Internet of snitches: Anyone who can sniff 'Thing' traffic knows what you're doing

Princeton boffins reckon the Internet of woefully insecure things yields sensitive information about connected homes with nothing more than a bit of network traffic analysis. The problem is that single devices have very individualistic traffic profiles – a thermostat behaves differently from a lighting controller, both of …

  1. Brian Miller

    Watch the windows

    If someone is casing a house, they'll just watch the windows! No burglar is going to be sniffing IP traffic to see when someone is up and awake. Why go to all the trouble, even if they had the knowledge?

    1. Anonymous Coward

      'Casing a house / No burglar is sniffing IP traffic'

      That shows a serious lack of imagination there! Entire new industries will spring up as a result of this (all the holes in IoT)! We simply have no idea yet. But a few people are beginning to glimpse the nightmares that await.... Expect to see new criminal enterprises, new governmental control departments, new espionage-based industries. They may not all come around to your place, but they will tap the IoT data stream of people you know and care about. Why? The temptation is just too great....

      1. Anonymous Coward

        Re: 'Casing a house / No burglar is sniffing IP traffic'

        Worse than "Entire new industries will spring up as a result of this", entirely new theories of crime and legal defences could spring up as a result of this, and then they'll be followed by the ambulance-chasing shysters of the "Have you been injured in an accident that wasn't your fault" variety ....

      2. GrumpyOldMan

        Re: 'Casing a house / No burglar is sniffing IP traffic'

        They will just because they can. And to monetise it before someone else gets there first.

    2. Pompous Git Silver badge

      Re: Watch the windows

      "No burglar is going to be sniffing IP traffic to see when someone is up and awake."
      Your name is Fagin and you sniff the IP traffic to hundreds of homes and send out your little Oliver Twits as appropriate.

      1. Cynical Observer
        Coat

        Re: Watch the windows

        @Pompous Git

        Your name is Fagin and you sniff the IP traffic to hundreds of homes and send out your little Oliver Twits as appropriate.

        You've got to pick-a-packet or two, boys; You've got to pick-a-packet or two.

        1. Anonymous Coward

          Re: Watch the windows

          As an aside I was once working at a large bank as a contractor, a colleague (also a contractor) was more fond of the opening lines of "Got to pick a pocket or two":

          "In this life, one thing counts, in the bank, large amounts....."

          He would quietly sing it to himself whenever anyone was out of hearing distance.

      2. 's water music Silver badge
        Coat

        Re: Watch the windows

        >> "No burglar is going to be sniffing IP traffic to see when someone is up and awake."

        Your name is Fagin and you sniff the IP traffic to hundreds of homes and send out your little Oliver Twits as appropriate.

        Disruptive imagineers will sweep away the legacy burglary industry like the dinosaurs. Which is just as it should be.

        Icon for maximising revenue opportunities while travelling between burglary opportunities-->

    3. Steve Davies 3 Silver badge

      Re: Watch the windows

      Now you can have a thief sitting in the comfort of their own home monitoring tens if not hundreds of houses.

      IOT becomes a tool for 'remote casing' of properties.

      And people will still want to and do install this crap in their homes.... {mind boggles}

      None of this stuff will be allowed in my home.

      Thanks for the list of Domains that some of this TAT uses. I'll be adding them to my firewall later today.

      1. Christoph Silver badge

        Re: Watch the windows

        "Now you can have a thief sitting in the comfort of their own home monitoring tens if not hundreds of houses."

        They don't need to monitor it. Just have software monitor the streams for the pattern of someone going on holiday and then send an alert to the local operatives. It can also include the details of the security systems it's identified. If the house has been sold in the last few years it can include the floor plans and internal photographs from Rightmove. (photos will be out of date but still useful for familiarisation).

      2. collinsl

        Re: Watch the windows

        Don't block pool.ntp.org though! That one's the only useful one, and I recommend you point your gateway at it and your internal machines at your gateway for NTP where possible.

    4. The Bionic Man

      Re: Watch the windows

      Because people don't rob banks with guns any more, they just sit at computers emptying bank accounts.

      1. F0rdPrefect

        Re: Watch the windows

        "Because people don't rob banks with guns any more, they just sit at computers emptying bank accounts."

        Well they do still ram raid cash points.

    5. fajensen Silver badge

      Re: Watch the windows

      No burglar is going to be sniffing IP traffic ....

      Yet ... Already the rats are sniffing around in databases to find the homes of elderly people where they can force their way in so much easier, the databases are the ones used by those other rat bastards, the telephone salespeople, who LOVE half-deaf possibly senile people with few relatives to take the fight for them.

      Once those convenient resources are *eventually* blocked over EU privacy laws and such, then, they will do IP sniffing. Of course they will. They sniff car key codes already. They may be rats but not stupid.

  2. Rol Silver badge

    "Whoa! What's that you got there Agrippa?"

    "It's a gun"

    "A what?"

