Security is one of the biggest hurdles to jump over in the Internet of Things movement, and researchers want to know if recently implemented devices made it over. Researchers from Princeton’s Center for Information Technology Policy (CITP) investigated the most popular IoT devices to get a better sense of the state of smart devices.

The devices explored included a Belkin WeMo Switch, the Nest Thermostat, an Ubi smart speaker, a Sharx Security Camera, a PixStar digital photo frame, and a SmartThings hub.

Initially, the researchers expected to find end-to-end encryption that would prevent any attempts at monitoring traffic to and from the device. What they found was that many of the devices failed to encrypt at least some of the traffic.

(Related: How to deal with the nettlesom Internet of Things)

“Investigating the traffic to and from these devices turned out to be much easier than expected, as many of the devices exchanged personal or private information with servers on the Internet in the clear, completely unencrypted,” wrote Nick Feamster, acting director for Princeton’s CITP, in a blog post.

Specifically:

• Nest revealed information such as the user’s home location and nearest weather station. According to the researchers, the company has since fixed this bug. “Nest has contacted the media to clarify that the information being leaked in clear text was not the zip code of the thermostat, but merely the zip code of the weather station that the user enters when configuring the device. Yet, this clarification seems to be a red herring: When would a user ever enter a zip code other than that of their home, where the thermostat was located?” Feamster wrote.

• Ubi used unencrypted communication methods that would reveal sensitive information such as if the user were home or if there were any movements within the house.

About Christina Cardoza

Christina Cardoza, formerly known as Christina Mulligan, is the Online & Social Media Editor of SD Times. She covers agile, DevOps, AI, machine learning, mixed reality and software security. Follow her on Twitter at @chriscatdoza!