Our Stealthy Housemates: Consumer IoT Devices, Privacy Risks, and Potential Mitigations

Anna Maria Mandalari, Hamed Haddadi, Daniel J. Dubois, and David Choffnes
May 18, 2021

Consumer Internet of Things (IoT) devices are gaining an increasing presence in our homes, with the promise of delivering unprecedented benefits and personalized services. The increasing range of sensors embedded in these devices, alongside the availability of sophisticated AI models and interaction mechanisms (e.g., voice-based smart-home assistants), presents a complex range of functionality, analytics, and capabilities. However, this complexity leaves us unable to fully assess and establish the reliability and trustworthiness of these devices, or their security threats and privacy risks, despite our increasing dependence on these devices and their underlying services.

Today, we have an urgent need to develop appropriate security standards and practices, alongside methods to contain the privacy risks from IoT platforms. This requires a dialogue between the key industry players, privacy/security researchers, regulators, and user groups. The purpose of this article is to raise more questions than answers to initiate further discussions, and to highlight areas where further research might be pertinent.

Current Concerns

Typically, IoT devices have access to private information, be it personal consumer data or proprietary enterprise data. Consequently, various contractual agreements and trust boundaries need to be established between the users and the data operators, in addition to both parties’ reliance on the correct operation of each device. There are several concerns with IoT devices which serve to highlight the difficulties and complexities with the notion of trustworthiness in this setting, and also provide a good example of why more thought is required for future technologies.

IoT Device Destinations: our study of 81 IoT devices in the US and UK [1] shows that 56% of the devices in the US and 84% in the UK contact at least one destination abroad. The Sankey diagram in Figure 1 shows that most of the traffic is produced by cameras and televisions, which contact countries outside these devices’ privacy jurisdictions.

Figure 1: Volume of network traffic between devices in US (left) and UK (right) to the top 7 destination regions (center), grouped by category (middle left and right).

Third Party Destinations: more than 50% of the destinations contacted by the IoT devices are not first parties, i.e., neither the manufacturer nor a related company responsible for fulfilling the device’s functionality. Third-party destinations could be trackers and advertisers. Moreover, many devices (89%) are vulnerable to at least one form of activity inference, which can be used to identify unexpected activities (Figure 2) [2].

Figure 2: Examples of unexpected behavior from consumer IoT devices.

Existing Third Party Blocker Systems: existing approaches block destinations of advertising and tracking services using blocklists [3], but those blocklists are mostly compiled for web trackers and thus miss non-required destinations contacted by consumer IoT devices [4].

Regulations: in theory, the GDPR in the EU and CCPA in California are designed to provide a regulatory framework for data protection and privacy. This in turn should encourage the manufacturers to demonstrate to consumers that they adhere to the regulations and hence engender trust. From a geopolitical perspective, however, considering the ubiquitous nature of the interconnected devices, current regulations’ enforcement and coverage might not be enough. Particularly:

  • there is a lack of understanding of regional differences in regulations [5], e.g., GDPR is mostly adopted in the EU;
  • there are issues around legacy devices whose manufacturer is out of business, leaving them unable to receive software patches and security updates.

Challenges and Mitigations

Considering all the reasons listed above, there is a need for an automated framework for detecting and isolating all non-essential communications from IoT devices, ideally on the user’s premises. Such a framework can rely on a number of data points for allowing and blocking certain destinations:

Characterizing Network Traffic: IoT devices are often easily recognizable from their network traffic profile [6]. However, a device’s network profile changes over time due to firmware upgrades, the setup of a new device on the same network, or variations in usage patterns.

MUD Profile: the Manufacturer Usage Description (MUD) [7] profile specifies which destinations the device is allowed to contact. Despite various standardization efforts, however, MUD profiles still remain largely unused by device manufacturers.
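As an added illustration of what a MUD profile gives a home gateway to work with (this is not code from the article or from the Mon(IoT)r testbed), the following parses a constructed RFC 8520 JSON profile, extracts the destinations the device is allowed to initiate connections to, and flags observed flows that fall outside that allowlist. The profile, the vendor and third-party hostnames, and the observed flows are all constructed for this example.

```python
import json

# Constructed MUD file in the RFC 8520 JSON layout (not any real vendor's profile):
# the device may only initiate TCP/443 to api.example-vendor.invalid.
MUD_JSON = """{
 "ietf-mud:mud": {
  "mud-version": 1, "mud-url": "https://example-vendor.invalid/camera.json",
  "last-update": "2021-05-18T00:00:00+00:00", "cache-validity": 48,
  "is-supported": true, "systeminfo": "Constructed example camera",
  "from-device-policy": {"access-lists": {"access-list": [{"name": "cam-from"}]}},
  "to-device-policy": {"access-lists": {"access-list": [{"name": "cam-to"}]}}
 },
 "ietf-access-control-list:acls": {"acl": [
  {"name": "cam-from", "type": "ipv4-acl-type", "aces": {"ace": [
   {"name": "cloud-api",
    "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "api.example-vendor.invalid",
                         "protocol": 6},
                "tcp": {"ietf-mud:direction-initiated": "from-device",
                        "destination-port": {"operator": "eq", "port": 443}}},
    "actions": {"forwarding": "accept"}}]}},
  {"name": "cam-to", "type": "ipv4-acl-type", "aces": {"ace": []}}
 ]}
}"""


def from_device_rules(mud):
    """Collect the (dnsname, ip-protocol, dst-port) tuples that the profile's
    from-device policy explicitly accepts."""
    acls = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    policy = mud["ietf-mud:mud"]["from-device-policy"]["access-lists"]["access-list"]
    rules = set()
    for entry in policy:
        for ace in acls[entry["name"]]["aces"]["ace"]:
            if ace["actions"]["forwarding"] == "accept":
                m = ace["matches"]
                ip = m.get("ipv4") or m.get("ipv6") or {}
                l4 = m.get("tcp") or m.get("udp") or {}
                port = l4.get("destination-port", {}).get("port")
                rules.add((ip.get("ietf-acldns:dst-dnsname"), ip.get("protocol"), port))
    return rules


def flows_outside_mud(mud_text, flows):
    """Return observed (dnsname, protocol, dst-port) flows the profile does not permit."""
    rules = from_device_rules(json.loads(mud_text))
    return [f for f in flows if f not in rules]


# Constructed flows: one first-party API call plus two destinations the profile omits.
OBSERVED = [("api.example-vendor.invalid", 6, 443),
            ("tracker.example-thirdparty.invalid", 6, 443),
            ("api.example-vendor.invalid", 17, 123)]
```

A gateway enforcing the profile would drop, or at least log, the two flagged flows; the real difficulty noted above is that most manufacturers publish no profile to enforce.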

Figure 3: Characterize functional vs non-functional destinations.

Blocking Non-essential Traffic: since the vast majority of IoT traffic is encrypted, it is often hard to quantify data leakage. One approach to mitigating the exposure of information is to automatically block any connections that are not essential for the proper functioning of a device (Figure 3). If a device still works after a destination is blocked, that destination is unlikely to be essential to the device’s functionality, and blocking it might limit excessive data sharing. The complexity of the current Internet infrastructure makes it hard to separate traffic that is critical to the overall operation of IoT devices from non-essential traffic. Using extensive testbeds, automated experiments, crowdsourcing approaches, and in-situ user studies, we can shed more light on the peculiar interactions between IoT devices, their manufacturers, and their users [4]. This is a first step towards limiting the privacy and security risks posed by these devices.
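The "block a destination, then check whether the device still works" reasoning above can be written down as a classification procedure. The example below is added here and is not the testbed code from [4]; it simulates one device with a stand-in functionality test (`works`), and the destination names and the dependency between them are constructed. It also handles one failure mode the one-at-a-time reasoning misses: two redundant endpoints that are each dispensable alone but jointly required.

```python
# Constructed model of one device: the destinations it contacts while a feature
# is exercised, and a stand-in for the functionality test. In a real testbed,
# `works` would install a firewall rule for `blocked` and re-run the feature
# (e.g. check that the camera's live stream still loads).
DESTINATIONS = {
    "api.example-vendor.invalid",
    "cdn-a.example-vendor.invalid",
    "cdn-b.example-vendor.invalid",
    "analytics.example-thirdparty.invalid",
    "ads.example-thirdparty.invalid",
}
CDNS = {"cdn-a.example-vendor.invalid", "cdn-b.example-vendor.invalid"}


def works(blocked):
    """Simulated functionality test: the vendor API must be reachable and at
    least one of the two redundant CDN endpoints must be reachable."""
    if "api.example-vendor.invalid" in blocked:
        return False
    return not CDNS <= blocked


def classify_destinations(destinations, works):
    """Pass 1 blocks one destination at a time; if the device survives, that
    destination is a candidate for blocking. Pass 2 adds candidates to the block
    set cumulatively, because individually dispensable destinations can be jointly
    required (fallback endpoints); a candidate that breaks the device only in
    combination is promoted back to essential. Returns (essential, non_essential).
    Which of two redundant endpoints is kept depends on the iteration order."""
    essential, candidates = set(), []
    for dst in sorted(destinations):
        if works({dst}):
            candidates.append(dst)
        else:
            essential.add(dst)
    non_essential = set()
    for dst in candidates:
        if works(non_essential | {dst}):
            non_essential.add(dst)
        else:
            essential.add(dst)
    return essential, non_essential


if __name__ == "__main__":
    ess, non = classify_destinations(DESTINATIONS, works)
    print("essential:", sorted(ess))
    print("safe to block:", sorted(non))
```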

References

  1. J. Ren, D.J. Dubois, D. Choffnes, A.M. Mandalari, R. Kolcun, and H. Haddadi, “Information Exposure for Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach”. Proc. of the Internet Measurement Conference (IMC) 2019.
  2. D.J. Dubois, R. Kolcun, A.M. Mandalari, M.T. Paracha, D. Choffnes, and H. Haddadi, “When Speakers Are All Ears: Characterizing Misactivations of IoT Smart Speakers”. Proc. on Privacy Enhancing Technologies Symposium 2020.
  3. “Pi-Hole: a Black Hole for Internet Advertisements”. https://pi-hole.net/.
  4. A.M. Mandalari, D.J. Dubois, R. Kolcun, M.T. Paracha, H. Haddadi, and D. Choffnes, “Blocking without Breaking: Identification and Mitigation of Non-Essential IoT Traffic”. Proc. on Privacy Enhancing Technologies Symposium 2021.
  5. S. Sirur, J.R. Nurse, and H. Webb, “Are We There Yet?: Understanding the Challenges Faced in Complying with the General Data Protection Regulation (GDPR)”. Proc. of the 2nd International Workshop on Multimedia Privacy and Security 2018.
  6. S.J. Saidi, A.M. Mandalari, R. Kolcun, H. Haddadi, D.J. Dubois, D. Choffnes, G. Smaragdakis, and A. Feldmann, “A Haystack Full of Needles: Scalable Detection of IoT Devices in the Wild”. Proc. of the Internet Measurement Conference (IMC) 2020.
  7. E. Lear, R. Droms, and D. Romascanu, “RFC 8520: Manufacturer Usage Description Specification”. https://tools.ietf.org/html/rfc8520.

Anna Maria Mandalari is a Research Associate in the Dyson School of Design Engineering at the Faculty of Engineering at Imperial College London. Her research interests are related to IoT, privacy, and Internet protocols.

Hamed Haddadi is an Associate Professor at Imperial College. He is a Security Science Fellow of the Institute for Security Science and Technology and of the Data Science Institute. He is also a Visiting Professor at Brave Software, where he works on developing privacy-preserving protocols.

Daniel J. Dubois is an Associate Research Scientist at Northeastern University; his research is rooted in software engineering, with a current focus on IoT privacy. He maintains the Mon(IoT)r Lab testbed, which provides an IoT monitoring infrastructure to four research institutions.

David Choffnes is an Associate Professor at Northeastern University, member of the Cybersecurity and Privacy Institute, and affiliate faculty at the Center for Law, Innovation and Creativity (CLIC).