We’ve mostly moved past the point where our Internet of Things devices leak private information to anyone watching via unsecured connections, but that doesn’t mean you can stop being afraid. Never, ever stop being afraid. To top up your paranoia reserves, a new study finds that internet providers can, if they so choose, monitor all kinds of things from your smart home’s traitorous metadata.
The paper[1], from a team at Princeton’s computer science school led by grad student Noah Apthorpe, gets straight to the point: “we demonstrate that an ISP or other network observer can infer privacy sensitive in-home activities by analyzing internet traffic from smart homes containing commercially available IoT devices even when the devices use encryption.”
It’s a pretty straightforward attack: the IoT devices often identify themselves voluntarily, usually by connecting to specific domains or URLs. Even if they didn’t, there are simple ways of profiling them based on observation and some known data. The researchers demonstrated this by showing that various devices show distinct patterns of data transmission:
Once they’re identified, the ISP (in this case played by the researchers) can simply watch for increases in traffic. What those changes in traffic mean are either self-evident or perfectly able to be inferred with a little analysis.
By watching a sleep tracker, the ISP can see when the user gets in bed and wakes up, perhaps even how well they sleep, whether they get up in the middle of the night and so on.
By watching various smart switches, the ISP can see when certain devices are in use: the TV, the space heater, the light in the basement, the garage door.
By watching the IP security camera traffic, the ISP can see when...