by Karl Bode

Mon, Aug 28th 2017 1:29pm


encryption, iot, privacy, security, smart devices, spying, surveillance

comcast



IOT Devices Provide Comcast A Wonderful New Opportunity To Spy On You

from the monitor-and-monetize-ALL-the-things! dept

For some time now we've noted how poorly secured IOT devices provide a myriad of opportunities for hackers looking for new attack vectors into homes and businesses. That's of course when these devices aren't just coughing up your personal data voluntarily. Whether it's your smart fridge leaking your Gmail credentials or your internet-connected TV transmitting your personal conversations over the internet unencrypted, we've noted time and time again how IOT manufacturers consistently make privacy and security an afterthought -- one that's going to ultimately cost us more than some minor inconvenience.

But in addition to the internet of broken things being a privacy and security dumpster fire, these devices are providing a wonderful new opportunity for larger ISPs looking to monetize the data you feed into their networks on a daily basis. A new study out of Princeton recently constructed a fake home, filled it with real IOT devices, and then monitored just how much additional data an ISP could collect on you based on these devices' network traffic. Their findings? It's relatively trivial for ISPs to build even deeper behavior profiles on you based on everything from your internet-connected baby monitor to your not-so-smart vibrator.

We've long noted that while encryption and VPNs are wonderful tools for privacy, they're not some kind of panacea -- and the researchers found the same thing here:

"...encryption doesn’t stop ISPs from knowing which internet-of-things devices their users have, nor does it stop them seeing when we use those devices. In the Princeton study, ISPs could track a user’s sleep patterns by detecting when a sleep tracker was connecting to the internet. It also revealed that ISPs could identify when a home security camera detected movement and when someone was watching a live stream from their security camera."

Similar concerns have been raised (and promptly ignored in most areas) regarding information collected from smart energy meters by your power utility, since power usage can similarly provide all manner of monetizable insight into your daily behavior. The researchers do note that more sophisticated users could use a VPN to confuse their ISP, but the full study indicates there will be some impact on network performance that could be a problem on slower connections:

"The authors say there might be ways to cut down the snooping abilities of ISPs. One possible defence involves deliberately filling a network with small amounts of traffic. This could be done by running all your internet traffic through a VPN and then programming the VPN to record and play back that traffic even when the IOT device is not in use, making it tricky for ISPs to work out when a particular device is actually being used. However, this would probably slow down the network, making it a somewhat impractical defence against network observations."
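The two points above, that an ISP can see when an encrypted device is active from packet volume alone and that constant-rate cover traffic hides this at a bandwidth and latency cost, are shown in the following added example. It is not code from the article or from the Princeton study; the camera's daily traffic profile, the 5-minute sampling buckets, the "10x the median" activity rule and the 1.5 MB padding rate are all constructed assumptions for illustration.

```python
"""Added example (not from the article or the Princeton study it discusses):
how an ISP can infer when an encrypted IoT device is active from packet
volume alone, and what the constant-rate cover-traffic defence costs.
All traffic figures below are constructed for illustration."""
from statistics import median
from typing import List, Tuple

BUCKET_MIN = 5                            # one sample per 5 minutes
BUCKETS_PER_DAY = 24 * 60 // BUCKET_MIN   # 288 buckets in a day


def make_camera_day() -> List[int]:
    """Constructed upload volume (bytes per 5-min bucket) for a home security
    camera. Encryption hides payloads, but an ISP still sees these sizes.
    Keepalives ~2 KB; a motion clip ~3 MB; a live-stream view ~1.5 MB/bucket."""
    day = [2_000] * BUCKETS_PER_DAY
    events = [
        (8 * 12 + 3, 1, 3_000_000),   # 08:15 motion-triggered clip upload
        (12 * 12 + 7, 1, 3_000_000),  # 12:35 motion-triggered clip upload
        (18 * 12, 6, 1_500_000),      # 18:00-18:30 owner watches the live stream
    ]
    for start, length, size in events:
        for i in range(start, start + length):
            day[i] = size
    return day


def clock(i: int) -> str:
    """Bucket index -> HH:MM label."""
    minutes = i * BUCKET_MIN
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def activity_windows(day: List[int], factor: int = 10) -> List[Tuple[str, str]]:
    """The ISP-side inference: any bucket more than `factor` times the median
    volume counts as 'device active'. Returns (start, end) clock intervals."""
    threshold = factor * median(day)
    windows, start = [], None
    for i, volume in enumerate(day + [0]):   # trailing 0 closes an open window
        if volume > threshold and start is None:
            start = i
        elif volume <= threshold and start is not None:
            windows.append((clock(start), clock(i)))
            start = None
    return windows


def shape_constant_rate(day: List[int], rate: int) -> Tuple[List[int], int]:
    """The defence: a VPN-side shaper emits exactly `rate` bytes every bucket.
    Real bytes go first (queued when a burst exceeds the rate) and dummy bytes
    fill the remainder. Returns (what the ISP now sees, worst-case backlog in
    bytes, i.e. how much real traffic had to wait for a later bucket)."""
    queued, worst_backlog, observed = 0, 0, []
    for volume in day:
        queued += volume
        queued -= min(queued, rate)        # send as much real data as fits
        worst_backlog = max(worst_backlog, queued)
        observed.append(rate)              # real + dummy always sums to rate
    return observed, worst_backlog


def overhead_ratio(real: List[int], padded: List[int]) -> float:
    """Bytes on the wire with padding divided by bytes actually needed."""
    return sum(padded) / sum(real)


if __name__ == "__main__":
    real = make_camera_day()
    print("ISP inference from encrypted traffic:", activity_windows(real))
    padded, backlog = shape_constant_rate(real, rate=1_500_000)
    print("After constant-rate padding:", activity_windows(padded))
    print(f"cost: {overhead_ratio(real, padded):.1f}x bytes on the wire, "
          f"worst delay {backlog / 1_500_000 * BUCKET_MIN:.0f} min")
```

Run as-is, the inference step recovers both motion events and the evening viewing session from sizes alone; after shaping, the ISP sees a flat 1.5 MB every five minutes and the windows vanish, but the household now sends roughly 28 times the bytes it needed (the data-cap problem) and a clip upload larger than the rate is delayed by one bucket. Lowering the rate shrinks the overhead and lengthens the delay, which is the trade-off the study is pointing at.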

Aren't you glad Congress recently voted to kill consumer broadband privacy protections solely for the financial benefit of Comcast, AT&T, Verizon and Charter (Spectrum)? Those fairly basic rules required that ISPs be entirely transparent about what data they're collecting and who they're selling it to. The rules, proposed after Verizon was caught modifying user data packets to track online behavior (without telling anyone), also would have required customers opt in to more sensitive financial data collection. Without them, oversight of ISP data collection is sketchy at best, no matter what large ISPs and their friends claim.

While the lack of ISP transparency as to what's being collected and sold is one problem, so too is the fact that most of these devices offer little to no insight or control over what kind of data and information they're transmitting. That leaves the onus entirely on the consumer to try and cobble together an imperfect array of technical solutions to minimize ISP snooping and protect themselves (often impossible for your average grandparent or Luddite), or to take the smarter path in the smart home era and resort to older, dumber technologies whenever and wherever possible.

Reader Comments

  • Ninja (profile), 28 Aug 2017 @ 12:52pm

    "One possible defence involves deliberately filling a network with small amounts of traffic."

    Data caps be damned.

    Don't these people think "would I like to be surveilled like that for extra pennies in my service?"???? I mean, it's past the point of being creepy to being downright obnoxious. I wonder how far online companies (including ISPs) will push this and how useful this sea of data really is. I mean, I got to the point I actively avoid any advertisement on my connected devices either steering away or fully blocking it.


    • Anonymous Coward, 28 Aug 2017 @ 1:37pm

      Re:

      I think the problem is that upper management has bought into the idea that big data gives them all sorts of insights, but they have no clue what insights would be useful. Therefore they want the organization to collect as much data as possible, just in case that they think of a use for it.


      • Anonymous Coward, 28 Aug 2017 @ 2:07pm

        Re: Re:

        > I think the problem is that upper management has bought into the idea that big data gives them all sorts of insights... Therefore they want the organization to collect as much data as possible,

        They're also not realizing that "data is a toxic asset and saving it is dangerous ... Some simply don't realize just how damaging a data breach would be."


        • TKnarr (profile), 28 Aug 2017 @ 2:53pm

          Re: Re: Re:

          Right now such a data breach wouldn't be damaging at all... for the company collecting the data, anyway, since it's all but impossible for the consumers who do suffer the damage to hold the companies liable.


  • Anonymous Coward, 28 Aug 2017 @ 1:47pm

    >take the smarter path in the smart home era and resort to older, dumber technologies whenever and wherever possible.

    It's rare to see a technology publication take this stance. The divide is not between old and new technology, but between technologies that grant agency and those that take it away.


    • Machin Shin, 28 Aug 2017 @ 2:00pm

      Re:

      Something is seriously wrong when I have reached the point of actually researching how to build my own TV. I don't want a "smart" TV but to get a modern TV without the "smarts" is pretty much impossible.

      So here I am, seriously about to buy the bits and pieces to build my own damn TV because no company will respect my privacy.

      It is really frustrating. I love technology I see all the good it could do in the world. Yet I look at what it is being used for and I want to go live as a hermit in the woods off the grid and far far away from all this.


      • Anonymous Coward, 28 Aug 2017 @ 2:08pm

        Re: Re:

        > So here I am, seriously about to buy the bits and pieces to build my own damn TV

        What pieces are those? A computer monitor and something to drive it, or something more interesting?


        • streetlight (profile), 28 Aug 2017 @ 3:45pm

          Re: Re: Re:

          I was recently in Costco and walking through the TV section I noticed a large (55" ?) "TV" but the price sign said it was a monitor. It had all the usual inputs and outputs but I saw no coax input. I assume it had no over the air receiver, so you would need some other source - cable box, Chromecast, Roku, etc. IIRC, it was an LG but may be wrong.


        • Machin Shin, 28 Aug 2017 @ 8:53pm

          Re: Re: Re:

          Takes a bit of work but I was actually looking at sources of the display panel, and dumb controller boards to drive it. This way I can get a large TV without the "smarts" and also without spending crazy amounts on a computer monitor.

          For some reason you remove the stupid "smart" part of the tv and label it a "computer monitor" and the company will charge you 2 or 3 times as much for the same size display.....


      • Anonymous Coward, 28 Aug 2017 @ 2:12pm

        Re: Re:

        >Yet I look at what it is being used for and I want to go live as a hermit in the woods off the grid and far far away from all this.

        You could make a religion out of this.


      • Anonymous Coward, 28 Aug 2017 @ 2:29pm

        Re: Re:

        Uh... isn't it as simple as never connecting your TV to a network? I mean - if you just want a "dumb TV", you just set it up, connect HDMI cables to it, and never allow it to talk to the internet (hint: don't plug in the ethernet cable or connect it to your wifi).

        If you need the "smarts", just set up a machine that connects to the TV running an OS you trust.


        • Anonymous Coward, 28 Aug 2017 @ 6:50pm

          Re: Re: Re:

          Unfortunately that doesn't always work.

          Look at the "smart" TV vulnerability that involved commands embedded in the TV signal.

          Could use a broadcast antenna in the neighborhood and make them do all kinds of odd things without user input. Like maybe bricking itself.


      • Anonymous Coward, 28 Aug 2017 @ 3:45pm

        Re: Re:

        I think you found a niche market. Start selling Dumb TVs. These things are so dumb, you couldn't pull data from them even if you tried.


        • Machin Shin, 28 Aug 2017 @ 9:00pm

          Re: Re: Re:

          I actually was seriously thinking about building myself one as a trial. Then if it works out well I would love to build modern HDTVs in cabinets kind of like they made in the 40s and 50s.

          I can't be the only person out there who wants a TV that is dumb as a brick, with more HDMI ports than you know what to do with, and also doesn't look like a shitty pile of black plastic.


  • Roger Strong (profile), 28 Aug 2017 @ 1:55pm

    Give me liberty or give me something of equal or lesser value from your glossy 32 page catalog.

    • Old joke, from before the catalog filled with IOT devices.


  • Anonymous Anonymous Coward (profile), 28 Aug 2017 @ 2:53pm

    Depends on the setup, doesn't it?

    I have two routers. One, supplied by the ISP that connects to the Internet. The second is one I bought and run Tomato and VPN software on, that then connects to the ISP router. Everything else is connected to the Tomato router. Everything is encrypted at the Tomato router.

    No I don't have any IoT devices, and likely won't, but if I did, they would be connected to the Tomato router, and all traffic would be encrypted before it hits the ISP router. Other than the size or timing of packets, how would an ISP track me?

    Or is there something I am missing?


    • Roger Strong (profile), 28 Aug 2017 @ 2:59pm

      Re: Depends on the setup, doesn't it?

      > Or is there something I am missing?

      Is there anything to stop an IoT device - or OS - from running its own VPN to send your personal data to be monetized?


      • Anonymous Anonymous Coward (profile), 28 Aug 2017 @ 3:05pm

        Re: Re: Depends on the setup, doesn't it?

        Not that I am aware of, though if IoT makers don't do anything to protect their data streams, putting a VPN in the device would seem to contradict that.

        Besides, the article is about ISP's listening in, not the manufacturers. But what you suggest is one of the many reasons I won't have IoT devices.


    • tom (profile), 28 Aug 2017 @ 6:26pm

      Re: Depends on the setup, doesn't it?

      If you have a default rule in your Tomato router that blocks all traffic from the internal LAN to the external Internet, then you should be good. This way, the only traffic that escapes your network is traffic you have specifically allowed.

      I find a lot of attempted traffic in my default block everything rule on my firewall logs.


  • nate Hoffelder, 28 Aug 2017 @ 3:14pm

    it's worse than you think

    If you think this is bad, you should check out Comcast Business. They offer a service where Comcast installs and runs all your IoT devices from smart speakers to IP security cameras.

    talk about having the fox inside the henhouse.


  • Richard M (profile), 28 Aug 2017 @ 3:22pm

    Re: Depends on the setup, doesn't it?

    The problem is not that IOT and smart devices can not be secured but that the majority of the population either doesn't realize there is a problem or, if they do, have no idea how to fix it.


    • Anonymous Coward, 28 Aug 2017 @ 3:56pm

      Re: Re: Depends on the setup, doesn't it?

      Is that on accident or on purpose? What they don't like to tell you is the IOT is actually short for IDIOT. Insecure Device Internet of Thing. Marketing didn't think this standard was going to work out in the end.


  • Darren H, 28 Aug 2017 @ 6:09pm

    This will change only if Manufacturer A realizes an ISP is selling their products 'signature' to Manufacturer B.

    The fact that this hasn't happened yet seems to indicate that:
    - neither ISPs nor manufacturers actually know how to mine the data in a profitable manner.
    - manufacturers recognize the data isn't really theirs and do not want to litigate and risk losing.



