When your refrigerator knows too much about you

Our homes are full of appliances. And these devices are getting “smarter” all the time – that means they can do things their ancestors from analog times couldn’t. To take advantage of their benefits and make our lives easier, they almost always need internet access: for example, a smart thermostat can retrieve the weather forecast and be controlled remotely.

These devices are avid data collectors. Smart security cameras and smart assistants are ultimately cameras and microphones in our homes that collect video and audio information about our presence and activities. And by no means all devices are such obvious data octopuses. Smart vacuum cleaners recognize objects in the house and map every centimeter there. Smart lightbulbs that automatically adjust to the color of the television picture or light up in time when you’re listening to music can tell a tech-savvy spy what music you’re listening to.

As the “Internet of Things” (IoT) progresses, the number of smart devices will continue to increase and at the same time the amount of data they collect autonomously will increase – also because they share some of it with each other. There is already intelligent building technology that collects data about almost every step of the occupants and thus knows their sleeping times, media preferences and eating habits. Most manufacturers of smart home technology – at least in the US – do not disclose what data is collected, how it is collected and whether it is shared.

It is often said that data is the currency of the digital age. Data collected by smart home devices can be of interest to both companies and government agencies. The latter need not be about the paranoid machinations of an Orwellian surveillance state; for example, a state interest in such private data may also consist of solving a criminal case. When smart home devices are present at a crime scene, the data they capture can be invaluable to investigators.

This area, which is of course still in its infancy, is called IoT forensics. In the MIT Technology Review, journalist Tate Ryan-Mosley recently published an article on this subject, which is still largely neglected. She spoke with two experts: Mattia Epifani, a digital forensics analyst and instructor at SANS Institute who works with both law enforcement and private clients, and Steve Watson, founder of VTO Labs, a digital forensics lab based in the United States.

Police turn to Epifani when data needs to be extracted from an object. Usually these are smartphones or computers – devices that we know of course store data. But evidence of a crime can come from any source, Epifani says. As an example, he mentions an intelligent refrigerator from Samsung: it stores data internally, but also externally – in apps or in the cloud.

There, Epifani found “a veritable treasure trove of personal data,” as Ryan-Mosley writes. The list is impressive: information about Bluetooth devices near the refrigerator, Samsung user account details such as email addresses and home Wi-Fi networks, temperature and geolocation data, and hourly electricity consumption statistics.

The data also provided information about when a user played music through an iHeartRadio app. Epifani was even able to retrieve images of the shelves in the fridge taken by the device’s tiny internal camera. Incidentally, the refrigerator could store much more data if it were connected by the user to other Samsung devices via a central account.

Ryan-Mosley emphasizes that none of this is necessarily secret or hidden from buyers of this device. However, she did not expect that “a police officer – with a search warrant, of course – would be able to see my hungry face every time I opened my refrigerator for cheese if I was under investigation”.

For their data to be useful in criminal investigations, the devices don’t even have to be particularly sophisticated. Watson mentions a sea buoy whose circuit board has been examined by VTO Labs to look for possible data on the movements of drug smugglers. The experts found evidence of a satellite communications provider on the circuit board – and finally the account number of a smuggler.

Beyond the capabilities IoT devices provide law enforcement, the privacy and security risks associated with their use are compounded by the fact that many of these devices run outdated operating systems. This is because their users hardly ever think about updating them. Who would update their refrigerator?

Incidentally, VTO Labs’ Watson isn’t too concerned about government agencies or technology companies spying on IoT device users, writes Ryan-Mosley. He sees the problem more with data brokers who could collect such user data and sell it to interested companies. As an example, he mentions a smart bed that registers the user’s data, such as heart rate or sleep and wake times.

This data can be sold to an insurance company, which evaluates it and can deduce, for example, that the user suffers from sleep apnea. The result could be that his application for supplementary insurance is rejected without him knowing that it is his bed that has betrayed him. Such issues, according to Watson, will become even more pressing as IoT technology enters our lives. It is becoming increasingly difficult to control what and how much data is collected, where it goes, who ultimately gets their hands on it and what they do with it. (i.e)