The so-called Internet of Things (IoT) is no longer the stuff of science fiction. Household appliances report to their manufacturers, smart televisions take note of what viewers watch, and homeowners use voice command devices to control their thermostats.

Noah Apthorpe, assistant professor of computer science at Colgate, is interested in the ways IoT devices can compromise our data security and privacy. In collaboration with several colleagues from universities across the country, Apthorpe recently published a paper, “IoT Inspector: Crowdsourcing Labeled Network Traffic from Smart Home Devices at Scale,” in Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies. The research centers around IoT Inspector, a software tool that he and his collaborators coded to collect data about smart home devices.

Intrigued by rapid growth in the smart home device market, Apthorpe and his co-authors realized there was a lack of security data about these products. “Much of the prior work was in a lab with researchers who picked a small number of devices and did vulnerability analyses,” he says. “We wanted to find out what was happening in people’s homes, and the only way you can see some of that traffic is by collecting data at the source and seeing what the devices are talking about.”

IoT Inspector automatically identifies the internet-connected products users have in their house and guesses what they are based on their local addresses. “It’s a free program that you can install on your laptop or home computer,” Apthorpe explains. “The first thing it asks is whether you’re willing to take part in our research, and users can opt in or out.” Even if they don’t want to share data for research, users can still utilize the software to evaluate the security of their smart home devices.

Users then choose the devices they want the software to monitor. For example, if they’re particularly curious about the security of their smart thermostat, they can select that. The software then intercepts all the traffic sent or received by the chosen devices.

“To do this, it uses a process called ARP spoofing,” Apthorpe says. “The software says to your home router, ‘I’m actually the device,’ and to the device, ‘I’m the router.’” Once IoT Inspector is able to see all the traffic, it collects several different statistics, packages them together, and sends off a report to the researchers’ secure servers for analysis.

Once the IoT Inspector software was developed, the researchers spread the word and asked for volunteers to download and run it. After its release in 2019, more than 5,500 users installed IoT Inspector and chose to release their information for the research project. From those participants, Apthorpe and his colleagues collected network traffic information from about 55,000 devices — by far the largest data set of this type to date.

“Our idea was to do some preliminary analysis of the sorts of vulnerabilities you could find, and then leave a lot to dig through in that data for us and others in the future,” Apthorpe says. The three main areas of focus in their initial analysis were encryption, advertising trackers, and the geolocations where devices are sending traffic.

The researchers discovered that, despite well-known best practices, many smart home devices still do not use strong encryption for their network traffic. “Roughly 51 percent of the devices we identified had some communications that weren’t encrypted,” says Apthorpe. “That was disheartening.” Many of the others were using encryption but basing it on older protocols with known vulnerabilities. “A lot of the big name companies had these issues, including Roku, Amazon, Google, and Panasonic.”

When looking at end hosts — the domains devices were communicating with — the researchers divided them into two categories: tracking and non-tracking. “Tracking domains are there to track activity for primarily advertising purposes,” Apthorpe explains. Devices made by 55 of the 81 identified vendors weren’t communicating with any tracking domains.

But some devices, especially in the smart television category, were talking to trackers and getting information from many sources. The researchers took a deeper look at this issue because it was eye-opening. “Many consumers have been primed to think about issues of privacy and tracking when they’re browsing the internet — but not while they’re watching TV,” says Apthorpe. “These smart devices are taking note of their watch habits and tailoring advertisements accordingly.”

Another detail the research considered was where in the world the smart home devices send traffic. Most IoT Inspector users were in North America, but about 28 percent were located between the London and Moscow time zones. Many devices sent traffic beyond the borders of their home country — and no matter where users were located, more than 85 percent of devices sent traffic to the United States.

“A lot of vendors are based in the United States, so that’s not surprising,” says Apthorpe. But they also found devices sending traffic to China, Germany, the Netherlands, and elsewhere. “That’s a concern if it’s paired with poor encryption, because it means an intermediate network could be observing the contents.”

Apthorpe, who teaches a course at Colgate called Security, Privacy, and Society, says his research illuminates the need for consumers to safeguard the privacy and security of their in-home technology. There are several ways to do that, from vetting vendors’ cybersecurity track records to adjusting privacy options. “Many devices have the least private options selected by default,” he says. “Going through them manually and changing them can make a difference.” If smart home device owners are even more curious, they can download IoT Inspector or log in to their router’s administration settings to see what devices are there and how often they’re communicating.

While IoT technology is still struggling with security vulnerabilities, Apthorpe is optimistic about the future. “Since I started working on the IoT in 2016, there’s a definite increase in consumer interest and developer best practices,” he says. Still, he wishes vendors did a better job of making privacy settings accessible and visible. “They’re often permissive by default and it’s still on consumers to do some of the work. Ideally, these devices would value privacy more.”

Apthorpe and his colleagues hope to get IoT Inspector out to new users, creating more research data that they can compare and contrast with the original set. “There are a lot of different device types in this data set, so there’s potential for focused research on specific classes of devices such as light bulbs, smart security systems, thermostats, and televisions,” he says. “Or future researchers could focus on individual vendors or products.”

For more on the IoT Inspector project or to download the software, visit inspector.engineering.nyu.edu.