IoT Inspector: Princeton releases a tool to snoop on home IoT devices and figure out what they're doing


#1

Originally published at: https://boingboing.net/2018/04/23/promiscuous-mode.html


#2

Finally someone to check up on me, for free.


#3

Couldn’t you gather this sort of data with tools like Wireshark etc?


#4

I’m sure you could. You could probably also disassemble your router and put the chips under an electron scan microscope and pull the data out of RAM, but this utility looks like it’s probably a lot easier.


#5

Somewhat more of a challenge with the ones that use an embedded cell modem for at least some functions; but the big deal is in comprehension rather than collection.

Capturing packets is easy and can be more or less wholly automated. Getting an exact sense of just how panopticonic a device is requires a decent bit of manual grovelling; potentially involving actual skilled labor if you want cryptoanalysis, poking for side channels and inferential attacks, and the like.(And the poking would potentially not just be through packet dumps; if you want to know more than an IP or some cryptic domain name that was cheap about who is being informed of your activities you may also have to grovel through a thicket of Delaware LLCs, LinkedIn profiles of asshole tech bros, and similar not-strictly-technical work.)


#6

There’s a difference between a product doing what the purchaser expects (like the “Smart” TV checking in on the various services that are most likely apps preinstalled, and which most likely is checking version information in case updates are needed, something you’d expect a “Smart” TV to do, even with unactivated apps), and a product doing something malicious (which none of these seem to be doing). The article here seems a bit sensationalized, no?


#7

Uh … great … so where is the tool? There’s not even a github, let alone an exe or anything :frowning:


#8

I know that you can read out data from non-volatile EEPROM/flash memory using electron scan microscopes; haven’t yet heard whether this works on volatile SRAM(1)/DRAM, and am somewhat sceptical.

(1) Data is eventually lost when the memory is not powered, I’d say that qualifies as volatile.


#9

On their front page they say they are about to release an open-source tool, and give a link to get on an email waiting list.

The “Help our research” link above that takes you to a form where you can suggest what devices they should look at.

I’m sure some community momentum would help them move these things along.


#10

I was being facetious merely to emphasize that while there are many ways to discover what your IoT devices are broadcasting, this tools simplifies the process so that more people could potentially be aware of how insecure most IoT devices are. Maybe this will encourage IoT developers to use better security (though I sincerely doubt it).


#11

I am checking up on you right now!


#12

They haven’t outlawed this yet?


#13

Yep. The general public won’t even worry about their IoT devices until they see something on FB about it.
Facetiousness aside, the general public really could use a simple link that they could click on that would tell them which devices were broadcasting what. Then they could be aware of the problem. When a bunch of techies and nerds tell the general public there’s a problem, they tune out. But a simple link? That could even be promoted on a morning show!


#14

Yeah, I did see that … but the headline is “releases a tool” :slight_smile:


#15

Wow, I totally missed that!


#16

This topic was automatically closed after 5 days. New replies are no longer allowed.