We live in the glorious future that technophiles have long dreamed of. Almost everything can now connect to the internet: cameras, coffee pots, televisions, vacuums, toilets, children’s toys, sex toys. If you build it, a wireless connection will come for it. These smart devices are always on, always connected, and often up to more than you realise.
Last year, I bought a bunch of internet-connected objects—from a smart toothbrush to a smart bed—and then monitored my smart home to see what it got up to. The “glorious future” turned out to be more dystopic than a modern consumer would like: My smart TV was telling data brokers what I was watching, and my Echo was pinging Amazon’s servers every few minutes, regardless of whether I was using it or not.
After that story came out, we released the code for the tool I used to spy on my smart things, but it took some technical chops to set up. So I’m happy to report that researchers at Princeton University have developed a new, simple tool for monitoring the secret life of your smart devices, called the Princeton IoT Inspector.
I’ve road-tested it for the last couple of weeks, and it is incredibly easy to install and use. The trade-offs are that it only works on Mac for now, and, by using the tool, you will be sending data about your devices to a database at Princeton University so that this group of computer scientists can study smart homes in the wild. They plan to write an academic paper about their findings and to delete all the data they collected within a year after the paper is published.
The researchers, led by Danny Huang and Princeton professor Nick Feamster, have a thorough FAQ page that you should definitely read before installing the tool. It explains how the tool works (tl;dr: ARP spoofing, a technique usually employed by attackers to intercept traffic on a local network); exactly what data it collects (a lot!); what it doesn’t collect to try to protect users’ privacy (such as users’ IP addresses or the payload of packets); and how to keep from outing yourself as a research participant (you can label the devices to help you keep track of them, but if you do, don’t name your vacuum ‘Kashmir Hill’s Roomba’, and avoid connecting devices to the network that have your name in their hostname, such as ‘Kashmir Hill’s iPhone’).
After reading that page closely—and deciding you’re okay with being a smart home guinea pig—you can download the IoT Inspector from Princeton’s website.
The researchers didn’t try to get it into Apple’s App Store, because they were fairly certain that a tool designed to intercept the traffic on a person’s home network wouldn’t pass muster there. The tool hasn’t been subject to a security audit, but it is open source, so you can review the code behind it if you’re a code-reviewing type.
If you run the tool on your computer, it will first ask you in a browser window to sign a consent form to take part in Princeton’s research, and then it will start studying the traffic on your home network to identify all the devices connected to it. Then it will tell you, again in a browser window, how active those devices are and with whom they are communicating.
Beyond finding out what your smart home is up to, this would be a useful tool to employ when you rent an Airbnb to make sure there’s not a hidden camera secretly livestreaming your stay. Because that’s the world we now live in.
Once connected, the Inspector identifies the devices it’s seeing, based on what it already knows from devices that have been analysed by its handful of beta testers. For instance, on my network, it immediately recognised the Amazon Echo (yes, fuck, we still have that listening device in our home), but it couldn’t identify another device, telling me just that it was “hardware with Delta Electronics” components that was sending traffic to a generic Microsoft server at regular intervals.
When I inspected my network, I found a mystery device that was regularly accessing the internet. (Screenshot: Princeton IoT Inspector)
This device briefly had me mystified and a little alarmed. But then I started activating the various smart things in my home, and by looking at the activity as relayed to me by the tool, I figured out that it was my Behmor smart coffee pot. (Yeah, I’m that person.)
The tool will not analyse other computers or smartphones on the network unless you give it a full MAC address for that device, in the hopes that creepers don’t use the Inspector to spy on what their roommates or loved ones are doing.
Even though I did an in-depth story on the secret life of smart homes just last year, I was still surprised by some of the activity I was seeing. The tool told me about traffic that was being sent unencrypted or with weak encryption. And it showed my devices making surprising connections. For example, this is my Echo when I’m not using it:
The Amazon Echo, at rest (Screenshot: Princeton IoT Inspector)
When the tool sees your device making outside connections, it tries to figure out what service it’s talking to. This isn’t an exact science, because it doesn’t always know who an IP address belongs to, so you’ll see question marks next to some of the domain names to indicate that the researchers aren’t sure about the identification they’ve made. But my Echo is talking to 17 different domains every few minutes when it’s just sitting on my counter, unused.
“An Echo device maintains its network connection, including when the device has not detected the wake word and when the microphone off button is enabled,” said an Amazon spokesperson by email. “It does so to periodically contact Amazon’s servers to perform routine maintenance activities, like confirming an internet connection is available and downloading software updates, as well as to make sure the device can perform basic functions like keeping accurate time.”
Some of these strange connections it’s making reflect the oddity of how the communal internet works: many devices set their clocks by querying a cluster of volunteer-run time servers, called the NTP pool, so a device that looks like it is “talking to strangers” may simply be checking the time.
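As an added illustration (this is not the Inspector’s code, and nothing here comes from the article or from Princeton), the Python sketch below shows the kind of inference the preceding paragraphs describe: a vendor guess from the MAC prefix (the “hardware with Delta Electronics components” style of identification), a destination name taken from DNS answers seen on the wire with a “?” where only a guess is available, a flag on ports that carry traffic in the clear, an estimate of how regularly a device beacons to the same host, and an allowlist of MAC addresses like the one the tool uses before it will report on phones and laptops. The flow records, vendor prefixes, and hostnames are all constructed for the example; the OUI table is a stand-in, not the real IEEE registry.

```python
"""Offline sketch of what a home-network inspector infers from captured flows.

All data below is constructed for illustration. OUI_TABLE, DNS_ANSWERS and
PTR_GUESSES are assumptions standing in for the IEEE registry and a resolver.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Constructed flow records: (timestamp_s, src_mac, dst_ip, dst_port, transport)
FLOWS = [
    (0,   "aa:bb:cc:01:02:03", "52.0.0.10",      443,  "tcp"),
    (0,   "aa:bb:cc:01:02:03", "162.159.200.1",  123,  "udp"),
    (60,  "aa:bb:cc:01:02:03", "52.0.0.10",      443,  "tcp"),
    (120, "aa:bb:cc:01:02:03", "52.0.0.10",      443,  "tcp"),
    (180, "aa:bb:cc:01:02:03", "52.0.0.10",      443,  "tcp"),
    (5,   "dd:ee:ff:04:05:06", "40.0.0.7",       80,   "tcp"),
    (305, "dd:ee:ff:04:05:06", "40.0.0.7",       80,   "tcp"),
    (605, "dd:ee:ff:04:05:06", "40.0.0.7",       80,   "tcp"),
    (10,  "dd:ee:ff:04:05:06", "203.0.113.9",    8883, "tcp"),
]

# Illustrative vendor prefixes (first three octets). Assumption, not the real registry.
OUI_TABLE = {"aa:bb:cc": "ExampleVoice Inc.", "dd:ee:ff": "ExampleAppliance Co."}

# Hostnames observed in DNS answers on the wire (high confidence) versus
# reverse-lookup guesses (low confidence, shown with a trailing "?").
DNS_ANSWERS = {"52.0.0.10": "device-metrics.example-voice.com",
               "162.159.200.1": "0.pool.ntp.org"}
PTR_GUESSES = {"40.0.0.7": "something.cloudapp.example"}

# Ports whose default protocol carries payload in the clear.
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}


@dataclass
class Destination:
    name: str
    confident: bool
    port: int
    plaintext: Optional[str]
    contacts: int
    period_s: Optional[float]


def vendor_for(mac: str) -> str:
    """Vendor guess from the OUI (first three octets) of a MAC address."""
    return OUI_TABLE.get(mac.lower()[:8], "unknown vendor")


def resolve(ip: str):
    """Name an IP: DNS answer if we saw one, else a flagged guess."""
    if ip in DNS_ANSWERS:
        return DNS_ANSWERS[ip], True
    if ip in PTR_GUESSES:
        return PTR_GUESSES[ip] + " ?", False
    return ip + " ?", False


def estimate_period(timestamps) -> Optional[float]:
    """Median inter-contact gap if contacts are regular (every gap within 20% of it)."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if all(abs(g - med) <= 0.2 * med for g in gaps):
        return float(med)
    return None


def inspect(flows, only: Optional[set] = None) -> dict:
    """Per-device summary; `only` restricts reporting to an allowlist of MACs."""
    by_dev = defaultdict(lambda: defaultdict(list))
    for t, mac, ip, port, _proto in flows:
        if only is not None and mac not in only:
            continue
        by_dev[mac][(ip, port)].append(t)
    report = {}
    for mac, dests in by_dev.items():
        entries = []
        for (ip, port), times in dests.items():
            name, confident = resolve(ip)
            entries.append(Destination(name, confident, port,
                                       PLAINTEXT_PORTS.get(port),
                                       len(times), estimate_period(times)))
        report[mac] = {"vendor": vendor_for(mac), "destinations": entries}
    return report


if __name__ == "__main__":
    for mac, info in inspect(FLOWS).items():
        print(mac, info["vendor"])
        for d in info["destinations"]:
            print(f"  {d.name}:{d.port} x{d.contacts} "
                  f"period={d.period_s} plaintext={d.plaintext}")
```

The “?” suffix is the honest part: an IP that never appeared in a DNS answer can only be attributed by a reverse lookup or a WHOIS range, which is why the tool marks some identifications as uncertain. The period estimate is what turns “17 domains every few minutes” from an impression into a number you can ask a vendor about.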
Here’s my Google Chromecast when my daughter is watching Sesame Street via HBO Go on our Vizio Smart TV:
What the Chromecast is up to when my 2-year-old is watching Sesame Street (Screenshot: Princeton IoT Inspector)
One of the outside parties displayed there, Conviva, is a “video intelligence service” that helps optimise performance and video ad delivery. A Google spokesperson said that the content provider is responsible for this connection. HBO hasn’t yet responded to an enquiry about what role Conviva plays in my daughter’s TV-watching experience.
To turn off the tool, you have to press a “Stop Inspection and Logout” button in the browser window or close the browser window. If you see data being displayed that you don’t want in Princeton’s database, you can delete it via the “settings” option in that same browser window.
If you want to see the invisible activity in your home (or in your Airbnb), this is a nice option. Just know that, in order to see whether your devices are spying on you in unexpected ways, you’re letting researchers at Princeton spy on you, too.