Even encrypted data streams allow many conclusions to be drawn!

Even with encryption, the Internet of Things (IoT) remains a threat to user privacy. This is the result of a study by computer scientists at Princeton University. The problem: Various devices, such as a security camera or Amazon's Echo, generate traffic with a very characteristic profile. This means that even encrypted data streams can reveal sensitive details if someone analyzes the network traffic accordingly.

Treacherous data streams

“We were surprised at how easy it would be for a passive network observer to draw conclusions about user behavior from encrypted smart home traffic,” the computer scientists write in a paper on “arXiv”.

The team came to this conclusion based on an analysis of the data traffic from four devices, including a sleep monitor, a security camera, Amazon's Echo and a WeMo Switch from Belkin, which is used for home automation. Because each of the sensor-equipped devices generates data streams with a specific profile. According to the computer scientists, this remains recognizable even despite encryption. That means an information leak.

Amazon Echo: reveals private information online (Photo: amazon.com)
Amazon Echo: reveals private information online (Photo: amazon.com)

If someone monitors the network and analyzes data streams, which would theoretically not be difficult for the respective provider, for example, they could learn a lot from encrypted IoT traffic. The sleep monitor tested, for example, reveals the sleep pattern, while with Amazon's Echo, the analysis shows that the traffic clearly shows when the user asks the device a question. At first glance, this doesn't seem too worrying if the question itself is encrypted. But the Princeton team warns that even information about when someone uses a particular device could be relevant for advertising purposes.

Technical tricks required

“We would not be surprised if many other smart home devices currently available had similar privacy vulnerabilities,” said the computer scientists. They also emphasize that they simply analyzed the data rates of encrypted traffic, but not data packets using deep packet inspection. In order to effectively protect privacy in the Internet of Things, technical tricks seem necessary. According to the team, even the use of solutions such as VPN tunneling would make analysis more difficult. A systematic solution to protect privacy would have to obscure the traffic characteristics that ultimately reveal information about user behavior.

About the paper “ A Smart Home is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic ”:

Source: press release

Sign up for the Mimikama newsletter

Notes:
1) This content reflects the current state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic. 2) Individual contributions were created through the use of machine assistance and were carefully checked by the Mimikama editorial team before publication. ( Reason )