Investigating Privacy Protection in the Smart Home

Abstract

Consumer-oriented IoT devices, or smart home devices as they are also called, are getting more common. Projections suggest there will be more than 75 billion of these devices in people’s homes by 2025. Given the location of these devices and the nature of the data they collect, this raises questions about how the user’s privacy can be protected. Given this background, this thesis investigates relevant security concepts and the feasibility of some of their software implementations as privacy tools. Moreover, smart home devices are also compared in regards to privacy based on brand recognition, which market they are aimed for and which device category they belong to. This is done in order to be able to draw conclusions about these properties’ impact on privacy. The comparison is made using a testbed where traffic from the smart home devices is analysed in relation to the properties above as well as to a threat model developed based on privacy threats found in the literature. The software Princeton IoT Inspector and Snort in combination with the ELK stack are used and compared in regards to both how well each manage to identify and highlight privacy threats but also their applicability to different user groups. Furthermore, we also design a proof of concept for the viability of a cloud solution. For this we simulate a third party developing rules, based on user-generated Snort logs, which a user can subscribe to. The results show that the properties mentioned above have a significant impact on how the devices behave. That is, they affect which endpoints the devices connect to, which cloud provider they rely on and also the shape of their traffic to a large extent. Furthermore, the results also show that a cloud solution is possible, although the size of the logs quickly becomes an issue. Thus further study on how to optimize the logs is needed while avoiding proprietary solutions. None of the investigated software solutions succeeds in striking a perfect balance between usefulness and user-friendliness. Future work needs to be done on multiple levels, ranging from how to increase user awareness, involve community and third party initiatives as well as to investigate what role legislation might play. This will not be an easy undertaking, although a necessary one in order to protect the privacy in our own homes.