The Internet of Things: New Project Inspects IoT Devices for Data Misbehavior
Last week, researchers at Princeton University announced their project to inspect smart devices for vulnerabilities to privacy risk, data mismanagement, and malicious hacking. Titling it the IoT Inspector, the project sheds light on the way our most popular devices may not be secure, or are sharing data with third parties we haven’t been informed of.
We’ve already been aware of these vulnerabilities, at least ever since the Mirai botnet attack, which used smart devices such as lightbulbs and security cameras to launch a distributed denial of service (DDoS) attack against the internet’s switchboards, slowing down the world’s most popular websites and mobile apps, including Twitter, Amazon, and Netflix. However, beyond this sneaky yet predictable risk, our devices put us in positions of vulnerability in much sneakier ways, which the IoT Inspector reveals in four broad findings.
Finding #1: Many IoT devices lack basic encryption and authentication
And by “basic,” we’re talking about the easiest to implement, universally accepted first levels of security, such as HTTPS and SSL, two protocols we use every day if we do any shopping, banking, or bill-paying online. This failure to implement such safety measures violates every best-practices list published in this still-new standardization space. A smart blood-pressure monitor was found to communicate, unencrypted, the brand of monitor and the words “blood pressure,” in a manner that even a snoop with the most basic tools could see. Just by observing your internet use, this snoop would know not only that you’re monitoring your blood pressure, but how often and when you’re doing it.
That’s none of anyone’s business but largely harmless, perhaps, but combined with other information about you, detected through your use of other smart devices, someone with malicious intent could leverage this knowledge against you or someone in your home. As another example, “None of the toys we studied used HTTPS or SSL when communicating with manufacturer-owned servers,” say the authors. “One toy lacked authentication for user profile pictures. An eavesdropper could record or replay device communications to obtain profile photos.”
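The unencrypted blood-pressure monitor and the toy traffic above are exactly what a passive audit of a home network can surface. The following is an added example (not code from the IoT Inspector project) that takes, per outbound flow, the device, destination and the first bytes the device sent, decides whether the flow opened with a TLS ClientHello, and scans anything that did not for sensitive words. All device names, hostnames and payloads are constructed; the TLS test only checks the record header of a ClientHello, so a “plaintext” verdict means “not TLS”, not “certainly readable”.

```python
"""Passively sort a device's outbound flows into TLS and non-TLS, and scan the
non-TLS ones for words you would not want a snoop to read.

Added example; not code from the IoT Inspector project. Assumes a capture tool
has handed us (device, dst_host, dst_port, first_bytes) per flow; the samples
below are constructed.
"""

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")
# Terms drawn from the findings quoted above; extend to suit the devices audited.
SENSITIVE_TERMS = ("blood pressure", "heart rate", "password", "profile")


def looks_like_tls_client_hello(first_bytes):
    """TLS record header: content type 0x16 (handshake), version 0x03 0x0X,
    two length bytes, then handshake type 0x01 (ClientHello)."""
    return (len(first_bytes) >= 6
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01)


def classify_payload(first_bytes):
    """Return 'tls', 'http-plaintext', 'plaintext-other' or 'binary-unknown'."""
    if looks_like_tls_client_hello(first_bytes):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http-plaintext"
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in first_bytes)
    return "plaintext-other" if printable else "binary-unknown"


def sensitive_terms_in(first_bytes):
    """Case-insensitive search for SENSITIVE_TERMS; latin-1 never fails to decode."""
    text = first_bytes.decode("latin-1").lower()
    return [term for term in SENSITIVE_TERMS if term in text]


def audit_flows(flows):
    """Keep every flow that did not start with TLS, with the terms seen in it."""
    findings = []
    for device, host, port, data in flows:
        kind = classify_payload(data)
        if kind == "tls":
            continue
        findings.append({"device": device, "host": host, "port": port,
                         "kind": kind, "terms": sensitive_terms_in(data)})
    return findings


# Constructed sample flows (hostnames and payloads are invented for the example).
SAMPLE_FLOWS = [
    ("bp-monitor", "upload.example-bpm.com", 80,
     b"POST /api/v1/readings HTTP/1.1\r\nHost: upload.example-bpm.com\r\n"
     b"User-Agent: ExampleBPM/2.1\r\n\r\n"
     b'{"device":"ExampleBPM","type":"blood pressure","sys":121,"dia":79}'),
    ("toy", "toy.example-toys.com", 8080,
     b"GET /profile/pic.jpg?user=42 HTTP/1.1\r\nHost: toy.example-toys.com\r\n\r\n"),
    ("thermostat", "api.example-thermo.com", 443,
     b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 10),
    ("plug", "cloud.example-plug.net", 5555,
     b"\x01\x02\x00\x10\xff\xfe\x00\x00"),
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Run as a script it lists the monitor (HTTP with “blood pressure” in the body), the toy (HTTP profile-picture fetch, no authentication visible) and the plug (a binary protocol of unknown shape), while the thermostat’s TLS flow is passed over. Note that a non-TLS custom protocol may still be encrypted; the audit tells you where to look, not what you will find.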
Finding #2: User behavior can be inferred from encrypted IoT device traffic
Even when the data is encrypted or safely authenticated, someone observing your home network can make inferences based simply on the unread data as it passes among your devices. A snoop can identify the types of devices on your network by their MAC addresses or DNS requests (that is, simply by seeing what servers your devices are contacting). Combine that with the spikes in data traffic, and someone can use the traffic in your network to determine your sleep patterns, if you use a sleep monitor, or when you go to bed and wake up, if you use security cameras.
It should be emphasized that this kind of vulnerability doesn’t even have to do with the security of the devices or the due diligence by manufacturers. If someone can spy on your network, simply looking at the way the data is moving can reveal something about your habits.
Finding #3: Many IoT devices contact a large and diverse set of third parties
This is perhaps the most alarming finding. Along with other examples, the researchers share that a Samsung Smart TV, during its first minute after power-on, communicates with Google Play, DoubleClick (an ad service), Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook—even though the researchers did not sign in or create accounts with any of them. Of course, a lot of this makes sense. In order to be easy to use, we expect this functionality to be at the ready: nobody wants to install Spotify on a television. We all just want it to be standing by. But does the manufacturer warn us of each of these services, and what they do with our data?
In many cases, contacting these third-party servers simply enables the devices to function as required, allowing the actual communications that make them run, or permitting them to operate on time as programmed. Still, this is data being shared with an entity without our being aware of it.
Add to this startling opacity the uncertainty we have with how these third parties use our data and how secure it is, and we’re now multiplying our vulnerabilities by a concerning number of factors. At the very least, whether we’re comfortable with this amount of sharing or not, perhaps we’re entitled to knowing what’s being shared and with whom.
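The “first minute after power-on” observation above can be reproduced for your own devices from nothing more than the router’s DNS query log. Below is an added example (not the IoT Inspector project’s code) that groups queries by device, keeps those made within 60 seconds of the device’s first query, reduces each name to a registrable domain and then lists which of those domains the manufacturer never documented. The log format, MAC addresses and hostnames are constructed, and the two-label domain rule is a deliberate simplification of a public-suffix lookup.

```python
"""Inventory the third-party domains a smart-home device contacts in its first
minute on the network and compare them with what its maker documented.

Added example, not code from the IoT Inspector project. Assumes a router-side
DNS query log in the constructed form "<unix_ts> <device_mac> <queried_name>".
The last-two-labels rule stands in for a real public-suffix lookup; it would
wrongly reduce "shop.example.co.uk" to "co.uk".
"""
from collections import defaultdict

TV = "aa:bb:cc:dd:ee:01"     # constructed MAC for a smart TV
PLUG = "aa:bb:cc:dd:ee:02"   # constructed MAC for a smart plug

# Constructed log; hostnames are illustrative, not captured data.
SAMPLE_DNS_LOG = """\
1524500000 aa:bb:cc:dd:ee:01 play.googleapis.com
1524500002 aa:bb:cc:dd:ee:01 ad.doubleclick.net
1524500003 aa:bb:cc:dd:ee:01 api-global.netflix.com
1524500010 aa:bb:cc:dd:ee:01 api.spotify.com
1524500015 aa:bb:cc:dd:ee:01 graph.facebook.com
1524500050 aa:bb:cc:dd:ee:01 ad.doubleclick.net
1524500100 aa:bb:cc:dd:ee:01 api.fandangonow.com
1524500001 aa:bb:cc:dd:ee:02 cloud.example-plug.net
"""


def registrable_domain(qname):
    """Naive reduction of a hostname to its last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_dns_log(text):
    """Return (timestamp, mac, name) tuples; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, mac, qname = line.split()
        records.append((int(ts), mac.lower(), qname))
    return records


def third_party_contacts(records, window_seconds=60):
    """Domains each device resolved within window_seconds of its first query."""
    first_seen = {}
    contacts = defaultdict(set)
    for ts, mac, qname in sorted(records):
        first_seen.setdefault(mac, ts)
        if ts - first_seen[mac] < window_seconds:
            contacts[mac].add(registrable_domain(qname))
    return {mac: sorted(domains) for mac, domains in contacts.items()}


def unexpected_contacts(contacts, documented):
    """Contacted domains not in the per-device documented set (default: none)."""
    return {mac: [d for d in domains if d not in documented.get(mac, set())]
            for mac, domains in contacts.items()}


if __name__ == "__main__":
    contacts = third_party_contacts(parse_dns_log(SAMPLE_DNS_LOG))
    # Constructed "documented" lists, as a manufacturer's privacy page might give them.
    documented = {TV: {"googleapis.com", "netflix.com"}, PLUG: {"example-plug.net"}}
    for mac, extra in unexpected_contacts(contacts, documented).items():
        print(mac, "undocumented:", extra)
```

The 60-second window is the page’s own measurement window; widen it to see what a device reaches for during ordinary use. The FandangoNOW query at 100 seconds in the sample falls outside it and is dropped, which is the intended behaviour.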
Finding #4: Smart home device traffic is predictable, facilitating anomaly detection
It’s not all bad news. The report finds that traffic in a smart home is predictable. This makes pretty good sense. A smart garage-door opener, for example, in rare instances might be activated a few times within a few minutes, but if it’s sending data constantly for an hour or more, chances are it isn’t functioning the way you intend, making it a likely victim of malware and a possible participant in (worst-case scenario) a DDoS attack.
Because network behavior is predictable, an in-network device or service “should be able to automatically detect misbehaving devices and notify their users that their devices have been compromised.” The research team is experimenting with application of this idea, suggesting that a router itself or some other device placed between the router and the devices could do the job.
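The garage-door example above translates directly into a rule a router could run: learn how long each device normally stays active, then alarm when it stays active for far longer. What follows is an added example (not the research team’s code) that buckets per-flow byte counts into minutes, measures each device’s longest run of consecutive active minutes during a quiet learning period, and flags a device in later traffic whose longest run exceeds that baseline by a multiplier. The flow records, MAC addresses and the 3× multiplier are constructed assumptions.

```python
"""Flag a smart-home device whose traffic departs from its usual on/off rhythm.

Added example, not code from the IoT Inspector project. Assumes per-flow
records (unix_ts, device_mac, bytes_sent) as a router might export; the
records below are constructed. Baseline = longest run of consecutive active
minutes seen while learning; alarm when a later run exceeds baseline * multiplier.
"""
from collections import defaultdict

MINUTE = 60
GARAGE = "aa:bb:cc:dd:ee:10"   # constructed MAC for a garage-door opener
CAMERA = "aa:bb:cc:dd:ee:20"   # constructed MAC for a security camera


def make_records(mac, minutes, bytes_per_minute=1500, base_ts=0):
    """Constructed flow records: one record per active minute for one device."""
    return [(base_ts + m * MINUTE + 5, mac, bytes_per_minute) for m in minutes]


# Learning period: two short door events; the camera streams the whole hour.
LEARNING_RECORDS = (make_records(GARAGE, [0, 1, 30, 31, 32])
                    + make_records(CAMERA, range(0, 60)))
# Monitoring period: the opener now talks nonstop for 76 minutes.
MONITORING_RECORDS = (make_records(GARAGE, range(100, 176))
                      + make_records(CAMERA, range(100, 160)))


def active_minutes(records):
    """Map each device to the set of minute buckets in which it sent bytes."""
    per_device = defaultdict(set)
    for ts, mac, nbytes in records:
        if nbytes > 0:
            per_device[mac].add(ts // MINUTE)
    return per_device


def longest_active_run(minutes):
    """Length of the longest streak of consecutive minute buckets."""
    best = run = 0
    prev = None
    for m in sorted(minutes):
        run = run + 1 if prev is not None and m == prev + 1 else 1
        best = max(best, run)
        prev = m
    return best


def learn_baseline(records):
    """Per-device longest active run observed during the learning period."""
    return {mac: longest_active_run(mins)
            for mac, mins in active_minutes(records).items()}


def detect_sustained_activity(records, baseline, multiplier=3, default_run=1):
    """Devices whose longest run exceeds baseline * multiplier -> (run, threshold).
    A device never seen while learning is held to default_run * multiplier."""
    flagged = {}
    for mac, mins in active_minutes(records).items():
        run = longest_active_run(mins)
        threshold = baseline.get(mac, default_run) * multiplier
        if run > threshold:
            flagged[mac] = (run, threshold)
    return flagged


def run_demo():
    baseline = learn_baseline(LEARNING_RECORDS)
    flagged = detect_sustained_activity(MONITORING_RECORDS, baseline)
    for mac, (run, threshold) in flagged.items():
        print(f"{mac}: active {run} consecutive minutes, threshold {threshold}")
    return flagged


if __name__ == "__main__":
    run_demo()
```

Only the opener is flagged: its baseline of 3 minutes gives a threshold of 9, and a 76-minute streak blows through it, while the camera’s continuous streaming is its normal state and produces no alarm. The weakness of this rule is the learning period: if the device is already compromised, or the period is too short to contain a legitimate long event (a firmware update, say), the baseline is wrong, which is why a real deployment would pair it with the kind of per-device expectations the authors describe.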
“Help our research”
The IoT Inspector project is asking for consumers’ input on which devices to inspect. The link below will take you to the project’s home, which explains the project and links to a form asking users to suggest a device they own or are thinking of adding to their home.
Additionally, the project plans to release an open-source tool that lets users inspect IoT devices on their own. Sign-ups for the waitlist ask for an email address.
Reference links:
Announcing the IoT Inspector: https://freedom-to-tinker.com/2018/04/23/announcing-iot-inspector-a-tool-to-study-smart-home-iot-device-behavior
IoT Inspector Project Home: https://iot-inspector.princeton.edu