An international team of researchers, led by IMDEA Networks and Northeastern University in collaboration with NYU Tandon School of Engineering, Universidad Carlos III de Madrid, IMDEA Software, University of Calgary, and the International Computer Science Institute, has described some of the challenges associated with smart home devices.
The research unveils new findings on the security and privacy challenges posed by the ever-growing prevalence of opaque and technically complex Internet of Things (IoT) devices in smart homes.
Smart homes are becoming increasingly interconnected, and they comprise an array of consumer-oriented IoT devices ranging from smartphones and smart TVs to virtual assistants and CCTV cameras.
These devices have cameras, microphones, and other ways of sensing what is happening in our most private spaces—our homes.
However, can people trust that these devices in their homes are safely handling and protecting the sensitive data they have access to?
David Choffnes, Associate Professor of Computer Science and Executive Director of the Cybersecurity and Privacy Institute at Northeastern University, makes the following statement.
“When we think of what happens between the walls of our homes, we think of it as a trusted, private place. In reality, we find that smart devices in our homes are piercing that veil of trust and privacy—in ways that allow nearly any company to learn what devices are in your home, to know when you are home, and learn where your home is.
“These behaviors are generally not disclosed to consumers, and there is a need for better protections in the home.”
The research team’s extensive study is titled “In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes.” It was presented at the ACM Internet Measurement Conference (ACM IMC’23) in Montreal (Canada). The paper delves for the first time into the intricacies of local network interactions between 93 IoT devices and mobile apps, revealing a plethora of previously undisclosed security and privacy concerns with real-world implications.
So, here’s the issue:
The study’s findings illuminate new threats associated with the inadvertent exposure of sensitive data by IoT devices within local networks using standard protocols such as UPnP or mDNS. Even though some may have trusted these devices in the past, now is the time to re-evaluate that trust.
These threats include the exposure of unique device names, UUIDs, and even household geolocation data, all of which can be harvested by companies involved in surveillance capitalism without user awareness. Of course, while some of the companies have honest intentions at the start, bad eggs are soon to follow.
Vijay Prakash, a Ph.D. student from NYU Tandon who co-authored the paper, said that in analyzing the data collected by IoT Inspector, his team found evidence of IoT devices inadvertently exposing at least one piece of PII (Personally Identifiable Information), like a unique hardware address (MAC), UUID, or unique device name, in thousands of real-world smart homes.
According to him, “Any single PII is useful for identifying a household, but combining all three of them together makes a house very unique and easily identifiable. For comparison, if a person is fingerprinted using the simplest browser fingerprinting technique, they are as unique as one in 1,500 people. If a smart home with all three types of identifiers is fingerprinted, it is as unique as one in 1.12 million smart homes.”
These local network protocols can be used to access data that is supposedly protected by several mobile app permissions, such as household locations. All they have to do is ask other IoT devices deployed in the local network for it, using standard protocols like UPnP.
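To check what your own devices announce, the sketch below audits UPnP discovery (SSDP) messages for two of the identifiers named above: the device UUID in the `USN` header and a MAC address embedded in it. It is an added example, not code from the paper or from IoT Inspector; the sample messages are constructed and the function names are hypothetical.

```python
import re
import uuid

# Constructed SSDP announcements for illustration; not captured from real devices.
SAMPLES = [
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n"
    "USN: uuid:2fac1234-31f8-11b4-a222-08002b34c003::upnp:rootdevice\r\n\r\n",
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n"
    "usn: uuid:9f1c2d3e-4b5a-4c6d-8e7f-0a1b2c3d4e5f::upnp:rootdevice\r\n\r\n",
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n\r\n",
]

USN_UUID = re.compile(r"uuid:([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")


def parse_headers(message):
    """Return SSDP headers as a dict keyed by upper-cased name (names are case-insensitive)."""
    headers = {}
    for line in message.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def audit_ssdp(message):
    """Report which persistent identifiers one SSDP announcement exposes."""
    match = USN_UUID.search(parse_headers(message).get("USN", ""))
    if not match:
        return {"uuid": None, "mac": None}
    device_uuid = uuid.UUID(match.group(1))
    mac = None
    # RFC 4122 version-1 UUIDs carry a 48-bit node ID. When the multicast bit of
    # its first octet is clear, the node is taken to be an IEEE 802 MAC address.
    if device_uuid.version == 1 and not (device_uuid.node >> 40) & 1:
        mac = ":".join(f"{(device_uuid.node >> s) & 0xff:02x}" for s in range(40, -1, -8))
    return {"uuid": str(device_uuid), "mac": mac}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_ssdp(sample))
```

A device that reports a non-empty `mac` is broadcasting its hardware address inside its UUID to everything on the local network; a random (version 4) UUID is still a stable identifier if it never changes.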
Juan Tapiador, professor at UC3M, makes the following remark:
“Our study shows that the local network protocols used by IoT devices are not sufficiently protected and expose sensitive information about the home and the use we make of the devices. This information is being collected in an opaque way and makes it easier to create profiles of our habits or socioeconomic level.”
The impact of this research makes it clear that stakeholders should take action to enhance the privacy and security guarantees of smart home devices and households.