Danny Yuxing Huang
Skip Abstract Section
Abstract
The proliferation of smart home devices has created new opportunities for empirical research in ubiquitous computing, ranging from security and privacy to personal health. Yet, data from smart home deployments are hard to come by, and existing empirical studies of smart home devices typically involve only a small number of devices in lab settings. To contribute to data-driven smart home research, we crowdsource the largest known dataset of labeled network traffic from smart home devices from within real-world home networks. To do so, we developed and released IoT Inspector, an open-source tool that allows users to observe the traffic from smart home devices on their own home networks. Between April 10, 2019 and January 21, 2020, 5,404 users have installed IoT Inspector, allowing us to collect labeled network traffic from 54,094 smart home devices. At the time of publication, IoT Inspector is still gaining users and collecting data from more devices. We demonstrate how this data enables new research into smart homes through two case studies focused on security and privacy. First, we find that many device vendors, including Amazon and Google, use outdated TLS versions and send unencrypted traffic, sometimes to advertising and tracking services. Second, we discover that smart TVs from at least 10 vendors communicated with advertising and tracking services. Finally, we find widespread cross-border communications, sometimes unencrypted, between devices and Internet services that are located in countries with potentially poor privacy practices. To facilitate future reproducible research in smart homes, we will release the IoT Inspector data to the public.
- M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas, and Y. Zhou, "Understanding the Mirai Botnet," in USENIX Security Symposium, 2017.Google Scholar
- G. Chu, N. Apthorpe, and N. Feamster, "Security and Privacy Analyses of Internet of Things Children's Toys," IEEE Internet of Things Journal, vol. 6, no. 1, pp. 978--985, 2019.Google Scholar
- J. Ortiz, C. Crawford, and F. Le, "Devicemien: Network device behavior modeling for identifying unknown iot devices," in Proceedings of the International Conference on Internet of Things Design and Implementation, ser. IoTDI '19. New York, NY, USA: ACM, 2019, pp. 106--117. [Online]. Available: http://doi.acm.org/10.1145/3302505.3310073Google ScholarDigital Library
- Rob van der Meulen. (2017) Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017, Up 31 Percent From 2016. [Online]. Available: https://www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-8-billion-connected-things-will-be-in-use-in-2017-up-31-percent-from-2016Google Scholar
- D. Kumar, K. Shen, B. Case, D. Garg, G. Alperovich, D. Kuznetsov, R. Gupta, and Z. Durumeric, "All Things Considered: An Analysis of IoT Devices on Home Networks," in USENIX Security Symposium, 2019.Google Scholar
- N. Apthorpe, D. Y. Huang, D. Reisman, A. Narayanan, and N. Feamster, "Keeping the smart home private with smart (er) iot traffic shaping," arXiv preprint arXiv:1812.00955, 2018.Google Scholar
- D. Wood, N. Apthorpe, and N. Feamster, "Cleartext Data Transmissions in Consumer IoT Medical Devices," in Proceedings of the 2017 Workshop on Internet of Things Security and Privacy. ACM, 2017, pp. 7--12.Google Scholar
- S. Sundaresan, S. Burnett, N. Feamster, and W. De Donato, "BISmark: A Testbed for Deploying Measurements and Applications in Broadband Access Networks," in USENIX Annual Technical Conference (ATC), 2014.Google Scholar
- P. Schmitt, F. Bronzino, R. Teixeira, T. Chattopadhyay, and N. Feamster, "Enhancing transparency: Internet video quality inference from network traffic," Research Conference on Communications, Information and Internet Policy, 2018.Google Scholar
- X. Feng, Q. Li, H. Wang, and L. Sun, "Acquisitional rule-based engine for discovering internet-of-things devices," in USENIX Security Symposium, 2018, pp. 327--341.Google Scholar
- Y. Mirsky, T. Doitshman, Y. Elovici, and A. Shabtai, "Kitsune: an ensemble of autoencoders for online network intrusion detection," Network and Distributed Systems Security Symposium (NDSS), 2018.Google Scholar
- M. Miettinen, S. Marchal, I. Hafeez, N. Asokan, A. Sadeghi, and S. Tarkoma, "Iot sentinel: Automated device-type identification for security enforcement in iot," in 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), June 2017, pp. 2177--2184.Google Scholar
