The home has traditionally been the most private place for a family. But first the mobile phone came in, and now so have smart devices. Their digital conversations mean that, often without users knowing, they give away intimate details about each home that were previously impossible to obtain. Until now, research on these devices has focused on external risks, which come from outside the home: is it possible to access a home camera from the Internet? Is a smart speaker vulnerable? Now, pioneering work by several universities and research centers, including the Spanish Imdea Networks, Imdea Software and the Carlos III University, finds that there are also many risks inside the house, beneath its theoretical calm.

“One of the biggest problems is the invasion of privacy,” says David Choffnes, professor at Northeastern University (Boston, USA) and one of the co-authors of the work. “These weaknesses give attackers a clear idea of what is in your home, who is there, and also when they are moving and where. We discovered that some apps take advantage of this to collect data from the houses, for purposes that have nothing to do with their function. If our homes are the most private place, it seems like a serious invasion of privacy to me,” he adds.

Choffnes and his team set up a “living laboratory/apartment with more than 100 devices” at their university called Mon(IoT)r Lab (IoT stands for the Internet of Things). It's like a big party, but with devices. There, researchers from the university and other centers study the full variety of behaviors and relationships among these devices, from light bulbs and refrigerators to routers and speakers, which communicate with each other. This research also studies the connections between all of them and apps: both the apps that manage these devices and others that Android users have on their phones, whether those users live in the house or are visiting it. Apple's environment is much more private.

Image of the Mon(IoT)r laboratory at Northeastern University, where this study was carried out and which serves to understand how smart home devices relate to each other: from doorbells and light bulbs to all types of household appliances. Northeastern University

EL PAÍS has asked Google, which bought Android in 2005 and has a line of smart devices, about this study. Here is a spokesperson's response: “We greatly appreciate the security community's investigation. We are constantly improving our security protections to help keep Android users safe.” The Android environment, due to its characteristics and number of actors, has a lot of challenges to solve.

“I think people don't have the slightest idea that all devices connected to Wi-Fi talk to each other in some way. And that has implications,” says Juan Tapiador, professor at the Carlos III University and also co-author of the study.

What type of information do these devices share? They are not the conversations or messages we send. The type of information that circulates ranges from unique device addresses (called MAC), serial numbers, versions of vulnerable protocols or even names of specific devices such as “Jorge's speaker in the dining room.”

All this information, and the services to which the devices connect, allow many details of our lives to be inferred, and could provide a digital fingerprint of our home, which would allow targeted attacks or surveillance: “The exposure of this information without control,” says Narseo Vallina-Rodríguez, researcher at Imdea Networks and co-author, “allows advertising services or spy applications to create a digital fingerprint of your home that uniquely identifies it or can infer your income level and habits.” Not only that. If these devices frequently scan for new information, “they can infer who enters and leaves the house and your social structures to monitor their activities across networks and devices,” adds the expert.

We do not fully understand the risks

Someone may think that all this is not so serious because it does not seem so intimate. Users tend to misunderstand the risk involved in gathering dozens of specific pieces of information about a home. These data are captured, for example, by apps that we carry on our cell phones and that collect the serial number of the router or the name of the connection, which makes it possible to know the location (without even accessing the device's GPS). There are websites where Wi-Fi networks from all over the world are mapped. If two mobile phones access the same Wi-Fi, it is known not only that they are close, but also where they are. If an app on a visitor's mobile phone scans how many smart devices are there, and which ones, that data can help calculate the income of a home.

“One of the things that was most difficult for us to get people to understand is that the informative value of technical data is sometimes difficult to predict,” says Tapiador. Take, for example, the SSID, which is the name of the Wi-Fi network. When a mobile phone scans the available networks, it sees the names of all the nearby ones. “There are many online services that provide you with geolocation information from that name,” continues Tapiador.

A concrete example of the fearsome use of the combination of information that can be gathered thanks to these devices is given by Vijay Prakash, a researcher at New York University and co-author of the study: “If a malicious actor abuses the information that floats freely in smart home networks, they can track a user across devices from multiple vendors. For example, if a malicious application takes fingerprints from several users' smart homes, and one of them visits the home of one of the users, say Juan, with his phone on him, the application could infer user Juan's social relationships and the schedules on which other users visit him.” It must be taken into account that this would not happen just once, but continuously.

Apps analyzed in the study with millions of downloads contain software that collects this type of information. If an app, for example, has access to location and scans Wi-Fi networks, it already knows that those networks are there: “This is crowdsourcing (collective work) carried out by millions of people,” continues Tapiador. “There are maps from all over the world with those names. When you tell someone, 'hey, this light bulb is picking up the SSID or MAC address of the router', it is the same as saying 'this light bulb is picking up the location of your house'.” That is not the only problem: “The question is what other relationships they can weave from there. Allowing you to have access to traffic generated by your devices can have unanticipated consequences,” he says.

Without legal permissions

Many of these examples are not legal, but the Android environment is a jungle: “These practices have many implications, since they often occur without any type of user consent, and sensitive information such as geolocation or devices and users is also obtained, data protected by the General Data Protection Regulation,” says Vallina-Rodríguez.

This is an example of the dance of conversations that devices have within a home, as explained in the research: “Six applications (from home devices) transmit addresses (unique MAC) of devices to the cloud, and the recipients are their own domains (e.g. Alexa) or third-party providers such as Tuya, a China-based (home device) platform provider, and Amplitude, an analytics service.”

To a human, all this combination of data may seem overwhelming and unbearable. But for machines it is their daily work. Beyond hypothetical security risks, this information feeds the enormous and dark machinery of global marketing and advertising, also called “commercial surveillance.” At the moment it is not happening, but just as we receive personalized advertising on mobile phones, the industry could already identify our home to tailor advertising to our economic and family circumstances: what could be easier than discovering when a couple separates, or what income level the friends who come to your birthday party have?

“Just as many pages make a digital fingerprint of the user to recognize them between sessions even if you delete the cookies,” says Tapiador, “we saw that it is possible to do the same for a house using the devices. It is a theoretical observation in the sense that today personalization aimed at specific homes may not be done, but the possibility that it can be done is there,” he adds.