    "A gun. It throws small arrow heads out like a ballista, and you don't even need to wind it. You just put this magic black powder in this hole here and then your arrowhead and then you point this end at what you're trying to kill, and then smash this bit of flint on this bit of iron here and..."

    "Is it supposed to do that?"

    "Err, I don't think so. Does it look as bad as it feels?"

    "Err, Are you in excruciating agony and wish you were dead?"

    "Yes"

    "Then yes it is as bad as it feels. You appear to have lost half of your face"

    "I think we should wait a millennium or two until they've ironed out the flaws"

  3. Pompous Git Silver badge

    "the Echo leaks when someone is talking to it"

    I have a similar problem when people of a certain nature talk to me; I have a sudden and urgent need to take the piss.

  4. fidodogbreath Silver badge

    Missed opportunity

    The paper stops short of telling manufacturers to quit collecting data unnecessarily, which seems an obvious first step to The Register.

    Right; because Internet companies would immediately stop surveilling users collecting usage data to improve the user experience, if only some random researcher would tell them to.

    1. Ken Hagan Gold badge

      Re: Missed opportunity

      It's not the manufacturers who need to know. It's their customers. It would be much more effective to tell a few scriptwriters, so that this sort of spyware becomes more widely known in popular culture.

      For bonus points, someone can thwart such attacks by knowing how to configure the firewall on their (ordinary) router. Obviously that is going to stretch credibility somewhat (sigh) but that's the writer's problem and they're a pro, right?

  5. PNGuinn
    Pirate

    Optional

    So "can of worms" becomes "nest of worms".

    Progress at last!

  6. GrumpyOldMan

    Refused one on Saturday

    I had a very 'lively and interesting' discussion with a bloke in town flogging Smartmeters on Saturday. Wifey walked off in embarrassment, but the sales guy had no clue what he was talking about and was adamant that they are secure. Adamant I tell you! I think I drew a small crowd but he was talking rubbish.

  7. John Smith 19 Gold badge
    Gimp

    Collecting unnecessary data.

    That's not a bug.

    It's a feature (of their revenue model).

    Not all data fetishists work for government departments.

  8. Scott Broukell
    Coat

    iTWATS

    i - internet

    T - Things

    W - Without

    A - Any

    T - Twatting

    S - Security

  9. RainForestGuppy

    If you've got access to ISP data then you don't need smart devices to track user activities.

    1.) Did the home owner recently go to an airline online check-in page?

    2.) Has the amount of web traffic reduced?

    Assumption: home owner is away.

    Any type of data can be analysed, pattern matched and assumptions made.

  10. Cuddles Silver badge

    Sleep sensor?

    OK, some of the IoT crap I can at least see why people might think it could be vaguely useful or interesting in some way, but what on Earth is the point of a sleep sensor? It's not exactly difficult to figure out if you've had a good night's sleep or not, and even if you were desperate to quantify exactly how good it was how does streaming the data while you're sleeping help with that? I suppose you could try to use it to monitor someone else's sleep, but children are pretty damn good at letting you know when they're not asleep, and why the fuck would you need to spy on anyone else? Other than occasional medical use for people with actual sleep disorders, I just can't imagine why anyone would want one of these things, let alone one that constantly livestreams data to let everyone know exactly when you're sleeping and how well you're doing it.

    1. David Nash Silver badge

      Re: Sleep sensor?

      Because extending the "occasional medical use" to "diagnostic use" to "Check whether you have a problem" is the usual way it works in marketing. Convince people they have, or may have, a problem and they need the latest gadget to identify and/or fix it.

      I'd guess that it's not streaming while you're asleep so someone can view it, it's streaming it to a cloud, sorry server, so that you can review it later.

      See also the current fad for wearable fitness monitors, which were recently reported to be rubbish at measuring calories used.

    2. 's water music Silver badge
      Joke

      Re: Sleep sensor?

      I just can't imagine why anyone would want one of these things, let alone one that constantly livestreams data to let everyone know exactly when you're sleeping and how well you're doing it.

      Out of interest, how do you stalk your ex-partners?

  11. Ian Chard

    WeMo switches use--

    nat.xbcs.net

    api.xbcs.net

    fs.xbcs.net

    www.belkin.com

    any or all of which might be needed for them to work.

  12. Daniel Palmer

    I dunno guys. If someone is already on your network sniffing your data to do traffic analysis it either means they already have access to your wifi or are in your house already. I think that means you have more problems than some IoT device selling the ambient temperature of where it's located to "the cloud data mafia" for big buckeroos.

    Sorry, totally forgot this is el reg. I should have written:

    oh noes small microcontroller based thing on my network is so much more scary than the 3 or 4 windows machines I have because it's called IoT. What's that? IoT uses IPv6? How will I remember all the digits? What about my NAT?

  13. AnoniMouse

    Internet of Trojans

    And we are being encouraged to buy these "things" in their millions and connect them to our home networks INSIDE any firewall our routers may have.


Biting the hand that feeds IT © 1998–2019