- Y. Meidan, M. Bohadana, A. Shabtai, J. D. Guarnizo, M. Ochoa, N. O. Tippenhauer, and Y. Elovici, "Profiliot: A machine learning approach for iot device identification based on network traffic analysis," in Proceedings of the Symposium on Applied Computing, ser. SAC '17. New York, NY, USA: ACM, 2017, pp. 506--509. [Online]. Available: http://doi.acm.org/10.1145/3019612.3019878Google ScholarDigital Library
- J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei, "Imagenet: A large-scale hierarchical image database," in 2009 IEEE conference on computer vision and pattern recognition. Ieee, 2009, pp. 248--255.Google Scholar
- M. Chetty, D. Haslem, A. Baird, U. Ofoha, B. Sumner, and R. Grinter, "Why is My Internet Slow?: Making Network Speeds Visible," in SIGCHI Conference on Human Factors in Computing Systems (CHI), 2011.Google Scholar
- S. Grover, M. S. Park, S. Sundaresan, S. Burnett, H. Kim, B. Ravi, and N. Feamster, "Peeking Behind the NAT: An Empirical Study of Home Networks," in Internet Measurement Conference (IMC), 2013.Google Scholar
- C. Kreibich, N. Weaver, B. Nechaev, and V. Paxson, "Netalyzr: Illuminating the Edge Network," in ACM Internet Measurement Conference (IMC), 2010.Google Scholar
- L. DiCioccio, R. Teixeira, M. May, and C. Kreibich, "Probe and Pray: Using UPnP for Home Network Measurements," in International Conference on Passive and Active Measurement (PAM), 2012.Google Scholar
- L. DiCioccio, R. Teixeira, and C. Rosenberg, "Measuring Home Networks with HomeNet Profiler," in International Conference on Passive and Active Measurement (PAM), 2013.Google Scholar
- S. Shasha, M. Mahmoud, M. Mannan, and A. Youssef, "Playing With Danger: A Taxonomy and Evaluation of Threats to Smart Toys," IEEE Internet of Things Journal, 2018.Google Scholar
- G. Acar, D. Huang, F. Li, A. Narayanan, and N. Feamster, "Web-based Attacks to Discover and Control Local IoT Devices," in ACM SIGCOMM Workshop on IoT Security and Privacy (IoT S&P), 2018.Google Scholar
- IEEE. Organizationally unique identifier. [Online]. Available: http://standards-oui.ieee.org/oui.txtGoogle Scholar
- Netdisco. Netdisco. [Online]. Available: https://github.com/home-assistant/netdiscoGoogle Scholar
- Debian. Arpspoof - intercept packets on a switched lan. [Online]. Available: https://manpages.debian.org/jessie/dsniff/arpspoof.8.en.htmlGoogle Scholar
- inverse.ca. Fingerbank. [Online]. Available: https://fingerbank.org/Google Scholar
- C. Kreibich, N. Weaver, G. Maier, B. Nechaev, and V. Paxson, "Experiences from netalyzr with engaging users in end-system measurement," in Proceedings of the First ACM SIGCOMM Workshop on Measurements Up the Stack, ser. W-MUST '11. New York, NY, USA: ACM, 2011, pp. 25--30. [Online]. Available: http://doi.acm.org/10.1145/2018602.2018609Google ScholarDigital Library
- F. Security. Farsight security passive dns faq. [Online]. Available: https://www.farsightsecurity.com/technical/passive-dns/passive-dns-faq/Google Scholar
- T. Libert, "Exposing the invisible web: An analysis of third-party http requests on 1 million websites," International Journal of Communication, vol. 9, no. 0, 2015. [Online]. Available: https://ijoc.org/index.php/ijoc/article/view/3646Google Scholar
- DisconnectMe. (2019) Disconnect tracking protection. [Online]. Available: https://github.com/disconnectme/disconnect-tracking-protection/Google Scholar
- N. Lomas. (2019) Spy on your smart home with this open source research tool. [Online]. Available: https://techcrunch.com/2019/04/13/spy-on-your-smart-home-with-this-open-source-research-tool/Google Scholar
- G. A. Fowler. (2019) You watch tv. your tv watches back. [Online]. Available: https://www.washingtonpost.com/technology/2019/09/18/you-watch-tv-your-tv-watches-back/Google Scholar
- K. Hill. (2019) This simple tool will reveal the secret life of your smart home. [Online]. Available: https://gizmodo.com/this-simple-tool-will-reveal-the-secret-life-of-your-sm-1832264323Google Scholar
- R. Pringle. (2019) 'it's time for us to watch them': App lets you spy on alexa and the rest of your smart devices. [Online]. Available: https://www.cbc.ca/news/technology/pringle-smart-home-privacy-1.5109347Google Scholar
- I. Flatow. (2019) Your smart tv is watching you. [Online]. Available: https://www.sciencefriday.com/segments/smart-tv-roku-spying/Google Scholar
- MQTT. (2019) Message Queuing Telemetry Transport. [Online]. Available: http://mqtt.org/Google Scholar
- Seth Schoen. (2019) ESNI: A Privacy-Protecting Upgrade to HTTPS. [Online]. Available: https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-httpsGoogle Scholar
