Paper accepted at IMC ’19. Community contribution award.
Information Exposure for Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach.
Jingjing Ren, Daniel J. Dubois, David Choffnes (Northeastern University); Anna Maria Mandalari, Roman Kolcun, Hamed Haddadi (Imperial College London)
Internet of Things (IoT) devices are increasingly found in everyday homes, providing useful functionality for devices such as TVs, smart speakers, and video doorbells. Along with their benefits come potential privacy risks, since these devices can communicate information about their users to other parties over the Internet. However, understanding these risks in depth and at scale is difficult due to heterogeneity in devices’ user interfaces, protocols, and functionality.
In this work, we conduct a multidimensional analysis of information exposure from 81 devices located in labs in the US and UK. Through a total of 34,586 rigorous automated and manual controlled experiments, we characterize information exposure in terms of destinations of Internet traffic, whether the contents of communication are protected by encryption, what are the IoT-device interactions that can be inferred from such content, and whether there are unexpected exposures of private and/or sensitive information (e.g., video surreptitiously transmitted by a recording device). We highlight regional differences between these results, potentially due to different privacy regulations in the US and UK. Last, we compare our controlled experiments with data gathered from an in situ user study comprising 36 participants.
About this publication
- Title: Information Exposure for Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach
- Authors: Jingjing Ren, Daniel J. Dubois, David Choffnes (Northeastern University); Anna Maria Mandalari, Roman Kolcun, Hamed Haddadi (Imperial College London)
- Venue: Internet Measurement Conference (IMC) 2019
- Download Full Text (PDF)
- Download Presentation (PDF)
- Citation:
@inproceedings{ren-imc19, title={{Information Exposure for Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach}}, author={Ren, Jingjing and Dubois, Daniel J. and Choffnes, David and Mandalari, Anna Maria and Kolcun, Roman and Haddadi, Hamed}, booktitle={Proc. of the Internet Measurement Conference (IMC)}, year={2019} }
Tools and dataset
To develop our work, we used the Mon(IoT)r Testbed, which is software design to facilitate, organize, and automate the capture of network traffic for IoT devices deployed on a local network. For more information on our testbed and to deploy it yourself for your own IoT experiments, you can visit the dedicated page on this website.
For the purpose of this paper, all the software (including automation and analysis scripts) is available on our public Github repository: https://github.com/NEU-SNS/intl-iot.
If you need access to the dataset (i.e., pcap files for each manual and automated experiment and idle data for both US and UK), please read the terms of our data sharing agreement.
If you agree to those terms, send an email to the Mon(IoT)r research group at moniotr@ccs.neu.edu with subject “IMC 2019 Payload Dataset.” In the body of the email, you must state that you have read our data sharing agreement and that you agree to abide by its terms. Please be sure to include your name and affiliation in your email as well. We are asking this because, despite our best efforts to anonymize the data, there can still be private or security-sensitive information that we were unable to remove from the traces.
Several news reports indicate that our study found TVs were sending personal data to third parties. This is incorrect, and we never indicated otherwise. We found that some TV devices contact third parties but we do not know whether they send any personal data because the communication is encrypted.
Additionally, several news reports suggest that TVs are sending information even when they are turned off. We have never indicated that. Our research shows that data were sent when the TVs were turned on but no streaming service or an application were used.