38C3 Community Stages

In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes
2024-12-30, Stage YELL
Language: English

The network communication between Internet of Things (IoT) devices on the same local network has significant implications for platform and device interoperability, security, privacy, and correctness. Yet, the analysis of local home Wi-Fi network traffic and its associated security and privacy threats has been largely ignored by prior literature, which typically focuses on studying the communication between IoT devices and cloud end-points, or detecting vulnerable IoT devices exposed to the Internet. In this paper, we present a comprehensive and empirical measurement study to shed light on the local communication within a smart home deployment and its threats. We use a unique combination of passive network traffic captures, protocol honeypots, dynamic mobile app analysis, and crowdsourced IoT data from participants to identify and analyze a wide range of device activities on the local network. We then analyze these datasets to characterize local network protocols and the security and privacy threats associated with them. Our analysis reveals vulnerable devices, insecure use of network protocols, and sensitive data exposure by IoT devices. We provide evidence of how this information is exfiltrated to remote servers by mobile apps and third-party SDKs, potentially for household fingerprinting, surveillance and cross-device tracking. We make our datasets and analysis publicly available to support further research in this area.


Motivation and problem statement: Smart devices in modern homes offer advanced features like voice-activated automation and synchronized lighting, all smartphone-controlled and interconnected via the local network for seamless communication and integration across platforms. Prior research largely focused on device-cloud data dissemination and detecting Internet-exposed vulnerabilities, overlooking privacy threats arising from cross-device communications within homes. Addressing this gap, our comprehensive study reveals how smart devices and apps use side channels enabled by network protocols (like UPnP and mDNS) to (1) circumvent mobile OS permissions to access sensitive data like geolocation, and (2) collect data without authorization for household fingerprinting and cross-device tracking, without user consent.

Methodology: We used a combination of techniques to analyze IoT local traffic and device interactions: (1) passive traffic captures and active scans in an IoT lab with 93 devices, (2) dynamic analysis of 2,335 IoT and mobile apps interacting with these devices, and (3) analysis of crowdsourced local network traffic from 13,487 devices across 3,800 households, collected with consent and IRB approval, to demonstrate the feasibility of household fingerprinting and cross-device tracking attacks. Our non-commercial data and artifacts are released for further research.

Main findings: Using this methodology, we uncovered a new class of privacy threats exploited through side channels in smart homes:

  • We reveal how most smart home devices conspicuously expose sensitive data like device names (which can include real names, e.g., “Louis’s TV”), unique IDs, and household geolocation in plaintext using standard protocols like UPnP and mDNS, thus not complying with data minimization principles.
  • We find evidence of privacy-intrusive neighboring devices, mobile apps and embedded SDKs with access to the local network exploiting UPnP and mDNS as side channels to secretly collect sensitive user and household data without user consent. For example, with just the Internet permission, Android apps can infer a user's geolocation from the Wi-Fi SSID/BSSID exposed via UPnP, or infer social interactions from metadata (e.g., serial numbers or MAC addresses) exposed by co-located apps and devices in the local network. Notably, we find that InnoSDK, a Chinese advertising library, and Cisco's AppDynamics, an analytics library, use these means for user tracking and advertising.
  • Finally, our analysis of crowdsourced data revealed that a combination of unique identifiers like UUIDs and MAC addresses can precisely identify households among millions using metadata from smart devices with mDNS and UPnP protocols. This highlights the risks and potential for invasive household fingerprinting and cross-device tracking from local network data exposed by smart devices.
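
To check one's own devices for the exposure described in these findings, captured SSDP/UPnP and mDNS announcements can be classified by the kind of identifier each field carries. The sketch below is an added example, not code from the study or its released artifacts; the sample messages, the TXT keys and the possessive-name heuristic are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Identifier classes the findings name as exposed in plaintext.
PATTERNS = {
    "uuid": re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I),
    "mac": re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.I),
    "personal_name": re.compile(r"\b[A-Z][a-z]+['’]s\b"),  # heuristic: "Louis's TV"
}

def classify(value):
    return sorted(k for k, p in PATTERNS.items() if p.search(value))

def audit_ssdp(message):
    """Return (header, classes) for SSDP headers that carry identifiers."""
    out = []
    for line in message.strip().splitlines()[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and (hits := classify(value)):
            out.append((name.strip().upper(), hits))
    return out

def audit_description(xml_text):
    """Return (element, classes) for a UPnP device description document."""
    out = []
    for el in ET.fromstring(xml_text.strip()).iter():
        tag, text = el.tag.rsplit("}", 1)[-1], (el.text or "").strip()
        hits = classify(text)
        if tag == "serialNumber" and text:
            hits.append("serial")  # a serial number is an identifier as such
        if hits:
            out.append((tag, hits))
    return out

def audit_mdns_txt(entries):
    """Return (key, classes) for mDNS TXT key=value strings."""
    pairs = (e.partition("=") for e in entries)
    return [(k, hits) for k, _, v in pairs if (hits := classify(v))]

# Constructed samples, not taken from the study's datasets.
SSDP = ("NOTIFY * HTTP/1.1\r\nNTS: ssdp:alive\r\n"
        "USN: uuid:2fac1234-31f8-11b4-a222-08002b34c003::upnp:rootdevice\r\n")
DESC = ('<root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
        "<friendlyName>Louis's TV</friendlyName>"
        "<serialNumber>SN-CONSTRUCTED-001</serialNumber>"
        "<UDN>uuid:2fac1234-31f8-11b4-a222-08002b34c003</UDN></device></root>")
TXT = ["id=AA:BB:CC:DD:EE:FF", "fn=Louis's TV", "md=ExampleModel"]
```

Fields flagged this way are candidates for renaming (device names) or for vendor follow-up under the data minimization point made above.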

Implication and Impact: Our homes, once considered privacy-safe, face new privacy risks as IoT devices or third-party apps exfiltrate sensitive information from the local network for unauthorized tracking and profiling. This first-of-its-kind study highlights the need to adopt zero-trust principles for local networks and to redesign the smart device ecosystem and its foundational protocols to address these critical consumer privacy risks. Following our responsible disclosure to Google and 19 other IoT vendors, Google recognized the Android privacy risk with a bug bounty, removed malicious apps and SDKs from Google Play, and is planning a new permission in Android for risk mitigation, paralleled by patches from other vendors addressing these issues. In contrast, iOS's multi-model permission system already effectively prevents such leaks. Additionally, EU regulators like the Spanish Data Protection Agency (AEPD) and standardization groups like the IETF and IRTF have acknowledged the privacy concerns. Moreover, prominent international media outlets like Wired, CBC News, and El País featured our findings.

See also: Presentation (6.8 MB)

Aniketh is a PhD student at the IMDEA Networks Institute and University Carlos III de Madrid (UC3M), Spain. His research focuses on measuring the prevalence of side-channel privacy and security risks of smart home and mobile ecosystems. Prior to his current role at IMDEA, Aniketh earned his Master's in Cybersecurity and Bachelor's in Technology (B.Tech) from UC3M and Amrita Vishwa Vidyapeetham, India, respectively. Aniketh has collaborated with leading research labs, including the Cybersecurity and Privacy Institute at Northeastern University, USA, Rochester Institute of Technology, USA, and industry labs like IIJ Innovation Institute (IIJ-II), Tokyo. Aniketh's research has been recognized at top-tier international peer-reviewed conferences such as USENIX Security and ACM IMC. His contributions have been acknowledged by European Data Protection Agencies and industry leaders, influencing policy changes and security enhancements in IoT and Android platforms. Media outlets like WIRED, CBS, El Correo and El País have featured his work.