The privacy threat of IoT device traffic rate metadata
Even though many IoT devices for smart homes encrypt their traffic, a passive network observer – e.g. an ISP, or a neighborhood WiFi eavesdropper – can infer consumer behavior and sensitive details about users from IoT device-associated traffic rate metadata.
Examining IoT smart home devices
A group of researchers from the Computer Science Department of Princeton University have demonstrated this by setting up a smart home laboratory with a passive network tap and examining the traffic rates of four IoT smart home devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo smart outlet, and an Amazon Echo smart speaker.
Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard. “Once an adversary identifies packet streams for a particular device, one or more of the streams are likely to encode device state. Simply plotting send/receive rates of the streams (bytes per second) revealed potentially private user interactions for each device we tested,” the researchers noted.
What could someone do with this data?
The adversary could thus work out a particular user’s sleeping patterns (and sleep problems), presence in the home, or use of the intelligent personal assistant service Alexa.
While this might not seem like much of a privacy problem now, consider the fact that we are sure to have and use many more specialized IoT devices in the future. Also, consider the fact that some of these devices will be related to your healthcare or physical security. Would you like your ISP or another adversary knowing what you do every waking moment of your life or what ailments you have?
Encryption alone is not the answer
The researchers noted that encryption alone does not provide adequate privacy protection for smart homes, as their analysis did not rely on deep packet inspection, just send/receive rates of encrypted traffic.
“A systematic solution for preserving consumer privacy would therefore require obfuscating or shaping all smart home traffic to mask variations that encode real world behavior,” they pointed out, and added that such a solution should ideally not negatively impact IoT device performance, should respect data limits, and should not require modification of proprietary device software.
Strategies for increasing privacy
In a subsequently published paper, the same researchers have offered four strategies that device manufacturers and third parties can implement to protect consumers’ privacy from such intrusions.
Those include:
- Blocking outgoing connections to deprive an observer of smart home device data.
- Encrypting DNS queries to prevent an observer from identifying devices.
- Tunneling all smart home traffic through a VPN, preventing an observer from correlating tunneled traffic originating from a smart home to individual devices.
- Shaping or injecting traffic to limit an observer’s confidence when identifying devices or inferring behaviors, either by masking interesting traffic patterns or spoofing devices that are not on the network.
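To make the rate-metadata leak and the fourth strategy concrete, here is an added Python example (not code from the Princeton study): it computes the bytes-per-second series a passive observer sees for one device stream, then applies a simple fixed-rate shaper that pads idle intervals with cover bytes and queues bursts, showing that the shaped rate no longer varies and what that costs in cover traffic and delayed data. The packet timestamps and sizes are constructed, not captured.

```python
"""Added example: rate metadata of one IoT device stream, before and after
fixed-rate traffic shaping. Packets below are constructed, not captured."""
from collections import defaultdict

# Constructed packets for one device stream: (timestamp_seconds, payload_bytes).
# Seconds 0-2 and 6-7 are idle keep-alives; seconds 3-5 carry a burst that
# stands in for a user interaction (the kind of variation that encodes state).
PACKETS = [
    (0.2, 60), (1.1, 60), (2.4, 60),
    (3.0, 1400), (3.2, 1400), (3.6, 1400), (4.1, 1400), (4.7, 900), (5.3, 600),
    (6.5, 60), (7.8, 60),
]

def rate_series(packets, duration):
    """Bytes per one-second interval: the metadata a passive observer can plot."""
    buckets = defaultdict(int)
    for ts, size in packets:
        buckets[int(ts)] += size
    return [buckets[i] for i in range(duration)]

def shape_constant_rate(packets, duration, rate_bytes):
    """Force every interval to carry exactly rate_bytes on the wire.

    Real bytes above the budget are deferred to later intervals (latency cost);
    intervals with spare budget are filled with cover bytes (bandwidth cost).
    Returns per-interval (real, cover) counts and the real bytes still queued."""
    backlog = 0
    shaped = []
    for real in rate_series(packets, duration):
        backlog += real
        sent_real = min(backlog, rate_bytes)
        backlog -= sent_real
        shaped.append((sent_real, rate_bytes - sent_real))
    return shaped, backlog

def observed_rates(shaped):
    """What the observer sees after shaping: real plus cover bytes per interval."""
    return [real + cover for real, cover in shaped]

def variation(series):
    """Spread (max - min) of a rate series; zero means rate carries no state."""
    return max(series) - min(series)

if __name__ == "__main__":
    raw = rate_series(PACKETS, 8)
    shaped, queued = shape_constant_rate(PACKETS, 8, 1200)
    print("raw    :", raw, "spread", variation(raw))
    print("shaped :", observed_rates(shaped), "spread",
          variation(observed_rates(shaped)), "queued bytes", queued)
```

Raising the fixed rate shrinks the queue (less delay) but costs more cover bytes in idle intervals, which is exactly the performance and data-limit trade-off the researchers flag.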
The researchers are aware that none of these solutions is currently ideal. For example, all the tested IoT devices have limited or no functionality when firewalled to prevent communication outside of the smart home LAN, and that is something that won’t work for either users or manufacturers. On the other hand, developers should consider how their devices default to a ‘minimum reliable product’ in the face of limited Internet connectivity.
Ultimately, though, policymakers should also do their part by mandating protections for consumers, they concluded, as the side-channel privacy threat of traffic rate metadata will continue to grow along with the market for IoT smart home devices.