Your Internet of Things Speaks Volumes About You

If Marv and Harry were burglars today, they might find it much easier to case houses, and perhaps even to work out which ones belong to technically inclined kids, by capitalizing on the privacy weakness that [Luc Volders] has noticed on ThingSpeak.

ThingSpeak is an IoT data service: a device such as an ESP8266 posts readings to a channel, ThingSpeak graphs them, and if the channel is public anyone on the Internet can view them. Some of you may already see where this is going. While [Volders] was using the service for testing, he realized that anyone could read the temperature of his man cave, and since the channel's location data was also public, infer when the house was vacant. A little sleuthing turned up several other channels with temperature readings, or other data tied to a location, that someone with nefarious intent could abuse.

This is not a vulnerability in the software as such, but [Volders] rightly observes that you must check the privacy settings whenever you use an online IoT service: keep a channel private unless you have a reason to share it, and do not attach a location to data that reveals whether anyone is home. For all the usefulness of IoT inter-connectivity, always be aware of the downsides and take steps to mitigate them.
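To make the inference concrete, here is an added example (written for this page, not code from the original post or from [Volders]' project) of what a casual observer can extract from one public temperature channel. ThingSpeak serves a public channel's readings from its read API (`https://api.thingspeak.com/channels/<id>/feeds.json`); the example works offline on a constructed document whose shape (a `channel` object with optional `latitude`/`longitude`, plus a `feeds` list of timestamped field strings) follows that response format as I understand it. The readings, channel id, name and coordinates are all invented. The script pulls the location if the owner supplied one and flags long, low, flat stretches of temperature as likely thermostat setbacks, that is, nobody home.

```python
import json
from datetime import datetime, timedelta


def build_sample_feed(with_location=True):
    """Constructed sample, NOT real data: hourly readings for three days with a
    36-hour thermostat setback in the middle while the household is away."""
    start = datetime(2016, 3, 1, 0, 0)
    feeds = []
    for hour in range(72):
        away = 32 <= hour < 68                 # hours 32..67: nobody home, heating set back
        base = 16.0 if away else 21.0
        wobble = (0.3, -0.2, 0.1)[hour % 3]    # deterministic jitter so the trace is not flat
        feeds.append({
            "created_at": (start + timedelta(hours=hour)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "entry_id": hour + 1,
            "field1": "%.1f" % (base + wobble),
        })
    channel = {"id": 12345, "name": "man cave", "field1": "temperature"}  # invented id/name
    if with_location:                          # location is optional and owner-supplied
        channel["latitude"] = "51.5"           # invented coordinates
        channel["longitude"] = "5.1"
    return json.dumps({"channel": channel, "feeds": feeds})


def parse_feed(raw_json, field="field1"):
    """Return (location_or_None, [(timestamp, celsius), ...]) from a feed document."""
    doc = json.loads(raw_json)
    ch = doc.get("channel", {})
    location = None
    if ch.get("latitude") and ch.get("longitude"):
        location = (float(ch["latitude"]), float(ch["longitude"]))
    readings = []
    for entry in doc.get("feeds", []):
        value = entry.get(field)
        if value in (None, ""):                # missing field values are left empty
            continue
        ts = datetime.strptime(entry["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        readings.append((ts, float(value)))
    readings.sort()
    return location, readings


def _flush(run, windows, min_hours):
    """Record a below-threshold run if it lasted at least min_hours."""
    if run and run[-1] - run[0] >= timedelta(hours=min_hours):
        windows.append((run[0].isoformat(), run[-1].isoformat()))


def find_setback_windows(readings, threshold_c=18.0, min_hours=12):
    """Find stretches where every reading stayed below threshold_c for at least
    min_hours. A long, low, flat run is the signature of a thermostat setback,
    i.e. an empty house; short dips (a window opened) are ignored."""
    windows, run = [], []
    for ts, temp in readings:
        if temp < threshold_c:
            run.append(ts)
            continue
        _flush(run, windows, min_hours)
        run = []
    _flush(run, windows, min_hours)
    return windows


def profile_channel(raw_json):
    """What an observer learns from one public channel: where it is, and when
    the place looked empty."""
    location, readings = parse_feed(raw_json)
    return {
        "location": location,
        "readings": len(readings),
        "vacant_windows": find_setback_windows(readings),
    }


if __name__ == "__main__":
    for with_loc in (True, False):
        print(profile_channel(build_sample_feed(with_location=with_loc)))
```

Run on the sample with a location, the profile reports the coordinates and a single vacant window from the morning of day two to the evening of day three; without a location the same temperature pattern is visible but unanchored, which is why omitting the optional coordinates (and keeping the channel private in the first place) is the practical mitigation.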

29 thoughts on “Your Internet of Things Speaks Volumes About You”

    1. I agree this is boy with a hammer taken to the limit. While I can see some utility with this degree of fine control in some business/institutional situations, it is simply overkill for a private dwelling.

    2. It’s not needless. The internet connected part comes from benefits of remote access and a logging service. For the most part I think there’s a desperate need for an easy to setup home of things alternative to what we are doing today, but really the problem is that nothing is universal. Most companies provide something proprietary and that drives users to put it on the internet without actually having to.

      1. Remote access should be minimized and logging should be done locally. On a FruitPi like device if you do not want to waste the power with a continuously running PC. Or perhaps with some application on an OpenWRT based router or a tablet computer.
        This is just not the kind of data I want in the hands of general public or a third party service provider.

  1. This is a variation on the old wireless power meter issue where reading the signal of the meters, and doing a bit of radio finding work, will let you profile a given house’s activity level which you can then use for criminal purposes.

    All the sensors on your mobile phone are a more generalised form of this threat.

  2. Having data remotely accessible does have its advantages for some people. Unfortunately to do it easily usually means lack of security. It’s not often at the forefront of your mind that what data I’m looking at in the privacy of my office can also be seen by anybody else – it’s kind of like you’re in your house at night with the lights turned on. You can see clearly everything inside and nothing outside and in your mind you are in a private place but so totally oblivious to the fact anyone outside can see straight in.

    Keeping security/privacy at the front of your mind is somewhat difficult when you’re focused on developing a cool project for your personal gratification.

  3. With the amount of data we are talking about, the Internet seems unsafe overkill. Why not a dialup modem or SMS? The most important data would not take more than a few kB, maybe more with some light crypto and a simply obscure format.

  4. IOT devices are usually good for people who travel. Got to the airport and forgot to turn down your thermostat.. no problem log in and turn it down. The issue of boy with a hammer comes in on things like toasters and refrigerators with forced cloud connectivity. Every IOT device should be able to operate in a stand alone fashion with an option for local cleartext protocol or over an SSL connection with proper documentation. I don’t buy devices that don’t fall into this category. That way security of the devices is totally up to the end user.

  5. In my experience, you have to explicitly provide lat/lon to the ThingSpeak channel, so it’s pretty easy to remain anonymous, location-wise. ThingSpeak does NOT use the uploading IP address to get location. So in fact in the example above the person creating the “channel” went out of his way to give his location (or perhaps gave a bogus one?)

    1. You are correct. ThingSpeak channels have to be specified as public and location data is optional. Most channels are private. In some cases like our weather station, we are deliberately sharing the channel publicly so others can use the data in weather data analytics.

  6. Is it only me or is this the poorest/quickest/emptiest article ever written for hackaday? Jesus Christ, I do understand the point of it (“privacy”) but a 174-word piece can’t even be considered eligible for “hackaday article”, right?

    1. Why do so many feel the need to whine about the purported “quality” of the articles that someone else wrote, and hackaday is publishing online for you to read for free?

      I still believe that this falls under the category of: “if you think you can do better, then go ahead and do it? No-one is stopping you.”

      It is far more helpful to use the comments section to discuss something actually relevant to the article. How to replace these insecure services with ones hosted locally? Or how to flash new firmware that uses ssh, or calls to a server over https. Or alternative solutions that may offer a secure service…

      1. Mr. Anon, that is exactly my point! Let me explain it to you: Hackaday often opens job positions for article writers, for anyone to apply (people like me and you). I have been flirting with the possibility of applying for the last two opportunities, but NEVER DID. Do you know why? I KNOW I WON’T BE ABLE TO KEEP THE BAR HIGH ENOUGH, so therefore I DO NOT APPLY. If one is going to write for hackaday, one has to understand the opportunity and responsibilities of the duty. That’s all.
