Our homes are becoming smarter every day. The next time you buy a toaster, refrigerator, or dishwasher, setup may require connecting to your home's WiFi network and downloading an app to your phone.
But such interconnections come with risks, said David Choffnes, an associate professor of computer science at Northeastern University.
“We've gone from thinking that the walls of our homes are our private space to a space within the walls where all the devices that communicate via the Internet are located,” Choffnes said.
Assistant Professor David Choffnes. Photo by Adam Glanzman/Northeastern University
Ideally, smart home gadgets, also known as Internet of Things (IoT) devices, make people's lives easier. Some of these products make it easy to automate tasks like setting your thermostat, making your morning coffee, or ordering new ink for your printer, or to complete them with your smartphone.
“[But] when these things communicate with each other or over the Internet, they communicate in ways that are invisible to us,” Choffnes says.
Some of these devices share their location, allowing other devices in the local network to determine their location, Choffnes said. A local network in this context refers to a group of connected devices within a specific location, such as a home.
“They're also transmitting other information that's specific to that household, which means that even if you're doing your best to protect your privacy, you can't use all the tracking capabilities on your phone, whether it's iOS or Android. It means turning off. What you have in place to protect yourself can fall apart,” Choffnes says.
“Online trackers can learn who you are by the collection of devices in your home, which makes it unique to you,” he added.
New research by Choffnes and others reveals privacy and security flaws in this emerging technology category. The team will present their findings at the ACM Internet Measurement Conference in Montreal this week.
For this study, the team tested 93 IoT devices to see how they interact within a local network.
The results of the study were encouraging, explains Choffnes.
“One of the things we observed is that the device scans the local network to figure out what all the other devices in the home are,” Choffnes adds. “For example, Amazon's smart speaker can learn if you have a smart refrigerator. It could learn about your printer. For example, if you have an Apple HomePod, it typically, it might learn your name because its default name is your name, like ‘Dave's HomePod.’”
The team also found security issues in the way mobile apps connected to these devices operated.
“On Android, mobile apps can simply query your device or send messages to other devices on your home network to tell the app the same information, giving you access to your location and unique They can bypass permission restrictions imposed by Android, such as access to identifiers, that the OS has kept them away from,” he says.
Choffnes said Google acknowledges the team's findings and is working with them to develop mitigations that “can be implemented through the Android OS, the app review process, and general IoT standardization efforts.”
Choffnes emphasizes that these systems don't necessarily have to work this way. Devices can be made to interoperate without major risks to privacy or security.
“There are ways they can find each other without exposing information that could be used to track us,” Choffnes says.
In their study, the team points to a number of potential solutions, including a call for further standardization between these devices. They cite the Matter Smart Home protocol as an example, but note that the system has not yet addressed the specific vulnerabilities the team discovered.
The study's authors include Tianrui Hu, a doctoral student at Northeastern University, and Daniel J. Dubois, an associate research scientist at Northeastern University.
Hu said companies are not given much incentive to standardize. One of the goals of the research is to educate the public about these issues.
“Through our research, we want to make users aware of this issue,” he says. “The more users know about this issue, the more companies can advance their efforts to standardize privacy and security best practices.”
Greater regulation and government involvement could also help curb some of these problems, the team says, pointing to the EU Cyber Resilience Act and the US National Cybersecurity Strategy.
Cesareo Contreras is a reporter for Northeastern Global News. Email him at c.contreras@northeastern.edu. Follow him on X/Twitter @cesareo_r and Threads @cesareor.