Cloud Hosting

Theres really no escaping the internet of broken things.

On any given day, Americans connect thousands of internet-enabled devices to the internet, despite repeated warnings from cybersecurity experts that such devices often lack even the most rudimentary privacy and security protections.

The results havent been pretty. From smart televisions that hoover up your living room conversations to webcams that can be hacked and used in DDoS attacks in a matter of seconds, the problem is monumental. And its enabled by companies that routinely prioritize profits over consumer privacy, security, or the well being of the internet.

Researchers at Carnegie Mellon University have released a beta of an app they hope can address some of these problems. Dubbed the The Internet of Things (IoT) Assistant, (iOS, Android) the app will scan any unidentified IOT nearby, tell you what they do, and guide you toward the ability to opt out of data collection (assuming such an option exists).

IOT devices are often designed with little to no end user transparency into what devices do once theyre connected to the internet. Studies have shown IOT devices routinely collect far more data than consumers realize, then sell and share that data with a laundry list of companies.

One recent study showed a popular IOT camera made contact with 52 unique global IP address destinations when transmitting data, while one Samsung television made contact with 30 different IP addresses. Some of these points of contact are innocuous, and some arent. Few are revealed to consumers, and often the data isnt secure in transit.

Many people do a pretty poor job disclosing what data they collect and what they do with it, Professor Norman Sadeh, a CyLab faculty member in Carnegie Mellons Institute for Software Research told Motherboard. Sometimes this is intentional, sometimes it's due to a lack of expertise, and sometimes it's a combinationprivacy engineering is challenging.

Some efforts, like Princetons open source IOT Inspector, have tried to help consumers take a closer look at IOT device traffic itself in a bid to see whats collected and where its sent.

Sadeh says his groups new app takes a different approach.

We don't rely on scanning in this release, Sadeh said. In general, it's not sufficientespecially when the traffic is encrypted, which ideally would always be the case. Even if traffic is unencryptedwhich is a red flagthis will not tell you how long the data is retained.

Instead, the new app relies on a database compiled by volunteers, cybersecurity experts, and companies trying to simplify compliance with new privacy legislation like the California Consumer Privacy Act (CCPA) or Europes General Data Protection Regulation (GDPR).

People need to be informed about what data is collected about them and they need to be given some choices over these processes, Sadeh said. We have built an infrastructure that enables owners of IoT technologies to comply with these laws, and an app that takes advantage of this infrastructure to empower people to find out about and control data collected by these technologies.

Sadeh said such solutions are particularly important in bringing some transparency to the ever expanding use of IOT surveillance in public areas, where signs will sometimes inform the public theyre being watched, but little else.

These signs tell you nothing about what is being done with your footage, how long its going to be retained, whether or not it uses facial recognition, or with whom this is going to be shared, Sadeh said. Hes hopeful his app, once the database is fleshed out, can help fix that.

Sadehs team at Carnegie Mellon arent the only ones trying to address the IOT problem. Consumer Reports has also been building an set of open source standards to include privacy and security issues in product reviews, letting consumers avoid dubious products before they even have a chance to make it into your home.

Excerpt from:
What the Hell Is That Device, and Is It Spying on You? This App Might Have the Answer - VICE