David Choffnes is part of a group of researchers who recently discovered security and privacy vulnerabilities in smart home devices. Photo by Matthew Moduno/Northeastern University
Our homes are getting smarter every day. The next time you buy a toaster, refrigerator or dishwasher, setting it up may require connecting it to your home WiFi network and downloading an app onto your smartphone.
But such interconnectivity carries risks, says David Choffnes, an associate professor of computer science at Northeastern University.
“We're moving from thinking of the walls of our homes as our private space to now thinking of the space inside those walls as containing all sorts of devices that communicate over the internet,” Choffnes says.
Ideally, smart home gadgets, aka Internet of Things (IoT) devices, make people's lives easier. Tasks like setting the thermostat, brewing your morning coffee, and ordering new ink for your printer can all be easily automated or completed on your smartphone with some of these products.
“[But]when these things communicate with each other or over the internet, it's done in ways that are invisible to us,” Choffnes said.
Some of these devices share their location, Choffnes said, allowing other devices in a local network to determine their location — a group of connected devices in a particular location, like a home.
“They're also transmitting other information specific to your household, which means that even if you try your best to protect your privacy and turn off phone tracking on iOS and Android, all of these mechanisms you put in place to protect yourself can potentially be undermined,” Choffnes said.
“Online trackers can determine who you are from the collection of devices in your home because it will be unique to you,” he added.
New research by Choffnes and others exposes privacy and security gaps in this emerging technology area, and the team will present their work this week at the ACM Internet Measurement Conference in Montreal.
The research team tested 93 IoT devices to see how they interacted within a local network.
The findings were enlightening, Choffnes explains.
“One of the things we've observed is that devices will scan the local network to figure out what all the other devices are in your home,” Choffnes adds. “For example, a smart speaker from Amazon can know if you have a smart refrigerator. It can also know about your printer. It might even know your name, because if you have an Apple HomePod, for example, the default name for that device is usually your name, like 'Dave's HomePod.'”
The team also found security issues with the operation of mobile apps connected to these devices.
“On Android, mobile apps can circumvent permission restrictions that Android imposes, such as access to location or unique identifiers, by simply querying the device or sending messages to other devices on the home network, which then tell the app the same information that the OS hides,” he says.
Choffnes noted that Google has acknowledged the team's findings and is working with them to develop mitigations that “can be implemented through the Android OS, our app review process, and general IoT standardization efforts.”
Choffnes emphasized that these systems don't necessarily have to work this way: It's possible for devices to work interoperably without significant risks to privacy or security.
“There are ways for them to find each other without revealing any information that could be used to track us,” Choffnes said.
The research team points to several potential solutions, such as calling for greater standardization between these devices. They point to the Matter smart home protocol as an example, but note that the system does not yet address the specific vulnerabilities the team discovered.
Tinnanl Hu, a doctoral student at Northeastern University, and Daniel J. Dubois, an associate research scientist at Northeastern University, are among the study's authors.
Hu said companies haven't had much incentive to standardize, and one of the goals of the study is to educate the public about these issues.
“Through our research, we want to raise awareness of this issue for users,” he said. “The more users know about this issue, the more motivated companies will be to adopt best practices for privacy and security standards.”
Increased regulation and government involvement could also help curb some of these problems, the researchers said, citing the EU Cyber ​​Resilience Act and the US National Cybersecurity Strategy as examples.
Provided by Northeastern University
This story is reprinted courtesy of Northeastern Global News https://news.northeastern.edu/
Source: Study Finds Your Home's Smart Home Technology Isn't As Secure as You Think (October 26, 2023) Retrieved June 18, 2024 from https://techxplore.com/news/2023-10-smart-home-tech.html
This document is subject to copyright. It may not be reproduced without written permission, except for fair dealing for the purposes of personal study or research. The content is provided for informational purposes only.