IoT devices reveal private information despite encryption, study warns
Fri 18 Aug 2017
IoT devices are giving away private data despite encryption measures, according to recent findings of a Princeton study.
The research found that adversaries are able to infer private information about people who have internet-connected devices in their home by looking at traffic levels and metadata.
The researchers looked at an example of a smart sleep monitor, which saw traffic spikes at the times when the user was awake and moving, meaning a person with no access to actual data, only traffic levels, would be able to assess the user’s sleeping pattern.
The paper summarises growing use of IoT devices and looks at the roles of various smart devices. The authors note that examples of offline activities recorded by current smart home devices include sleeping patterns, exercise routines, child behaviours, medical information, and sexual activity.
It notes that consumers have concerns about privacy with internet-connected home devices and that there are more groups than expected that might have access to the data – not just the manufacturer but also ISPs, Wi-Fi eavesdroppers and state surveillance.
The paper argues that although encryption is commonplace in these types of devices, ‘smart home metadata is sufficient for a passive network adversary.’
There can also be extremely simple ways of discovering private information. Domain Name System (DNS) queries, for example, can provide a way for an adversary to find out that a person owns an IoT blood sugar monitor, which would imply that that person had diabetes.
More detailed data can also be detected from a change in traffic rates from IoT devices – as with the sleep monitor. The paper states that ‘tunnelling smart home traffic through a VPN makes the traffic metadata privacy attack considerably more challenging, but does not provide guaranteed protection.’
The authors recommend using independent link padding (ILP) to protect against traffic metadata attacks while ensuring the devices still work as they should. ILP shapes traffic to match a predetermined rate, so that any changes caused by smart device activity go unnoticed.
For smart homes without video or audio IoT devices, the authors estimate that this type of padding would require around 0.4% of the average U.S. household’s monthly internet usage. For those with video or audio IoT devices, they claim a figure of under 2%.
The research team argues that ILP is often dismissed as being too costly or having too much of an effect on latency, but states that these figures prove otherwise.
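The padding idea and its cost trade-off can be shown on a small trace. The following is an added example, not code from the study or from this article: the per-second byte counts, the fixed rate of 400 bytes per slot and the queue-based shaper are all assumptions made for illustration. It compares what a traffic-rate observer sees before and after shaping, and reports the cover traffic and queueing delay the shaping costs.

```python
from statistics import median

# Constructed trace: bytes sent per 1-second slot by a hypothetical sleep
# monitor; the three large values stand for the user waking and moving.
RAW = [40, 40, 40, 900, 1200, 40, 40, 40, 40, 800, 40, 40]
RATE = 400  # assumed fixed link rate in bytes per slot


def spikes(trace):
    """What a passive observer can do: flag slots well above the baseline."""
    baseline = median(trace)
    return [i for i, b in enumerate(trace) if b > 2 * baseline]


def ilp_shape(device_bytes, rate):
    """Emit exactly `rate` bytes every slot, independent of device activity.

    Real bytes beyond the rate wait in a FIFO queue; unused capacity is
    filled with cover traffic. Returns (observed, cover_bytes, max_delay).
    """
    queue = []  # FIFO of [arrival_slot, bytes_still_to_send]
    observed, cover, max_delay, slot = [], 0, 0, 0
    while slot < len(device_bytes) or queue:
        if slot < len(device_bytes) and device_bytes[slot]:
            queue.append([slot, device_bytes[slot]])
        budget = rate
        while queue and budget:
            sent = min(budget, queue[0][1])
            queue[0][1] -= sent
            budget -= sent
            if queue[0][1] == 0:  # burst fully sent: record its delay
                max_delay = max(max_delay, slot - queue.pop(0)[0])
        cover += budget                            # padding fills the rest
        observed.append((rate - budget) + budget)  # real + cover on the wire
        slot += 1
    return observed, cover, max_delay


if __name__ == "__main__":
    observed, cover, delay = ilp_shape(RAW, RATE)
    print("spikes visible without padding:", spikes(RAW))
    print("spikes visible with ILP:       ", spikes(observed))
    print("cover bytes:", cover, "of", sum(observed),
          "| worst queueing delay (slots):", delay)
```

Raising the assumed rate shortens the queueing delay but increases the share of cover traffic, which is the bandwidth-versus-latency trade-off the overhead estimates above refer to.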
The study does note that almost all packet content from IoT devices was encrypted, meaning adversaries would have to rely on traffic rate and packet header metadata to reveal the activities of those they are looking to follow.