Yet Another Study Shows The Internet Of Things Is A Privacy Shitshow
from the dysfunction-junction dept
Day in and day out, it’s becoming increasingly clear that the smart home revolution simply isn’t all that smart.
Security analysts like Bruce Schneier have been sounding the alarm bells for years now about the lax to nonexistent security and privacy standards inherent in the internet of broken things space. From refrigerators that leak your Gmail credentials to Barbie dolls that can be easily hacked to spy on kids, it’s increasingly clear that dumber technology is often the smarter solution. Not only do many of these devices actually make us less secure, their lack of real security has resulted in their use in historically large DDoS attacks.
As if the point hadn’t been made clear enough, a new joint study between Northeastern University and Imperial College London took a closer look at 81 popular smart door bells, dongles, TVs, and other gear, and came away notably unimpressed. The study, the biggest ever of its kind, found that the lion’s share of such devices routinely share an ocean of data (your IP address, MAC address, location info, viewing preferences) with a massive array of third parties. Worse, many of these transfers were not properly secured, meaning they could be intercepted by another party:
“In a series of 34,586 experiments, the study found that 72 of the devices made contact with someone other than its manufacturer. In many instances, these transfers ‘expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic,’ the researchers said.”
One popular camera studied by the researchers pinged 52 different IP addresses every time it phoned home. And while some of the contact points were largely innocuous (cloud service providers, etc.), many of these devices were happily providing usage data to a wide variety of marketers and third parties without making those data transfers clear to the end user. Often many of the devices were routinely providing this data to companies like Netflix even if the end user didn’t have a Netflix account. Much of this data is being used with other data sets to build complex behavioral profiles, again without this always being clear to users (a notable point of contention in the smart electricity meter space).
On the plus side, a number of high-profile wrist slaps on this front (like the $17 million paid by Vizio for spying on its users for 3 years, or the bad press Samsung got when its smart TVs were shown to be transmitting viewer voice data unencrypted to the cloud) have at least resulted in these companies beefing up their use of encryption, though that’s a mixed blessing for those trying to study what data is being sent between your smart fridge and third parties:
“Choffnes told me that while the high profile wrist slaps of recent years have resulted in an increase in the use of encryption by vendors, that poses a double-edged sword for researchers: ‘One of the biggest challenges we face is that the same encryption that protects users’ data from eavesdroppers also prevents us researchers from seeing what is inside,’ he said.”
Studies in both the UK and the US continue to highlight how privacy and security are just distant afterthoughts in the rush to sell more kit. Many of these devices aren’t just overly chatty, they’re extremely hackable. As security expert Bruce Schneier has long noted, there’s no market solution to this problem because neither the hardware vendors nor the consumers actually care, given the privacy and security shortcomings (usually) only harm other people:
“The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”
He’s also long made the point that none of this is going to get fixed until there’s some kind of massive calamity that makes the broader public finally take the problem more seriously. And with businesses and consumers attaching easily-compromised devices to their network at the rate of millions per year, it’s a day that doesn’t seem too far over the horizon.
Comments on “Yet Another Study Shows The Internet Of Things Is A Privacy Shitshow”
The big issue is that companies feel entitled to collect and share as much information about people as they possibly can. Until that changes, probably by laws being enacted, data gathering will take precedence over security.
You mean there may be drawbacks to connecting your sex toys and everything else to strangers on the internet? I’m Shocked!!! Who could have imagined!!!
That’s a real one, they can be hacked to bust into flames.
-shIOT…FTFY
-8K TV = LaserDisc
-I’m still mad AB isn’t a Patriot
On subject though, yeah, we’re all just beta testers getting the tech ready for the antichrist to be able to control all who buy or sell. In the meantime, I just wish we could get paid a dividend for our data that the collectors (Google, Amazon, etc.) sell. It’s Our data that they’re selling to advertisers, so shouldn’t we be paid for Our data?
Re: Re:
The "theory" is that your hardware is cheaper, being subsidized by the forever data vacuum.
Thankfully one can still find household appliances that do not have an internet connection. Not sure for how much longer but I think there is a market.
Re: Re:
For those devices that do support an internet connection there’s nothing at all to prevent the owner from failing to set up that connection. Why people willingly put every internet-not-required device on the net anyway, just because it can, remains a mystery.
For devices that do require a full-time internet connection in order to work the mystery lies in "why would you buy that one when this other does the same job without exposing you to security problems?". Thermostats, for example. Why in the hell do you need your thermostat online? I can only chalk it up to modern yuppies with more money than brains.
Re: Re: Re:
If enough people fail to connect their devices to the internet, manufacturers will just make a deal with an ISP like Comcast and have them automatically connect to nearby hotspots, or possibly even share data with Verizon/AT&T/etc in return for 4G access.
Sellers will market this as "free internet access included!", and hundreds of millions of morons will jump for joy and continue buying these devices.
Re: Re: Re:
Yes, at this time there is no requirement to connect the silly things however I do not want to pay for things I have no intention of using.
I imagine the added cost to the consumer is probably about a hundred bucks or more depending upon the implementation.
Re: Re: Re:
"Thermostats, for example. Why in the hell do you need your thermostat online? I can only chalk it up to modern yuppies with more money than brains."
But if you don’t have it online it won’t download the updates to remain secure while it’s online?
Also, you won’t be able to adjust your at-home temperature from your smartphone while you’re not at home. This is a real issue.
/s
Yeah, the "internet of things" is for the most part a con game which by rights only the village idiot should fall for. That sane people with the mental capacity to professionally hold down their jobs are eating this shit up is killing me…
The whole of IoT market is a dark comedy of greed for manufacturers. They are so focused on lock in and monetization that they forget to give any actually remotely useful features compared to offline appliances and fail to even cover low hanging fruit business use cases. You may have no use for checking your fridge remotely but commercial operations certainly do.
They have to subsidize their crap to move it. They kill off bought up competitors and wonder why people don’t want unreliable products. They spend more money on producing worse products thinking it will make them rich.
I was in a pizza parlor yesterday for dinner and signed into their WiFi. Then my Google Home app alerted me that someone was streaming Netflix on "my" network and gave me controls for pausing and changing the volume. The entry was labeled FrontRoomDisplay. I walked to the front of the building and found a TV streaming Avengers Infinity War in the area where carryout orders are picked up. It was paused because I’d been playing with the controls.
Re: Re:
Did you have fun with it?
this again
So who’s minding the store?
Companies? Nah, that might eat into their profits.
Government? Since when does government regulate anything.
Customers? They still have passwords like password1234.
Stay far far away from all this IoT crap. This is a replay of what I thought about Facebook about 5 years ago, this is going to end badly, get out now…
Great article Karl
Beautifully put, and well sourced.
Internet of things
For those of us who are aware of the problem but not technically knowledgeable about the ways to secure the devices where (if anywhere) are instructions?
Re: Internet of things
Instructions for IOT devices:
1) Do not waste your time & money
2) If you did not follow #1, then do not connect it to internet
3) If you did not follow #2 or #3, quickly smash the little bugger with a hammer and put it in the trash where it belongs.
Re: Re: Internet of things
What do you do when "dumb" devices in a market sector (ex: TVs) are no longer available on the consumer market?
Re: Re: Re: Internet of things
Set up a Pi Hole and keep an eye on the logs for a while whenever you add a new device to your home network.
Heck, set up a Pi Hole anyway; it’s pretty much point-and-click even for a non-techie.
Even with a tuned hosts file and a decent ad blocker running, it’s not unusual for a Pi Hole to block a quarter of all DNS requests.
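One way to do the "keep an eye on the logs" step for a newly added device, as an added example (not code from the article or from the Pi-hole project): it parses the dnsmasq-style query lines that Pi-hole writes to its query log (the format and the log lines below are assumed and constructed for this example, using reserved .test names) and lists every name a given device looked up that is not under a domain you expect it to need, which is the set of third parties worth a closer look or a router block.

```python
import re
from collections import defaultdict

# Constructed sample lines in the dnsmasq-style format Pi-hole's query log uses
# (assumed format; these lines and hostnames are made up for this example).
SAMPLE_LOG = """\
Jan 21 19:02:11 dnsmasq[812]: query[A] api.example-vendor.test from 192.168.1.42
Jan 21 19:02:11 dnsmasq[812]: forwarded api.example-vendor.test to 1.1.1.1
Jan 21 19:02:12 dnsmasq[812]: query[A] metrics.adtracker.test from 192.168.1.42
Jan 21 19:02:12 dnsmasq[812]: query[AAAA] metrics.adtracker.test from 192.168.1.42
Jan 21 19:02:15 dnsmasq[812]: query[A] cdn.streaming.test from 192.168.1.42
Jan 21 19:02:20 dnsmasq[812]: query[A] laptop-update.test from 192.168.1.10
"""

# Only "query[...]" lines carry a client address; "forwarded"/"reply" lines are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def parse_queries(log_text):
    """Yield (timestamp, qtype, name, client) for each query line in the log."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("qtype"), m.group("name"), m.group("client")

def domains_by_client(log_text):
    """Map each client IP to the set of names it looked up (A and AAAA collapse together)."""
    out = defaultdict(set)
    for _, _, name, client in parse_queries(log_text):
        out[client].add(name)
    return dict(out)

def unexpected_contacts(log_text, client, expected_suffixes):
    """Sorted names queried by `client` that fall outside every expected domain suffix.
    `expected_suffixes` holds the domains the device legitimately needs (typically the
    vendor's own); anything else is a candidate third party to investigate or block."""
    def expected(name):
        return any(name == s or name.endswith("." + s) for s in expected_suffixes)
    return sorted(n for n in domains_by_client(log_text).get(client, set()) if not expected(n))

if __name__ == "__main__":
    # Treat 192.168.1.42 as the newly added device and the vendor domain as expected.
    for name in unexpected_contacts(SAMPLE_LOG, "192.168.1.42", {"example-vendor.test"}):
        print(name)
```

Point it at the real log by reading the file into `SAMPLE_LOG`'s place; the same per-device list is what you would feed a router block rule if the device offers no way to stay offline.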
Re: Re: Re: Internet of things
"What do you do when "dumb" devices in a market sector (ex: TVs) are no longer available on the consumer market?"
Yeah, that will happen. So here’s what you do.
1) Read the manual for the casual details on how to disable the device’s internet access. Normally that should just be a case of not entering the wifi password when asked.
2) If the user access of the device does not allow a disconnect, have your router simply block access requests from the device in question.