Connecting the Dots: Tracing Data Endpoints in IoT Devices

Authors: Md Jakaria (North Carolina State University), Danny Yuxing Huang (New York University), Anupam Das (North Carolina State University)

Volume: 2024
Issue: 3
Pages: 495–522
DOI: https://doi.org/10.56553/popets-2024-0090

Artifact: Available

Download PDF

Abstract: Smart home devices are constantly exchanging data with a variety of remote endpoints. This data encompasses diverse information, from device operation and status to sensitive user information like behavioral usage patterns. However, there is a lack of transparency regarding where such data goes and with whom it is potentially shared. This paper investigates the diverse endpoints that smart home Internet-of-Things (IoT) devices contact to better understand and reason about the IoT backend infrastructure, thereby providing insights into potential data privacy risks. We analyze data from 5,413 users and 25,123 IoT devices using the IoT Inspector, an open-source application allowing users to monitor traffic from smart home devices on their networks. First, we develop semi-automated techniques to map remote endpoints to organizations and their business types to shed light on their potential relationships with IoT end products. We discover that IoT devices contact more third or support-party domains than first-party domains. We also see that the distribution of contacted endpoints varies based on the user's location and across vendors manufacturing similar functional devices, where some devices are more exposed to third parties than others. Our analysis also reveals the major organizations providing backend support for IoT smart devices and provides insights into the temporal evolution of cross-border data-sharing practices.

Keywords: Internet of Things, network traffic analysis

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.