Princeton boffins reckon the Internet of woefully insecure things yields sensitive information about connected homes with nothing more than a bit of network traffic analysis.

The problem is that single devices have very individualistic traffic profiles – a thermostat behaves differently from a lighting controller, both of which behave differently from a garage door opener, and so on.

In this paper at arXiv, Noah Apthorpe, Dillon Reisman and Nick Feamster (the latter a critic of slapdash IoT privacy) look at “a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo switch, and an Amazon Echo” – and they reckon the traffic fingerprints are recognisable even when traffic is encrypted.

Each of the devices snitches by generating recognisable traffic patterns: the Sense revealed users' sleeping patterns; the Nest cam lets an attacker infer when it's being monitored or when movement wakes it up; the WeMo lets an observer watch appliances turn on or off; and the Echo leaks when someone is talking to it.

The attacker needs some way to capture traffic. The Princeton paper assumes an attacker is sniffing traffic from the ISP, but that's surely not the only vector.

If you can get to the traffic, there are plenty of ways to identify the device. For example, Sense and Nest Cams talk to different service IP addresses and ports, and even if a device talks to multiple services “the adversary typically only needs to identify a single stream that encodes the device state”.

IoT phone home

Device                  DNS queries
Sense sleep monitor     hello-audio.s3.amazonaws.com
                        hello-firmware.s3.amazonaws.com
                        messeji.hello.is
                        ntp.hello.is
                        sense-in.hello.is
                        time.hello.is
Nest security camera    nexus.dropcam.com
                        oculus519-vir.dropcam.com
                        pool.ntp.org
WeMo switch             prod1-fs-xbcs-net-1101221371.us-east-1.elb.amazonaws.com
                        prod1-api-xbcs-net-889336557.us-east-1.elb.amazonaws.com
Amazon Echo             ash2-accesspoint-a92.ap.spotify.com
                        audio-ec.spotify.com
                        device-metrics-us.amazon.com
                        ntp.amazon.com
                        pindorama.amazon.com
                        softwareupdates.amazon.com

As the paper explains, while it's possible to infer some user activity from general traffic (for example, machines going to sleep after everyone's gone to bed), “this relies on many assumptions, e.g. that users only stop using their other devices immediately prior to sleeping, that everyone in the home sleeps at the same time and does not share other devices, and that users do not leave their other devices running to perform network-intensive tasks or updates while they sleep.”

Encryption doesn't help when traffic is so easily fingerprinted.

A Sense sleep monitor is much more revealing, because it's a single-purpose device; and the same is true of the other devices the researchers tested.
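To make concrete how little an observer needs, here is an added Python example (not from the paper or this article) that does what the researchers describe: it maps flows to devices by the destination hostnames in the table above, then flags minutes where a single-purpose device's traffic spikes above its own baseline, which is exactly the signal that leaks a state change. The flow records and byte counts are constructed for illustration; the median-times-a-factor threshold is an assumption, not the paper's method.

```python
from collections import defaultdict
from statistics import median

# Hostnames from the table above, keyed to the device that contacts them.
# Shared infrastructure such as pool.ntp.org is deliberately left out: it
# does not identify a device on its own.
HOST_TO_DEVICE = {
    "messeji.hello.is": "Sense sleep monitor",
    "sense-in.hello.is": "Sense sleep monitor",
    "nexus.dropcam.com": "Nest security camera",
    "oculus519-vir.dropcam.com": "Nest security camera",
    "prod1-api-xbcs-net-889336557.us-east-1.elb.amazonaws.com": "WeMo switch",
    "device-metrics-us.amazon.com": "Amazon Echo",
    "audio-ec.spotify.com": "Amazon Echo",
}

def bytes_per_device(flows):
    """Group flow records (minute, destination host, bytes) into a per-device
    time series: {device: {minute: bytes}}. Unknown hosts go under 'unknown'."""
    series = defaultdict(lambda: defaultdict(int))
    for minute, host, nbytes in flows:
        series[HOST_TO_DEVICE.get(host, "unknown")][minute] += nbytes
    return {device: dict(minutes) for device, minutes in series.items()}

def bursts(minute_bytes, factor=3.0):
    """Minutes whose byte count exceeds `factor` times the series median.
    On a single-purpose device such a burst is what exposes a state change
    (a camera waking on motion, a switch being toggled) to a passive observer."""
    if not minute_bytes:
        return []
    baseline = median(minute_bytes.values())
    return sorted(m for m, b in minute_bytes.items() if b > factor * baseline)

def exposed_events(flows, factor=3.0):
    """Per device, the minutes in which a state change would be visible."""
    return {d: bursts(s, factor) for d, s in bytes_per_device(flows).items()}

# Constructed sample: the Nest cam idles at ~2 kB/min and jumps at minute 7;
# the WeMo keepalive is flat apart from a toggle at minute 3.
WEMO = "prod1-api-xbcs-net-889336557.us-east-1.elb.amazonaws.com"
SAMPLE_FLOWS = (
    [(m, "nexus.dropcam.com", 2000) for m in range(10)] + [(7, "nexus.dropcam.com", 40000)]
    + [(m, WEMO, 300) for m in range(10)] + [(3, WEMO, 1500)]
    + [(5, "pool.ntp.org", 76)]
)

if __name__ == "__main__":
    for device, minutes in exposed_events(SAMPLE_FLOWS).items():
        print(f"{device}: observable state changes at minutes {minutes}")
```

Encryption changes none of the inputs this script uses: hostnames come from DNS and SNI, byte counts from packet sizes, so the same picture is available to anyone upstream of the home router.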

While the paper takes the usual approach of calling for better user awareness and tools to let users manage their own privacy, “improved regulation … may also be necessary.”

The paper stops short of telling manufacturers to quit collecting data unnecessarily, which seems an obvious first step to The Register. ®