Systematically Quantifying IoT Privacy Leakage in Mobile Networks

Privacy leakage of Internet of Things (IoT) has become a great challenge with the popularity of IoT services through mobile networks, such as smart homes, wearables, and healthcare. While previous work summarized general structures to analyze IoT privacy and provide case studies of specific devices or scenarios, it is still challenging to conduct a comprehensive and systematic quantification study of large-scale IoT privacy leakage in real world. To combine systematic analyses with real-world measurements, we provide a method to quantify IoT privacy leakage on a large-scale mobile network traffic data set containing 47651 IoT devices. We generate privacy fingerprints and attribute them to a privacy quantification framework. The framework is constructed based on the semantics of multiple privacy sensitive markers selected from the traffic along with the involved network entity types in IoT (i.e., user, device, and platform), and the fingerprints are generated from sensitive information extracted in the traffic via their markers. Our quantification shows that IoT users, devices, and platforms have considerable risks, respectively. Moreover, IoT devices have a larger scale of privacy leakage than users and platforms, and they perform different daily patterns on privacy leakage following their working conditions. In addition, we present three case studies on the leakage of location information, application calling, and voice service, which illustrate that a third party can profile a network entity in both cyberspace and physical space.

Automated summary

Privacy leakage of Internet of Things (IoT) has become a significant challenge as IoT services become more popular on mobile networks. While previous work has provided general structures for analyzing IoT privacy and case studies for specific devices or scenarios, conducting a comprehensive and systematic study of large-scale IoT privacy leakage in the real world remains challenging. Our method to quantify IoT privacy leakage on a large-scale mobile network traffic data set demonstrates considerable risks for IoT users, devices, and platforms respectively, and shows that IoT devices have a larger scale of privacy leakage than users and platforms, with different daily patterns of privacy leakage. Three case studies on location information, application calling, and voice service illustrate the ability of a third party to profile a network entity in both cyberspace and physical space.