Yet Another Study Shows The Internet Of Things Is A Privacy Shitshow
from the dysfunction-junction dept
Day in and day out, it's becoming increasingly clear that the smart home revolution simply isn't all that smart.
Security analysts like Bruce Schneier have been sounding the alarm bells for years now about the lax to nonexistent security and privacy standards inherent in the internet of broken things space. From refrigerators that leak your Gmail credentials to Barbie dolls that can be easily hacked to spy on kids, it's increasingly clear that dumber technology is often the smarter solution. Not only do many of these devices actually make us less secure, their lack of real security has resulted in their use in historically large DDoS attacks.
As if the point hadn't been made clear enough, a new joint study between Northeastern University and Imperial College London took a closer look at 81 popular smart door bells, dongles, TVs, and other gear, and came away notably unimpressed. The study, the biggest ever of its kind, found that the lion's share of such devices routinely share an ocean of data (your IP address, MAC address, location info, viewing preferences) with a massive array of third parties. Worse, many of these transfers were not properly secured, meaning they could be intercepted by another party:
"In a series of 34,586 experiments, the study found that 72 of the devices made contact with someone other than their manufacturer. In many instances, these transfers “expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic,” the researchers said."
One popular camera studied by the researchers pinged 52 different IP addresses every time it phoned home. And while some of the contact points were largely innocuous (cloud service providers, etc.), many of these devices were happily providing usage data to a wide variety of marketers and third parties without making those data transfers clear to the end user. Many of the devices routinely provided this data to companies like Netflix even when the end user didn't have a Netflix account. Much of this data is being combined with other data sets to build complex behavioral profiles, again without this always being clear to users (a notable point of contention in the smart electricity meter space).
On the plus side, a number of high-profile wrist slaps on this front (like the $17 million paid by Vizio for spying on its users for 3 years, or the bad press Samsung got when its smart TVs were shown to be transmitting viewer voice data unencrypted to the cloud) have at least resulted in these companies beefing up their use of encryption, though that's a mixed blessing for those trying to study what data is being sent between your smart fridge and third parties:
"Choffnes told me that while the high-profile wrist slaps of recent years have resulted in an increase in the use of encryption by vendors, that poses a double-edged sword for researchers: “One of the biggest challenges we face is that the same encryption that protects users' data from eavesdroppers also prevents us researchers from seeing what is inside,” he said."
Studies in both the UK and the US continue to highlight how privacy and security are just distant afterthoughts in the rush to sell more kit. Many of these devices aren't just overly chatty, they're extremely hackable. As security expert Bruce Schneier has long noted, there's no market solution to this problem because neither the hardware vendors nor the consumers actually care, since the privacy and security shortcomings (usually) harm only other people:
"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
He's also long made the point that none of this is going to get fixed until there's some kind of massive calamity that makes the broader public finally take the problem more seriously. And with businesses and consumers attaching easily compromised devices to their networks at the rate of millions per year, it's a day that doesn't seem too far over the horizon.
Reader Comments
The big issue is that companies feel entitled to collect and share as much information about people as they possibly can. Until that changes, probably by laws being enacted, data gathering will take precedence over security.
You mean there may be drawbacks to connecting your sex toys and everything else to strangers on the internet? I'm Shocked!!! Who could have imagined!!!
That's a real one, they can be hacked to bust into flames.
-shIOT...FTFY
-8K TV = LaserDisc
-i'm still mad AB isn't a Patriot
On subject though, yeah, we're all just beta testers getting the tech ready for the antichrist to be able to control all who buy or sell. In the meantime, I just wish we could get paid a dividend for our data that the collectors (Google, Amazon, etc.) sell. It's Our data that they're selling to advertisers, so shouldn't we be paid for Our data?
Re:
The "theory" is that your hardware is cheaper, being subsidized by the forever data vacuum.
Thankfully one can still find household appliances that do not have an internet connection. Not sure for how much longer but I think there is a market.
Re:
For those devices that do support an internet connection there's nothing at all to prevent the owner from failing to set up that connection. Why people willingly put every internet-not-required device on the net anyway, just because it can, remains a mystery.
For devices that do require a full-time internet connection in order to work the mystery lies in "why would you buy that one when this other does the same job without exposing you to security problems?". Thermostats, for example. Why in the hell do you need your thermostat online? I can only chalk it up to modern yuppies with more money than brains.
Re: Re:
If enough people fail to connect their devices to the internet, manufacturers will just make a deal with an ISP like Comcast and have them automatically connect to nearby hotspots, or possibly even share data with Verizon/AT&T/etc in return for 4G access.
Sellers will market this as "free internet access included!", and hundreds of millions of morons will jump for joy and continue buying these devices.
Re: Re:
Yes, at this time there is no requirement to connect the silly things; however, I do not want to pay for things I have no intention of using.
I imagine the added cost to the consumer is probably about a hundred bucks or more depending upon the implementation.
Re: Re:
"Thermostats, for example. Why in the hell do you need your thermostat online? I can only chalk it up to modern yuppies with more money than brains."
But if you don't have it online it won't download the updates to remain secure while it's online?
Also, you won't be able to adjust your at-home temperature from your smartphone while you're not at home. This is a real issue.
/s
Yeah, the "internet of things" is for the most part a con game which by rights only the village idiot should fall for. That sane people with the mental capacity to professionally hold down their jobs are eating this shit up is killing me...
The whole IoT market is a dark comedy of greed for manufacturers. They are so focused on lock-in and monetization that they forget to give any actually remotely useful features compared to offline appliances and fail to even cover low-hanging-fruit business use cases. You may have no use for checking your fridge remotely but commercial operations certainly do.
They have to subsidize their crap to move it. They kill off bought up competitors and wonder why people don't want unreliable products. They spend more money on producing worse products thinking it will make them rich.
I was in a pizza parlor yesterday for dinner and signed into their WiFi. Then my Google Home app alerted me that someone was streaming Netflix on "my" network and gave me controls for pausing and changing the volume. The entry was labeled FrontRoomDisplay. I walked to the front of the building and found a TV streaming Avengers Infinity War in the area where carryout orders are picked up. It was paused because I'd been playing with the controls.
Re:
Did you have fun with it?
this again
So who's minding the store?
Companies? Nah, that might eat into their profits.
Government? Since when does government regulate anything.
Customers? They still have passwords like password1234.
Stay far, far away from all this IoT crap. This is a replay of what I thought about Facebook about 5 years ago: this is going to end badly, get out now...
Great article Karl
Beautifully put, and well sourced.
Internet of things
For those of us who are aware of the problem but not technically knowledgeable about the ways to secure the devices where (if anywhere) are instructions?
Re: Internet of things
Instructions for IOT devices:
1) Do not waste your time & money
2) If you did not follow #1, then do not connect it to internet
3) If you did not follow #2 or #3, quickly smash the little bugger with a hammer and put it in the trash where it belongs.
Re: Re: Internet of things
What do you do when "dumb" devices in a market sector (ex: TVs) are no longer available on the consumer market?
Re: Re: Re: Internet of things
Set up a Pi Hole and keep an eye on the logs for a while whenever you add a new device to your home network.
Heck, set up a Pi Hole anyway; it's pretty much point-and-click even for a non-techie.
Even with a tuned hosts file and a decent ad blocker running, it's not unusual for a Pi Hole to block a quarter of all DNS requests.
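An added example, not from the article, the study, or any commenter: the study's core check (who else is this device talking to?) done at home scale against the Pi-hole logs the comment above suggests watching. It parses dnsmasq query-log lines (the format Pi-hole writes), counts distinct domains per client device, and lists the ones outside an assumed per-device allowlist of the manufacturer's own domains. All log lines, IPs, and domains are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in dnsmasq's query-log format (what Pi-hole writes to
# /var/log/pihole.log). Timestamps, client IPs and domains are all made up.
SAMPLE_LOG = """\
Nov  5 20:01:02 dnsmasq[612]: query[A] api.example-tv-vendor.com from 192.168.1.42
Nov  5 20:01:02 dnsmasq[612]: query[A] updates.example-tv-vendor.com from 192.168.1.42
Nov  5 20:01:05 dnsmasq[612]: query[A] metrics.example-adtech.net from 192.168.1.42
Nov  5 20:01:07 dnsmasq[612]: query[AAAA] metrics.example-adtech.net from 192.168.1.42
Nov  5 20:01:09 dnsmasq[612]: query[A] cdn.example-streaming.com from 192.168.1.42
Nov  5 20:02:00 dnsmasq[612]: query[A] cloud.example-cam-vendor.com from 192.168.1.77
Nov  5 20:02:01 dnsmasq[612]: query[A] telemetry.example-analytics.io from 192.168.1.77
Nov  5 20:02:03 dnsmasq[612]: forwarded telemetry.example-analytics.io to 1.1.1.1
"""

# Assumed per-device allowlist: the domains you expect each device to need
# (its manufacturer's cloud). Anything else is a third party worth a look.
EXPECTED = {
    "192.168.1.42": {"example-tv-vendor.com"},   # the "smart" TV
    "192.168.1.77": {"example-cam-vendor.com"},  # the doorbell camera
}

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

def registrable_domain(name):
    """Collapse a hostname to its last two labels; crude but fine for a home audit."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def audit_queries(log_text, expected):
    """Per client IP: how many distinct domains it resolved, and which were
    outside its expected set. Only 'query[...]' lines count; 'forwarded',
    'reply' and 'cached' lines are skipped so one lookup isn't double-counted."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            seen[m["client"]].add(registrable_domain(m["name"]))
    return {
        client: {
            "distinct_domains": len(domains),
            "unexpected": sorted(domains - expected.get(client, set())),
        }
        for client, domains in seen.items()
    }

if __name__ == "__main__":
    for client, summary in audit_queries(SAMPLE_LOG, EXPECTED).items():
        print(client, summary)
```

On a real Pi-hole, feed it the contents of `/var/log/pihole.log` and fill in `EXPECTED` from the device's manual; the "unexpected" list is the starting point for a router block rule.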
Re: Re: Re: Internet of things
"What do you do when "dumb" devices in a market sector (ex: TVs) are no longer available on the consumer market?"
Yeah, that will happen. So here's what you do.
1) Read the manual for the casual details on how to disable the device's internet access. Normally that should just be a case of not entering the wifi password when asked.
2) If the user access of the device does not allow a disconnect, have your router simply block access requests from the device in question.