Researchers at Princeton University found that many Internet of Things (IoT) devices are vulnerable in terms of data sharing and, thus, may endanger the lives of users. They found several popular IoT devices sharing user information with third parties without the knowledge of the user.
While IoT is a thing of convenience for common people, for service and device providers it creates an opportunity to measure, collect and analyse an ever-increasing variety of behavioural statistics. This cross-correlation of data could be very helpful for targeted marketing of products and services.
As I had explained in my article “Internet of Things: A Frankenstein?” (28 Apr-11 May 2017), IoT is the inter-networking of physical (smart) devices, vehicles, buildings and other items embedded with electronics, software, sensors, actuators and network connectivity, which enable these objects to collect and exchange data. The ‘things’, in the IoT sense, refer to a wide variety of devices, such as heart-monitoring implants, bio-chip transponders, electric clams, automobiles with built-in sensors, DNA analysis devices and field operation devices that assist fire-fighters in search and rescue operations, to name a few.
A report from The Guardian pointed out how dolls connected through the Internet allow remote spying on children. Another report says that botnets from millions of security cameras and digital video-recorders could be behind the attack on a global DNS service-provider. At the same time, surgically implanted pacemakers are susceptible to remote takeover, says a report from CNN Money.
The user may not even know which companies or third parties are receiving her personal information from IoT devices, whether the IoT device has been hacked, or whether devices with always-on microphones are listening to private conversations. IoT Inspector analysed more than 50 IoT devices, and what it found about data sharing with third parties is quite scary. Here is what IoT Inspector says about its findings:
Samsung Smart TV: During the first minute after power-on, the TV talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook—even though we did not sign in or create accounts with any of them.
Amcrest WiFi Security Camera: The camera actively communicates with cellphonepush.quickddns.com using HTTPS. QuickDDNS is a dynamic DNS service-provider operated by Dahua.
Geeni Light Bulb: The Geeni smart bulb communicates with gw.tuyaus.com, which is operated by TuYa, a China-based company that also offers an MQTT service.
The researchers also looked at Samsung Smart Camera and TP-Link Smart Plug and found communications with third parties ranging from network time protocol (NTP) pools (time-servers) to video-storage services. “These third-party services are potentially single points of failure or vulnerability. A third party could aggregate user data from a wide range of devices, creating the possibility for tracking a user’s behaviour across many devices. These devices are also not transparent about the Internet services with which they communicate or share data. Most IoT devices do not mention the specific third parties they communicate with in their privacy policies, which makes it difficult for consumers to make purchasing decisions based on security and privacy considerations,” researchers from the Centre for Information Technology Policy at Princeton say.
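A home user can check the same thing on their own network from the router's DNS log. The following is an added example, not code from the article or from IoT Inspector: it lists the third-party domains each device looks up and flags domains that several devices contact, which is the aggregation point the researchers describe. It assumes a dnsmasq-style query log; the device inventory, the first-party lists and every `.example` hostname are constructed, and only cellphonepush.quickddns.com and gw.tuyaus.com come from the findings above.

```python
import re
from collections import defaultdict

# Constructed sample log in dnsmasq "log-queries" style.
SAMPLE_LOG = """\
Apr 10 09:00:01 dnsmasq[412]: query[A] cellphonepush.quickddns.com from 192.168.1.20
Apr 10 09:00:02 dnsmasq[412]: query[A] gw.tuyaus.com from 192.168.1.21
Apr 10 09:00:03 dnsmasq[412]: query[A] pool.ntp.example from 192.168.1.20
Apr 10 09:00:04 dnsmasq[412]: query[AAAA] pool.ntp.example from 192.168.1.21
Apr 10 09:00:05 dnsmasq[412]: query[A] api.camera-vendor.example from 192.168.1.20
Apr 10 09:00:06 dnsmasq[412]: reply gw.tuyaus.com is 203.0.113.7
"""
# Assumed inventory: which LAN address is which device, and which
# domains count as the device vendor's own (first party).
DEVICES = {"192.168.1.20": "camera", "192.168.1.21": "bulb"}
FIRST_PARTY = {"camera": {"camera-vendor.example"}, "bulb": {"bulb-vendor.example"}}

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")

def registrable(host):
    """Naive registrable domain: the last two labels.
    A real tool should consult the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def third_party_report(log, devices=DEVICES, first_party=FIRST_PARTY):
    """Map each device to the sorted third-party domains it queried."""
    report = defaultdict(set)
    for line in log.splitlines():
        match = QUERY_RE.search(line)
        if not match:  # replies and other log lines are ignored
            continue
        host, client = match.groups()
        device = devices.get(client, f"unknown:{client}")
        domain = registrable(host)
        if domain not in first_party.get(device, set()):
            report[device].add(domain)
    return {dev: sorted(doms) for dev, doms in report.items()}

def shared_third_parties(report):
    """Domains contacted by more than one device (possible aggregation point)."""
    seen = defaultdict(list)
    for device, domains in report.items():
        for domain in domains:
            seen[domain].append(device)
    return {dom: sorted(devs) for dom, devs in seen.items() if len(devs) > 1}

if __name__ == "__main__":
    report = third_party_report(SAMPLE_LOG)
    for device, domains in sorted(report.items()):
        print(device, "->", ", ".join(domains))
    print("contacted by several devices:", shared_third_parties(report))
```
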
We have a tendency to opt for things that make our lives easier—such as connecting every electronic device or gadget through the Internet. But blindly rushing into these without even thinking about security aspects will surely make us vulnerable.