How much does your smart home know about you? That was the question that Charles Givre, a data scientist at Booz Allen Hamilton, set out to answer in a recent experiment. Givre has an account on Wink, a platform designed to control, from a single screen, his Internet-connected home devices, such as door locks, window shades and LED lights. He wanted to learn what could be learned from his usage behavior. It turned out it was a little too much.
Last week, at a big data conference in New York, Givre presented his results. By accessing his Wink account, he (or anyone with his login information) could identify his social media accounts, the names of his devices (like “Charles’s iPad”) and his network information. An app that monitors his grill’s propane tank recorded the tank’s latitude and longitude, thus revealing the exact location of his house. From his Nest thermostat, he could figure out when his house was occupied and when it was not.
The goal of his experiment, Givre said, was not to demonstrate security flaws in his devices, but to document the wealth of information that they amass through everyday use. To access his usage history, some accounts required verification keys; others only asked for Givre’s email address and password. He wrote programs to “ping” his devices to gather new information about what was going on in his home in real time, and to find patterns there. He noted that his smart devices seemed to transmit information securely on its way to the companies’ servers, “but most of the interesting stuff was in the cloud anyway.”
As the trend toward networked “smart homes” and “connected cars” continues, security precautions are more important than ever. The Federal Trade Commission put out a report this year with best practices about how companies should notify their customers about data retention. Device makers say that customers can opt in or out of sharing their personal information with developers and third-party apps. But customers may not always be aware of just how much information their devices are collecting about them in the first place.
The account for Givre’s “Automatic” device, which plugs into his car and tracks its trips and performance, included his car’s vehicle identification number (VIN), with which accident and ownership history is easily accessible. He had also hooked his Automatic account to the web-based service IFTTT (“If This Then That”), which connects smart devices with shortcuts and triggers like “when the ‘Automatic’ device senses my car is home, turn on the lights.”
Interconnectedness, while convenient, is a trade-off. This portion of the experiment demonstrated how someone could “leapfrog” from one less-secure account to other accounts with more sensitive information. IFTTT collected his individual car trips in spreadsheets—including times, locations and even the exact routes he had taken—and protected this information only with an email address and password.
“If you were to start aggregating this over time, you could get a frighteningly accurate picture of pretty much where I am at any given time of day,” Givre said.
In fact, this data could also help build a character profile of someone. At the conference, Givre showed a graph of his car-trip frequencies by day of the week; there was a noticeable lack of activity on Saturdays. Why could that be? “I don’t roll on Shabbos,” Givre said, quoting “The Big Lebowski.”
When asked about Givre’s findings this week, a spokesperson from Wink emphasized that each customer can only access his or her own account information. “Users should not share their passwords with others or grant access to untrusted applications,” he wrote. A spokesperson from Nest wrote, “Customers have complete control” over what types of information developers would have access to, “and can stop sharing at any time.”
Buckley Slender-White, a spokesperson from Automatic, said Givre’s car’s VIN was only accessible to the app because Givre had opted to share it. As to Automatic’s sending his car trip information to IFTTT, Slender-White said, “importantly — that data is only accessible to the user and any app that they explicitly grant permission to.” Wink, Nest and Automatic address security and privacy concerns on their websites and suggest best practices to keep account information safe. (Attempts to reach the grilling app and IFTTT were unsuccessful.)
Smart home devices are part of an industry called the Internet of Things, which attaches data-collecting sensors to objects in order to track, measure or remote-control them. While the technology involved is not new, the industry is still young. Last summer, Ben Kaufman, the founder of Wink’s former parent company Quirky, told The New York Times that the Internet of Things is “still for hackers, early adopters and rich people.” But the industry continues to grow. “I think consumers need to understand that their relationship with their devices is fundamentally going to change,” Givre said.
–Lauren Kirchner, ProPublica
Sherry E says
Actually. . . your smart TV could be watching you and doing much the same data collecting. . . YES, “Big Brother” could be in your living room. . . check it out. . . this from CNN:
When we tried to fight Smart Meters, folks here were ridiculed for that, while others in California have seen unexplained fires and robberies. Big Brother is winning too many of these disputes.
Maybe people shouldn’t use so many of these “smart” devices and apps that can remotely control things. The more people put their personal info out there, the more vulnerable they make themselves to people who are up to no good. It amazes me how many people carry around their whole life’s personal info on their smart phones. If they lose the phone or someone steals it—good luck.
That is a good reason for not doing banking online or from smart phone or filling out IRS forms online–it can be hacked more and more easily these days.
Sherry E says
I’m paying an extra fee every month to help keep a meter reader employed as well as keeping my privacy and my family healthier. NO Smart Meters!
Many of us are paying extra just like you, Sherry. But it didn’t stop local politicians, and media from ridiculing us.
You are so right Layla! It’s all about maximizing profits over American jobs and our citizens’ health and privacy.
Just look at the next maneuver in which FPL wants the tax payers to pay for moving their poles. I say, put them underground through culverts. . . just like water and sewerage. . . and NOT at taxpayer expense. Good luck with that one!