- Emily Schechter. (2018) A milestone for Chrome security: marking HTTP as "not secure". [Online]. Available: https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/Google Scholar
- Marissa Wood. (2019) Today's Firefox Blocks Third-Party Tracking Cookies and Cryptomining by Default - The Mozilla Blog. [Online]. Available: https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-defaultGoogle Scholar
- H. Mohajeri Moghaddam, G. Acar, B. Burgess, A. Mathur, D. Y. Huang, N. Feamster, E. W. Felten, P. Mittal, and A. Narayanan, "Watching you watch: The tracking ecosystem of over-the-top tv streaming devices," in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS '19. ACM, 2019.Google Scholar
- Z. Durumeric, Z. Ma, D. Springall, R. Barnes, N. Sullivan, E. Bursztein, M. Bailey, J. A. Halderman, and V. Paxson, "The security impact of https interception." in NDSS, 2017.Google Scholar
- A. Razaghpanah, A. A. Niaki, N. Vallina-Rodriguez, S. Sundaresan, J. Amann, and P. Gill, "Studying TLS Usage in Android Apps," in Proceedings of the 13th International Conference on Emerging Networking EXperiments and Technologies, ser. CoNEXT '17. New York, NY, USA: ACM, 2017, pp. 350--362. [Online]. Available: http://doi.acm.org/10.1145/3143361.3143400Google ScholarDigital Library
- O. Alrawi, C. Lever, M. Antonakakis, and F. Monrose, "SoK: Security Evaluation of Home-Based IoT Deployments," in IEEE Symposium on Security and Privacy (S&P), 2019.Google Scholar
- K. McKay and D. Cooper. (2019, Aug) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations.Google Scholar
- Chromium Bugs. (2014) Issue 436391: Add info on end of life of SSLVersionFallbackMin & SSLVersionMin policy in documentation. [Online]. Available: https://bugs.chromium.org/p/chromium/issues/detail?id=436391Google Scholar
- B. Möller, T. Duong, and K. Kotowicz, "This poodle bites: exploiting the ssl 3.0 fallback," Security Advisory, 2014.Google Scholar
- S. Englehardt and A. Narayanan, "Online tracking: A 1-million-site measurement and analysis," in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016, pp. 1388--1401.Google Scholar
- A. Razaghpanah, R. Nithyanand, N. Vallina-Rodriguez, S. Sundaresan, M. Allman, C. Kreibich, and P. Gill, "Apps, trackers, privacy, and regulators: A global study of the mobile tracking ecosystem," 2018.Google Scholar
- N. Apthorpe, D. Y. Huang, D. Reisman, A. Narayanan, and N. Feamster, "Keeping the Smart Home Private with Smart(er) IoT Traffic Shaping," in Proceedings on Privacy Enhancing Technologies Symposium (PETS), 2019.Google Scholar
- Y. Meidan, M. Bohadana, A. Shabtai, J. D. Guarnizo, M. Ochoa, N. O. Tippenhauer, and Y. Elovici, "Profiliot: a machine learning approach for iot device identification based on network traffic analysis," in Proceedings of the symposium on applied computing. ACM, 2017, pp. 506--509.Google Scholar
- J. Ortiz, C. Crawford, and F. Le, "DeviceMien: network device behavior modeling for identifying unknown IoT devices," in Proceedings of the International Conference on Internet of Things Design and Implementation. ACM, 2019, pp. 106--117.Google Scholar
- M. Miettinen, S. Marchal, I. Hafeez, N. Asokan, A.-R. Sadeghi, and S. Tarkoma, "Iot sentinel: Automated device-type identification for security enforcement in iot," in 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS). IEEE, 2017, pp. 2177--2184.Google Scholar
Index Terms
- IoT Inspector: Crowdsourcing Labeled Network Traffic from Smart Home Devices at Scale
Recommendations
User Perceptions of Smart Home IoT Privacy
Smart home Internet of Things (IoT) devices are rapidly increasing in popularity, with more households including Internet-connected devices that continuously monitor user activities. In this study, we conduct eleven semi-structured interviews with smart ...
Privacy Lessons Learnt from Deploying an IoT Ecosystem in the Home
EuroUSEC '22: Proceedings of the 2022 European Symposium on Usable SecurityStudies of privacy perception in the Internet of Things (IoT) include in-laboratory evaluations as well as investigations of purchase decisions, deployment, and long-term use. In this study, we implemented identical IoT configurations in eight ...
SaferHome: Interactive Physical and Digital Smart Home Dashboards for Communicating Privacy Assessments to Owners and Bystanders
Private homes are increasingly becoming smart spaces. While smart homes promise comfort, they expose most intimate spaces to security and privacy risks. Unfortunately, most users today are not equipped with the right tools to assess the ...
Comments