Yet Another Study Shows The Internet Of Things Is A Privacy Shitshow

from the dysfunction-junction dept

Day in and day out, it's becoming increasingly clear that the smart home revolution simply isn't all that smart.

Security analysts like Bruce Schneier have been sounding the alarm bells for years now about the lax to nonexistent security and privacy standards inherent in the internet of broken things space. From refrigerators that leak your Gmail credentials to Barbie dolls that can be easily hacked to spy on kids, it's increasingly clear that dumber technology is often the smarter solution. Not only do many of these devices actually make us less secure, their lack of real security has resulted in their use in historically large DDoS attacks.

As if the point hadn't been made clear enough, a new joint study between Northeastern University and Imperial College London took a closer look at 81 popular smart doorbells, dongles, TVs, and other gear, and came away notably unimpressed. The study, the biggest ever of its kind, found that the lion's share of such devices routinely share an ocean of data (your IP address, MAC address, location info, viewing preferences) with a massive array of third parties. Worse, many of these transfers were not properly secured, meaning they could be intercepted by another party:

"In a series of 34,586 experiments, the study found that 72 of the devices made contact with someone other than its manufacturer. In many instances, these transfers “expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic,” the researchers said."

One popular camera studied by the researchers pinged 52 different IP addresses every time it phoned home. And while some of the contact points were largely innocuous (cloud service providers, etc.), many of these devices were happily providing usage data to a wide variety of marketers and third parties without making those data transfers clear to the end user. Many of the devices were routinely providing this data to companies like Netflix even if the end user didn't have a Netflix account. Much of this data is being combined with other data sets to build complex behavioral profiles, again without this always being clear to users (a notable point of contention in the smart electricity meter space).
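The kind of measurement the researchers describe (how many non-vendor hosts each device talks to, and whether any of its flows go out in plaintext) reduced to a small audit over constructed flow records. This is an added example, not code from the article or the study; the device names, addresses and first-party prefixes are invented for illustration.

```python
"""Audit constructed IoT flow records for third-party spread and plaintext egress."""
from collections import defaultdict
import ipaddress

# Constructed flow records: (device, dst_ip, dst_port, encrypted).
# Every device name and address here is invented for the example.
FLOWS = [
    ("camera", "203.0.113.10", 443, True),    # vendor cloud over TLS
    ("camera", "203.0.113.11", 80, False),    # vendor cloud, plaintext HTTP
    ("camera", "198.51.100.5", 8883, True),   # third-party MQTT over TLS
    ("camera", "198.51.100.6", 1883, False),  # third-party MQTT, plaintext
    ("tv", "203.0.113.20", 443, True),
    ("tv", "198.51.100.7", 80, False),        # analytics endpoint, plaintext
    ("tv", "192.0.2.1", 53, False),           # DNS to an outside resolver
    ("plug", "203.0.113.30", 443, True),
]

# Hypothetical first-party prefixes per device (what a vendor might document).
FIRST_PARTY = {
    "camera": [ipaddress.ip_network("203.0.113.0/28")],
    "tv": [ipaddress.ip_network("203.0.113.16/28")],
    "plug": [ipaddress.ip_network("203.0.113.16/28")],
}

def is_first_party(device, dst_ip, first_party):
    """True if dst_ip falls inside one of the device's documented vendor prefixes."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in first_party.get(device, []))

def audit(flows, first_party):
    """Per device: set of distinct third-party destinations and plaintext flow count."""
    report = defaultdict(lambda: {"third_party": set(), "plaintext": 0})
    for device, dst_ip, _dst_port, encrypted in flows:
        entry = report[device]
        if not is_first_party(device, dst_ip, first_party):
            entry["third_party"].add(dst_ip)
        if not encrypted:  # any unencrypted flow is visible to a passive eavesdropper
            entry["plaintext"] += 1
    return dict(report)

def exposed_devices(report):
    """Devices with at least one plaintext flow, the study's eavesdropper criterion."""
    return sorted(d for d, e in report.items() if e["plaintext"] > 0)

if __name__ == "__main__":
    for device, entry in audit(FLOWS, FIRST_PARTY).items():
        print(device, len(entry["third_party"]), "third-party hosts,",
              entry["plaintext"], "plaintext flows")
```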

On the plus side, a number of high-profile wrist slaps on this front (like the $17 million paid by Vizio for spying on its users for 3 years, or the bad press Samsung got when its smart TVs were shown to be transmitting viewer voice data unencrypted to the cloud) have at least resulted in these companies beefing up their use of encryption, though that's a mixed blessing for those trying to study what data is being sent between your smart fridge and third parties:

"Choffnes told me that while the high profile wrist slaps of recent years have resulted in an increase in the use of encryption by vendors, that poses a double-edged sword for researchers. “One of the biggest challenges we face is that the same encryption that protects users' data from eavesdroppers also prevents us researchers from seeing what is inside,” he said."

Studies in both the UK and the US continue to highlight how privacy and security are just distant afterthoughts in the rush to sell more kit. Many of these devices aren't just overly chatty, they're extremely hackable. As security expert Bruce Schneier has long noted, there's no market solution to this problem because neither the hardware vendors nor the consumers actually care, given the privacy and security shortcomings (usually) only harm other people:

"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

He's also long made the point that none of this is going to get fixed until there's some kind of massive calamity that makes the broader public finally take the problem more seriously. And with businesses and consumers attaching easily-compromised devices to their network at the rate of millions per year, it's a day that doesn't seem too far over the horizon.

Filed Under: iot, privacy


Reader Comments



  • Anonymous Coward, 3 Oct 2019 @ 6:46am

    The big issue is that companies feel entitled to collect and share as much information about people as they possibly can. Until that changes, probably by laws being enacted, data gathering will take precedence over security.


  • A Guy, 3 Oct 2019 @ 6:50am

    You mean there may be drawbacks to connecting your sex toys and everything else to strangers on the internet? I'm Shocked!!! Who could have imagined!!!

    That's a real one, they can be hacked to burst into flames.


  • Anonymous Coward, 3 Oct 2019 @ 7:36am

    -shIOT...FTFY
    -8K TV = LaserDisc
    -i'm still mad AB isn't a Patriot

    On subject though, yeah, we're all just beta testers getting the tech ready for the antichrist to be able to control all who buy or sell. In the meantime, I just wish we could get paid a dividend for our data that the collectors (Google, Amazon, etc.) sell. It's Our data that they're selling to advertisers, so shouldn't we be paid for Our data?


  • Anonymous Coward, 3 Oct 2019 @ 7:49am

    Thankfully one can still find household appliances that do not have an internet connection. Not sure for how much longer but I think there is a market.


    • Anonymous Coward, 3 Oct 2019 @ 8:39am

      Re:

      For those devices that do support an internet connection there's nothing at all to prevent the owner from failing to set up that connection. Why people willingly put every internet-not-required device on the net anyway, just because it can, remains a mystery.

      For devices that do require a full-time internet connection in order to work the mystery lies in "why would you buy that one when this other does the same job without exposing you to security problems?". Thermostats, for example. Why in the hell do you need your thermostat online? I can only chalk it up to modern yuppies with more money than brains.


      • Anonymous Coward, 3 Oct 2019 @ 8:53am

        Re: Re:

        If enough people fail to connect their devices to the internet, manufacturers will just make a deal with an ISP like Comcast and have them automatically connect to nearby hotspots, or possibly even share data with Verizon/AT&T/etc in return for 4G access.

        Sellers will market this as "free internet access included!", and hundreds of millions of morons will jump for joy and continue buying these devices.


      • Anonymous Coward, 3 Oct 2019 @ 12:44pm

        Re: Re:

        Yes, at this time there is no requirement to connect the silly things; however, I do not want to pay for things I have no intention of using.
        I imagine the added cost to the consumer is probably about a hundred bucks or more depending upon the implementation.


      • Scary Devil Monastery (profile), 4 Oct 2019 @ 2:22am

        Re: Re:

        "Thermostats, for example. Why in the hell do you need your thermostat online? I can only chalk it up to modern yuppies with more money than brains."

        But if you don't have it online it won't download the updates to remain secure while it's online?

        Also, you won't be able to adjust your at-home temperature from your smartphone while you're not at home. This is a real issue.

        /s

        Yeah, the "internet of things" is for the most part a con game which by rights only the village idiot should fall for. That sane people with the mental capacity to professionally hold down their jobs are eating this shit up is killing me...


  • Anonymous Coward, 3 Oct 2019 @ 10:32am

    The whole IoT market is a dark comedy of greed for manufacturers. They are so focused on lock-in and monetization that they forget to give any actually remotely useful features compared to offline appliances and fail to even cover low-hanging-fruit business use cases. You may have no use for checking your fridge remotely but commercial operations certainly do.

    They have to subsidize their crap to move it. They kill off bought up competitors and wonder why people don't want unreliable products. They spend more money on producing worse products thinking it will make them rich.


  • Anonymous Coward, 3 Oct 2019 @ 11:47am

    I was in a pizza parlor yesterday for dinner and signed into their WiFi. Then my Google Home app alerted me that someone was streaming Netflix on "my" network and gave me controls for pausing and changing the volume. The entry was labeled FrontRoomDisplay. I walked to the front of the building and found a TV streaming Avengers Infinity War in the area where carryout orders are picked up. It was paused because I'd been playing with the controls.


  • nerdrage (profile), 3 Oct 2019 @ 12:40pm

    this again

    So who's minding the store?

    Companies? Nah, that might eat into their profits.

    Government? Since when does government regulate anything?

    Customers? They still have passwords like password1234.

    Stay far far away from all this IoT crap. This is a replay of what I thought about Facebook about 5 years ago, this is going to end badly, get out now...


  • Anonymous Coward, 4 Oct 2019 @ 1:11am

    Great article Karl

    Beautifully put, and well sourced.


  • Anonymous coward, 4 Oct 2019 @ 5:00am

    Internet of things

    For those of us who are aware of the problem but not technically knowledgeable about the ways to secure the devices where (if anywhere) are instructions?


    • Anonymous Coward, 4 Oct 2019 @ 5:27am

      Re: Internet of things

      Instructions for IOT devices:

      1) Do not waste your time & money
      2) If you did not follow #1, then do not connect it to internet
      3) If you did not follow #2 or #3, quickly smash the little bugger with a hammer and put it in the trash where it belongs.


      • Anonymous Coward, 4 Oct 2019 @ 6:07am

        Re: Re: Internet of things

        What do you do when "dumb" devices in a market sector (ex: TVs) are no longer available on the consumer market?


        • TRX, 4 Oct 2019 @ 9:37am

          Re: Re: Re: Internet of things

          Set up a Pi Hole and keep an eye on the logs for a while whenever you add a new device to your home network.

          Heck, set up a Pi Hole anyway; it's pretty much point-and-click even for a non-techie.

          Even with a tuned hosts file and a decent ad blocker running, it's not unusual for a Pi Hole to block a quarter of all DNS requests.


        • Scary Devil Monastery (profile), 7 Oct 2019 @ 4:11am

          Re: Re: Re: Internet of things

          "What do you do when "dumb" devices in a market sector (ex: TVs) are no longer available on the consumer market?"

          Yeah, that will happen. So here's what you do.

          1) Read the manual for the casual details on how to disable the device's internet access. Normally that should just be a case of not entering the wifi password when asked.

          2) If the user access of the device does not allow a disconnect, have your router simply block access requests from the device in question.

