Smart devices such as virtual assistants or smart cameras can expose sensitive information such as home location and spending habits, with integrators providing a solution to this modern problem.
An international team of researchers, led by IMDEA Networks and Northeastern University in collaboration with NYU Tandon School of Engineering, Universidad Carlos III de Madrid, IMDEA Software, University of Calgary, and the International Computer Science Institute, has unveiled findings on the security and privacy challenges posed by the prevalence of IoT devices in smart homes. The research team’s study, titled “In the Room Where it Happens: Characterising Local Communication Threats in Smart Homes,” looks into the intricacies of local network interactions between 93 IoT devices and mobile apps, revealing a range of undisclosed security and privacy concerns.
Smart homes are becoming increasingly interconnected, comprising consumer-oriented IoT devices that range from smartphones and smart TVs to virtual assistants and CCTV cameras. These devices have cameras, microphones, and other ways of sensing what is happening in homes. Although users may view local networks as a trusted and safe environment, the study’s findings highlight new threats that arise when IoT devices expose sensitive data within local networks over standard protocols such as UPnP or mDNS. These threats include the exposure of unique device names, UUIDs, and household geolocation data, all of which can be harvested by companies involved in surveillance capitalism without the user’s awareness.
Vijay Prakash, PhD student from NYU Tandon who co-authored the paper, said: “Analysing the data collected by IoT Inspector, we found evidence of IoT devices inadvertently exposing at least one PII (Personally Identifiable Information), like unique hardware address (MAC), UUID, or unique device names, in thousands of real-world smart homes. Any single PII is useful for identifying a household, but combining all three of them together makes a house very unique and easily identifiable.”
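Householders and installers can check what their own devices announce on the local network. The sketch below is an added example, not code from the study or from IoT Inspector: it scans SSDP (UPnP discovery) messages and mDNS service names for the three identifier types named above. The sample announcements, function names and patterns are constructed for illustration.

```python
import re

# Constructed sample announcements (not captured traffic); every value is made up.
SAMPLE_SSDP = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "USN: uuid:2f402f80-da50-11e1-9b23-001122aabbcc::upnp:rootdevice\r\n"
    "LOCATION: http://192.168.1.23:8080/description.xml\r\n\r\n"
)
SAMPLE_MDNS = [
    "Alice's Living Room Speaker._googlecast._tcp.local",
    "printer._ipp._tcp.local",
    "cam-00:11:22:AA:BB:CC._rtsp._tcp.local",
]

UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.I)
OWNER_RE = re.compile(r"\b([A-Z][a-z]+)['\u2019]s\b")  # possessive such as "Alice's"

def find_identifiers(text):
    """Return sorted (kind, value) pairs for identifiers that single out a household."""
    found = set()
    for m in UUID_RE.finditer(text):
        u = m.group(0).lower()
        found.add(("uuid", u))
        if u[14] == "1":  # version-1 UUID: the last 12 hex digits are typically the MAC
            found.add(("mac-in-uuid", ":".join(u[i:i + 2] for i in range(24, 36, 2))))
    for m in MAC_RE.finditer(text):
        found.add(("mac", m.group(0).lower().replace("-", ":")))
    for m in OWNER_RE.finditer(text):
        found.add(("owner-name", m.group(1)))
    return sorted(found)

def audit(ssdp_messages, mdns_names):
    """Map each announcement to its findings, dropping announcements with none."""
    report = {}
    for msg in ssdp_messages:
        lines = msg.split("\r\n")
        usn = next((l for l in lines if l.upper().startswith("USN:")), lines[0])
        report[usn] = find_identifiers(msg)
    for name in mdns_names:
        # Only the instance label (before the first "._") is chosen by device or user.
        report[name] = find_identifiers(name.split("._", 1)[0])
    return {source: hits for source, hits in report.items() if hits}

if __name__ == "__main__":
    for source, hits in audit([SAMPLE_SSDP], SAMPLE_MDNS).items():
        print(source, "->", hits)
```

A device that shows up in the report is a candidate for renaming, for a firmware setting that disables discovery, or for placement on a separate network segment.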
These local network protocols can be employed as side channels to access data, such as household location, that is supposedly protected by several mobile app permissions.
Narseo Vallina-Rodriguez, Associate Research Professor of IMDEA Networks and co-founder of AppCensus, added: “A side channel is a sneaky way of indirectly accessing sensitive data. For example, Android app developers are supposed to request and obtain users’ consent to access data like geolocation. However, we have shown that certain spyware apps and advertising companies do abuse local network protocols to silently access such sensitive information without any user awareness. All they have to do is kindly ask for it from other IoT devices deployed in the local network using standard protocols like UPnP.”
Juan Tapiador, professor at UC3M, explained: “Our study shows that the local network protocols used by IoT devices are not sufficiently protected and expose sensitive information about the home and the use we make of the devices. This information is being collected in an opaque way and makes it easier to create profiles of our habits or socioeconomic level.”
The work of integrators can be a solution to this issue. Integrators and engineers have greater knowledge of the products being installed and of how to better protect homeowners’ privacy. Homeowners may be tempted to install IoT products themselves, but this can lead them to accept privacy terms and permissions too quickly during installation, with no way to reverse them afterwards, which leads to the security issues previously mentioned. Integrators can better protect the sensitive information that IoT products leave vulnerable in people’s homes and make it more difficult for these side channels to be accessed.
The findings underscore the importance for manufacturers, software developers, IoT and mobile platform operators, and policymakers to take action and enhance the privacy and security guarantees of smart home devices and households. The research team responsibly disclosed these issues to IoT device vendors and to Google’s Android Security Team.