Slashdot Mirror


New Privacy Vulnerability In IOT Devices: Traffic Rate Metadata (helpnetsecurity.com)

Orome1 quotes Help Net Security: Even though many IoT devices for smart homes encrypt their traffic, a passive network observer -- e.g. an ISP, or a neighborhood WiFi eavesdropper -- can infer consumer behavior and sensitive details about users from IoT device-associated traffic rate metadata. A group of researchers from the Computer Science Department of Princeton University have proven this fact by setting up a smart home laboratory with a passive network tap, and examining the traffic rates of four IoT smart home devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo smart outlet, and an Amazon Echo smart speaker... "Once an adversary identifies packet streams for a particular device, one or more of the streams are likely to encode device state. Simply plotting send/receive rates of the streams revealed potentially private user interactions for each device we tested," the researchers noted. [PDF]
In addition, the article notes, "Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard."

24 comments

  1. Holy shit!!!! by Anonymous Coward · · Score: 0

    A tap on your LAN might allow for device differentiation? Who the fuck knew????? We must commission a study!

  2. Very old news... by gweihir · · Score: 1

    This has been known for a few decades. That it is now for IoT does not make it any more interesting.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re: Very old news... by Anonymous Coward · · Score: 1

      It's very interesting if you are trying to get research funds for the INTERNET OF.... THINGS!

    2. Re: Very old news... by gweihir · · Score: 1

      Well, yes. Research funding has been utterly broken for a long time now.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Very old news... by JaredOfEuropa · · Score: 2

      IoT security or the lack thereof is a real hot topic at the moment. That makes it more interesting for a lot of people... i.e. this research is a bit like click-bait (or grant-bait).

      By the way: burglars (whether they are of the drive-by variety or the more clever ones who target high value marks specifically) in most cases do not have the smarts to employ such methods. They will have to pay someone to do it for them... and in that case there are far simpler (thus cheaper) methods to determine if you're gone for the day or went on holiday. A bored hacker might go for this, real burglars have better things to spend their time on.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  3. Literally not new by fibonacci8 · · Score: 2
    --
    Inheritance is the sincerest form of nepotism.
  4. Whaaaa ..... by CaptainDork · · Score: 1

    ... I'm running analytics on any WiFi I hook to via standard apps and the goddam things self-identify.

    --
    It little behooves the best of us to comment on the rest of us.
  5. Typical by Anonymous Coward · · Score: 0

    Can anyone actually publish unbiased information instead of opinions based on suppositions, exaggerations, hyperbole, and questionable interpretation presented as truth? Sprinkling the words may, could, or possibly throughout an article serves only to protect the publisher from being called a liar. Did the people who published this article work for the NYT?

    Basically these people have discovered a Wi-Fi scanner can intercept network packets and then "infer" what type of device is sending the packets. In this case a more appropriate word would be "guess" and not "infer". Oh and according to their findings most of the IoT devices today are transmitting encrypted traffic. Now square this with the article headline. The headline "infers" that this "vulnerability" is an extinction level event and you should immediately turn off all your WiFi devices before you spontaneously combust. When someone figures out how to hide encrypted data being transmitted by WiFi devices we can all come out of the fallout shelter confident that our automated lawn sprinklers and landscaping lights can now be safely used.

    1. Re: Typical by Anonymous Coward · · Score: 0

      Seriously. If you have a wifi eavesdropper you've got bigger problems than IoT.

  6. How is this unique? by i_ate_god · · Score: 1

    If my home uses a service that "consumes" some sort of input, then you can infer my household activity based on the rates of consumption and when. What makes IoT so different?

    --
    I'm god, but it's a bit of a drag really...
  7. Intelligence services have been doing it for ages by Anonymous Coward · · Score: 4, Interesting

    Radio traffic rates have been used as early as the Cold War to anticipate moves of the adversary - there're plenty of mentions of this in literature. It made me laugh when recently some clueless US official dismissed the threat from a Russian reconnaissance ship near US because it "won't be able to decrypt US communications with its outdated technology".

  8. The only new aspect of this is machine learning by misnohmer · · Score: 2

    The fact that traffic flow pattern contains potentially sensitive information is not at all new. I built a product that solved this problem for some companies almost two decades ago. There is something new to this problem that didn't emerge until the recent boom in machine learning capabilities. Machine learning is really good at one thing - pattern recognition. When applied to this problem, it really opens up the depth of information that can be gathered from data flow patterns. For starters, it can identify what flow belongs to what device, then it can identify what could cause this traffic, then it can combine all the devices' behavior looking for more complex patterns. Just looking at your home Internet, it's not hard to identify who is home, are they awake or sleeping or exercising or watching TV or doing taxes or whatever. Products using this are just emerging, but it's amazing what can be gleaned from just Internet traffic pattern, or electricity usage pattern (or combined!).

    1. Re:The only new aspect of this is machine learning by Zero__Kelvin · · Score: 2

      Well, to be fair that was never very hard for some use cases. I see here that he is doing an HTTP get from slashdot.org, so he clearly is never exercising!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  9. The Mere Existence of Traffic Can Be a Problem by DERoss · · Score: 3, Informative

    If a house with extensive IoT devices is being monitored, the mere existence of Internet traffic can be a serious problem. If such traffic ceases or merely drops, that can be an indicator that no one is home, making the house a target for burglars.

    More than four years ago, this vulnerability was described relative to so-called smart electric meters. The lack of encryption in the signals transmitted by those meters made it even easier to determine which houses should be targeted for burglary. That is because a vacant house might still have a refrigerator running or a lamp left on. With no encryption, the meter readings can be analyzed to determine the amount of electricity being used. Minimal usage means no one is home. The reality of this vulnerability was described in a research paper presented at the 19th ACM Conference on Computer and Communications Security in 2012.

    1. Re:The Mere Existence of Traffic Can Be a Problem by Anubis+IV · · Score: 1

      This vulnerability has been well known and documented far earlier as well. For instance, military networks (used to? still do?) fill most of the remaining capacity in their channels with junk data that's designed to be indistinguishable from real data that's been encrypted, that way an adversary listening passively can't tell when there's more activity.

  10. Early adopter but sitting this out by asjk · · Score: 1

    due to dubious cost:benefit ratio.

    1. Re:Early adopter but sitting this out by Anonymous Coward · · Score: 1

      As far as I am concerned, all of this IoT crap has NO benefits at all except for the companies that are using them to spy on the people who buy them!

  11. Warning: turning on lights leads to data leak by mveloso · · Score: 1

    Lights on in the home are indication that residents are at home! News at 11.

    1. Re:Warning: turning on lights leads to data leak by SeaFox · · Score: 2

      Lights on in the home are indication that residents are at home!

      Just like the timer on the table lamp making the lights go on and off like someone's home when you're gone, it wouldn't be that hard to do the same things to add noise to the IoT info. Have an automated recording make unnecessary requests to the Amazon Echo (8pm: recording has Echo play Hootie and the Blowfish songs for a half hour), or send signals to WeMo outlets to turn things on/off.

  12. Gasp, someone just discovered traffic analysis by CharlieG · · Score: 2

    Ah, folks, well known issue in communications. Even if you can't crack the encryption, looking at WHO is talking when, and who is talking to whom (or who broadcasts, and who replies) is well known in ELINT fields, like for decades. The ways around it are known too - false transmissions/replies etc. If I always, and I mean ALWAYS, send data at the same rate (by sending non-important traffic at all times), that makes traffic analysis hard, or if I build in code to randomly add bursts of traffic, all this starts to get complex, as now you have to do statistical analysis to see if there really is something there or not.
    Crypto/ELINT guys have worried about this kind of stuff for decades.

    --
    -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
    1. Re:Gasp, someone just discovered traffic analysis by Agripa · · Score: 1

      It is just metadata so who cares? I mean, metadata cannot be important? Can it? After all, the government says metadata is not protected.

    2. Re:Gasp, someone just discovered traffic analysis by CharlieG · · Score: 1

      Wish I could moderate this up.

      --
      -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
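
The constant-rate sending described in comment 12 above, as an added example that is not part of the thread or of the Princeton paper. The per-second byte counts, the 20 KB/s link rate and the function names are constructed for illustration; the code compares what a passive observer can flag before and after shaping, and what the padding costs.

```python
from statistics import median

# Constructed sample: KB uploaded per second by one device, idle at 2 KB/s
# with a three-second activity burst at 40 KB/s.
REAL_KB = [2, 2, 2, 40, 40, 40, 2, 2, 2, 2, 2, 2]

def shape_constant_rate(real, rate):
    """Put exactly `rate` units on the wire every interval: queued real data
    first, padding for the rest. Returns (wire, padding, max_delay)."""
    queue = []                       # FIFO of [arrival_interval, units_left]
    wire, padding, max_delay, t = [], [], 0, 0
    while t < len(real) or queue:
        if t < len(real) and real[t] > 0:
            queue.append([t, real[t]])
        budget = rate
        while queue and budget > 0:
            sent = min(budget, queue[0][1])
            queue[0][1] -= sent
            budget -= sent
            if queue[0][1] == 0:     # chunk fully sent: record its queueing delay
                max_delay = max(max_delay, t - queue[0][0])
                queue.pop(0)
        wire.append(rate)            # observer always sees the same rate
        padding.append(budget)       # unused budget is filled with dummy data
        t += 1
    return wire, padding, max_delay

def visible_bursts(series, factor=3):
    """Intervals an observer could flag as activity: rate above factor x median."""
    base = median(series)
    return [i for i, v in enumerate(series) if v > factor * base]

if __name__ == "__main__":
    wire, padding, delay = shape_constant_rate(REAL_KB, 20)
    print("bursts visible unshaped:", visible_bursts(REAL_KB))
    print("bursts visible shaped:  ", visible_bursts(wire))
    print("padding overhead: %.0f%%" % (100 * sum(padding) / sum(REAL_KB)))
    print("worst added delay: %d s" % delay)
```

The chosen rate must exceed the device's long-run average, otherwise the queue never drains and the delay grows without bound.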
  13. Lack of info about IoT by houghi · · Score: 2

    I was looking for a remote thing to turn on and off a light. Only one said that the information would be sent to a server in China. All the rest did not talk about it and made it appear as if it would only connect to your router and then you could connect to it with your cellphone.

    And I have looked at many of them in several countries. So if I, who understands a little bit about Internet, can almost be fooled into buying one, how will the 95% of the people who have no idea protect themselves?

    People have NO idea what is going to be sent, where it is going to be sent and how to protect themselves from sending or receiving things.

    Because if they did, we would not be getting any more spam.

    --
    Don't fight for your country, if your country does not fight for you.
  14. Straw man argument by kriston · · Score: 1

    Straw man argument depends on the breaking of the WiFi network. Of course if you're on the network you can monitor activity. However, breaking WiFi has remained a serious challenge for over a decade.

    Another non-story.

    --

    Kriston