DOI: 10.1145/3355369.3355577
research-article

Information Exposure From Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach

Published: 21 October 2019

Abstract

Internet of Things (IoT) devices are increasingly found in everyday homes, providing useful functionality for devices such as TVs, smart speakers, and video doorbells. Along with their benefits come potential privacy risks, since these devices can communicate information about their users to other parties over the Internet. However, understanding these risks in depth and at scale is difficult due to heterogeneity in devices' user interfaces, protocols, and functionality.
In this work, we conduct a multidimensional analysis of information exposure from 81 devices located in labs in the US and UK. Through a total of 34,586 rigorous automated and manual controlled experiments, we characterize information exposure in terms of destinations of Internet traffic, whether the contents of communication are protected by encryption, which IoT-device interactions can be inferred from such content, and whether there are unexpected exposures of private and/or sensitive information (e.g., video surreptitiously transmitted by a recording device). We highlight regional differences between these results, potentially due to different privacy regulations in the US and UK. Last, we compare our controlled experiments with data gathered from an in situ user study comprising 36 participants.


Published In

IMC '19: Proceedings of the Internet Measurement Conference
October 2019
497 pages
ISBN: 9781450369480
DOI: 10.1145/3355369

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

IMC '19
IMC '19: ACM Internet Measurement Conference
October 21 - 23, 2019
Amsterdam, Netherlands

Acceptance Rates

IMC '19 Paper Acceptance Rate 39 of 197 submissions, 20%;
Overall Acceptance Rate 277 of 1,083 submissions, 26%
