A new study has once again found that most “internet of things” (IoT) devices routinely deliver an ocean of sensitive data to partners around the world, frequently without making these data transfers secure or transparent to the end user.
The full study, a collaboration between Northeastern University and Imperial College London, took a closer look at 81 popular smart TVs, streaming dongles, smart speakers, and video doorbells made by vendors including Google, Roku, and Amazon.
The results aren’t comforting: the majority of the devices collected and shared information including your IP address, device specs (like MAC address), usage habits, and location data. That data is then shared with a laundry list of third parties, regardless of whether the user actually has a relationship with those companies.
“Nearly all TV devices in our testbeds contact Netflix even though we never configured any TV with a Netflix account,” the researchers said. They noted that devices reach out to Netflix to relay information such as the TV set being used and the location it’s being used in.
In a series of 34,586 experiments, the study found that 72 of the devices made contact with someone other than their manufacturer. In many instances, these transfers “expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic,” the researchers said.
The IoT sector has long been ridiculed for rushing to connect everything to the internet without embracing basic security and privacy standards. As a result, everything from your smart tea kettle to your kids’ Barbie dolls now poses a potential privacy and security threat. With millions of such devices coming online every year, it’s a monumental problem.
“A wide variety of internet-connected devices in people's homes are potentially exposing information about consumers to other parties over the internet,” study author David Choffnes told Motherboard. “Our paper represents the start of what we expect to be a long line of research for giving consumers better insight into, and control over, the information exposed by their internet-connected devices.”
The problem has been well exemplified by smart television vendors that have—like the broader IoT sector—routinely made security, privacy, and transparency a distant afterthought.
Vizio, for example, settled a $17 million lawsuit last year for secretly tracking and selling the usage habits of sixteen million Vizio owners for around three years. In 2015, Samsung was widely criticized after researchers found the company’s smart televisions were collecting user voice data and then transmitting it unencrypted to the cloud.