Frequently Asked Questions
You are being invited to take part in a research study. Before you decide to participate in this study, it is important that you understand why the research is being done and what it will involve. Please take the time to read the following information carefully. Please ask the researchers if there is anything that is not clear or if you need more information.
To read more about how we collect your data, scroll down using this link.
Update 15 August 2023: We are still updating this FAQ. Please bear with us as we port the previous version of the FAQ here.
Many people use smart-home devices, also known as the Internet-of-Things (IoT), in their daily lives, ranging from bulbs, plugs, and sensors, to TVs and kitchen appliances. To a large extent, these devices enrich the lives of many users. At the same time, they may bring negative impact to their owners.
- Security and privacy risks. Many IoT devices are designed with poor security practices, such as using hard-coded passwords, lack of strong authentication, and not running updates. Devices may be hacked, and an attacker could potentially control the devices or steal sensitive information of the user.
- Performance risks. A user may have a large number of IoT devices in his/her home. Together, these devices compete for limited bandwidth, which may degrade the overall performance of the home network.
Our goal is to measure and visualize these risks, both for research and for the user. To this end, we release IoT Inspector — an open-source software that you can download to inspect your home network and identify any privacy, security, and performance problems associated with your IoT devices.
IoT Inspector is a Windows/Linux/Mac application that you can run on laptops and desktops, but not on tablets or smartphones. By using a technique known as “ARP spoofing,” this software monitors network activities of all IoT devices connected to the home network (e.g., your “smart” appliances). It collects and shows you the following information:
- who the IoT device contacts on the Internet, and whether the contacted party is malicious or is known to track users
- how much data is exchanged (in terms of bytes per second) between the device and the contacted parties
- how often the data is exchanged
IoT Inspector collects and sends the information above to the researchers only when it is running — until the user terminates or uninstalls IoT Inspector.
Note that IoT Inspector does not collect the following information:
- network activities of phones, computers, or tablets
- actual contents of communication
- any personally identifiable information, such as your home network’s IP address, the MAC addresses of your devices, your name and email
Also note that IoT Inspector is not intended to replace existing security software packages on your system, such as Avast, McAfee, or Windows Defender. You are still strongly recommended to engage in secure computing practices, e.g., running regular system updates, not reusing passwords, enabling firewalls, and running well-known security software.
Yes, you're right. When IoT Inspector was first launched, the lead developer, Danny Y. Huang, was a postdoctoral fellow at Princeton University. He has since moved to New York University (about 2 hours' drive away) to join the faculty there. Hence we have dropped the name "Princeton". It's the same project with the same team.
IoT Inspector aims to provide you with transparency into your IoT devices, e.g.,
- whether your IoT device is sharing your information with third parties;
- whether your IoT device is hacked (for instance, engaged in DDoS attacks);
- or whether your IoT device is slowing down your home network.
Aside from offering the above benefits, IoT Inspector also collects confidential data that helps us with IoT research — specifically, measuring and mitigating the security, privacy, and performance problems of IoT devices. For more information about our research, visit https://iotinspector.org/.
For each IoT device on your network, IoT Inspector will collect the following information and send it to our secure server at New York University:
- Device manufacturers, based on the first 6 characters of the MAC address of each device on your network
- DNS requests and responses.
- Destination IP addresses and ports contacted — but not your public-facing IP address (i.e., one that your ISP assigns to you).
- Scrambled MAC addresses (i.e., with a salted hash).
- Aggregate traffic statistics — i.e., number of bytes sent and received over a period of time.
- Names of devices on your network. We collect this information from the following sources:
  - Your manual input — i.e., you can tell us what devices you have.
  - User Agent string — i.e., a short text (typically fewer than 100 characters) that your IoT device sends to the Internet that announces what type of device it is. This text does not typically include any personally identifiable information. For example, if you have a Samsung Smart TV, the User Agent string might look like “Mozilla/5.0 (Linux; Tizen 2.3) AppleWebKit/538.1 (KHTML, like Gecko)Version/2.3 TV Safari/538.1”.
  - SSDP messages — i.e., a short message (typically fewer than 100 characters) that your IoT device announces to the entire home network which includes its name. Again, this text does not typically include any personally identifiable information. For instance, if you have a Google Chromecast, it typically announces itself as “google_cast” or “Chromecast” via SSDP.
  - DHCP hostnames — i.e., a short text (typically fewer than 100 characters) that your IoT device announces to the entire home network which includes its name. Similarly, this text does not typically include any personally identifiable information. For example, a Wemo smart plug typically announces itself as “wemo” via DHCP.
  - (We collect from the sources above because some IoT devices may use none or some of the sources above for self-identification.)
- TLS handshake — i.e., a short piece of data (typically fewer than 3,000 characters) that your IoT device sends to the Internet in order to establish a secure connection.
  - This text does not typically include any personally identifiable information.
  - We use this data to identify potentially vulnerable IoT devices — for instance, because they are using an outdated or insecure encryption function, in which case we notify the user of the risks of using the device.
For exact details of how we collect these data, see the source code: https://github.com/nyu-mlab/iot-inspector-client/blob/master/core/data_donation.py
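To make the first and fourth items in the list above concrete, here is an added example (not IoT Inspector's own code) that reduces a MAC address to a manufacturer prefix plus a salted hash. The function names, the use of HMAC-SHA-256 as the salted hash, the 16-character truncation and the per-installation salt are assumptions made for illustration; the sample addresses are constructed.

```python
import hashlib
import hmac
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex characters, or raise ValueError."""
    compact = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not _HEX12.fullmatch(compact):
        raise ValueError(f"not a MAC address: {mac!r}")
    return compact


def pseudonymize(mac: str, install_salt: bytes) -> dict:
    """Reduce a MAC address to a vendor prefix and a salted identifier."""
    compact = normalize_mac(mac)
    first_octet = int(compact[:2], 16)
    # Locally administered (randomized) addresses carry no vendor prefix,
    # so the first 6 characters say nothing about the manufacturer.
    oui = None if first_octet & 0x02 else compact[:6]
    # Keyed hash of the full address. Assumption: HMAC-SHA-256 stands in
    # for the page's "salted hash", with a salt that never leaves the host.
    digest = hmac.new(install_salt, compact.encode("ascii"), hashlib.sha256)
    return {"oui": oui, "device_id": digest.hexdigest()[:16]}


if __name__ == "__main__":
    import secrets

    salt = secrets.token_bytes(32)  # hypothetical per-installation secret
    # Constructed sample addresses: one vendor-assigned, one randomized.
    for sample in ("B8:27:EB:12:34:56", "da-a1-19-00-00-01"):
        print(sample, pseudonymize(sample, salt))
```

The salt matters because the manufacturer prefix is sent in the clear: without a secret salt, only the remaining 24 bits of the address would need to be enumerated to reverse the hash.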
Note that IoT Inspector will collect the traffic of all IoT devices connected to your home network while IoT Inspector is in operation. Examples of IoT devices that IoT Inspector can analyze include (but are not limited to): Google Home, Amazon Echo, security cameras, smart TVs, and smart plugs. Computers, tablets, or phones will be automatically excluded. You can also manually exclude devices by either powering them down while setting up IoT Inspector, or specifying their MAC addresses.
If you do not want IoT Inspector to collect data from a particular IoT device (e.g., because it collects sensitive medical information), please disconnect it from the network now, before you start running IoT Inspector. If you are unable to disconnect it (e.g., because you need to keep the device running, or because you do not know how to disconnect it), you cannot use IoT Inspector.
We make sure that all data collected is confidential.
- Privacy: IoT Inspector only collects the information above. It does not collect any personally identifiable information, such as your location or IP address. As a result, we are unable to infer what IoT devices a specific person owns. We will keep the data confidential within the limits of the law.
- Security: All data collected from your IoT devices is stored on a secure server at New York University. IoT Inspector transmits data to our server over a secure channel, i.e., HTTPS.
As a result of our privacy and security practices, no one has access to the collected data except us. Even so, we are unable to infer what IoT devices you own, and what you do with your devices.
(In case you're curious, each user is identified by a unique ID, generated at random when the user first runs IoT Inspector. That's how we distinguish between individual users.)
Despite all the effort above, can a user still accidentally send sensitive information to the researchers?
We could potentially gather three sources of sensitive information:
- A user could enter their name as a part of the device's name (e.g., "Danny's Chromecast"). We warn users on the UI to avoid entering their names. See the screenshot below.
- IoT Inspector automatically scans the network to guess likely identities of devices on the network. A part of this scan uses SSDP/mDNS, which is a way for devices to announce their identities to their network. Sometimes, a device's own announcement may contain private information. For instance, a Chromecast may announce its name along with the video you're streaming on YouTube.
- IoT Inspector also parses DHCP Request packets that devices broadcast to the entire network, as a part of the effort to identify devices. These packets may contain sensitive information as well. For instance, an iPhone's DHCP Request packets may say "Danny's iPhone".
Why don't you ask volunteers to run tcpdump or Wireshark themselves and have them share the pcap files?
A few reasons:
- Not everyone knows how to set up a wireless network and run tcpdump or wireshark.
- Even if a person knows how to do this, giving us the pcap files actually has more privacy issues than our current setup:
  - The pcap file may include non-IoT devices on the same network.
  - The pcap file contains more information than we need; in particular, it may contain packet payload, where, for instance, we may be able to find your password sent from your browser window (if sent over plain HTTP).
A few reasons:
- Research. We are not aware of any open-source datasets for IoT research at this point; that's why we're building such a dataset through the IoT Inspector project, where we collect labelled data from real IoT devices in the wild (as opposed to in the lab). This dataset would allow us, as well as other academic researchers, to understand the security and privacy issues today and fix these problems in the near future.
- Crowd intelligence. To provide each user with more relevant information about their IoT devices, IoT Inspector actually analyzes the data from all users.
  Here's one example. Suppose User A's device makes a connection to IP address 1.2.3.4, but IoT Inspector does not know the identity of this IP address (e.g., because it failed to observe the corresponding DNS packet). If User B's device resolves iot.example.com as 1.2.3.4, IoT Inspector can then use this information to tell User A that User A's device potentially contacted iot.example.com.
You say you don't collect any user's IP addresses, but I see that you're using Leadpages and Statcounter on your main website. What's going on?
Our main website, https://iotinspector.org/, is separate from our tool, IoT Inspector (https://dashboard.iotinspector.org/).
We built the website using Leadpages, which may log individual visitors' IP addresses per their privacy policy. We don't have access to this information.
Also, we use StatCounter to keep track of visitors to our main website (again, not the IoT Inspector tool at https://dashboard.iotinspector.org/), so that we have some rough ideas of where the traffic is coming from (e.g., referrer and visitor locations). For our StatCounter account, we are using the free tier, which means we only have data for the latest 500 visitors. Also, we have configured StatCounter to remove the last number of each visitor's IP address; for instance, if a visitor's actual IP address is 1.2.3.4, the StatCounter log only shows 1.2.3.??.
We will release our findings in a journal/conference publication. When a consumer is unsure whether to buy a new IoT device, she can read our paper before making a decision if the device of interest is in our dataset. Otherwise, the consumer can always buy the product, analyze it with IoT Inspector, and return it if the results are unsatisfactory.
Furthermore, we will publish the results of our study in a more publicly accessible form on our center’s official blog (Freedom to Tinker, https://freedom-to-tinker.com/). This will help disseminate findings to the public.
A potential benefit of our study is to provide more transparency about privacy, security and performance issues regarding IoT devices. We expect the increased transparency to encourage vendors to manufacture more private, secure and performant devices, which is a net gain for society as a whole.
Our goal is to balance reproducibility and privacy. In particular, we should retain the data long enough for any external researchers to challenge our findings, but not too long such that the data is forgotten or breached.
As such, we have decided to retain the data on our server at New York University for as long as there is an active IRB-approved project or publication using the data. If there is no active IRB-approved project or publication for more than a year, we will delete the dataset. During this data-retention period, any researchers, with the approval of their respective institutional review boards, would have the opportunity to request our dataset, reproduce our results, and verify our findings.
Yes, but they would have to get the approval from the Institutional Review Board (IRB) from NYU and/or their respective institutions first (which typically require the researchers to undergo IRB/ethics training).
Once the non-NYU researchers have the approval, they will have full access to the data. Even if these researchers were to turn rogue, it is unlikely that they'd be able to infer individual users' real-world identities; see this question.
No.
In order to collect network traffic without significant user intervention, IoT Inspector uses a technique known as "ARP spoofing", which could appear as malicious to some anti-virus products. Additionally, certain behaviors of IoT Inspector, such as updating itself through a Windows batch file, could also appear as malicious to some anti-virus products.
We have no intention of causing harm to users, and we do our best to protect their security and privacy. We are a group of academic researchers interested in building a consumer-facing tool to help everyone understand IoT security and privacy, as well as producing academic research papers without any commercial interest.
You are welcome to inspect our source code and compile it on your own; after all, IoT Inspector is written in pure Python 3. Feel free to reach out to us if you ever have any questions.
Performance degradation: Running IoT Inspector may reduce your network performance. If you are doing latency-sensitive activities, such as playing video games or holding video chats, we recommend that you turn off IoT Inspector. In fact, some of our users complained that IoT Inspector brought down their entire network; if this happens, stop IoT Inspector and reboot your router. Furthermore, IoT Inspector is experimental software provided “as is”; we have not comprehensively tested IoT Inspector on all IoT devices or with all possible configurations. As a result, it may fail to work and disconnect your home devices. In this case, simply turning off IoT Inspector and rebooting your home router would likely solve the issues. If you have any critical medical devices, for instance, we suggest you exclude such devices from IoT Inspector or withdraw from the study.
Data breach: In the unlikely event that our secure server is compromised, an attacker will have access to this form and the collected data. However, the attacker will be unable to infer what IoT devices you own (because the attacker would not know the real-world identities behind each device), and what you do with your devices.
Best-effort support: We will regularly maintain and update the software (e.g., fixing bugs) whenever necessary. In case of questions, we try our best to respond to email inquiries within 24 hours during weekdays. However, we do not guarantee long-term support of the software. Also, we do not guarantee we will answer everyone’s questions if our capacity reaches a certain limit. In the event that IoT Inspector disrupts the normal functionality of your network, simply turn off IoT Inspector.
A domain name that ends with a question mark "?" means that we are not confident in the result. One reason is that IoT Inspector has failed to observe any DNS traffic on the monitored device; this DNS traffic would otherwise help IoT Inspector identify exactly what domain name the device contacts.
As such, if your device appears to be communicating with a strange domain marked with "?", do not panic. After all, IoT Inspector could have made a mistake here!
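The sketch below is an added example (not IoT Inspector's own code) that ties the "?" marker to the crowd-intelligence case described earlier in this FAQ, where User B's DNS data is used to label User A's connection to 1.2.3.4. The class and method names are hypothetical, and it assumes, for illustration only, that a name inferred from other users' DNS data is the kind of result displayed with a trailing "?".

```python
from collections import defaultdict


class CrowdResolver:
    """Label destination IPs using a user's own DNS data, then the crowd's."""

    def __init__(self):
        # user_id -> ip -> hostnames seen in that user's own DNS responses
        self._own = defaultdict(lambda: defaultdict(set))
        # ip -> hostname -> user_ids that reported this mapping
        self._crowd = defaultdict(lambda: defaultdict(set))

    def observe_dns(self, user_id, hostname, ip):
        """Record one DNS answer (hostname resolved to ip) seen by user_id."""
        hostname = hostname.rstrip(".").lower()
        self._own[user_id][ip].add(hostname)
        self._crowd[ip][hostname].add(user_id)

    def label_flow(self, user_id, ip):
        """Return a display name for a connection from user_id to ip."""
        own = self._own.get(user_id, {}).get(ip, set())
        if len(own) == 1:
            # The device's own DNS lookup was observed: confident result.
            return next(iter(own))
        votes = self._crowd.get(ip, {})
        if not votes:
            # Nobody has resolved this address: show the bare IP.
            return ip
        # Several names can share one IP (e.g. shared hosting), so pick the
        # name reported by the most users, ties broken alphabetically, and
        # mark it as a guess.
        best = min(votes, key=lambda h: (-len(votes[h]), h))
        return best + "?"


if __name__ == "__main__":
    resolver = CrowdResolver()
    # Constructed observations using the addresses from the FAQ's example.
    resolver.observe_dns("user-b", "iot.example.com", "1.2.3.4")
    print(resolver.label_flow("user-a", "1.2.3.4"))  # inferred from User B
    print(resolver.label_flow("user-b", "1.2.3.4"))  # User B's own lookup
```

Because unrelated services can sit behind the same address, a crowd-inferred name is a hint about the destination rather than evidence of it, which is why the guess stays marked.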
Possible reasons (starting from the most likely reasons):
- It takes some time for IoT Inspector to discover your devices. Just wait for the list to refresh itself.
- Maybe your device is offline or in a sleep mode. Try to interact with your device, e.g.,
  - turning it off and then on
  - interacting with the associated smart phone app (if the device comes with a control app)
- Your device is in the list; you just don't recognize it. You can check if the IP and MAC addresses in the list correspond to those of your device.
More info to come here, but the main developer is Prof. Danny Y. Huang (https://engineering.nyu.edu/faculty/danny-yuxing-huang) and his team.
- Ask in our Discussion Board
- Email iot-inspector-study@nyu.edu
- Sign up for our mailing list to receive updates