Blocking Without Breaking: Identification and Mitigation of Non-Essential IoT Traffic

Mandalari, Anna Maria; Dubois, Daniel J.; Kolcun, Roman; Paracha, Muhammad Talha; Haddadi, Hamed; Choffnes, David

doi:10.2478/popets-2021-0075

Cited by 35 publications

(22 citation statements)

References 45 publications

(51 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A difference between our findings and the ones of the above works is that Amazon smart speakers in our study contact additional endpoints from Amazon, skills vendors, and third-parties that have never been reported before. For example, with respect to the endpoints reported in a 2021 study [72], we have observed 4 new Amazon domains (acsechocaptiveportal.com, amazon-dss.com, a2z.com, amazonalexa.com. ), 2 skills-specific endpoints (see skills row in Table 1) and 12 new third-party endpoints (see third party row in Table 1).…”

Section: Parallels With Other Iot Platformsmentioning

confidence: 93%

“…Having such interface unlocked for developers and auditors would reveal the actual data being shared. Another example of a possible user defense is to selectively block network traffic that is not essential for the skill to work (e.g., using an approach similar to [72]). TABLE 14: Endpoint organizations observed in the network traffic from skills run on the Amazon Echo: only 32 skills exhibit non-Amazon endpoints.…”

Section: Possible Defensesmentioning

confidence: 99%

“…Several IoT works have measured network traffic to detect data sharing. For example, [73], [65], [79], [80], [72] have shown that tracking is common in several IoT platforms, regardless of the presence of specific apps/skills. A difference between our findings and the ones of the above works is that Amazon smart speakers in our study contact additional endpoints from Amazon, skills vendors, and third-parties that have never been reported before.…”

Section: Parallels With Other Iot Platformsmentioning

confidence: 99%

See 2 more Smart Citations

Your Echos are Heard: Tracking, Profiling, and Ad Targeting in the Amazon Smart Speaker Ecosystem

Iqbal¹,

Bahrami²,

Trimananda³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Smart speakers collect voice input that can be used to infer sensitive information about users. Given a number of egregious privacy breaches, there is a clear unmet need for greater transparency and control over data collection, sharing, and use by smart speaker platforms as well as third party skills supported on them. To bridge the gap, we build an auditing framework that leverages online advertising to measure data collection, its usage, and its sharing by the smart speaker platforms. We evaluate our framework on the Amazon smart speaker ecosystem. Our results show that Amazon and third parties (including advertising and tracking services) collect smart speaker interaction data. We find that Amazon processes voice data to infer user interests and uses it to serve targeted ads on-platform (Echo devices) as well as off-platform (web). Smart speaker interaction leads to as much as 30× higher ad bids from advertisers. Finally, we find that Amazon's and skills' operational practices are often not clearly disclosed in their privacy policies.

show abstract

Section: Parallels With Other Iot Platformsmentioning

confidence: 93%

Section: Possible Defensesmentioning

confidence: 99%

Section: Parallels With Other Iot Platformsmentioning

confidence: 99%

See 1 more Smart Citation

Your Echos are Heard: Tracking, Profiling, and Ad Targeting in the Amazon Smart Speaker Ecosystem

Iqbal¹,

Bahrami²,

Trimananda³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Finally, recent work by Mandalari et al [19] describes a system that determines when privacy interventions break user desirable systems, but for internet-of-things devices instead of websites. Their system automatically distinguishes necessary traffic flows from noncore flows, and only applies privacy protections (i.e.…”

Section: Compatibility Of Privacy Protectionsmentioning

confidence: 99%

Blocked or Broken? Automatically Detecting When Privacy Interventions Break Websites

Smith¹,

Snyder²,

Haller³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

A core problem in the development and maintenance of crowdsourced filter lists is that their maintainers cannot confidently predict whether (and where) a new filter list rule will break websites. This is a result of enormity of the Web, which prevents filter list authors from broadly understanding the impact of a new blocking rule before they ship it to millions of users. The inability of filter list authors to evaluate the Web compatibility impact of a new rule before shipping it severely reduces the benefits of filter-list-based content blocking: filter lists are both overly-conservative (i.e. rules are tailored narrowly to reduce the risk of breaking things) and error-prone (i.e. blocking tools still break large numbers of sites). To scale to the size and scope of the Web, filter list authors need an automated system to detect when a new filter rule breaks websites, before that breakage has a chance to make it to end users.In this work, we design and implement the first automated system for predicting when a filter list rule breaks a website. We build a classifier, trained on a dataset generated by a combination of compatibility data from the EasyList project and novel browser instrumentation, and find it is accurate to practical levels (AUC 0.88). Our open source system requires no human interaction when assessing the compatibility risk of a proposed privacy intervention. We also present the 40 page behaviors that most predict breakage in observed websites.

show abstract

“…Peekaboo's hub is similar in spirit to cloudlets [67], but the key difference is that the computation running on the hub is structured and enforced using the operator-based manifest. Peekaboo is also inspired by past smart home hub/gateway/firewall projects [11], [14], [39], [51], [76]. Peekaboo has two major differences.…”

Section: Related Workmentioning

confidence: 99%

Peekaboo: A Hub-Based Approach to Enable Transparency in Data Processing within Smart Homes (Extended Technical Report)

Jin¹,

Liu²,

Hwang³

et al. 2022

Preprint

View full text Add to dashboard Cite

We present Peekaboo, a new privacy-sensitive architecture for smart homes that leverages an in-home hub to pre-process and minimize outgoing data in a structured and enforceable manner before sending it to external cloud servers. Peekaboo's key innovations are (1) abstracting common data preprocessing functionality into a small and fixed set of chainable operators, and (2) requiring that developers explicitly declare desired data collection behaviors (e.g., data granularity, destinations, conditions) in an application manifest, which also specifies how the operators are chained together. Given a manifest, Peekaboo assembles and executes a pre-processing pipeline using operators pre-loaded on the hub. In doing so, developers can collect smart home data on a need-to-know basis; third-party auditors can verify data collection behaviors; and the hub itself can offer a number of centralized privacy features to users across apps and devices, without additional effort from app developers. We present the design and implementation of Peekaboo, along with an evaluation of its coverage of smart home scenarios, system performance, data minimization, and example built-in privacy features.

show abstract

Blocking Without Breaking: Identification and Mitigation of Non-Essential IoT Traffic

Cited by 35 publications

References 45 publications

Your Echos are Heard: Tracking, Profiling, and Ad Targeting in the Amazon Smart Speaker Ecosystem

Your Echos are Heard: Tracking, Profiling, and Ad Targeting in the Amazon Smart Speaker Ecosystem

Blocked or Broken? Automatically Detecting When Privacy Interventions Break Websites

Peekaboo: A Hub-Based Approach to Enable Transparency in Data Processing within Smart Homes (Extended Technical Report)

Contact Info

Product

Resources

About