Watch your IoT devices watching you

"What is the purpose of the IoT Inspector project?"

"Many people use smart-home devices, also known as the Internet-of-Things (IoT), in their daily lives, ranging from bulbs, plugs, and sensors, to TVs and kitchen appliances. To a large extent, these devices enrich the lives of many users. At the same time, they may bring negative impact to their owners."

There are a number of articles published within the last week regarding Smart TVs watching you.  And it's no surprise that other devices are doing the same.  The Princeton Study linked above offers a way to monitor what your so-called "Smart Devices" are doing on your network.

I ran the install on Ubuntu 18.04 and it was about as easy as you can get.  When the install is finished, you start the IoT Inspector and you are provided with a unique link back to Princeton which shows you what your devices are doing.  

First thing I'd like to point out is that until you select your devices, you are monitoring nothing.  Because I didn't bother to read the instructions, I started at the monitor -- curious as to why nothing appeared.  Second thing I'd like to point out is that after you select your devices, they will show up as IP addresses until you give them names.  Final point -- this traffic crushes your network.  You are warned in the FAQ but I'm just pointing it out.  Best to run this at night when you're sleeping.  And honestly, that makes the most sense because you can see what these devices are doing while you're sleeping.  IoT never sleeps.

I will play with this further but here are a few screenshots --

As I mentioned above, none of the devices are selected and named.  Once everything is set up, the view of the devices looks like this:

Naming the devices is sort of up to you although it does initially appear as if these items are pre-configured.  The behavior is a little inconsistent as "mesh" brought up "Wifi mesh" but then on the second device, it didn't.  None of this matters in the grand scheme of things, just get them named so you can identify what you're looking at in the report.

Once everything is configured and running for a bit, the monitor page looks like this:

Pretty amazing really.  Some things I should point out --

1.  The Amazon Echo is not doing anything, it's just plugged in.
2.  The Roku is also doing nothing but I turned it on to see what it would do while idling.  
3.  The Nest thermostats are pinging out when I walk past them, or it's a weird coincidence.
4.  Two of the Google mesh devices displayed an orange ring instead of their typical white ring.
5.  Running IoT Inspector crushes the network which might be the cause for item #4.
6.  As soon as I killed IoT Inspector, my traffic returned to normal.

With IoT, you could go cold turkey but I know very few people who can do that.  Personally, I try to find that balance between my paranoia and my desire to have a device that plays any music -- any time.  We also unplug her when we're not using it.  And I can rationalize the other devices similarly.  I like them -- they are handy.

Generally, my paranoia runs high with these devices which is why it's prudent to segment the network.  If you have guest wifi, put all of these devices on THAT network and keep it off of the main network.  If you want to take it a step further, you can buy a switch, set up VLANs and again, like the guest network, you can keep that traffic off your main network.  VLANs give you some greater flexibility.
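As an added example (not from the original post), here is a minimal nftables ruleset for a Linux router that implements the VLAN segmentation described above: the IoT VLAN can reach the Internet, the main LAN can still reach the IoT devices, and nothing on the IoT VLAN can initiate a connection back to the main LAN.  The interface names eth0 (WAN), lan0 (main LAN) and iot0 (the IoT VLAN, e.g. a tagged sub-interface) are assumptions, as is that routing and NAT are already configured elsewhere.

```nft
#!/usr/sbin/nft -f
# Assumed interfaces: eth0 = WAN uplink, lan0 = main LAN, iot0 = IoT VLAN.
# Routing and NAT for the WAN uplink are assumed to be configured separately.
flush ruleset

table inet iot_segment {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed when initiated
        ct state established,related accept
        ct state invalid drop

        # Main LAN may initiate connections to IoT devices (casting, app control)
        iifname "lan0" oifname "iot0" accept

        # Main LAN to the Internet
        iifname "lan0" oifname "eth0" accept

        # IoT devices may reach the Internet (they will phone home regardless)
        iifname "iot0" oifname "eth0" accept

        # IoT devices must never initiate traffic into the main LAN.
        # The policy would drop this anyway; logging it makes the attempts visible.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan blocked: " drop
    }
}
```

Watch the kernel log for the "iot-to-lan blocked:" prefix after loading this; a device on the IoT VLAN probing the main LAN is exactly the kind of behavior the monitor above is meant to surface.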

When I initially purchased the Google mesh system, I read the fine print.  And while Google does not appear to be particularly trustworthy, the initial language stated they would not monitor the network.  Since then, Google has added features and possibly removed features that are now only available to you if you allow them to monitor your network.  I've declined and these devices will soon be off the network, replaced by something I can trust.

I understand the need for a company like Facebook to turn YOU into the product and monetize your data.  That said, I have a hard time when I'm paying for the device and I'm somehow still the product.  I have an original Echo for which I paid $200.  I think the Nest thermostats were similarly priced.  Seems like that is a fair price for keeping my privacy but apparently not. 

I have a feeling that in the very near future we're going to see methods for blocking or interfering with this unwanted outbound traffic.  Seems like you could blackhole this DNS traffic but given the amount of attention with these devices, someone smart will come up with a clever solution.  Or we're doomed -- could go either way.