Princeton research team hunting down IoT security blunders
Taming Things leaky, sneaky, or creepy
Princeton boffins have taken a small step towards defending consumer-level IoT users from snooping, with what they call the IoT Inspector project.
IoT Inspector is currently at the data-gathering stage, with the aim of launching an open source tool for users to get some idea of what their devices are doing.
The idea for the inspector arose out of various projects of the Princeton group, including for example their test of health monitors for data leaks.
In that project, the group – Princeton's Daniel Wood, Noah Apthorpe and Nick Feamster – captured traffic from four medical devices, and worry that finding cleartext transmissions in such a small sample bodes ill for the broader medical device market.
Capturing transmissions from the kit was simple enough, they explained in this late-March arXiv paper (first presented at a 2017 conference): they configured a Raspberry Pi as a wireless access point to capture traffic, searched that traffic for any cleartext transmissions, and also combed metadata transmitted by devices to see what could be inferred without cleartext access to traffic.
For Bluetooth-connected devices they included a smartphone connected to their traffic-harvesting access point.
The four devices tested were: the Withings Wireless Blood Pressure Monitor; the Withings Body Composition Wi-Fi Scale; the 1byOne Digital Smart Wireless Body Fat Scale; and the iHealth Ease Wireless Blood Pressure Monitor.
The Withings blood pressure device leaks its own identity in URLs, they found: any request from the device to its server, and any response from the server, included its brand. This is sufficient, the paper said, to tell an attacker that someone is using the monitor and how often they're taking their blood pressure.
On the other hand, the paper said, the 1byOne Digital Smart Wireless Body Fat Scale was the most secure: it “not only used encrypted protocols to deliver application data, but also masked names of packet destinations”.
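The two findings above (brand names exposed in URLs and hostnames, versus encrypted payloads plus masked destinations) amount to a checklist a home user could run over their own device traffic. The following Python is an added example, not the Princeton group's code: it audits constructed flow records of the sort an access-point capture would yield, counting cleartext HTTP flows, looking for brand strings in the destination name and (for cleartext flows) the URL path, and showing how often a device phones home from timestamps alone. The device names, hostnames under `.example`, and the `BRANDS` list are assumptions made for the example.

```python
"""Passive privacy audit of IoT flow records, after the Princeton health-monitor study.
Added example; every record below is constructed, not captured from a real device."""
from collections import Counter

# Brand strings to look for in metadata (assumption: the brands named in the article).
BRANDS = ("withings", "ihealth", "1byone")

# Constructed flow records, roughly what a Raspberry Pi access point logs per
# connection: device, timestamp, DNS name / TLS SNI of the destination, port,
# protocol, and the request path (only observable when the flow is cleartext).
SAMPLE_FLOWS = [
    # blood pressure monitor: cleartext HTTP to a brand-named host, brand in the URL too
    {"device": "bp-monitor", "ts": "2018-04-02T08:01:10", "host": "scale.withings.example",
     "port": 80, "proto": "http", "path": "/cgi-bin/bpm?brand=withings&fw=3.1"},
    {"device": "bp-monitor", "ts": "2018-04-02T20:15:42", "host": "scale.withings.example",
     "port": 80, "proto": "http", "path": "/cgi-bin/bpm?brand=withings&fw=3.1"},
    {"device": "bp-monitor", "ts": "2018-04-03T08:03:05", "host": "scale.withings.example",
     "port": 80, "proto": "http", "path": "/cgi-bin/bpm?brand=withings&fw=3.1"},
    # body fat scale: TLS to a generically named cloud host, nothing brand-specific visible
    {"device": "fat-scale", "ts": "2018-04-02T07:30:00", "host": "api-eu1.cloudvendor.example",
     "port": 443, "proto": "tls", "path": None},
    {"device": "fat-scale", "ts": "2018-04-03T07:31:12", "host": "api-eu1.cloudvendor.example",
     "port": 443, "proto": "tls", "path": None},
    # second monitor: payload encrypted, but the DNS name still says who made it
    {"device": "bp-monitor-2", "ts": "2018-04-02T09:00:00", "host": "cloud.ihealth.example",
     "port": 443, "proto": "tls", "path": None},
]


def is_cleartext(flow):
    """True when application data is readable by anyone on the path."""
    return flow["proto"] == "http"


def brand_in_metadata(flow, brands=BRANDS):
    """Brand names visible without decrypting anything: the destination name
    (DNS / SNI) always, the URL path only for cleartext flows."""
    hits = []
    for field in ("host", "path"):
        value = (flow.get(field) or "").lower()
        hits.extend((field, b) for b in brands if b in value)
    return hits


def sessions_per_day(flows, device):
    """How often a device phones home, inferred from timing alone."""
    return dict(Counter(f["ts"][:10] for f in flows if f["device"] == device))


def audit(flows, brands=BRANDS):
    """Per-device summary: cleartext flow count, where the brand leaks, and
    whether the destination names are masked (no brand in any hostname)."""
    report = {}
    for f in flows:
        r = report.setdefault(f["device"], {"flows": 0, "cleartext": 0,
                                            "brand_leaks": set(), "destinations": set()})
        r["flows"] += 1
        r["cleartext"] += is_cleartext(f)
        r["brand_leaks"].update(brand_in_metadata(f, brands))
        r["destinations"].add(f["host"])
    for r in report.values():
        r["masked_destinations"] = not any(field == "host" for field, _ in r["brand_leaks"])
    return report


if __name__ == "__main__":
    for device, r in audit(SAMPLE_FLOWS).items():
        print(device, r, sessions_per_day(SAMPLE_FLOWS, device))
```

Note that `bp-monitor-2` scores clean on cleartext but not on masking: encrypting the payload does nothing about a DNS name or TLS SNI that names the manufacturer, which is exactly the distinction the paper draws in favour of the 1byOne scale.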
As the group explained in the paper, even limited data leaks from health devices could easily result in a breach of America's Health Insurance Portability and Accountability Act (HIPAA), since any electronic personal health information has to be protected against disclosure.
The Raspberry Pi code for that project is here.
As the Princeton group's Nick Feamster explained this week at Freedom To Tinker, medical devices aren't the only IoT concern.
The researchers also looked at 'net-connected toys, and found that none “used HTTPS or SSL when communicating with manufacturer-owned servers. One toy lacked authentication for user profile pictures. An eavesdropper could record or replay device communications to obtain profile photos.”
Other findings that led to the launch of the IoT Inspector project were:
- Many home devices (smart TVs, security cameras, smoke detectors, and smart light bulbs) communicate widely with third-party servers. For example, in the first minute after its first connection, the Samsung TV Princeton tested communicated with “Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook” without alerting the user; and
- Things' communications are predictable, which is a plus: it should at least be easy for products such as routers and gateways to detect anomalies (such as a CCTV camera being recruited into a botnet).
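The "predictable communications" point is what makes gateway-side anomaly detection tractable: learn which destinations a device normally talks to and how much it sends, then flag departures. The following Python is an added example, not the Princeton group's code or the method of their DDoS paper: it builds a per-device profile from a constructed hour of camera traffic and then checks constructed live flows against it, using a never-seen (host, port) pair and a per-destination byte-count z-score as its two signals. The device name, hostnames, the 203.0.113.9 address (a documentation-range address) and the `z_limit` threshold are assumptions made for the example.

```python
"""Baseline-then-detect for a home gateway, in the spirit of the article's point that
IoT traffic is predictable. Added example; all flow records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev


class DeviceProfile:
    """What one device normally does: which (host, port) pairs it talks to and
    how many bytes a flow to each of them usually carries."""

    def __init__(self):
        self.bytes_seen = defaultdict(list)

    def learn(self, flow):
        self.bytes_seen[(flow["host"], flow["port"])].append(flow["bytes"])

    def check(self, flow, z_limit=4.0):
        """Return a list of reason codes; an empty list means the flow looks normal."""
        key = (flow["host"], flow["port"])
        if key not in self.bytes_seen:
            return ["new-destination"]          # never talked here during the baseline
        samples = self.bytes_seen[key]
        mu, sigma = mean(samples), pstdev(samples)
        if sigma == 0:                          # constant-size flows (e.g. NTP): any change is odd
            return [] if flow["bytes"] == mu else ["byte-volume"]
        return ["byte-volume"] if abs(flow["bytes"] - mu) / sigma > z_limit else []


def build_profiles(flows):
    """One DeviceProfile per device, trained on a known-quiet window."""
    profiles = defaultdict(DeviceProfile)
    for f in flows:
        profiles[f["device"]].learn(f)
    return profiles


def detect(profiles, flows):
    """Return (flow, reasons) for every flow the device's profile objects to."""
    alerts = []
    for f in flows:
        reasons = profiles[f["device"]].check(f) if f["device"] in profiles else ["unknown-device"]
        if reasons:
            alerts.append((f, reasons))
    return alerts


# Constructed baseline: one hour of a camera streaming to its vendor and syncing NTP.
BASELINE_FLOWS = [
    {"device": "cctv-cam", "minute": m, "host": "video.vendor.example", "port": 443,
     "bytes": 52000 + (m % 7) * 300}
    for m in range(60)
] + [
    {"device": "cctv-cam", "minute": m, "host": "ntp.vendor.example", "port": 123, "bytes": 76}
    for m in range(0, 60, 15)
]

# Constructed live traffic: one normal flow, one to a never-seen host and port, one volume spike.
LIVE_FLOWS = [
    {"device": "cctv-cam", "minute": 61, "host": "video.vendor.example", "port": 443, "bytes": 52300},
    {"device": "cctv-cam", "minute": 62, "host": "203.0.113.9", "port": 23, "bytes": 120},
    {"device": "cctv-cam", "minute": 63, "host": "video.vendor.example", "port": 443, "bytes": 9_000_000},
]

if __name__ == "__main__":
    for flow, reasons in detect(build_profiles(BASELINE_FLOWS), LIVE_FLOWS):
        print(flow["minute"], flow["host"], flow["port"], reasons)
```

The baseline must come from a window the operator trusts; a device profiled while already compromised simply learns its abnormal behaviour as normal, which is why the training set here is kept separate from the live flows.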
The group recently published its work on detecting IoT devices recruited into DDoS networks. ®