IoT devices often identify themselves voluntarily, usually by connecting to specific domains or URLs. Even if they didn’t, there are simple ways of profiling them based on observation and some known data.
It’s certainly true that encryption is on the rise online. Data from Mozilla, the company behind the popular Firefox browser, shows that more than half of web pages use HTTPS, the standard way of encrypting web traffic.
When sites like The Atlantic use HTTPS, a lock icon appears in users’ web browsers, indicating that the information being sent to and from servers is scrambled and can’t be read by a third party that intercepts it—that includes ISPs.
But even if 100 percent of the web were encrypted, ISPs would still be able to extract a surprising amount of detailed information about their customers’ virtual comings and goings. This is particularly significant in light of a bill that passed Congress this week, which granted the lobby group’s wish: It allows ISPs to sell their customers’ private browsing history without their consent.
By watching various smart switches, the ISP can see when certain devices are in use: the TV, the space heater, the light in the basement, the garage door.
By watching the IP security camera traffic, the ISP can see when the camera detects motion, when the user is tuned in to watch their home from afar or when they check archived footage.
And if a handful of academics can do it, you better believe a major ISP could — though of course they’ll tell you they won’t. Doesn’t matter, they can collect this stuff and sell it without telling you, since Congress zapped the FCC’s privacy protections. The researchers note this in the paper, in fact.
But don’t worry, there’s actually a pretty good solution! The team found that by transmitting the IoT data through a central hub (e.g. a router with a little custom software), they could effectively camouflage it by transmitting a trickle of junk data at all times. This traffic shaping, as it’s called, doesn’t prevent the devices from working (many of them worked surprisingly well with artificially slowed connections), but it does make it hard for an attacker to tell signal from noise.