Devices that make up the Internet of Things (IoT) collect a monumental amount of data about their owners. In most cases, the data they gather benefits the owner of the device and serves some useful purpose. Viewed in aggregate, however, that data can reveal an enormous amount about the device owner, information that would be very invasive if it fell into the wrong hands.
Over the course of several months, Charles Givre ran an experiment in which he collected data from several IoT devices, including a Nest Thermostat, the Automatic car dongle, the Wink hub, and a few others, in order to determine what could be learned about the owner of the devices. Givre approached the experiment like a law enforcement or intelligence investigation: beginning with a bit of seed knowledge about the target, he built a profile of the target using the data available via these devices’ APIs and the data they transmit over the internet.
This presentation is not about how to bypass the devices’ security features, hack them, or mess with people by randomly turning off their A/C; rather, it focuses on the consequences of IoT devices collecting and storing data.
4. Stuff my Company Wants me to Say
§ The techniques I demonstrated here are the results of my own research. I have no knowledge of anyone using or not using the techniques demonstrated here.
§ The data I gathered all belongs to me and was gathered from devices that I own. Please remember that unauthorized access to someone else’s computer or network IS A CRIME.
§ The views presented here represent only my own and not those of my company or anyone else.
§ I have no financial interest in any of the products you are seeing here, nor do I have any connection with their parent companies, aside from having purchased their products.
§ Always drink upstream from the herd. (Just seeing if you are actually reading this)
5. The Experiment
§ Using data collected from “smart” devices, see what could be learned about the owner.
§ I start out knowing only that the target owns a Wink hub.
§ I limit the data to that which can be gathered via automated means.
6. Conclusions
“Smart” devices collect and broadcast a lot of information beyond what you might expect. In aggregate, this information can reveal a great deal about the device’s owner.
22. What we’ve learned from the Wink Hub:
§ The target’s Facebook ID and Twitter handle
§ What other devices the target has:
    § Nest Thermostat
    § Nest Protect
    § Refuel Propane Tank Doodad
    § Ring Doorbell
§ Where the target lives (?)
§ When the target added these devices to the network
32. Network Information
"wan_ip": "98.233.236.XX"
The following results may also be obtained via:
http://whois.arin.net/rest/nets;q=98.233.236.XX?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
Comcast Cable Communications, Inc. DC-CPE-31 (NET-98-233-0-0-1) 98.233.0.0 - 98.233.255.255
Comcast Cable Communications, Inc. JUMPSTART-5 (NET-98-192-0-0-1) 98.192.0.0 - 98.255.255.255
33. What we’ve learned from the Nest:
The target uses Comcast for their internet service
41. What we learned so far from the Nest:
§ The target uses Comcast for their internet service
§ The target lives in Pikesville, Maryland
§ The target owns an iPhone, iPad and Wink hub
51. The Automatic Car Dongle
WTH does it do?
§ Puts your car’s data to work
§ Decodes check engine light diagnostics
§ Improves driving with real-time feedback
§ 24/7 Crash Response
§ See your driving in their dashboard
58. What we learned from the Automatic:
§ The target owns a 2010 Mazda 3 and a 2005 Honda Odyssey
§ Complete vehicle history (If you want to pay…)
§ Target removed a Hyundai Santa Fe in May and replaced it with the Honda minivan.
60. Allows you to build a spreadsheet of all your trips…automatically.
61. Also, IFTTT is only protected by your username/password.
64. Trips per day
[Bar chart: number of trips per day of the week, Monday through Sunday; the per-day values did not survive extraction cleanly]
66. What we learned from the Automatic:
§ The target owns a 2010 Mazda 3 and a 2005 Honda Odyssey
§ Complete vehicle history (If you want to pay…)
§ Target removed a Hyundai Santa Fe in May and replaced it with the Honda minivan.
§ Target doesn’t roll on Saturdays…
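As an added example (not code from the talk), the aggregation behind the trips-per-day chart: a constructed trip log in the one-timestamp-per-trip shape of a trip export is counted by weekday and by start hour, and any day with almost no trips is flagged, which is exactly the routine the deck infers. The log shape, dates and schedule are made-up assumptions.

```python
from collections import Counter
from datetime import date, datetime, timedelta
from statistics import median

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]


def constructed_trip_log(weeks=4, start=date(2015, 6, 1)):
    """Constructed sample input: one ISO-8601 start time per trip.

    Made-up schedule (not data from the talk): a morning and evening trip
    Monday to Friday, one midday trip on Sunday, nothing on Saturday.
    2015-06-01 is a Monday, so the weeks line up with the calendar.
    """
    trips = []
    for offset in range(weeks * 7):
        d = start + timedelta(days=offset)
        if d.weekday() < 5:          # Monday..Friday: commute pattern
            trips += [f"{d}T07:45:00", f"{d}T17:30:00"]
        elif d.weekday() == 6:       # Sunday: a single trip
            trips.append(f"{d}T11:00:00")
        # Saturday (weekday() == 5): no trips at all
    return trips


def trips_per_weekday(trips):
    """Trip starts counted by weekday name, zero-filled for all seven days."""
    counts = Counter(datetime.fromisoformat(t).strftime("%A") for t in trips)
    return {day: counts.get(day, 0) for day in WEEKDAYS}


def quiet_days(per_day, threshold=0.25):
    """Weekdays with fewer trips than `threshold` of the median day.

    A routine's gaps are as revealing as its peaks: this is the step that
    turns a bar chart into "the target doesn't drive on Saturdays".
    """
    typical = median(per_day.values())
    return [day for day, n in per_day.items() if n < threshold * typical]


def busiest_hours(trips, top=2):
    """Most common trip-start hours; for a commuter this is the daily schedule."""
    hours = Counter(datetime.fromisoformat(t).hour for t in trips)
    return [hour for hour, _ in hours.most_common(top)]


if __name__ == "__main__":
    log = constructed_trip_log()
    per_day = trips_per_weekday(log)
    print(per_day)
    print("quiet days:", quiet_days(per_day))
    print("busiest hours:", busiest_hours(log))
```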
72. Privacy Policy Sample
§ “We will never sell or share your personally identifiable information, like name, where you drive, or VIN.”
§ “We want you to get the most value out of your Automatic experience and may present offers from trusted partners to provide a solution that we think would make your car ownership or driving experience better. For example, we might partner with a tire manufacturer that is willing to extend your tire warranty if you choose to share your data related to tire wear. These opportunities will always be user “opt-in” only.”
§ “Our products and services (and our business) may change from time to time. As a result, at times we may need to make changes to this Privacy Policy. We reserve the right to update or modify this Privacy Policy at any time and from time to time without prior notice. However, if we make any material changes we will notify you by email or by a notice on our website.”
76.
Data Ownership: You own the data generated
Data Reuse: Your data may be used with personally identifying information removed to derive aggregate statistics about…
Data Removal: You may request that your data be removed from our system by emailing XXX. It will be removed within 48 hours of receiving the request.
Data Resale: Your data may be sold to …