As the Internet of Things (IoT) begins to enter the mainstream, concerns about the impact such “smart” devices will have on users’ privacy are growing. Many of the problems are obvious, but so far largely anecdotal. That makes a new paper from four researchers at Princeton University particularly valuable, because they analyze in detail how IoT devices leak private information to anyone with access to Internet traffic flows, and what might be done about it. Now that basic privacy protections for Internet users have been removed in the US, allowing ISPs to monitor traffic and sell data about their customers’s online habits to third parties, it’s an issue with heightened importance.
The Princeton team looked at seven popular IoT devices: Sense Sleep Monitor, Nest Cam Indoor security camera, Amcrest WiFi Security IP Camera, Belkin WeMo switch, TP-Link WiFi Smart Plug, Orvibo Smart WiFi Socket, and the Amazon Echo. The data streams were assumed to be encrypted, and therefore not susceptible to direct inspection. However, merely looking at the traffic rates of the encrypted data flows turned out to be highly revealing:
Traffic rates from a Sense sleep monitor revealed consumer sleep patterns, traffic rates from a Belkin WeMo switch revealed when a physical appliance in a smart home is turned on or off, and traffic rates from a Nest Cam Indoor security camera revealed when a user is actively monitoring the camera feed or when the camera detects motion in a user’s home.
Similarly, the researchers found that looking at the traffic flow and some of its unencrypted metadata was generally enough to allow the devices to be identified. They point out that somebody carrying out surveillance of the external data stream to the Internet could use the first three bytes of device MAC addresses (the organizational unique