The house has traditionally been the most private place for a family. But first the mobile phone came in, and now so have smart devices. Their digital conversations mean that, often without users knowing, they give intimate details about each home that were previously impossible to obtain. Research on these devices until now focused on external risks, which come from outside the home: is it possible to access a home camera from the Internet? Is a smart speaker vulnerable? Now, pioneering work by several universities and research centers, among them the Spanish Imdea Networks, Imdea Software and the Carlos III University, discovers that also, beneath the theoretical calm of a house, there are many risks.

“One of the biggest problems is the invasion of privacy,” says David Choffnes, professor at Northeastern University (Boston, USA) and one of the co-authors of the work. “These weaknesses give attackers a clear idea of ​​what is in your home, who is there, and also when they are moving and where. We discovered that some apps take advantage of this to collect data from homes, for purposes that have nothing to do with their function. If our homes are the most private place, it seems like a serious invasion of privacy to me,” he adds.

Choffnes and his team at Northeastern set up a “living laboratory/apartment with more than 100 devices” called Mon(IoT)r Lab [IoT son las siglas en inglés del internet de las cosas]. It’s like a big party, but with devices. There, researchers from the university and other centers study the entire variety of behaviors and relationships that exist between them, from light bulbs and refrigerators, to routers and speakers, which communicate with each other. This research also studies the connections of all of them with apps, both those that manage these devices and others that Android users have on their mobile phones, and both those who live in that house and those who visit it. Apple’s environment is much more private.

Image of the Mon(IoT)r laboratory at Northeastern University where this study was carried out and which serves to understand how smart home devices relate to each other: from doorbells and light bulbs to all types of household appliances. Northeastern University

EL PAÍS has asked Google, which bought Android in 2005 and has a line of smart devices, about this study. Here’s a spokesperson’s response: “We greatly appreciate the security community’s investigation. “We are constantly improving our security protections to help keep Android users safe.” The Android environment, due to its characteristics and number of actors, has a lot of challenges to solve.

“I don’t think people have the slightest idea that all devices connected to Wi-Fi talk to each other in some way. And that has implications,” says Juan Tapiador, professor at the Carlos III University and also co-author of the study.

What type of information do these devices share? They are not the conversations or messages we send. The type of information that circulates ranges from unique device addresses (called MAC), serial numbers, versions of vulnerable protocols or even names of specific devices such as “Jorge’s speaker in the dining room.”

All this information, and the services to which they connect, allow many details of our lives to be inferred, and could obtain a digital fingerprint of our home, which would allow targeted attacks or surveillance: “The exposure of this information without control,” he says Narseo Vallina-Rodriguez, researcher at Imdea Networks and co-author, “allows advertising services or spy applications to create a digital fingerprint of your home that uniquely identifies it or can infer your income level and habits.” Not only that. If these devices scan frequently in search of new information “they can infer who enters and leaves the house and your social structures to monitor their activities through networks and devices,” adds the expert.

We do not fully understand the risks

Someone may think that all this is not so serious because it does not seem so intimate. Users tend to misunderstand the risk involved in gathering dozens of specific pieces of information about a home. This data is captured, for example, by apps that we carry on our phones and they collect the serial number of the router or the name of the connection, which allows us to know the location (without even accessing the device’s GPS). There are pages where wifis from all over the world are mapped. If two mobile phones access the same Wi-Fi, you not only know that they are close, but also where they are. If an app on the visitor’s mobile scans how many smart devices are there, and which ones, that data can help calculate the income of a home.

“One of the things that was most difficult for us to understand is that the informative value of technical data is sometimes difficult to predict,” says Tapiador. For example the SSID, which is the name of the Wi-Fi network. When a mobile scans the available networks, the name of all the nearby ones is seen. “There are many online services that provide you with geolocation information based on that name,” continues Tapiador.

A concrete example of the fearsome use of the combination of information that can be gathered thanks to these devices is given by Vijay Prakash, researcher at New York University, and co-author of the study: “If a malicious actor abuses information floating freely on smart home networks, they can track a user across devices from multiple vendors. For example, if a malicious application takes fingerprints from several users’ smart homes, and some of them visit the home of one of the users, say Juan, with their phone on them, the application could infer user Juan’s social relationships and schedules. in which other users visit you.” It must be taken into account that this would not happen just once, but continuously.

Apps analyzed in the study with millions of downloads contain software that collects this type of information. If an app, for example, has access to location and scans Wi-Fi networks, it already knows that those networks are there: “This is crowdsourcing [labor colectiva] carried out by millions of people,” continues Tapiador. “There are maps from all over the world with those names. When you tell someone, ‘hey, this light bulb is picking up the SSID or MAC address of the router’ it’s the same as saying ‘this light bulb is picking up the location of your house.'” That is not the only problem: “The question is what other relationships they can weave from there. Allowing you to have access to traffic generated by your devices can have unanticipated consequences,” he says.

Without legal permissions

Many of these examples are not legal, but the Android environment is a jungle: “These practices have many implications, since they often occur without any type of user consent, and sensitive information such as geolocation or devices and users is also obtained. , data protected by the General Data Protection Regulation,” says Vallina-Rodríguez.

This is an example of the dance of conversations that devices have within a home, as explained in the research: “Six applications [de dispositivos caseros] transmit addresses [únicas MAC] from devices to the cloud, and the recipients are their own domains [por ejemplo, Alexa] or third party providers such as Tuya, a platform provider[de dispositivos caseros] based in China, and Amplitude, an analytics service.”

To a human, all this combination of data may seem overwhelming and unbearable. But for machines it is their daily work. Beyond hypothetical security risks, this information feeds the enormous and dark machinery of global marketing and advertising, also called “commercial surveillance.” At the moment it is not happening, but just as we receive personalized advertising on mobile phones, the industry could already identify our home to personalize the advertising to our economic conditions and family: what is easier than discovering when a couple separates or what level of income Do you have friends who are going to your birthday party?

“Just as many pages make a digital fingerprint of the user to recognize them between sessions even if you delete the cookies”, says Tapiador, “we saw that it is possible to do the same for a house using the devices. It is a theoretical observation in the sense that today personalization aimed at specific homes may not be done, but the possibility that it can be done is there,” he adds.

You can follow EL PAÍS Technology in Facebook and x or sign up here to receive our weekly newsletter.

Subscribe to continue reading Read without limits

_