Princeton Team Hunting Down IoT Security Blunders


Princeton boffins and an IoT solution firm have taken steps towards defending consumer-level IoT users from snooping, with what they call the IoT Inspector project.

IoT Inspector is currently at the data-gathering stage, with the aim of launching an open source tool that gives users some idea of what their devices are doing. The idea for the Inspector arose out of various projects of the Princeton group, including, for example, their test of health monitors for data leaks.

IoT Inspector project findings

The researchers looked at net-connected toys and found that none used HTTPS or SSL when communicating with manufacturer-owned servers. One toy lacked authentication for user profile pictures. An eavesdropper could record or replay device communications to obtain profile photos.

Many home devices (smart TVs, security cameras, smoke detectors, and smart light bulbs) communicate widely with third-party servers. For example, in the first minute after its first connection, the Samsung TV Princeton tested communicated with “Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook” without alerting the user.

Things' communications are predictable, which is a plus, since it should at least be easy for products like routers and gateways to detect anomalies (such as a CCTV camera being recruited into a botnet).

Wireless access point to capture traffic

Capturing transmissions from the kit was simple enough. As the company explained in this late-March arXiv paper, they configured a Raspberry Pi as a wireless access point to capture traffic, searched that traffic for any cleartext transmissions, and also combed metadata transmitted by devices to see what could be inferred without cleartext access to traffic.

For Bluetooth-connected devices, they included a smartphone connected to their traffic-harvesting access point. The four devices tested were: the Withings Wireless Blood Pressure Monitor; the Withings Body Composition Wi-Fi Scale; the 1byOne Digital Smart Wireless Body Fat Scale and the iHealth Ease Wireless Blood Pressure Monitor.
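The cleartext search described above can be reproduced offline against a capture taken from your own access point. The following Python is an added example, not code from the Princeton paper or from IoT Inspector: it labels each TCP flow by the first bytes of its payload rather than by port, so HTTP on an unusual port is still flagged. The function names, addresses and payloads are constructed, and it assumes a classic little-endian pcap with Ethernet, IPv4 and TCP.

```python
import socket
import struct

HTTP_VERBS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"HTTP/1.")

def classify_payload(payload):
    """Label a TCP payload by its first bytes, regardless of port."""
    if len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03:
        return "tls"  # TLS record header: content type, then major version 3
    if payload.startswith(HTTP_VERBS):
        return "cleartext-http"
    return "other"  # proprietary framing; needs manual review

def audit_pcap(data):
    """Map (src, dst, dport) -> label for IPv4/TCP flows in a classic pcap."""
    magic, link = struct.unpack_from("<I16xI", data)
    if magic != 0xA1B2C3D4 or link != 1:
        raise ValueError("expected little-endian pcap, Ethernet link type")
    flows, off = {}, 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4/TCP, or too short to hold both headers
        tcp = 14 + (pkt[14] & 0x0F) * 4
        if len(pkt) < tcp + 20:
            continue  # IP options pushed the TCP header past the capture
        end = 14 + struct.unpack_from("!H", pkt, 16)[0]  # drop Ethernet padding
        payload = pkt[tcp + (pkt[tcp + 12] >> 4) * 4:end]
        dport = struct.unpack_from("!H", pkt, tcp + 2)[0]
        key = (socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34]), dport)
        if payload and key not in flows:  # first data segment decides
            flows[key] = classify_payload(payload)
    return flows

def _frame(src, dst, dport, payload):
    """Constructed test frame: Ethernet + IPv4 + TCP, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_pcap():
    """Constructed capture: three devices, documentation-range servers."""
    frames = [_frame("192.168.4.20", "203.0.113.10", 80, b"POST /photo HTTP/1.1\r\n"),
              _frame("192.168.4.21", "203.0.113.20", 443, b"\x16\x03\x01\x00\x02hi"),
              _frame("192.168.4.22", "203.0.113.30", 8080, b"GET /status HTTP/1.1\r\n")]
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + recs
```

Calling `audit_pcap(sample_pcap())` returns one label per flow; on a real capture, read the file in binary mode and pass its bytes to `audit_pcap`.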