Spying on your smart home

Danny Y. Huang
All Things Inspected
Feb 19, 2022

Your smart home Internet-of-Things (IoT) devices could be spying on you. There is already plenty of press coverage on hacked baby cameras, smart TVs watching your activities, or smart speakers listening to your conversations.

Beyond hackers and device makers, you might also be worried about the people around you who set up the IoT devices. Your roommate or your partner could be harassing you by messing with the thermostats or listening to you via smart speakers, as reported in this New York Times article. If you stay in an Airbnb room, the host could be secretly recording you with hidden cameras, as reported in this article in The Atlantic.

Many of the IoT activities are unfortunately hidden. You walk into a space, owned by you or somebody else, and there could be things collecting information about you behind the scenes and sharing the information with someone on the Internet.

They are watching you! Photo by Viviane Pasta on Unsplash

To uncover these hidden activities, concerned users and non-users can rely on a few tools. For example, the Fing app can quickly discover IoT devices on the network, or you might run Wireshark to sniff network packets and see where they are going. However, Fing can only identify devices that it already knows and cannot analyze individual IoT activities, because it cannot observe any IoT network traffic. Although Wireshark can capture IoT network traffic, it requires certain technical expertise.

Given these challenges, we introduce IoT Inspector, an open-source tool that anyone can download to discover IoT devices on their network, analyze the network traffic, and identify potential security and privacy violations on the IoT devices.

For instance, here’s what I did to see what my Google Chromecast was doing when I was not actively using it. I downloaded IoT Inspector on my computer, ran it, inspected my Chromecast, and IoT Inspector showed me the following screen:

Screenshot of IoT Inspector analyzing the network activities of Google Chromecast when it is idle.

Here’s another example, where I was streaming the CBS LiveNews on my Roku TV. In the video below, the top half shows what was on the Roku TV screen, and the bottom half shows IoT Inspector’s traffic graph, focusing on just the advertising and tracking services contacted by Roku.

IoT Inspector (bottom half) showing network traffic to advertising and tracking services while I was streaming the CBS Live News on my Roku TV (top half).

As you can see, even though I was passively watching the live news, the CBS app on my Roku TV was communicating with two advertising and tracking services: omtrdc.net (Adobe Marketing Cloud) and scorecardresearch.com (Comscore).
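One way to make the same kind of observation without a packet capture, as an added example (not code from IoT Inspector or the author): count tracker lookups per device from a DNS resolver's query log. It assumes the home resolver is dnsmasq with `log-queries` enabled; the log lines, IP addresses and hostnames are constructed, and only the two tracker domains and their owners come from the article.

```python
import re
from collections import defaultdict

# Tracker domains and owners exactly as named in the article.
TRACKERS = {
    "omtrdc.net": "Adobe Marketing Cloud",
    "scorecardresearch.com": "Comscore",
}

# Constructed sample input in dnsmasq "log-queries" format (not real capture data).
SAMPLE_LOG = """\
Feb 19 20:01:02 dnsmasq[412]: query[A] cbs.example.omtrdc.net from 192.168.1.23
Feb 19 20:01:02 dnsmasq[412]: forwarded cbs.example.omtrdc.net to 192.0.2.53
Feb 19 20:01:05 dnsmasq[412]: query[AAAA] SB.ScorecardResearch.com. from 192.168.1.23
Feb 19 20:01:09 dnsmasq[412]: query[A] notomtrdc.net from 192.168.1.23
Feb 19 20:01:11 dnsmasq[412]: query[A] time.example.org from 192.168.1.40
Feb 19 20:01:15 dnsmasq[412]: query[A] sb.scorecardresearch.com from 192.168.1.23
"""

QUERY_RE = re.compile(r"query\[[^\]]+\] (?P<name>\S+) from (?P<client>\S+)$")

def match_tracker(name):
    """Return (tracker_domain, owner) if name is the domain or a subdomain of it."""
    labels = name.lower().rstrip(".").split(".")
    # Compare whole labels so "notomtrdc.net" does not match "omtrdc.net".
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in TRACKERS:
            return candidate, TRACKERS[candidate]
    return None

def trackers_by_client(log_text):
    """Map client IP -> {tracker domain: query count} from dnsmasq query lines."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # skip "forwarded", "reply" and "cached" lines
        hit = match_tracker(m.group("name"))
        if hit:
            hits[m.group("client")][hit[0]] += 1
    return {client: dict(counts) for client, counts in hits.items()}

if __name__ == "__main__":
    for client, counts in trackers_by_client(SAMPLE_LOG).items():
        for domain, n in sorted(counts.items()):
            print(f"{client} -> {domain} ({TRACKERS[domain]}): {n} queries")
```

DNS logs show only that a device looked a name up, not how much data it then sent, so this is a coarser view than a traffic graph.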

We released a prototype of IoT Inspector in April 2019. Within three months of its launch, the tool attracted more than 5,000 users from all around the world to collect the network traffic from more than 50,000 devices. We detailed our findings in a 2020 paper, published in the Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies.

We didn’t stop there. We have been continuously improving the tool to make it even more user-friendly. We are currently partnering with Consumer Reports Digital Labs to polish the user interface, enhance the user experience, and scale out the deployment. Stay tuned for more updates.

In the meantime, feel free to try out the current prototype of IoT Inspector at https://iotinspector.org.

About the author:

  • Danny Y. Huang is an Assistant Professor at New York University. His research primarily focuses on the security and privacy of everyday technologies.

About All Things Inspected: We are a group of academic researchers who are passionate about security and privacy issues that affect daily lives. For more details, view this story.
