IoT devices send user data to third-parties including Netflix, Microsoft, and Google

• 56 % of the US IoT devices and 83.8 % of the UK devices are exposing information to third-parties.
• The most common data shared by IoT devices to third-parties include location data and IP addresses.

What was the study about?

Researchers from Northeastern University and Imperial College London have examined 81 Internet of Things (IoT) devices in the US and UK, including TVs, smart home hubs, smart speakers, doorbells, and appliances.

The researchers analyzed Smart TVs from popular vendors such as Samsung, LG, Phillips, etc as well as streaming devices such as Apple TV, Amazon's FireTV and Roku.

What did they find?

The analysis revealed that 71 out of 81 devices send user information to third parties including Netflix, Spotify, Microsoft, Akamai, and Google.

• 56 % of the US IoT devices and 83.8 % of the UK devices are exposing information to third-parties.
• The most common data shared by IoT devices to third-parties include location data and IP addresses.
• Almost all the smart TVs included in the study were found to share user data with Netflix.
• Almost all IoT devices expose information to network eavesdroppers via at least one plaintext flow.
• User and device behavior including user interactions with television sets and other household IoT products can be easily inferred by an eavesdropper via the traffic from at least 30 IoT devices.
• Video doorbells send video recordings to its service provider based on movement sensors.

“We analyzed both unencrypted and encrypted content in this section. First, we found very limited sensitive or personal information exposed in plaintext—a welcome observation given the sensitivity of data potentially exposed by such devices. Second, we found that even when devices use encryption, the timing patterns of their network traffic permits reliable identification of the interactions that caused the network traffic. Put another way, an eavesdropper can reliably learn a user’s interactions with a device across a wide range of categories, opening the potential for profiling and other

privacy-invasive techniques,” researchers said in a paper titled ‘Information Exposure From Consumer IoT Devices’.