David Choffnes is one of a group of researchers who recently discovered security and privacy vulnerabilities in smart home devices. Credit: Matthew Modono/Northeastern University
Our homes are becoming smarter every day. The next time you buy a toaster, refrigerator, or dishwasher, setup may require connecting to your home's WiFi network and downloading an app to your phone.
But such interconnections come with risks, said David Choffnes, an associate professor of computer science at Northeastern University.
“We've gone from thinking that the walls of our homes are private spaces to having all the devices that communicate over the internet placed in the space within the walls,” says Choffnes.
Ideally, smart home gadgets, also known as Internet of Things (IoT) devices, make people's lives easier. Some of these products make it easy to automate tasks like setting your thermostat, making your morning coffee, or ordering new ink for your printer, or to complete them from your smartphone.
“[But] when these things communicate with each other or communicate over the Internet, they're communicating in ways that we can't see,” Choffnes said.
Some of these devices share their location, allowing other devices in the local network to determine their location, Choffnes said. A local network in this context refers to a group of connected devices within a specific location, such as a home.
“They're also transmitting other information that's specific to that household, which means that even if you're doing your best to protect your privacy, you can't use all the tracking capabilities on your phone, whether it's iOS or Android. It means turning off. What you have in place to protect yourself can fall apart,” Choffnes says.
“Online trackers can learn who you are by the collection of devices in your home, which makes it unique to you,” he added.
New research by Choffnes and others reveals privacy and security flaws in this emerging technology category. The team will present their findings at the ACM Internet Measurement Conference in Montreal this week.
For this study, the team tested 93 IoT devices to see how they interact within a local network.
The results of the study were encouraging, explains Choffnes.
“One of the things we observed is that the device scans the local network to figure out what all the other devices in the home are,” Choffnes adds. “For example, Amazon's smart speaker can learn whether you have a smart refrigerator. It can also learn about your printer. It could also learn your name. Because if you have an Apple HomePod, for example, the default name for it is usually yours, such as ‘Dave's HomePod.’”
The team also found security issues in the way mobile apps connected to these devices operated.
“On Android, mobile apps can access location information and unique “They can bypass the permission restrictions that Android imposes, such as access to identifiers, which the OS has been keeping away from them,” he says.
Choffnes said Google acknowledges the team's findings and is collaborating on developing mitigations that “may be implemented through the Android OS, the app review process, and general IoT standardization efforts.”
Choffnes emphasizes that these systems don't necessarily have to work this way: devices can interoperate without major risks to privacy or security.
“There are ways they can find each other without exposing information that could be used to track us,” Choffnes says.
In their study, the team points to a number of potential solutions, including a call for further standardization between these devices. They cite the Matter Smart Home protocol as an example, but note that the system has not yet addressed the specific vulnerabilities the team discovered.
The study's authors include Tianrui Hu, a doctoral student at Northeastern University, and Daniel J. Dubois, an associate research scientist at Northeastern University.
Hu said companies are not given much incentive to standardize. One of the goals of the research is to educate the public about these issues.
“Through our research, we want to make users aware of this issue,” he says. “The more users know about this issue, the more companies will be incentivized to move toward best-practice privacy and security standards.”
Greater regulation and government involvement could also help curb some of these problems, the team says, pointing to the EU Cyber Resilience Law and the US National Cybersecurity Strategy.