In-depth research from Princeton University and Northeastern University in Boston: does the smart home have no privacy?

Two research papers from Princeton University and Northeastern University in Boston have attracted wide attention from foreign media. Both papers focus on the privacy leakage problem of modern smart homes.

Text ︱Aaron

Figure︱Network

In recent days, two papers from Princeton University and Northeastern University in Boston have attracted wide attention from foreign media. Both papers focus on privacy leakage in modern smart homes, and after rigorous experiments both reached negative results that left people dumbfounded. Today, with the rapid development of the Internet of Things and smart homes, we seem to be losing our personal privacy quickly.

What does the paper say?

First, the concept of OTT (Over The Top): it refers to providing various application services to users over the Internet. OTT devices offer an alternative to multi-channel TV subscription services and make money through advertising.

According to the "Smart TV User Insights Report" released by the Kugo User Research Institute in conjunction with Dangbei Market and Tencent Video Aurora TV at the end of last year, the number of paying cable subscribers has shown a clear downward trend, while the number of smart TV activations has increased rapidly. The number of traditional TV users will be surpassed in 2019 (as shown in the figure below).

This sudden growth has also brought hidden dangers. In the Princeton University paper, the research team developed a "crawler" system that automatically downloads OTT applications (apps) and interacts with them while intercepting their network traffic, including TLS (Transport Layer Security) interception. The crawler visited 2000 channels on two mainstream OTT platforms (Roku and Amazon Fire TV).

The results show that tracking is widespread on both OTT platforms, with 69% of Roku channels and 89% of Amazon Fire TV channels having known tracker traffic. In addition, the research team discovered the collection and transmission of unique identifiers (such as device ID, serial number, WiFi MAC address, and SSID) over unencrypted connections. Finally, the paper concludes that measures on these devices such as options to limit ad tracking and ad blocking are actually ineffective.
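The kind of check described above can be run against a capture from your own device. The following is an added example, not code from the Princeton paper: the identifiers, domains and captured requests are constructed, and it goes beyond the article by also looking for base64-encoded and hashed forms of each identifier.

```python
import base64
import hashlib
from urllib.parse import urlsplit, unquote

# Constructed identifiers of a hypothetical test device (not from the papers).
DEVICE_IDS = {"serial": "YG00AA123456", "mac": "AA:BB:CC:11:22:33", "ssid": "HomeLab-2G"}
# Constructed stand-in for a tracker blocklist.
TRACKERS = {"ads.tracker.example", "metrics.example.net"}
# Constructed capture: (channel, request URL, request body).
CAPTURE = [
    ("news-channel", "http://ads.tracker.example/p?sn=YG00AA123456&ssid=HomeLab-2G", ""),
    ("news-channel", "https://cdn.example.org/video/1.ts", ""),
    ("game-channel", "https://metrics.example.net/e",
     "did=" + hashlib.md5(b"aabbcc112233").hexdigest()),
    ("kids-channel", "https://api.kids.example/v1/list", ""),
]

def variants(value):
    """Forms in which an identifier may appear on the wire."""
    forms = {"plain": value, "no-separators": value.replace(":", "").lower()}
    for label, raw in list(forms.items()):
        data = raw.encode()
        forms[label + "/base64"] = base64.b64encode(data).decode()
        forms[label + "/md5"] = hashlib.md5(data).hexdigest()
        forms[label + "/sha1"] = hashlib.sha1(data).hexdigest()
    return forms

def audit(capture):
    """Return one finding per identifier seen in a request: what, to whom, how."""
    findings = []
    for channel, url, body in capture:
        parts = urlsplit(url)
        haystack = unquote(parts.path + "?" + parts.query) + " " + unquote(body)
        for name, value in DEVICE_IDS.items():
            for form, needle in variants(value).items():
                if needle in haystack:
                    findings.append({"channel": channel, "host": parts.hostname,
                                     "id": name, "form": form,
                                     "plaintext": parts.scheme == "http",
                                     "tracker": parts.hostname in TRACKERS})
                    break  # one finding per identifier per request
    return findings

def tracker_share(capture):
    """Fraction of channels that contacted at least one listed tracker."""
    channels = {c for c, _, _ in capture}
    tracked = {c for c, u, _ in capture if urlsplit(u).hostname in TRACKERS}
    return len(tracked) / len(channels)

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
    print(f"channels contacting trackers: {tracker_share(CAPTURE):.0%}")
```

Findings with `plaintext` set are the ones any observer on the network path can read; the hashed MAC address sent over HTTPS is only visible here because the capture was taken after TLS interception on the tester's own device.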

Arvind Narayanan, an associate professor of computer science at Princeton University, told The Verge: "If you can watch TV with devices like Roku and Amazon Fire TV, then big companies will use what you watch to create a comprehensive portrait. Their approach is hardly affected by supervision or attention, and you don't know where the data is sold."

The foreign media also said that data is the reason why TV prices are so cheap. Technically, people agree to the sale of their personal data when they first set up the device, but many people don't even know that this has happened.

In the other paper, from Northeastern University in Boston, the research team conducted a similar study. The team analyzed 81 IoT devices with IP connections, 46 of which were purchased from a US store and deployed on the US test platform, and 35 of which were purchased from a UK store and deployed on the UK test platform.

Picture: US IoT Lab (Northeastern University, Boston)

The types of equipment selected are as follows: cameras (security cameras and video doorbells), smart gateways, home automation (smart lights, routers and thermostats), TV (smart TVs and TV dongles), audio (smart voice assistants), and home appliances (refrigerators, cleaning appliances, cooking utensils, weather stations).

In the end, the paper concludes that most devices use encryption or other encoding to protect the user's PII (personally identifiable information), thereby minimizing the exposure of plaintext PII. However, even when the traffic is encrypted, and without relying on MITM (man-in-the-middle) interception or any modification of the IoT devices, there are obvious cases of information exposure: 57.45% (50.27%) of the tested devices contact a third-party platform in the US (UK) region, and 56% of the U.S. equipment and 83.8% of the U.K. equipment contact destinations outside of the equipment's own region.

In addition, in many cases a device will allow an eavesdropper to test the consumer's network and "steal" the device. More surprisingly, it turns out that even when the user is not using the device, various smart home devices such as Amazon's doorbell, Alexa, and Zmodo's doorbell still monitor when the user speaks or moves.

Both of these latest research papers conclude that most smart home devices are not safe.

No privacy?

If you have followed this type of news for a long time, this is in fact not uncommon.

As early as 2017, LeEco's Vizio was fined $2.2 million by the Federal Trade Commission (FTC) for illegally collecting data. During the prosecution, it was accused of using its TVs to track users' viewing records and selling this information to marketing companies, without obtaining the consent of any of its customers.

Last year there was an even more extreme case. A woman in Portland told a TV station that the Echo speaker placed in her home had not only recorded a conversation between her and her husband without permission, but had also sent this conversation to an employee of her husband. Only after the employee, confused at receiving the recording, contacted her did she learn that she had been recorded without her knowledge.

Subsequently, Amazon released an investigation report reconstructing the entire course of this incident:

"The Echo speaker first captured a sound similar to 'Alexa' in the noisy background and was awakened. Then Alexa understood the subsequent dialogue in the background sound as an instruction to 'send a message' and asked, 'Who to send?' After that, Alexa once again misunderstood the environmental conversation that it heard as someone in the user's contact list, and asked again, 'Is it right to send to XX?' After that, the last misunderstanding occurred. This time Alexa understood the environmental dialogue as 'right', and the user's recording was sent out as a message."

The sales growth of Alexa has not stopped because of privacy issues. In January of this year, according to TechCrunch, Dave Limp, senior vice president of Amazon's devices division, revealed in an interview that more than 100 million devices with the Alexa smart assistant have been sold so far. These 100 million devices not only leave more room for growth; they also seem to allow bad things to spread.

Within a few months after that, Bloomberg quoted people familiar with the matter as revealing that an Amazon team responsible for evaluating Alexa user instructions obtained user location data, and in some cases, the user's home address can be found.

In the article, Lindsey Barrett, a lawyer who is also a faculty member at Georgetown Law School, said that geolocation data is more sensitive than many other user information because it is more difficult to trace the real person.

According to a report in the Guardian on August 28, after Apple suspended its project of manually listening to and scoring Siri recordings, at least 300 contract workers at Apple's operation in Cork, Ireland were fired. The reason given was that there was no work for them to do because of a "technical error". In July, the media had exposed that Apple was secretly listening to recordings of users and Siri.

Apple then chose to apologize for the program, which allowed contractors to review a small portion of people's conversations with the Siri voice assistant. The company said it will make some improvements to give users better control over how Siri requests are processed.

Source: "2019 China Smart Home Development White Paper"

The "2019 China Smart Home Development White Paper" shows that the global smart home market will reach US$1,220 in 2022, and the average annual growth rate from 2016 to 2022 is predicted to be 14%. Amid this gold rush, our personal privacy has also become a traded item in the market, without our knowing it.