IOT Devices Provide Comcast A Wonderful New Opportunity To Spy On You
from the monitor-and-monetize-ALL-the-things! dept
For some time now we've noted how poorly secured IOT devices provide a myriad of opportunities for hackers looking for new attack vectors into homes and businesses. That's of course when these devices aren't just coughing up your personal data voluntarily. Whether it's your smart fridge leaking your Gmail credentials or your internet-connected TV transmitting your personal conversations over the internet unencrypted, we've noted time and time again how IOT manufacturers consistently make privacy and security an afterthought -- one that's going to ultimately cost us more than some minor inconvenience.
But in addition to the internet of broken things being a privacy and security dumpster fire, these devices are providing a wonderful new opportunity for larger ISPs looking to monetize the data you feed into their networks on a daily basis. A new study out of Princeton recently constructed a fake home, filled it with real IOT devices, and then monitored just how much additional data an ISP could collect on you based on these devices' network traffic. Their findings? It's relatively trivial for ISPs to build even deeper behavior profiles on you based on everything from your internet-connected baby monitor to your not-so-smart vibrator.
We've long noted that while encryption and VPNs are wonderful tools for privacy, they're not some kind of panacea -- and the researchers found the same thing here:
"...encryption doesn’t stop ISPs from knowing which internet-of-things devices their users have, nor does it stop them seeing when we use those devices. In the Princeton study, ISPs could track a user’s sleep patterns by detecting when a sleep tracker was connecting to the internet. It also revealed that ISPs could identify when a home security camera detected movement and when someone was watching a live stream from their security camera."
Similar concerns have been raised (and promptly ignored in most areas) regarding information collected from smart energy meters by your power utility, since power usage can similarly provide all manner of monetizable insight into your daily behavior. The researchers do note that more sophisticated users could use a VPN to confuse their ISP, but the full study indicates there will be some impact on network performance that could be a problem on slower connections:
"The authors say there might be ways to cut down the snooping abilities of ISPs. One possible defence involves deliberately filling a network with small amounts of traffic. This could be done by running all your internet traffic through a VPN and then programming the VPN to record and play back that traffic even when the IOT device is not in use, making it tricky for ISPs to work out when a particular device is actually being used. However, this would probably slow down the network, making it a somewhat impractical defence against network observations."
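As an added illustration (not code from the article or the Princeton study), the following Python simulates what an ISP can infer from the byte rate of an encrypted IoT flow alone, and what the cover-traffic defence described above buys and costs; the camera trace, thresholds and shaping rate are constructed assumptions.

```python
from statistics import median

# Constructed sample (not measured data): 60 seconds of a home camera's
# upstream byte counts as the ISP would see them. Idle heartbeat is 200 B/s.
CAMERA_TRACE = [200] * 60
for t in range(10, 15):
    CAMERA_TRACE[t] = 50_000    # motion-triggered clip upload
for t in range(30, 41):
    CAMERA_TRACE[t] = 30_000    # owner watching the live stream

def detect_activity(bytes_per_sec, factor=4.0, min_secs=3):
    """Infer when the device was in use from rate alone (no payload needed).
    A second is 'busy' when it carries more than `factor` times the idle
    baseline; runs shorter than `min_secs` are ignored as noise.
    Toy baseline: the median, which assumes the device idles most of the time."""
    baseline = median(bytes_per_sec) or 1.0
    windows, start = [], None
    for t, b in enumerate(bytes_per_sec + [0]):   # sentinel closes a final run
        busy = b > factor * baseline
        if busy and start is None:
            start = t
        elif not busy and start is not None:
            if t - start >= min_secs:
                windows.append((start, t - 1))
            start = None
    return windows

def constant_rate_shape(bytes_per_sec, rate):
    """The cover-traffic defence from the quoted passage: the VPN tunnel sends
    exactly `rate` bytes every second, padding idle seconds with dummy data and
    queueing real bursts that exceed the rate. Returns (shaped_series,
    worst_queue_delay_secs, bandwidth_overhead_ratio)."""
    shaped, backlog, worst = [], 0, 0
    for b in bytes_per_sec:
        backlog = backlog + b - min(backlog + b, rate)  # drain at most `rate`
        worst = max(worst, backlog // rate)             # seconds of queued data
        shaped.append(rate)                             # real bytes + padding
    overhead = sum(shaped) / sum(bytes_per_sec)
    return shaped, worst, overhead

if __name__ == "__main__":
    print("ISP sees activity at:", detect_activity(CAMERA_TRACE))
    shaped, worst, overhead = constant_rate_shape(CAMERA_TRACE, rate=30_000)
    print("after shaping:", detect_activity(shaped),
          f"worst delay {worst}s, {overhead:.1f}x bandwidth")
```

The shaped series is flat, so the rate-based detector finds nothing, but the clip upload is delayed by up to three seconds and the tunnel carries roughly three times the original bytes, which is the performance cost the passage warns about.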
Aren't you glad Congress recently voted to kill consumer broadband privacy protections solely for the financial benefit of Comcast, AT&T, Verizon and Charter (Spectrum)? Those fairly basic rules required that ISPs be entirely transparent about what data they're collecting and who they're selling it to. The rules, proposed after Verizon was caught modifying user data packets to track online behavior (without telling anyone), also would have required customers opt in to more sensitive financial data collection. Without them, oversight of ISP data collection is sketchy at best, no matter what large ISPs and their friends claim.
While the lack of ISP transparency as to what's being collected and sold is one problem, so too is the fact that most of these devices offer little to no insight or control over what kind of data and information they're transmitting. That leaves the onus entirely on the consumer to try and cobble together an imperfect array of technical solutions to minimize ISP snooping and protect themselves (often impossible for your average grandparent or Luddite), or to take the smarter path in the smart home era and resort to older, dumber technologies whenever and wherever possible.
Reader Comments
Data caps be damned.
Don't these people think "would I like to be surveilled like that for extra pennies in my service?"???? I mean, it's past the point of being creepy to being downright obnoxious. I wonder how far online companies (including ISPs) will push this and how useful this sea of data really is. I mean, I got to the point I actively avoid any advertisement on my connected devices either steering away or fully blocking it.
Re: Re:
They're also not realizing that "data is a toxic asset and saving it is dangerous ... Some simply don't realize just how damaging a data breach would be."
It's rare to see a technology publication take this stance. The divide is not between old and new technology, but between technologies that grant agency and those that take it away.
Re:
So here I am, seriously about to buy the bits and pieces to build my own damn TV because no company will respect my privacy.
It is really frustrating. I love technology; I see all the good it could do in the world. Yet I look at what it is being used for and I want to go live as a hermit in the woods off the grid and far, far away from all this.
Re: Re:
What pieces are those? A computer monitor and something to drive it, or something more interesting?
Re: Re: Re: Re:
Back early on in the HD days when 1080p didn't exist, and it was 720p or 1080i, pretty costly back then, they had HD Ready. These were TVs being sold without any HD tuner, which basically makes them a monitor.
Well, it looks like they're doing it again. Leave out the tuner. How much have you used it in the TV you're replacing? For me that would be NEVER. I have it hooked up to my antenna as a backup, but never needed that backup. I'm currently using a TiVo Roamio and TiVo Minis, so that's my TV tuner, or should I say 4 tuners.
At this point, is it really that much of a price savings? Is it more than a couple dollars in parts? It's not like they have a 4K OTA tuner in them. That doesn't exist at this time. So it would still be the same old 1080p tuner.
Ya, Costco is known for doing this on the TVs they sell these days. No tuners. So really, they should be called HD Ready or 4K Ready, I guess.
Re: Re: Re:
For some reason you remove the stupid "smart" part of the tv and label it a "computer monitor" and the company will charge you 2 or 3 times as much for the same size display.....
Re: Re:
You could make a religion out of this.
Re: Re:
If you need the "smarts", just set up a machine that connects to the TV running an OS you trust.
Re: Re: Re:
Look at the "smart" TV vulnerability that involved commands embedded in the TV signal.
Could use a broadcast antenna in the neighborhood and make them do all kinds of odd things without user input. Like maybe bricking itself.
Re: Re: Re: Re:
And "don't connect it to your wifi" doesn't mean it's not connected to some wifi, or listening for something over wifi.
To be safe, you'd have to disconnect the internal wifi and TV antennas (better yet, the chips—internal wires and traces can still receive sufficiently strong signals with the antennas unplugged) and avoid using any unfiltered digital input (i.e., avoid sending it possibly-corrupt MPEG data; component input is probably safe, and HDMI from a computer might be).
Re: Re: Re:
I can't be the only person out there who wants a TV that is dumb as a brick, with more HDMI ports than you know what to do with, and also doesn't look like a shitty pile of black plastic.
Re: Re: Re: Re:
Be sure to call it "artisanal" and charge double the reasonable price, and you might have something.
Those 40s/50s TVs sat right on the ground which unfortunately is bad for ergonomics.
Re: Re: Re: Re: Re:
There would obviously be some changes made, those old TVs were also in the 20 inch range for a big one.
Give me liberty or give me something of equal or lesser value from your glossy 32 page catalog.
Depends on the setup, doesn't it?
No, I don't have any IoT devices, and likely won't, but if I did, they would be connected to the Tomato router, and all traffic would be encrypted before it hits the ISP router. Other than the size or timing of packets, how would an ISP track me?
Or is there something I am missing?
Re: Depends on the setup, doesn't it?
Is there anything to stop an IoT device - or OS - from running its own VPN to send your personal data to be monetized?
Re: Re: Depends on the setup, doesn't it?
Besides, the article is about ISP's listening in, not the manufacturers. But what you suggest is one of the many reasons I won't have IoT devices.
Re: Depends on the setup, doesn't it?
I find a lot of attempted traffic in my default block everything rule on my firewall logs.
it's worse than you think
talk about having the fox inside the henhouse.
The fact that this hasn't happened yet seems to indicate that:
- neither ISPs nor manufacturers actually know how to mine the data in a profitable manner.
- manufacturers recognize the data isn't really theirs and do not want to litigate and risk losing.
facepalm
IoT devices are by definition spying on you. Many of the devices are essentially non-functional without an internet connection, and seem to depend on a central host to do some or most of the work of configuring and maintaining them. You are already sharing plenty of data with the maker of the product. Each of those companies in turn is anonymizing your data (slightly) and selling it to others, who collect data from many other sources.
Your ISP is the least of your concern. In fact while you may have a single ISP at home, you are very likely using a different company for wireless, a different company at your workplace / office, and you may connect to another ISP yet through wi-fi at the coffee shop. Your ISP actually has the least amount of data about you.
Now Google, Google has lots. If you are using an Android device, you are being tracked quite solidly. If you leave yourself logged into Gmail (which is a default, it seems) and don't specifically deny them the right, Google also collects all of your location data. They know exactly where you have been. They know your searches, they know which apps you have downloaded to run your IoT things, and they likely know when you actually use those apps. Google tracks you regardless of the ISP you use, the country you are in... no matter where you go, you connect to the internet and your phone is blabbing way more about you than some IoT device.
IoT devices and ISPs are perhaps the least of your concerns, more so because we spend all of our lives now absolutely screaming our actions out online to a whole host of companies and services. Google, Facebook, Twitter... they know who you are. Did you take an Uber or rent an AirBnB? There ya go.
Worry about the big stuff. IoT tracking isn't the big end of the stick.
Re: facepalm
Also, "Your ISP actually has the least amount of data about you."? You obviously have not really thought about that very clearly. Your ISP knows what sites you visit and how long you spend there. With minimal effort they can find out a ton of information on you, like your likely medical conditions and how much of what kind of porn you enjoy. The ISP can see 100% of anything you're doing that isn't encrypted. When it is encrypted they still can see who you're connected to, and for how long, and how much data you used.
Re: Re: facepalm
Medical conditions? Highly unlikely. At best they could see you went to some medical site. But past that, it would be all encrypted. Porn, same thing, anything on the site would be encrypted, unless it's part of the web address itself like www.ilovebigtits.com. Then I assume your ISP would know you love big tits. Anything deeper than that, no, as the site would more than likely be encrypted like everything else.
If you use a VPN, your ISP doesn't know much of anything other than how much data you're using, and even that seems not perfect. Using a VPN, everything is encrypted. You're going through a number of sites. Your ISP would have no idea where you're going or what you're doing.
Most IOT devices I wouldn't use. Security is weak or completely lacking. There are some that take security seriously and they do get patched if a hole is found, like Ring Doorbell. Myself, I use HomeKit devices. They're all encrypted. Apple doesn't sell personal data. It's not how they make their money. I feel safe using them.
Re: facepalm
What is being discussed is the average or normal American; that would be the person ringing up your "Smart Device" purchase, the person waiting your table in the restaurant...
These people have a tendency to do most of their personal stuff online from home (excluding Google on their phones in this, of course).
Re: facepalm
Paragraph 2: Important phrase: "You are already sharing plenty of data with the maker of the product". Indeed. But, most people are happy with that part of the equation and have authorised that openly. It's the sharing with 3rd parties / ISP also gathering info part that's problematic. Your words do not invalidate the argument actually being made.
Paragraph 3: Makes a lot of assertions and assumptions about everybody complaining about this that may be partially true, or completely false depending on the individual.
Paragraph 4: Pure whataboutism. What Google do has sod all to do with what specific IoT manufacturers do, plus you make the same silly amount of assumptions and assertions that are often completely false for many use cases.
Paragraph 5: More whataboutism, brushing away valid concerns because you can think of random assertions about people that probably don't apply to the people complaining.
So, as per usual, lots of words but not really saying anything other than you're not interested in a real discussion, when you can whine about some invented situations and random strawmen instead.
Re: facepalm
That's where they really lose me, a device that should and could be fully functional without being networked being intentionally crippled in order to force you to network it.
I won't buy it, although it's getting harder to find alternatives.