Botnets are not the only threat to your Internet of Things (IoT) devices: Your internet service provider (ISP) can also detect and track your in-home activities by analyzing internet traffic from smart devices, even when those devices use encryption, according to a paper from Princeton University researchers.
However, the researchers found a simple way to block ISPs from spying on your smart devices: Traffic shaping.
Many smart home devices have always-on sensors that capture users' activities in their home, and transmit information about these activities to cloud services run by the device manufacturers. Devices currently on the market are purchased to record everything from sleeping patterns, exercise routines, medical information, and sexual activity, the researchers noted. And even if a smart home device is not designed to capture private activities, they may still be detected by ISPs.
The privacy threat posed by ISPs is of great concern particularly given the recent reversal of the FCC's broadband consumer privacy rules, which could allow providers like AT&T, Verizon, and T-Mobile to share users personal internet history with third-party advertisers without permission.
The researchers demonstrated how ISPs can get into even encrypted IoT devices via a traffic rate metadata attack. It requires two steps: Using Domain Name System (DNS) queries or device fingerprinting to identify smart home devices from network traffic, and inferring user activities from changes in device traffic rates. Once a hacker can identify a device and its purpose, it can also determine user behaviors.
"Traffic rates from a Sense sleep monitor revealed consumer sleep patterns, traffic rates from a Belkin WeMo switch revealed when a physical appliance in a smart home is turned on or off, and traffic rates from a Nest Cam Indoor security camera revealed when a user is actively monitoring the camera feed or when the camera detects motion in a user's home," the researchers wrote. "The general effectiveness of this attack across smart home device types and manufacturers motivates the need for technical privacy protection strategies."
Many IoT devices do not work without an active internet connection, so firewalling these devices from the internet is not an effective means of mitigating this security threat. And while tunneling smart home traffic through a VPN makes the traffic metadata privacy attack more difficult to carry out, it does not offer guaranteed protection, the researchers wrote.
Instead, traffic shaping by independent link padding (ILP) offers the best means of preventing a traffic metadata attack while still allowing the device to function properly, the researchers found.
"ILP involves shaping traffic rates to match a predetermined rate or schedule, thereby exposing no information about device behavior to an adversary," according to the paper. This typically involves padding or fragmenting all packets to a constant size, and buffering device traffic or sending cover traffic to ensure the predetermined rate is enforced.
For smart homes with devices that stream audio or video, the researchers found that users only need 40KB/s extra bandwidth usage to to mask user activities in this way, which is well within internet speed limits and data caps for many smart homes, they noted.
"Although ILP shaping is well-understood, it is typically dismissed as requiring excessive latency or bandwidth overhead to be practical for real-world use. Our results contradict this common belief," the researchers wrote. "ILP traffic shaping is a reasonable privacy protection method for smart homes with rate-limited broadband access or data caps."
Gartner predicts that by the end of 2017, 8.4 billion connected devices will be in use worldwide, surpassing the world's population. While the growing market for smart home IoT devices offers consumers new conveniences, it also creates many privacy and security challenges. Take Shodan, as ZDNet reported: A search engine used to find and look into unprotected IoT devices around the world.
Security experts predict a rise in IoT security breaches this year, making it extremely important for manufacturers to ensure devices are secure, and for enterprise and consumer users to have security protocols in place.
The 3 big takeaways for TechRepublic readers
1. Internet service providers (ISP) can potentially detect and track your in-home activities by analyzing internet traffic from smart devices, even when those devices use encryption, according to a paper from Princeton University researchers.
2. Users can tap traffic shaping by independent link padding (ILP) to prevent this from happening while ensuring devices are still functional.
3. With a rise in IoT security breaches this year, it's important for manufacturers to ensure that devices are secure, and for enterprise and consumer users to have security protocols in place.
- Enterprise IoT adoption to hit critical mass by 2019, but security remains a top concern (TechRepublic)
- Researchers block ISPs from spying through your smart devices (ZDNet)
- Here are the biggest IoT security threats facing the enterprise in 2017 (TechRepublic)
- 175,000 IoT cameras can be remotely hacked thanks to flaw, says security researcher (ZDNet)
- Enterprise IoT Research 2017: Benefits, Trends, and Security Concerns (Tech Pro Research)
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.