Yet Another Study Shows The Internet Of Things Is A Privacy Shitshow
from the dysfunction-junction dept
Day in and day out, it’s becoming increasingly clear that the smart home revolution simply isn’t all that smart.
Security analysts like Bruce Schneier have been sounding the alarm bells for years now about the lax to nonexistent security and privacy standards inherent in the internet of broken things space. From refrigerators that leak your Gmail credentials to Barbie dolls that can be easily hacked to spy on kids, it’s increasingly clear that dumber technology is often the smarter solution. Not only do many of these devices actually make us less secure, their lack of real security has resulted in their use in historically large DDoS attacks.
As if the point hadn’t been made clear enough, a new joint study between Northeastern University and Imperial College London took a closer look at 81 popular smart door bells, dongles, TVs, and other gear, and came away notably unimpressed. The study, the biggest ever of its kind, found that the lion’s share of such devices routinely share an ocean of data (your IP address, MAC address, location info, viewing preferences) with a massive array of third parties. Worse, many of these transfers were not properly secured, meaning they could be intercepted by another party:
“In a series of 34,586 experiments, the study found that 72 of the devices made contact with someone other than their manufacturer. In many instances, these transfers ‘expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic,’ the researchers said.”
One popular camera studied by the researchers pinged 52 different IP addresses every time it phoned home. And while some of the contact points were largely innocuous (cloud service providers, etc.), many of these devices were happily providing usage data to a wide variety of marketers and third parties without making those data transfers clear to the end user. Many of the devices were also routinely providing this data to companies like Netflix even if the end user didn’t have a Netflix account. Much of this data is being combined with other data sets to build complex behavioral profiles, again without this always being clear to users (a notable point of contention in the smart electricity meter space).
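An added example (not from the study or the article) of the kind of audit a defender can run on their own network to check the findings above: given connection records of the sort a home router’s conntrack or NetFlow export produces, it lists which hosts each device contacts outside its manufacturer’s domains and which of those flows are unencrypted. The device names, domains, sample flows and the vendor-domain mapping are constructed assumptions.

```python
"""Audit IoT device flows for third-party contacts and plaintext traffic.

Added example, not code from the study or the article. Each flow record is
(device_name, destination_host, destination_port, is_tls); in practice these
would be built from a router's conntrack table or NetFlow export.
"""
from collections import defaultdict

# Constructed sample flows: device, destination host, port, TLS flag.
SAMPLE_FLOWS = [
    ("doorbell", "api.vendor-example.com", 443, True),
    ("doorbell", "telemetry.adnetwork-example.net", 80, False),
    ("doorbell", "cdn.cloud-example.com", 443, True),
    ("smart-tv", "updates.tvmaker-example.com", 443, True),
    ("smart-tv", "metrics.streaming-example.com", 80, False),
    ("smart-tv", "beacon.tracker-example.io", 8080, False),
    ("smart-tv", "ntp.pool-example.org", 123, False),
    ("thermostat", "cloud.thermo-example.com", 443, True),
]

# Assumed mapping of each device to the domains its own manufacturer operates.
VENDOR_DOMAINS = {
    "doorbell": {"api.vendor-example.com"},
    "smart-tv": {"updates.tvmaker-example.com"},
    "thermostat": {"cloud.thermo-example.com"},
}

# Plaintext-by-design infrastructure services (DNS, NTP) that are not
# counted as leaked usage data; this is an assumption of the example.
INFRA_PORTS = {53, 123}


def audit_flows(flows, vendor_domains, infra_ports=INFRA_PORTS):
    """Per device: set of third-party hosts and list of plaintext (host, port)."""
    report = defaultdict(lambda: {"third_party": set(), "plaintext": []})
    for device, host, port, is_tls in flows:
        entry = report[device]
        if host not in vendor_domains.get(device, set()):
            entry["third_party"].add(host)
        if not is_tls and port not in infra_ports:
            entry["plaintext"].append((host, port))
    return dict(report)


def flag_devices(report, max_third_party=0):
    """Devices with any non-infra plaintext flow or too many third parties."""
    return sorted(d for d, e in report.items()
                  if e["plaintext"] or len(e["third_party"]) > max_third_party)
```

Run against real flow records, a device that shows up with dozens of distinct third-party hosts or any plaintext entry is a candidate for VLAN isolation or a firewall allow-list limited to its vendor domains.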
On the plus side, a number of high-profile wrist slaps on this front (like the $17 million paid by Vizio for spying on its users for 3 years, or the bad press Samsung got when its smart TVs were shown to be transmitting viewer voice data unencrypted to the cloud) have at least resulted in these companies beefing up their use of encryption, though that’s a mixed blessing for those trying to study what data is being sent between your smart fridge and third parties:
“Choffnes told me that while the high profile wrist slaps of recent years have resulted in an increase in the use of encryption by vendors, that poses a double-edged sword for researchers: ‘One of the biggest challenges we face is that the same encryption that protects users’ data from eavesdroppers also prevents us researchers from seeing what is inside,’ he said.”
Studies in both the UK and the US continue to highlight how privacy and security are just distant afterthoughts in the rush to sell more kit. Many of these devices aren’t just overly chatty; they’re also extremely hackable. As security expert Bruce Schneier has long noted, there’s no market solution to this problem because neither the hardware vendors nor the consumers actually care, given that the privacy and security shortcomings (usually) only harm other people:
“The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”
He’s also long made the point that none of this is going to get fixed until there’s some kind of massive calamity that makes the broader public finally take the problem more seriously. And with businesses and consumers attaching easily compromised devices to their networks at the rate of millions per year, that day doesn’t seem too far over the horizon.