New Privacy Vulnerability In IOT Devices: Traffic Rate Metadata (helpnetsecurity.com) 24
Orome1 quotes Help Net Security: Even though many IoT devices for smart homes encrypt their traffic, a passive network observer -- e.g. an ISP, or a neighborhood WiFi eavesdropper -- can infer consumer behavior and sensitive details about users from IoT device-associated traffic rate metadata. A group of researchers from the Computer Science Department of Princeton University have proven this fact by setting up smart home laboratory with a passive network tap, and examining the traffic rates of four IoT smart home devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo smart outlet, and an Amazon Echo smart speaker... "Once an adversary identifies packet streams for a particular device, one or more of the streams are likely to encode device state. Simply plotting send/receive rates of the streams revealed potentially private user interactions for each device we tested," the researchers noted. [PDF]
In addition, the article notes, "Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard."
In addition, the article notes, "Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard."
Very old news... (Score:2)
This has been known for a few decades. That it is now for IoT does not make it any more interesting.
Re: Very old news... (Score:1)
It's very interesting if you are trying to get research funds for the INTERNET OF.... THINGS!
Re: (Score:2)
Well, yes. Research funding has been utterly broken for a long time now.
Re: (Score:3)
By the way: burglars (whether they are of the drive-by variety or the more clever ones who target high value marks specifically) in most cases do not have the smarts to employ such methods. They will have to pay someone to do it for them... and in that case there are far simpler (thus cheaper) methods to determine if you're
Literally not new (Score:3)
Whaaaa ..... (Score:2)
... I'm running analytics on any WiFi I hook to via standard apps and the goddam things self-identify.
How is this unique? (Score:2)
If my home uses a service that "consumes" some sort input, then you can infer my household activity based on the rates of consumption and when. What makes IoT so different?
Intelligence services have been doing it for ages (Score:4, Interesting)
Radio raffic rates have been used as early as Cold War to anticipate moves of the adversary - there're plenty of mentions of this in literature. It made me laugh when recently some clueless US official dismissed the threat from a Russian reconaissance ship near US because it "won't be able to decrypt US communications with its outdated technology".
The only new aspect of this is machine learning (Score:3)
The fact that traffic flow pattern contains potentially sensitive information is not at all new. I built a product that solved this problem for some companies all most two decades ago. There is something new to this problem that didn't emerge until the recent boom in machine learning capabilities. Machine learning is really good at one thing - pattern recognition. When applied to this problem, it really opens up the depth of information that can be gathered from data flow patterns. For starters, it can identify what flow belongs to what device, then it can identify what could cause this traffic, then it can combine all the devices behavior looking for more complex patterns. Just looking at your home Internet, it's not hard to identify who is home, are they awake or sleeping or exercising or
watching TV or doing taxes or whatever. Products using this are just emerging, but it's amazing what can be gleaned from just Internet traffic pattern, or electricity usage pattern (or combined!).
Re: (Score:3)
The Mere Existence of Traffic Can Be a Problem (Score:4, Informative)
If a house with extensive I0T devices is being monitored, the mere existence of Internet traffic can be a serious problem. If such traffic ceases or merely drops, that can be an indicator that no one is home, making the house a target for burglars.
More than four years ago, this vulnerability was described relative to so-called smart electric meters. The lack of encryption in the signals transmitted by those meters made it even easier to determine which houses should be targeted for burglary. That is because a vacant house might still have a refrigerator running or a lamp left on. With no encryption, the meter readings can be analyzed to determine the amount of electricity being used. Minimal usage means no one is home. The reality of this vulnerability was described in a research paper presented at the 19th ACM Conference on Computer and Communications Security in 2012.
Re: (Score:2)
This vulnerability has been well known and documented far earlier as well. For instance, military networks (used to? still do?) fill most of the remaining capacity in their channels with junk data that's designed to be indistinguishable from real data that's been encrypted, that way an adversary listening passively can't tell when there's more activity.
Early adopter but sitting this out (Score:2)
Re: (Score:1)
As far as I am concrned, all of this IoT crap has NO benefits at all except for the companies that are using them to spy on the people who buy them!
Warning: turning on lights leads to data leak (Score:2)
Lights on in the home are indication that residents are at home! News at 11.
Re: (Score:3)
Lights on in the home are indication that residents are at home!
Just like the timer on the table lamp making the lights go on and off like someone's home when you're gone, it wouldn't be that hard to do the same things to add noise to the IoT info. Have an automated recording make unnecessary requests to the Amazon Echo (8pm: recording has Echo play Hootie and the Blowfish songs for a half hour), or send signals to WeMo outlets to turn things on/off.
Gasp, someone just discovered traffic analysis (Score:3)
Ah, folks, well known issue in communications. Even if you can't crack the encryption, looking at WHO is talking when, and who is talking to whom (or who broadcasts, and who replies) is well known in ELINT fields, like for decades. The ways around it are known too - false transmissions/replies etc. If I always, and I mean ALWAYS send data at the same rate (by sending non important traffic at all times) make traffic analysis hard, or if I build in code to randomly add bursts of traffic, all this starts to get complex, as now you have to do statistical analysis to see if there really is something there or not.
Crypto/ELINT guys have worried about this kind of stuff for decades
Re: (Score:2)
It is just metadata so who cares? I mean, metadata cannot be important? Can it? After all, the government says metadata is not protected.
Re: (Score:2)
Wish I could moderate this up.
Comment removed (Score:3)
Straw man argument (Score:2)
Straw man argument depends on the breaking of the WiFi network. Of course if you're on the network you can monitor activity. However, breaking WiFi remains a serious challenge for over a decade.
Another non-story.