Yet Another Study Shows The Internet Of Things Is A Privacy Shitshow

from the dysfunction-junction dept

Day in and day out, it’s becoming increasingly clear that the smart home revolution simply isn’t all that smart.

Security analysts like Bruce Schneier have been sounding the alarm bells for years now about the lax to nonexistent security and privacy standards inherent in the internet of broken things space. From refrigerators that leak your Gmail credentials to Barbie dolls that can be easily hacked to spy on kids, it’s increasingly clear that dumber technology is often the smarter solution. Not only do many of these devices actually make us less secure, their lack of real security has resulted in their use in historically large DDoS attacks.

As if the point hadn’t been made clear enough, a new joint study between Northeastern University and Imperial College London took a closer look at 81 popular smart door bells, dongles, TVs, and other gear, and came away notably unimpressed. The study, the biggest ever of its kind, found that the lion’s share of such devices routinely share an ocean of data (your IP address, MAC address, location info, viewing preferences) with a massive array of third parties. Worse, many of these transfers were not properly secured, meaning they could be intercepted by another party:

“In a series of 34,586 experiments, the study found that 72 of the devices made contact with someone other than its manufacturer. In many instances, these transfers ?expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic,? the researchers said.”

One popular camera studied by the researchers pinged 52 different IP addresses every time it phoned home. And while some of the contact points were largely innocuous (cloud service providers, etc.), many of these devices were happily providing usage data to a wide variety of marketers and third parties without making those data transfers clear to the end user. Often many of the devices were routinely providing this data to companies like Netflix even if the end user didn’t have a Netflix account. Much of this data is being used with other data sets to build complex behavioral profiles, again without this always being clear to users (a notable point of contention in the smart electricity meter space).

On the plus side, a number of high-profile wrist slaps on this front (like the $17 million paid by Vizio for spying on its users for 3 years, or the bad press Samsung got when its smart TVs were shown to be transmitting viewer voice data unencrypted to the cloud) have at least resulted in these companies beefing up their use of encryption, though that’s a mixed blessing for those trying to study what data is being sent between your smart fridge and third parties:

“Choffnes told me that while the high profile wrist slaps of recent years have resulted in an increase in the use of encryption by vendors, that poses a double edged sword for researchers ?One of the biggest challenges we face is that the same encryption that protects users’ data from eavesdroppers also prevents us researchers from seeing what is inside,? he said.”

Studies in both the UK and the US continue to highlight how privacy and security are just distant afterthoughts in the rush to sell more kit. Many of these devices aren’t just overly chatty, they’re extremely hackable. As security expert Bruce Schneier has long noted, there’s no market solution to this problem because neither the hardware vendors nor the consumers actually care, given the privacy and security shortcomings (usually) only harm other people:

“The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”

He’s also long made the point that none of this is going to get fixed until there’s some kind of massive calamity that makes the broader public finally take the problem more seriously. And with businesses and consumers attaching easily-compromised devices to their network at the rate of millions per year, it’s a day that doesn’t seem too far over the horizon.

Filed Under: ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Yet Another Study Shows The Internet Of Things Is A Privacy Shitshow”

Subscribe: RSS Leave a comment
19 Comments
Anonymous Coward says:

-shIOT…FTFY
-8K TV = LaserDisc
-i’m still mad AB isn’t a Patriot

On subject though, yeah, we’re all just beta testers getting the tech ready for the antichrist to be able to control all who buy or sell. In the meantime, I just wish we could get paid a dividend for our data that the collectors (Google, Amazon, etc.) sell. It’s Our data that they’re selling to advertisers, so shouldn’t we be paid for Our data?

Anonymous Coward says:

Re: Re:

For those devices that do support an internet connection there’s nothing at all to prevent the owner from failing to setup that connection. Why people willingly put every internet-not-required device on the net anyway, just because it can, remains a mystery.

For devices that do require a full-time internet connection in order to work the mystery lies in "why would you buy that one when this other does the same job without exposing you to security problems?". Thermostats, for example. Why in the hell do you need your thermostat online? I can only chalk it up to modern yuppies with more money than brains.

Anonymous Coward says:

Re: Re: Re:

If enough people fail to connect their devices to the internet, manufacturers will just make a deal with an ISP like Comcast and have them automatically connect to nearby hotspots, or possibly even share data with Verizon/AT&T/etc in return for 4G access.

Sellers will market this as "free internet access included!", and hundreds of millions of morons will jump for joy and continue buying these devices.

Scary Devil Monastery (profile) says:

Re: Re: Re:

"Thermostats, for example. Why in the hell do you need your thermostat online? I can only chalk it up to modern yuppies with more money than brains."

But if you don’t have it online it won’t download the updates to remain secure while it’s online?

Also, you won’t be able to adjust your at-home temperature from your smartphone while you’re not at home. This is a real issue.

/s

Yeah, the "internet of things" is for the most part a con game which by rights only the village idiot should fall for. That sane people with the mental capacity to professionally hold down their jobs are eating this shit up is killing me…

Anonymous Coward says:

The whole of IoT market is a dark comedy of greed for manufacturers. They are so focused on lock in and monetization that they forget to give any actually remotely useful features compared to offline appliances and fail to even cover low hanging fruit business use cases. You may have no use for checking your fridge remotely but commercial operations certainly do.

They have to subsidize their crap to move it. They kill off bought up competitors and wonder why people don’t want unreliable products. They spend more money on producing worse products thinking it will make them rich.

Anonymous Coward says:

I was in a pizza parlor yesterday for dinner and signed into their WiFi. Then my Google Home app alerted me that someone was streaming Netflix on "my" network and gave me controls for pausing and changing the volume. The entry was labeled FrontRoomDisplay. I walked to the front of the building and found a TV streaming Avengers Infinity War in the area where carryout orders are picked up. It was paused because I’d been playing with the controls.

nerdrage (profile) says:

this again

So who’s minding the store?

Companies? Nah, that might eat into their profits.

Government? Since when does government regulate anything.

Customers? They still have passwords like password1234.

Stay far far away from all this IoT crap. This is a replay of what I thought about Facebook about 5 years ago, this is going to end badly, get out now…

TRX (profile) says:

Re: Re: Re: Internet of things

Set up a Pi Hole and keep an eye on the logs for a while whenever you add a new device to your home network.

Heck, set up a Pi Hole anyway; it’s pretty much point-and-click even for a non-techie.

Even with a tuned hosts file and a decent ad blocker running, it’s not unusual for a Pi Hole to block a quarter of all DNS requests.

Scary Devil Monastery (profile) says:

Re: Re: Re: Internet of things

"What do you do when "dumb" devices in a market sector (ex: TVs) are no longer available on the consumer market?"

Yeah, that will happen. So here’s what you do.

1) Read the manual for the casual details on how to disable the device’s internet access. Normally that should just be a case of not entering the wifi password when asked.

2) If the user access of the device does not allow a disconnect, have your router simply block access requests from the device in question.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...