Cameras installed by criminals may not be the only devices secretly watching you (see cover story). As consumer electronics companies sell more and more devices that connect to the Internet — everything from fridges to toilets to doorbells — it’s worth wondering who is watching the devices that are watching us.
A team of Princeton and Berkeley researchers led by Princeton postdoctoral fellow Danny Huang has created a way to do that. Their new software tool for desktop computers allows users to discover “Internet of Things” devices, analyze their network traffic, and identify security and privacy issues. The researchers say using the program requires no technical skills or special hardware.
Currently, Princeton IoT Inspector is available only for Mac OS, although the team is planning to release Windows and Linux versions. To download the tool, visit iot-inspector.princeton.edu.
The program can discover which third-party services your smart devices are talking to, what information they are gathering and whether it is being shared, and whether or not a device has been hacked.
IoT Inspector does send data of its own back to the scientists who developed it. The researchers plan to use the data they gather from IoT Inspector to write a research paper next year, after which they will delete all of the data they collected. The data will be “anonymized” to protect the privacy of users.
This approach offers a number of benefits for the scientists as opposed to conducting a study under lab conditions. “It is difficult to produce generalizable results in the study of IoT security and privacy. Although a researcher can purchase a few devices and conduct penetration tests on them in lab settings, the conclusion may not apply to diverse devices that are actually being used in consumer homes or enterprise networks,” the team wrote.
So far the team has used IoT Inspector to analyze several popular smart devices. Here is what they found:
Chromecast: Even when the team was not actively using Chromecast — the Google tool that allows you to stream content from a laptop or mobile phone on a television — the device constantly contacted Google’s servers.
Smart Bulb: Princeton also monitored a Geeni smart bulb with IoT Inspector. Like Chromecast, this device was constantly communicating with the cloud — sending/receiving traffic with tuyaus.com every few seconds. Of particular note, tuyaus.com is operated by TuYa Inc., a China-based company that offers a platform that controls IoT devices.
They also learned that smart TVs contacted advertising/tracking services as the researchers watched TV, caught a “secure” communication from a smart TV to the cloud that turned out not to be so secure, and found a WiFi-enabled camera communicating with Russia, the Czech Republic, India, Brazil, and other countries.