IOT Devices Provide Comcast A Wonderful New Opportunity To Spy On You

from the monitor-and-monetize-ALL-the-things! dept

For some time now we've noted how poorly secured IOT devices provide a myriad of opportunities for hackers looking for new attack vectors into homes and businesses. That's of course when these devices aren't just coughing up your personal data voluntarily. Whether it's your smart fridge leaking your Gmail credentials or your internet-connected TV transmitting your personal conversations over the internet unencrypted, we've noted time and time again how IOT manufacturers consistently make privacy and security an afterthought -- one that's going to ultimately cost us more than some minor inconvenience.

But in addition to the internet of broken things being a privacy and security dumpster fire, these devices are providing a wonderful new opportunity for larger ISPs looking to monetize the data you feed into their networks on a daily basis. A new study out of Princeton recently constructed a fake home, filled it with real IOT devices, and then monitored just how much additional data an ISP could collect on you based on these devices' network traffic. Their findings? It's relatively trivial for ISPs to build even deeper behavior profiles on you based on everything from your internet-connected baby monitor to your not-so-smart vibrator.

We've long noted that while encryption and VPNs are wonderful tools for privacy, they're not some kind of panacea -- and the researchers found the same thing here:

"...encryption doesn’t stop ISPs from knowing which internet-of-things devices their users have, nor does it stop them seeing when we use those devices. In the Princeton study, ISPs could track a user’s sleep patterns by detecting when a sleep tracker was connecting to the internet. It also revealed that ISPs could identify when a home security camera detected movement and when someone was watching a live stream from their security camera."

Similar concerns have been raised (and promptly ignored in most areas) regarding information collected from smart energy meters by your power utility, since power usage can similarly provide all manner of monetizable insight into your daily behavior. The researchers do note that more sophisticated users could use a VPN to confuse their ISP, but the full study indicates there will be some impact on network performance that could be a problem on slower connections:

"The authors say there might be ways to cut down the snooping abilities of ISPs. One possible defence involves deliberately filling a network with small amounts of traffic. This could be done by running all your internet traffic through a VPN and then programming the VPN to record and play back that traffic even when the IOT device is not in use, making it tricky for ISPs to work out when a particular device is actually being used. However, this would probably slow down the network, making it a somewhat impractical defence against network observations."
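To make the study's point concrete, here is an added example (mine, not code from the article or from the Princeton researchers) that models what an ISP can and cannot see on an encrypted link: a hypothetical cloud security camera with constructed idle, motion-upload and live-stream byte rates, the simple rate-threshold rule an observer could use to recover when the camera was in use, and the constant-rate padding defence quoted above together with the bandwidth overhead it costs. The device, its rates and its schedule are all constructed.

```python
"""Toy model of the metadata leak the Princeton study describes and of the
traffic-padding defence quoted above. Added example; not code from the
article or the study. The device, its rates and its schedule are constructed."""

# Constructed byte-per-minute rates for one hypothetical cloud security camera.
IDLE_RATE = 2_000          # assumed keep-alive / cloud check-in traffic
MOTION_RATE = 800_000      # assumed clip upload after motion is detected
STREAM_RATE = 4_000_000    # assumed rate while someone watches the live feed
MINUTES = 120

def device_activity(minute):
    """Ground truth the observer is trying to recover (constructed schedule)."""
    if 30 <= minute < 35:
        return "motion_upload"
    if 60 <= minute < 70:
        return "live_stream"
    return "idle"

RATE_FOR = {"idle": IDLE_RATE, "motion_upload": MOTION_RATE, "live_stream": STREAM_RATE}

def observed_volumes(minutes=MINUTES):
    """All an ISP gets from an encrypted flow: bytes per interval, no content.
    Encryption (or a plain VPN tunnel) does not change these numbers."""
    return [RATE_FOR[device_activity(m)] for m in range(minutes)]

def infer_usage(volumes, factor=2):
    """Observer's rule: take the quietest interval as the idle baseline and
    call any interval more than `factor` times louder 'device in use'."""
    baseline = min(volumes)
    return [i for i, v in enumerate(volumes) if v > baseline * factor]

def pad_to_constant_rate(volumes, target):
    """The defence from the quoted passage: keep the link busy with dummy
    (recorded/replayed) traffic so idle intervals look like busy ones.
    Intervals already above `target` are left as they are, which is exactly
    where the defence leaks if `target` is set below the device's peak rate."""
    return [max(v, target) for v in volumes]

def overhead_fraction(volumes, padded):
    """Price of the defence: extra bytes sent, as a fraction of the real traffic."""
    real = sum(volumes)
    return (sum(padded) - real) / real

if __name__ == "__main__":
    real = observed_volumes()
    print("unpadded, intervals flagged as in use:", infer_usage(real))
    for target in (MOTION_RATE, STREAM_RATE):
        padded = pad_to_constant_rate(real, target)
        print(f"padded to {target:,} B/min: flagged {infer_usage(padded)}, "
              f"overhead x{overhead_fraction(real, padded):.1f}")
```

With no padding the rate rule recovers the motion and live-stream windows exactly. Padding up to the camera's peak rate hides both, at roughly ten times the real bandwidth; padding only up to the motion-upload rate cuts that cost to about double but leaves every live-stream interval visible. That is the bandwidth-versus-privacy trade-off the quoted passage alludes to.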

Aren't you glad Congress recently voted to kill consumer broadband privacy protections solely for the financial benefit of Comcast, AT&T, Verizon and Charter (Spectrum)? Those fairly basic rules required that ISPs be entirely transparent about what data they're collecting and who they're selling it to. The rules, proposed after Verizon was caught modifying user data packets to track online behavior (without telling anyone), also would have required customers opt in to more sensitive financial data collection. Without them, oversight of ISP data collection is sketchy at best, no matter what large ISPs and their friends claim.

While the lack of ISP transparency as to what's being collected and sold is one problem, so too is the fact that most of these devices offer little to no insight or control over what kind of data and information they're transmitting. That leaves the onus entirely on the consumer to try and cobble together an imperfect array of technical solutions to minimize ISP snooping and protect themselves (often impossible for your average grandparent or Luddite), or to take the smarter path in the smart home era and resort to older, dumber technologies whenever and wherever possible.


Reader Comments


  • Ninja (profile), 28 Aug 2017 @ 12:52pm

    "One possible defence involves deliberately filling a network with small amounts of traffic."

    Data caps be damned.

    Don't these people think "would I like to be surveilled like that for extra pennies in my service?"???? I mean, it's past the point of being creepy to being downright obnoxious. I wonder how far online companies (including ISPs) will push this and how useful this sea of data really is. I mean, I got to the point I actively avoid any advertisement on my connected devices either steering away or fully blocking it.

    • Anonymous Coward, 28 Aug 2017 @ 1:37pm

      Re:

      I think the problem is that upper management has bought into the idea that big data gives them all sorts of insights, but they have no clue what insights would be useful. Therefore they want the organization to collect as much data as possible, just in case that they think of a use for it.

      • Anonymous Coward, 28 Aug 2017 @ 2:07pm

        Re: Re:

        > I think the problem is that upper management has bought into the idea that big data gives them all sorts of insights... Therefore they want the organization to collect as much data as possible,

        They're also not realizing that "data is a toxic asset and saving it is dangerous ... Some simply don't realize just how damaging a data breach would be."

        • TKnarr (profile), 28 Aug 2017 @ 2:53pm

          Re: Re: Re:

          Right now such a data breach wouldn't be damaging at all... for the company collecting the data, anyway, since it's all but impossible for the consumers who do suffer the damage to hold the companies liable.

  • Anonymous Coward, 28 Aug 2017 @ 1:47pm

    > take the smarter path in the smart home era and resort to older, dumber technologies whenever and wherever possible.

    It's rare to see a technology publication take this stance. The divide is not between old and new technology, but between technologies that grant agency and those that take it away.

    • Machin Shin, 28 Aug 2017 @ 2:00pm

      Re:

      Something is seriously wrong when I have reached the point of actually researching how to build my own TV. I don't want a "smart" TV but to get a modern TV without the "smarts" is pretty much impossible.

      So here I am, seriously about to buy the bits and pieces to build my own damn TV because no company will respect my privacy.

      It is really frustrating. I love technology; I see all the good it could do in the world. Yet I look at what it is being used for and I want to go live as a hermit in the woods off the grid and far far away from all this.

      • Anonymous Coward, 28 Aug 2017 @ 2:08pm

        Re: Re:

        > So here I am, seriously about to buy the bits and pieces to build my own damn TV

        What pieces are those? A computer monitor and something to drive it, or something more interesting?

        • streetlight (profile), 28 Aug 2017 @ 3:45pm

          Re: Re: Re:

          I was recently in Costco and walking through the TV section I noticed a large (55" ?) "TV" but the price sign said it was a monitor. It had all the usual inputs and outputs but I saw no coax input. I assume it had no over the air receiver, so you would need some other source - cable box, Chromecast, Roku, etc. IIRC, it was an LG but may be wrong.

          • Anonymous Coward, 29 Aug 2017 @ 8:28am

            Re: Re: Re: Re:

            This is one of the new things these days to cut costs. Leave out the HD tuner.

            Back early on in the HD days when 1080P didn't exist, and it was 720P or 1080i, pretty costly back then, they had HD Ready. These were TVs being sold without any HD tuner. Which basically makes them a monitor.

            Well it looks like they're doing it again. Leave out the tuner. How much have you used it in the TV you're replacing? For me that would be NEVER. I have it hooked up to my antenna as a backup, but never needed that backup. I'm currently using a Tivo Roamio and Tivo Minis, so that's my TV tuner, or should I say 4 tuners.

            At this point, is it really that much of a price savings? Is it more than a couple dollars in parts? It's not like they have a 4K OTA tuner in them. That doesn't exist at this time. So it would still be the same old 1080P tuner.

            Ya, Costco is known for doing this on the TVs they sell these days. No tuners. So really, they should be called HD Ready or 4K Ready I guess.

        • Machin Shin, 28 Aug 2017 @ 8:53pm

          Re: Re: Re:

          Takes a bit of work but I was actually looking at sources of the display panel, and dumb controller boards to drive it. This way I can get a large TV without the "smarts" and also without spending crazy amounts on a computer monitor.

          For some reason you remove the stupid "smart" part of the tv and label it a "computer monitor" and the company will charge you 2 or 3 times as much for the same size display...

      • Anonymous Coward, 28 Aug 2017 @ 2:12pm

        Re: Re:

        > Yet I look at what it is being used for and I want to go live as a hermit in the woods off the grid and far far away from all this.

        You could make a religion out of this.

      • Anonymous Coward, 28 Aug 2017 @ 2:29pm

        Re: Re:

        Uh... isn't it as simple as never connecting your TV to a network? I mean - if you just want a "dumb TV", you just set it up, connect HDMI cables to it, and never allow it to talk to the internet (hint: don't plug in the ethernet cable or connect it to your wifi).

        If you need the "smarts", just set up a machine that connects to the TV running an OS you trust.

        • Anonymous Coward, 28 Aug 2017 @ 6:50pm

          Re: Re: Re:

          Unfortunately that doesn't always work.

          Look at the "smart" TV vulnerability that involved commands embedded in the TV signal.

          Could use a broadcast antenna in the neighborhood and make them do all kinds of odd things without user input. Like maybe bricking itself.

          • Anonymous Coward, 29 Aug 2017 @ 9:00am

            Re: Re: Re: Re:

            And "don't connect it to your wifi" doesn't mean it's not connected to some wifi, or listening for something over wifi.

            To be safe, you'd have to disconnect the internal wifi and TV antennas (better yet, the chips—internal wires and traces can still receive sufficiently strong signals with the antennas unplugged) and avoid using any unfiltered digital input (i.e., avoid sending it possibly-corrupt MPEG data; component input is probably safe, and HDMI from a computer might be).

      • Anonymous Coward, 28 Aug 2017 @ 3:45pm

        Re: Re:

        I think you found a niche market. Start selling Dumb TVs. These things are so dumb, you couldn't pull data from them even if you tried.

        • Machin Shin, 28 Aug 2017 @ 9:00pm

          Re: Re: Re:

          I actually was seriously thinking about building myself one as a trial. Then if it works out well I would love to build modern HDTVs in cabinets kind of like they made in the 40s and 50s.

          I can't be the only person out there who wants a TV that is dumb as a brick, with more HDMI ports than you know what to do with, and also doesn't look like a shitty pile of black plastic.

          • Anonymous Coward, 29 Aug 2017 @ 9:02am

            Re: Re: Re: Re:

            > if it works out well I would love to build modern HDTVs in cabinets kind of like they made in the 40s and 50s.

            Be sure to call it "artisanal" and charge double the reasonable price, and you might have something.

            Those 40s/50s TVs sat right on the ground which unfortunately is bad for ergonomics.

            • Machin Shin, 29 Aug 2017 @ 1:33pm

              Re: Re: Re: Re: Re:

              "Those 40s/50s TVs sat right on the ground which unfortunately is bad for ergonomics."

              There would obviously be some changes made; those old TVs were also in the 20 inch range for a big one.

  • Roger Strong (profile), 28 Aug 2017 @ 1:55pm

    Give me liberty or give me something of equal or lesser value from your glossy 32 page catalog.

    • Old joke, from before the catalog filled with IOT devices.

  • Anonymous Anonymous Coward (profile), 28 Aug 2017 @ 2:53pm

    Depends on the setup, doesn't it?

    I have two routers. One, supplied by the ISP that connects to the Internet. The second is one I bought and run Tomato and VPN software on, that then connects to the ISP router. Everything else is connected to the Tomato router. Everything is encrypted at the Tomato router.

    No I don't have any IoT devices, and likely won't, but if I did, they would be connected to the Tomato router, and all traffic would be encrypted before it hits the ISP router. Other than the size or timing of packets, how would an ISP track me?

    Or is there something I am missing?

    • Roger Strong (profile), 28 Aug 2017 @ 2:59pm

      Re: Depends on the setup, doesn't it?

      > Or is there something I am missing?

      Is there anything to stop an IoT device - or OS - from running its own VPN to send your personal data to be monetized?

      • Anonymous Anonymous Coward (profile), 28 Aug 2017 @ 3:05pm

        Re: Re: Depends on the setup, doesn't it?

        Not that I am aware of, though if IoT makers don't do anything to protect their data streams, putting a VPN in the device would seem to contradict that.

        Besides, the article is about ISPs listening in, not the manufacturers. But what you suggest is one of the many reasons I won't have IoT devices.

    • tom (profile), 28 Aug 2017 @ 6:26pm

      Re: Depends on the setup, doesn't it?

      If you have a default rule in your Tomato router that blocks all traffic from the internal LAN to the external Internet, then you should be good. This way, the only traffic that escapes your network is traffic you have specifically allowed.

      I find a lot of attempted traffic in my default block everything rule on my firewall logs.
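As an added example on the default-deny approach tom describes (my code, not the commenter's configuration or anything from the Tomato project), the following Python summarises the blocked-egress entries a Linux firewall writes with a LOG target placed before its final DROP rule, so you can see which LAN device keeps trying to reach which outside host and port and decide whether that needs an allow rule or should stay blocked. The log lines, the log prefixes, the interface names (br0 for the LAN bridge, vlan2 for the WAN) and all addresses are constructed.

```python
"""Summarise blocked outbound connection attempts from a default-deny router
firewall. Added example; the log lines, interface names and addresses below
are constructed, not taken from any real router."""
import re
from collections import Counter, defaultdict

LAN_IF = "br0"    # assumed LAN bridge interface name
WAN_IF = "vlan2"  # assumed WAN interface name

# Constructed netfilter LOG-target lines. "DROP-FWD" is an assumed log prefix
# on the FORWARD chain (LAN -> WAN); "DROP-IN" an assumed prefix on INPUT.
SAMPLE_LOG = """\
Aug 28 18:01:02 router kernel: DROP-FWD IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=43210 DPT=443 SYN
Aug 28 18:01:05 router kernel: DROP-FWD IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=43211 DPT=443 SYN
Aug 28 18:01:09 router kernel: DROP-FWD IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=198.51.100.7 LEN=76 TTL=63 PROTO=UDP SPT=60001 DPT=123
Aug 28 18:02:14 router kernel: DROP-FWD IN=br0 OUT=vlan2 SRC=192.168.1.77 DST=203.0.113.99 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=8883 SYN
Aug 28 18:02:44 router kernel: DROP-FWD IN=br0 OUT=vlan2 SRC=192.168.1.77 DST=203.0.113.99 LEN=60 TTL=63 PROTO=TCP SPT=51001 DPT=8883 SYN
Aug 28 18:03:01 router kernel: DROP-IN IN=vlan2 OUT= SRC=198.51.100.200 DST=192.0.2.5 LEN=40 TTL=51 PROTO=TCP SPT=55555 DPT=23 SYN
Aug 28 18:03:30 router kernel: DROP-FWD IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=43212 DPT=443 SYN
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_fields(line):
    """Turn the KEY=VALUE tokens of a netfilter log line into a dict.
    Bare flags such as SYN or DF carry no '=' and are simply skipped."""
    return dict(FIELD_RE.findall(line))

def is_blocked_egress(fields):
    """Only LAN -> WAN forwards count; drops of inbound WAN traffic are a
    different question and are filtered out here."""
    return fields.get("IN") == LAN_IF and fields.get("OUT") == WAN_IF

def summarize_blocked_egress(log_text):
    """Map each LAN source address to a Counter of (dst, proto, dport) it tried."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if not is_blocked_egress(f):
            continue
        key = (f.get("DST"), f.get("PROTO"), int(f.get("DPT", 0)))
        per_host[f["SRC"]][key] += 1
    return per_host

def repeat_offenders(per_host, min_attempts=3):
    """Destinations a device keeps retrying: the first ones worth a look,
    whether that ends in an allow rule or in unplugging the device."""
    return [(src, dst, n) for src, c in per_host.items()
            for dst, n in c.items() if n >= min_attempts]

if __name__ == "__main__":
    summary = summarize_blocked_egress(SAMPLE_LOG)
    for src, counter in sorted(summary.items()):
        for (dst, proto, dport), n in counter.most_common():
            print(f"{src} -> {dst} {proto}/{dport}: {n} blocked attempt(s)")
    print("repeat offenders:", repeat_offenders(summary))
```

On the constructed sample the host at 192.168.1.50 is repeatedly trying TCP/443 to one outside address and once NTP, while 192.168.1.77 keeps trying TCP/8883 (the usual MQTT-over-TLS port); the inbound telnet probe dropped on the WAN side is ignored because it is not egress. Run against a real router's syslog the same summary tells you what a default-deny rule is actually stopping, which is the information you need before opening anything.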

    • Anonymous Coward, 29 Aug 2017 @ 1:58am

      Re: Depends on the setup, doesn't it?

      GPS

  • nate Hoffelder, 28 Aug 2017 @ 3:14pm

    it's worse than you think

    If you think this is bad, you should check out Comcast Business. They offer a service where Comcast installs and runs all your IoT devices from smart speakers to IP security cameras.

    Talk about having the fox inside the henhouse.

  • Richard M (profile), 28 Aug 2017 @ 3:22pm

    Re: Depends on the setup, doesn't it?

    The problem is not that IOT and smart devices cannot be secured but that the majority of the population either doesn't realize there is a problem or, if they do, have no idea how to fix it.

    • Anonymous Coward, 28 Aug 2017 @ 3:56pm

      Re: Re: Depends on the setup, doesn't it?

      Is that on accident or on purpose? What they don't like to tell you is the IOT is actually short for IDIOT. Insecure Device Internet of Thing. Marketing didn't think this standard was going to work out in the end.

  • Darren H, 28 Aug 2017 @ 6:09pm

    This will change only if Manufacturer A realizes an ISP is selling their products' 'signature' to Manufacturer B.

    The fact that this hasn't happened yet seems to indicate that:
    - neither ISPs nor manufacturers actually know how to mine the data in a profitable manner.
    - manufacturers recognize the data isn't really theirs and do not want to litigate and risk losing.

  • MyNameHere (profile), 29 Aug 2017 @ 1:49am

    facepalm

    Actually, this needed the STTNG double face palm, because one face palm isn't enough.

    IoT devices are by definition spying on you. Many of the devices are essentially non-functional without an internet connection, and seem to depend on a central host to do some or most of the work of configuring and maintaining them. You are already sharing plenty of data with the maker of the product. Each of those companies in turn is anonymizing your data (slightly) and selling it to others, who collect data from many other sources.

    Your ISP is the least of your concern. In fact while you may have a single ISP at home, you are very likely using a different company for wireless, a different company at your workplace / office, and you may connect to another ISP yet through wi-fi at the coffee shop. Your ISP actually has the least amount of data about you.

    Now Google, Google has lots. If you are using an android device, you are being tracked quite solidly. If you leave yourself logged into gmail (which is a default, it seems) and don't specifically deny them the right, Google also collects all of your location data. They know exactly where you have been. They know your searches, they know which apps you have downloaded to run your IoT things, and they likely know when you actually use those apps. Google tracks you regardless of the ISP you use, the country you are in... no matter where you go, you connect to the internet and your phone is blabbing way more about you than some IoT device.

    IoT devices and ISPs are perhaps the least of your concerns, more so because we spend all of our lives now absolutely screaming our actions out online to a whole host of companies and services. Google, Facebook, Twitter... they know who you are. Did you take an Uber or rent an AirBnB? There ya go.

    Worry about the big stuff. IoT tracking isn't the big end of the stick.

    • Anonymous Coward, 29 Aug 2017 @ 5:08am

      Re: facepalm

      Was expecting a tirade of "you idiots are all shit with privacy, so you don't get to complain when your ISP or the NSA does it to you" from the resident righteous contrarian, was not surprised. Anything for authority.

    • Machin Shin, 29 Aug 2017 @ 6:24am

      Re: facepalm

      So you're saying because google tracks a lot of information you shouldn't worry about a different company tracking lots of information?

      Also, "Your ISP actually has the least amount of data about you."? You obviously have not really thought about that very clearly. Your ISP knows what sites you visit and how long you spend there. With minimal effort they can find out a ton of information on you. Like your likely medical conditions and how much of what kind of porn you enjoy. The ISP can see 100% of anything you're doing that isn't encrypted. When it is encrypted they still can see who you're connected to, and for how long and how much data you used.

      • Anonymous Coward, 29 Aug 2017 @ 8:44am

        Re: Re: facepalm

        Most sites these days are encrypted. Even here at TechDirt. Why? But it is. So yes the ISP can see where you go, though you can change your DNS to something else.

        Medical conditions, highly unlikely. At best they could see you went to some medical site. But past that, it would be all encrypted. Porn, same thing, anything on the site would be encrypted, unless it's part of the web address itself like www.ilovebigtits.com. Then I assume your ISP would know you love big tits. Anything deeper than that, no, as the site would be encrypted more than likely like everything else.

        If you use a VPN, your ISP doesn't know much of anything other than how much data you're using, and even that seems not perfect. Using a VPN, everything is encrypted. You're going through a number of sites. Your ISP would have no idea where you're going or what you're doing.

        Most IOT devices I wouldn't use. Security is weak or completely lacking. There are some that take security seriously and they do get patched if a hole is found. Like Ring Doorbell. Myself, I use Homekit devices. They're all encrypted. Apple doesn't sell personal data. It's not how they make their money. I feel safe using them.

    • Wolfie0827 (profile), 29 Aug 2017 @ 8:30am

      Re: facepalm

      Ok, problem, you are going by your life. But remember most of us on here are not the norm. We have at least some technical knowledge.

      What is being discussed is about the average or normal American, that would be the person ringing up your "Smart Device" purchase, the person waiting your table in the restaurant...

      These people have a tendency to do most of their personal stuff online from home (excluding google on their phones in this of course.)

    • PaulT (profile), 30 Aug 2017 @ 3:32am

      Re: facepalm

      Oooh, the expected tirade from the guy who doesn't know as much as he thinks he does and bases everything on false pretences. Let's see...

      Paragraph 2: Important phrase: "You are already sharing plenty of data with the maker of the product". Indeed. But, most people are happy with that part of the equation and have authorised that openly. It's the sharing with 3rd parties / ISP also gathering info part that's problematic. Your words do not invalidate the argument actually being made.

      Paragraph 3: Makes a lot of assertions and assumptions about everybody complaining about this that may be partially true, or completely false depending on the individual.

      Paragraph 4: Pure whataboutism. What Google do has sod all to do with what specific IoT manufacturers do, plus you make the same silly amount of assumptions and assertions that are often completely false for many use cases.

      Paragraph 5: More whataboutism, brushing away valid concerns because you can think of random assertions about people that probably don't apply to the people complaining.

      So, as per usual, lots of words but not really saying anything other than you're not interested in a real discussion, when you can whine about some invented situations and random strawmen instead.

    • Justme, 9 Sep 2017 @ 6:28pm

      Re: facepalm

      'Many of the devices are essentially non-functional without an internet connection'

      That's where they really lose me, a device that should and could be fully functional without being networked being intentionally crippled in order to force you to network it.

      I won't buy it, although it's getting harder to find alternatives.
