Security is one of the biggest hurdles the Internet of Things movement has to clear, and researchers want to know whether recently implemented devices have cleared it. Researchers from Princeton’s Center for Information Technology Policy (CITP) investigated the most popular IoT devices to get a better sense of the state of smart devices.
The devices explored included a Belkin WeMo Switch, the Nest Thermostat, an Ubi smart speaker, a Sharx Security Camera, a PixStar digital photo frame, and a SmartThings hub.
Initially, the researchers expected to find end-to-end encryption that would prevent any attempts at monitoring traffic to and from the device. What they found was that many of the devices failed to encrypt at least some of the traffic.
“Investigating the traffic to and from these devices turned out to be much easier than expected, as many of the devices exchanged personal or private information with servers on the Internet in the clear, completely unencrypted,” wrote Nick Feamster, acting director for Princeton’s CITP, in a blog post.
• Nest revealed information such as the user’s home location and nearest weather station. According to the researchers, the company has since fixed this bug. “Nest has contacted the media to clarify that the information being leaked in clear text was not the zip code of the thermostat, but merely the zip code of the weather station that the user enters when configuring the device. Yet, this clarification seems to be a red herring: When would a user ever enter a zip code other than that of their home, where the thermostat was located?” Feamster wrote.
• Ubi used unencrypted communication methods that would reveal sensitive information, such as whether the user was home or whether there was any movement within the house.
• Sharx transmits video unencrypted, so it could potentially be intercepted.
• PixStar’s traffic was completely unencrypted and revealed many user interactions.
“A natural reaction to some of these findings might be that these devices should encrypt all traffic that they send and receive,” Feamster wrote. “Indeed, some devices we investigated (e.g., the SmartThings hub) already do so. Encryption may be a good starting point, but by itself, it appears to be insufficient for preserving user privacy.”
According to Feamster, there needs to be a bigger discussion on how to improve the security of these IoT devices. As a first step, devices should be more transparent, and network infrastructure should play a role, he noted.