If You Have a Smart TV or IoT Devices, Your Home is Leaking Data
It’s been obvious for years that consumer devices cannot be trusted to secure user data, but there have been relatively few studies into exactly how poorly the modern ecosystem actually performs. Researchers at Northeastern University and Imperial College London have recently conducted a thorough analysis of 81 different IoT products to characterize what services they attempt to connect with, what communications can be inferred from these connections, and the degree of encryption used to protect customers.
The highlights of our research findings include the following. Using 34,586 controlled experiments, we find that 72/81 devices have at least one destination that is not a first party (i.e., belonging to the device manufacturer), 56% of the US devices and 83.8% of the UK devices contact destinations outside their region, all devices expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic (encrypted or otherwise) of 30/81 devices.
The products used for this survey were drawn from the US (46 devices) and UK (35 devices), with 26 devices common to both data sets. Devices are classified as cameras, smart hubs, home automation, TVs, audio (smart speakers), and appliances (connected appliances and the like).
What they found varied. Virtually every TV contacted Netflix to report information about itself, even when none of the devices were outfitted with a Netflix account. Non-first-party destinations (Akamai, Google, and Amazon) are often contacted by IoT devices, allowing those companies to log data profiles on customers. US devices tend to contact more third-party services than UK devices, possibly because of more stringent privacy requirements on the UK side of the pond. Using a VPN had a minimal impact on the type and number of attempted connections.
The encryption analysis performed by the team had issues; Wireshark wasn’t able to recognize many of the proprietary protocols used by these devices. The stronger takeaway seems to be that many products continue to share at least some data in the clear, and this may well represent security issues related to specific products, but the team did not conduct an in-depth analysis into exactly which information was being leaked or only partly encrypted at the per-device level. It wasn’t possible to do so with the tools they had.
As for what was being leaked over unencrypted channels, the team found instances of PII and other sensitive information being leaked in plaintext, though there’s evidence of improvement in this area compared with past evaluations.
Nonetheless, we found notable cases of PII exposure. This included various forms of unique identifiers (MAC address, UUID, device ID), geolocation at the state/city level, and user specified/related device name (e.g., John Doe’s Roku TV). A notable case that we found in our US lab is the Samsung Fridge sending MAC addresses unencrypted to an EC2 domain, which is a support party in the best case. The implication is that it is now possible for an ISP to track this device.
In both our labs we found that Magichome Strip is sending its MAC address in plaintext to a domain hosted on Alibaba. Interestingly, the Insteon hub was sending its MAC address in plaintext to an EC2 domain, but only from the UK lab. We did not find similar behavior in the US lab. Interestingly, each time the Xiaomi camera detected a motion, its MAC address, the hour and the date of the motion (in plaintext) was sent to an EC2 domain. We also noted that a video was included on the payload.
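A check for the kind of plaintext MAC-address exposure described above, which you can run against payloads from your own packet captures. This is an added example, not code from the paper or the original article. The function names, device names, hosts and payloads are constructed for illustration, and the MAC addresses come from the RFC 7042 documentation range.

```python
import re

def mac_encodings(mac: str) -> dict[str, bytes]:
    """Return the byte patterns a MAC address commonly takes inside a payload."""
    hexstr = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexstr) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [hexstr[i:i + 2] for i in range(0, 12, 2)]
    forms = {
        "colon": ":".join(octets),
        "hyphen": "-".join(octets),
        "bare-hex": hexstr,
        "url-encoded": "%3a".join(octets),
    }
    patterns = {name: text.encode() for name, text in forms.items()}
    patterns["raw-bytes"] = bytes.fromhex(hexstr)  # binary protocols
    return patterns

def find_mac_leaks(flows, device_macs):
    """Scan unencrypted flow payloads for any encoding of the listed MACs.

    flows: iterable of (destination, payload_bytes) taken from a capture
    device_macs: mapping of device name -> MAC address string
    Returns a sorted list of (device, destination, encoding) tuples.
    """
    flows = list(flows)
    hits = set()
    for device, mac in device_macs.items():
        patterns = mac_encodings(mac)
        for dest, payload in flows:
            lowered = payload.lower()  # text forms match case-insensitively
            for name, pat in patterns.items():
                haystack = payload if name == "raw-bytes" else lowered
                if pat in haystack:
                    hits.add((device, dest, name))
    return sorted(hits)

# Constructed sample data (hypothetical devices, example.* hosts).
DEVICES = {"fridge": "00:00:5E:00:53:01", "camera": "00:00:5e:00:53:02"}
FLOWS = [
    ("telemetry.example.com", b"POST /reg HTTP/1.1\r\n\r\nid=00005E005301&fw=1.2"),
    ("events.example.net", b"GET /motion?mac=00%3A00%3A5E%3A00%3A53%3A02&t=14 HTTP/1.1\r\n"),
    ("time.example.org", b"\x1b" + bytes(47)),  # no identifier present
    ("hub.example.com", b"\x01\x07" + bytes.fromhex("00005e005301") + b"\x00"),
]

if __name__ == "__main__":
    for device, dest, encoding in find_mac_leaks(FLOWS, DEVICES):
        print(f"{device}: MAC visible to {dest} ({encoding})")
```

A hit means anyone on the path, including the ISP, can tie that flow to one physical device. An empty result only covers the encodings listed and says nothing about other identifiers such as UUIDs or device names.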
The team writes that it identified “notable cases” of devices unexpectedly sending audio and video. The authors feel their highlights show that “concerns about information exposed by IoT devices is warranted, as is further investigation into more accurate device-activity classifiers and the root causes for the inferred behavior.”
There is no single smoking gun incident here, no specific and particular damning behavior. But there’s an awful lot of dubious connectivity, third-party services, and devices that can be monitored and tracked based on how they authenticate and what they transmit in the process. The devices we bring into our home can serve this sort of function, too, and companies are endlessly hungry for the data it represents.
The only solution to these issues, at present, is not to bring these devices into your home. If you own a smart TV, don’t connect it independently to the internet.