and Imperial College London looked into this very issue and ran a range of experiments in controlled environments in both the United States and the United Kingdom.
The researchers took an interesting approach, configuring their US lab to look like a studio apartment with the IoT devices integrated into it. This “studio lab” was used by 36 participants over six months, who interacted with the devices much as they would in day-to-day use. These experiments were uncontrolled, in that all traffic generated by the devices was captured without being labeled by activity. The full results are laid out in the paper, Information Exposure From Consumer IoT Devices.
Some of the devices were found to behave in unexpected ways, and two of the tested smart doorbells are a case in point. The integrated camera on one of them uploaded a snapshot after its first activation and every time someone moved in front of it, a feature that was not disclosed anywhere. Curiously, there was no way for the user to access these snapshots, which raises the question of where they were being uploaded and why the owner was not given a way to see them.
The other doorbell recorded a video every time a user moved in front of it, and the companion app used to set up the device failed to disclose that a recording was being captured, although this information could be found in the privacy policy. When the researchers logged into the account associated with the doorbell, they found that the recordings were accessible only after paying a monthly fee. They also could not find a way to disable this feature.
The study also analyzed where the IoT devices send their network traffic. Most of the devices (31 in the US lab and 24 in the UK lab) contacted at least one server hosted on Amazon Web Services (AWS), the cloud platform of choice for most of the companies in the study. The other frequently contacted addresses belonged to cloud platforms run by Microsoft or Google.
Almost all of the tested smart TVs contacted Netflix, which is curious given that none of them had been configured with a Netflix account. A contrast between the US and the EU can also be seen in that the devices in the US lab contacted more non-first parties, which may be attributable to the less strict privacy regulations in the US compared with those of the EU. One of our recent articles looked at how streaming devices track people’s viewing habits.
On one hand, the conclusion is not all that bleak: the researchers praise the fact that many of the devices used encryption to protect their users’ personal data, with minimal exposure in plain text. On the other hand, the devices that do lack encryption may expose people’s data to prying eyes and allow an observer on the network to work out how the devices are being used.
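The two questions raised above, which parties a device talks to and whether what it sends is readable on the wire, are ones a home or lab gateway can answer from captured flows. The script below is an added illustration, not code from the paper or its authors: it classifies each destination hostname as first party (under the vendor's own domain) or non-first party (attributed to a cloud operator by hostname suffix), and flags flows whose first payload is neither a TLS handshake nor high-entropy data. The device names, vendor domains, hostnames, suffix table and payloads are all constructed for the example; the entropy threshold is a crude heuristic, not the study's method.

```python
"""Classify IoT device flows captured at a home gateway by destination party
and by whether the first payload looks encrypted.  Added example; the flow
records, hostnames and domain lists below are constructed, not taken from
the study."""
import hashlib
import math
from collections import Counter, defaultdict

# Constructed cloud-provider hostname suffixes (illustrative, not exhaustive).
CLOUD_SUFFIXES = {
    "amazonaws.com": "Amazon Web Services",
    "cloudfront.net": "Amazon Web Services",
    "azure.com": "Microsoft",
    "windows.net": "Microsoft",
    "googleapis.com": "Google",
    "googleusercontent.com": "Google",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for a byte stream."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_payload(payload: bytes, threshold: float = 6.0) -> str:
    """'tls' if the bytes start with a TLS record header (content type 0x16 =
    handshake, major version 3); otherwise a crude entropy split between
    'plaintext' and 'opaque' (encrypted or compressed).  Entropy alone cannot
    prove encryption: a short or repetitive ciphertext can score low."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "opaque" if shannon_entropy(payload) >= threshold else "plaintext"


def destination_party(vendor_domain: str, host: str) -> str:
    """First party = hostname under the vendor's own domain; anything else is a
    non-first party, attributed to a cloud operator where the suffix matches.
    Suffix matching is a simplification: a vendor backend reached only through
    an amazonaws.com name is counted as AWS here."""
    if host == vendor_domain or host.endswith("." + vendor_domain):
        return "first party"
    for suffix, org in CLOUD_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return f"non-first party ({org})"
    return "non-first party (other)"


def summarize(flows):
    """flows: iterable of (device, vendor_domain, dst_host, dst_port, first_payload).
    Returns {device: {"parties": {host: party}, "plaintext": [(host, port), ...]}}."""
    report = defaultdict(lambda: {"parties": {}, "plaintext": []})
    for device, vendor, host, port, payload in flows:
        entry = report[device]
        entry["parties"][host] = destination_party(vendor, host)
        if classify_payload(payload) == "plaintext":
            entry["plaintext"].append((host, port))
    return dict(report)


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# First bytes of a TLS 1.2 ClientHello record (constructed header only).
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301") + b"\x00\xc8\x01\x00\x00\xc4\x03\x03"

# Constructed flow records, one per device -> destination flow.
SAMPLE_FLOWS = [
    ("doorbell-a", "vendor-a.example", "api.vendor-a.example", 443, TLS_CLIENT_HELLO_PREFIX),
    ("doorbell-a", "vendor-a.example", "uploads.s3.amazonaws.com", 443, TLS_CLIENT_HELLO_PREFIX),
    ("smart-tv", "tv-maker.example", "api.streaming-service.example", 443, TLS_CLIENT_HELLO_PREFIX),
    ("smart-tv", "tv-maker.example", "telemetry.tv-maker.example", 80,
     b"POST /report HTTP/1.1\r\nHost: telemetry.tv-maker.example\r\n"
     b"Content-Type: application/json\r\n\r\n{\"app\":\"video\",\"state\":\"idle\"}"),
    ("plug", "plug-co.example", "mqtt.plug-co.example", 8883, _pseudo_random(512)),
]

if __name__ == "__main__":
    for device, info in summarize(SAMPLE_FLOWS).items():
        print(device)
        for host, party in info["parties"].items():
            print(f"  {host:40} {party}")
        for host, port in info["plaintext"]:
            print(f"  PLAINTEXT -> {host}:{port}")
```

On the constructed input the smart TV's port-80 telemetry is the only flow reported as plaintext, while the doorbell's upload to an amazonaws.com hostname is reported as a non-first-party destination even though it may well be the vendor's own backend; that ambiguity is exactly why the study had to attribute destinations more carefully than a suffix table can.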
Studies like this offer valuable insight into what some IoT devices are up to and what kind of data they collect, especially when we consider that many of us may not have healthy cybersecurity habits, as evidenced by a recent survey conducted by ESET.