Paper accepted at IMC ’19.

Information Exposure for Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach.

Jingjing Ren, Daniel J. Dubois, David Choffnes (Northeastern University); Anna Maria Mandalari, Roman Kolcun, Hamed Haddadi (Imperial College London)

Internet of Things (IoT) devices are increasingly found in everyday homes, providing useful functionality for devices such as TVs, smart speakers, and video doorbells. Along with their benefits come potential privacy risks, since these devices can communicate information about their users to other parties over the Internet. However, understanding these risks in depth and at scale is difficult due to heterogeneity in devices’ user interfaces, protocols, and functionality.
In this work, we conduct a multidimensional analysis of information exposure from 81 devices located in labs in the US and UK. Through a total of 34,586 rigorous automated and manual con- trolled experiments, we characterize information exposure in terms of destinations of Internet traffic, whether the contents of communication are protected by encryption, what are the IoT-device interactions that can be inferred from such content, and whether there are unexpected exposures of private and/or sensitive information (e.g., video surreptitiously transmitted by a recording device). We highlight regional differences between these results, potentially due to different privacy regulations in the US and UK. Last, we compare our controlled experiments with data gathered from an in situ user study comprising 36 participants.

lab

About this publication

  • Title: Information Exposure for Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach
  • Authors: Jingjing Ren, Daniel J. Dubois, David Choffnes (Northeastern University); Anna Maria Mandalari, Roman Kolcun, Hamed Haddadi (Imperial College London)
  • Venue: Internet Measurement Conference (IMC) 2019
  • Download Full Text (PDF)
  • Download Presentation (will be published here on October 22, 2019)
  • Citation:
    @inproceedings{ren-imc19,
    title={{Information Exposure for Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach}},
    author={Ren, Jingjing and Dubois, Daniel J. and Choffnes, David and Mandalari, Anna Maria and Kolcun, Roman and Haddadi, Hamed},
    booktitle={Proc. of the Internet Measurement Conference (IMC)},
    year={2019}
    }

Tools and dataset

To develop our work, we used the Mon(IoT)r Testbed, which is software design to facilitate, organize, and automate the capture of network traffic for IoT devices deployed on a local network. For more information on our testbed and to deploy it yourself for your own IoT experiments, you can visit the dedicated page on this website.

For the purpose of this paper, all the software (including automation and analysis scripts), as well as all anonymized dataset without payload, are available on our public Github repository: https://github.com/NEU-SNS/intl-iot.

If you need access to the full dataset (i.e., with payload of all the packets), please contact the Mon(IoT)r research group at moniotr@ccs.neu.edu.

Disclaimer
Several news reports indicate that our study found TVs were sending personal data to third parties. This is incorrect, and we never indicated otherwise. We found that some TV devices contact third parties but we do not know whether they send any personal data because the communication is encrypted.
Additionally, several news reports suggest that TVs are sending information even when they are turned off. We have never indicated that. Our research shows that data were sent when the TVs were turned on but no streaming service or an application were used.