Metadata generated by IoT devices in a smart home could give hackers valuable clues about its inhabitants’ lifestyle and behavior, according to research published by Princeton University.
According to a research paper published by the university this month, hackers can “infer privacy sensitive in-home activities by analyzing internet traffic from smart homes containing commercially available IoT devices, even when the devices use encryption.”
The flow of data between IoT devices and remote servers is easy to recognize, according to the researchers. The easiest way is by looking at DNS requests; these are unique to particular smart devices. “For example, learning that someone owns an IoT blood sugar monitor or pacemaker effectively reveals a diabetes or heart-disease diagnosis, respectively.”
Hackers could also infer user activities from changes in device traffic rates. “Once an adversary identifies a device and knows its purpose, [then] device states, reflected in traffic rates, directly imply user behaviours,” the researchers write.
Commercial products not up to scratch
Several commercially available smart home devices were analyzed and researchers found that all revealed potentially private user behaviors through network traffic metadata, according to their report.
“Traffic rates from a Sense sleep monitor revealed consumer sleep patterns, traffic rates from a Belkin WeMo switch revealed when a physical appliance in a smart home is turned on or off, and traffic rates from a Nest Cam Indoor security camera revealed when a user is actively monitoring the camera feed or when the camera detects motion in a user’s home,” the paper explains.
The Princeton University team suggests that the general effectiveness of this attack type across a wide range of smart home device types and manufacturers points to a serious need for technical privacy protection strategies.
They warn that because most smart home devices can’t work without an internet connection, such attacks are very easy to carry out and allow hackers to silently monitor victims.
However, the researchers add that there are ways to mitigate such snooping. “Our experiments show that traffic shaping can effectively and practically mitigate many privacy risks associated with smart home IoT devices. We find that 40KB/s extra bandwidth usage is enough to protect user activities from a passive network adversary. This bandwidth cost is well within the Internet speed limits and data caps for many smart homes.”
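The following is an added example, not code from the article or from the Princeton paper: a small simulation of constant-rate traffic shaping over a constructed per-second trace, showing how padding flattens the rate signal and what it costs in extra bytes and queuing delay. The trace values, the 20,000 B/s shaping rate and all function names are assumptions chosen for illustration.

```python
from collections import deque

# Constructed trace (bytes per second): idle heartbeats, a 5 s activity burst, idle again.
TRACE = [200] * 10 + [30_000] * 5 + [200] * 10
RATE = 20_000  # assumed shaping rate in bytes/s, deliberately below the burst peak


def rate_levels(observed):
    """Distinct per-second rates an on-path observer sees; more than one leaks state."""
    return sorted(set(observed))


def shape_constant_rate(trace, rate):
    """Send exactly `rate` bytes every second: queued real data first, padding after.

    Returns (observed_rates, padding_bytes, max_delay_seconds).
    """
    queue = deque()  # FIFO of [arrival_second, bytes_still_queued]
    observed, padding, max_delay, t = [], 0, 0, 0
    while t < len(trace) or queue:
        if t < len(trace) and trace[t] > 0:
            queue.append([t, trace[t]])
        budget = rate
        while queue and budget > 0:
            sent = min(budget, queue[0][1])
            queue[0][1] -= sent
            budget -= sent
            if queue[0][1] == 0:  # chunk fully sent: record how long it waited
                max_delay = max(max_delay, t - queue[0][0])
                queue.popleft()
        padding += budget  # unused budget is filled with cover traffic
        observed.append(rate)
        t += 1
    return observed, padding, max_delay


if __name__ == "__main__":
    shaped, pad, delay = shape_constant_rate(TRACE, RATE)
    print("unshaped rate levels:", rate_levels(TRACE))
    print("shaped rate levels:  ", rate_levels(shaped))
    print(f"padding: {pad} bytes over {len(shaped)} s "
          f"({pad / len(shaped):.0f} B/s average), max delay {delay} s")
```

Setting the shaping rate at or above the burst peak removes the queuing delay at the price of more padding; setting it lower, as here, trades latency for bandwidth.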