What your connected smart home IoT devices are really doing

04/24/2019

The more people connect IoT devices to their homes, turning them into smarter, living machines, the more fodder attackers have to breach those systems, harvest consumers' personally identifiable information, or even gain entry to their homes. The fact is, no binding security standard exists that IoT manufacturers must follow when building networked devices.

Lawmakers and states are stepping up, looking at ways to help protect consumers.

Recent industry talk about protecting owners of IoT devices has centered on the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, which would require the National Institute of Standards and Technology (NIST) to develop security recommendations for IoT devices (initially aimed at devices bought and used by federal agencies) that device makers could follow. Some states have also written rules of their own for IoT device makers. California, for example, will require that devices either ship with a password unique to each unit or force the user to set a new password before the device can be used for the first time, as of January 1, 2020.

But are laws really the answer to this seemingly never-ending debacle? Shouldn't the security industry come together as a whole to protect consumers, their data and their homes? After all, we are in the business of protecting people while offering comfort and ease of living. I think a more proactive approach is in order, in which device manufacturers step up to protect consumer data and also empower consumers to protect themselves.

A group of computer scientists from Princeton University and the University of California, Berkeley created Princeton IoT Inspector, an open-source desktop application that monitors a smart home network and surfaces potential security and privacy issues. It identifies the IoT devices on the network, shows when each device exchanges data with an external server, and records which servers were contacted and whether those communications are secured. According to the IoT Inspector website, the goal is to answer three questions:

  1. Who do your devices talk to?
  2. What information is gathered?
  3. Are the devices hacked?

Sounds great, right? Well, there are two cautions to note before using this tool. First, the names you have given your devices are included in the data the app uploads, so Princeton's researchers will be able to see them. The app asks users to consent to this the first time it runs. (Tip: make sure your device names don't contain your name or any other personally identifiable information. If they do, rename them before running the tool.)

Second, to see your devices' traffic at all, the research team uses a technique the "bad guys" typically use called ARP spoofing: the tool sends forged Address Resolution Protocol (ARP) replies on the local network so that devices send their traffic to the computer running IoT Inspector instead of directly to the router, and the inspector forwards it on. That is exactly how an attacker sitting on your Wi-Fi would intercept the same traffic. Personally, I think it's creative and smart to use the same techniques to beat the bad guys at their own game, turning a malicious act into something good. But it also means the tool is positioned to read every unencrypted byte your devices send, so be sure you trust Princeton should you decide to use it.
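To make the caveat concrete, here is an added example (mine, not code from the article or from the IoT Inspector project) of what ARP spoofing looks like on the wire and how to spot it. It builds a handful of raw Ethernet/ARP frames for a constructed three-host LAN (a router, a camera, and the machine running an inspector; all MAC and IP addresses are made up for the example), then runs a detector that remembers which MAC first answered for each IP and flags any later reply that claims the same IP from a different MAC. That IP-to-MAC conflict is the footprint both IoT Inspector and a real attacker leave when they forge replies to pull traffic through their own machine.

```python
"""
Added example, not from the article or the IoT Inspector project: a small
ARP-spoofing detector over constructed Ethernet/ARP frames.
"""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REQUEST = 1
ARP_REPLY = 2

# Constructed (hypothetical) addresses for the three hosts on the example LAN
ROUTER_MAC = bytes.fromhex("0a1b2c000001")
INSPECTOR_MAC = bytes.fromhex("0a1b2c000002")   # machine running the inspector
CAMERA_MAC = bytes.fromhex("0a1b2c000003")      # an IoT device
ROUTER_IP, INSPECTOR_IP, CAMERA_IP = "192.168.1.1", "192.168.1.10", "192.168.1.20"


def build_arp(sender_mac, sender_ip, target_mac, target_ip, op=ARP_REPLY):
    """Build an Ethernet frame carrying an RFC 826 ARP packet (Ethernet/IPv4)."""
    dst = target_mac if op == ARP_REPLY else b"\xff" * 6   # requests are broadcast
    eth = dst + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    arp += sender_mac + IPv4Address(sender_ip).packed
    arp += target_mac + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip) for an ARP frame, or None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    oper = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")          # bytes.hex(sep) needs Python 3.8+
    sender_ip = str(IPv4Address(frame[28:32]))
    return oper, sender_mac, sender_ip


def detect_arp_spoof(frames, trusted=None):
    """
    Walk frames in capture order.  The first MAC seen answering for an IP
    (or a pre-seeded 'trusted' table such as {gateway_ip: gateway_mac}) is
    treated as the legitimate owner; any later reply claiming that IP from
    a different MAC is reported as (ip, expected_mac, claimed_mac).
    """
    table = dict(trusted or {})
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, mac, ip = parsed
        if oper != ARP_REPLY:      # requests carry no binding worth trusting
            continue
        expected = table.setdefault(ip, mac)
        if expected != mac:
            alerts.append((ip, expected, mac))
    return alerts


def sample_frames():
    """Constructed capture: honest traffic first, then the inspector poisoning both sides."""
    return [
        build_arp(ROUTER_MAC, ROUTER_IP, CAMERA_MAC, CAMERA_IP),               # router -> camera (honest)
        build_arp(CAMERA_MAC, CAMERA_IP, ROUTER_MAC, ROUTER_IP),               # camera -> router (honest)
        build_arp(CAMERA_MAC, CAMERA_IP, b"\x00" * 6, ROUTER_IP, ARP_REQUEST),  # a request: ignored
        CAMERA_MAC + ROUTER_MAC + struct.pack("!H", 0x0800) + b"\x00" * 40,    # IPv4 frame: ignored
        build_arp(INSPECTOR_MAC, ROUTER_IP, CAMERA_MAC, CAMERA_IP),            # "I am the router" -> camera
        build_arp(INSPECTOR_MAC, CAMERA_IP, ROUTER_MAC, ROUTER_IP),            # "I am the camera" -> router
    ]


if __name__ == "__main__":
    for ip, expected, claimed in detect_arp_spoof(sample_frames()):
        print(f"ARP spoof: {ip} was {expected}, now claimed by {claimed}")
```

Run against the constructed capture, the detector reports two conflicts: the router's IP claimed by the inspector's MAC, and the camera's IP claimed by the same MAC, which is the two-sided poisoning that puts the inspector in the middle. To use this for real, feed it frames from a raw socket or a pcap and seed `trusted` with the gateway's MAC (from the router's label or an `arp -a` taken before anything suspicious runs), because a learn-on-first-sight table can itself be poisoned by an attacker who is already active. Expect benign conflicts from gateway failover protocols such as VRRP/HSRP or from DHCP lease churn, so treat an alert as a prompt to look, not as proof on its own.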

Currently, Princeton IoT Inspector is available only on macOS; there is a waitlist for a Windows version, due next month, and a Linux version due the week of April 24th, 2019.