Consent to take part in a research study

Princeton University


Overview

You are being invited to take part in a research study. Before you decide to participate, it is important that you understand why the research is being done and what it will involve.

Please take the time to read the following information carefully, and ask the researchers if there is anything that is not clear or if you need more information.


Title of Research: IoT Inspector: Identifying Privacy, Security, and Performance Risks of Consumer IoT Devices

Principal Investigators:
Nick Feamster, Professor (feamster@cs.princeton.edu)
Danny Yuxing Huang, PhD (yuxingh@cs.princeton.edu)

Principal Investigators' Department: Computer Science



Purpose of the Research

Many people use smart-home devices, also known as the Internet-of-Things (IoT), in their daily lives, ranging from bulbs, plugs, and sensors, to TVs and kitchen appliances. To a large extent, these devices enrich the lives of many users. At the same time, they may have a negative impact on their owners.

  • Security and privacy risks. Many IoT devices are designed with poor security practices, such as using hard-coded passwords, lacking strong authentication, and not running updates. Devices may be hacked, and an attacker could potentially control the devices or steal sensitive information of the user.
  • Performance risks. A user may have a large number of IoT devices in his/her home. Together, these devices compete for limited bandwidth, which may degrade the overall performance of the home network.

Our goal is to measure and visualize these risks, both for research and for the user. To this end, we release IoT Inspector, open-source software that you can download to inspect your home network and identify any privacy, security, and performance problems associated with your IoT devices.


What is IoT Inspector

IoT Inspector is a Windows/Linux/Mac application that you can run on laptops and desktops, but not on tablets or smartphones. By using a technique known as “ARP spoofing,” this software monitors network activities of all IoT devices connected to the home network (e.g., your “smart” appliances). It collects and shows you the following information:

  • who the IoT device contacts on the Internet, and whether the contacted party is malicious or is known to track users
  • how much data is exchanged (in terms of bytes per second) between the device and the contacted parties
  • how often the data is exchanged

IoT Inspector collects and sends the information above to the Principal Investigators only when it is running — until the user terminates or uninstalls IoT Inspector.

Note that IoT Inspector does not collect the following information:

  • network activities of phones, computers, or tablets
  • actual contents of communication
  • any personally identifiable information, such as your home network’s IP address, the MAC addresses of your devices, your name and email

Also note that IoT Inspector is not intended to replace existing security software packages on your system, such as Avast, McAfee, or Windows Defender. You are still strongly recommended to engage in secure computing practices, e.g., running regular system updates, not reusing passwords, enabling firewalls, and running well-known security software.


Benefits

IoT Inspector aims to provide you with transparency into your IoT devices, e.g.,

  • whether your IoT device is sharing your information with third parties;
  • whether your IoT device is hacked (for instance, engaged in DDoS attacks);
  • or whether your IoT device is slowing down your home network.

Aside from offering the above benefits, IoT Inspector also collects confidential data that helps us with IoT research, specifically, measuring and mitigating the security, privacy, and performance problems of IoT devices. For more information about our research, visit https://iotinspector.org/.


Data Collection

For each IoT device on your network, IoT Inspector will collect the following information and send it to our secure server at Princeton University:

  • Device names and manufacturers.
  • DNS requests and responses.
  • HTTP user-agent strings.
  • Destination IP addresses and ports contacted.
  • Scrambled MAC addresses (i.e., with a salted hash).
  • Aggregate traffic statistics — i.e., number of bytes sent and received over a period of time.
  • Names of devices on your network. We collect this information from the following sources (because some IoT devices may use none or some of the sources below for self-identification):
    • Your manual input — i.e., you can tell us what devices you have.
    • User Agent string — i.e., a short text (typically fewer than 100 characters) that your IoT device sends to the Internet that announces what type of device it is. This text does not typically include any personally identifiable information. For example, if you have a Samsung Smart TV, the User Agent string might look like “Mozilla/5.0 (Linux; Tizen 2.3) AppleWebKit/538.1 (KHTML, like Gecko)Version/2.3 TV Safari/538.1”.
    • SSDP messages — i.e., a short message (typically fewer than 100 characters) that your IoT device announces to the entire home network which includes its name. Again, this text does not typically include any personally identifiable information. For instance, if you have a Google Chromecast, it typically announces itself as “google_cast” or “Chromecast” via SSDP.
    • DHCP hostnames — i.e., a short text (typically fewer than 100 characters) that your IoT device announces to the entire home network which includes its name. Similarly, this text does not typically include any personally identifiable information. For example, a Wemo smart plug typically announces itself as “wemo” via DHCP.
  • TLS handshake — i.e., a short piece of data (typically fewer than 3,000 characters) that your IoT device sends to the Internet in order to establish a secure connection.
    • This text does not typically include any personally identifiable information.
    • We use this data to identify potentially vulnerable IoT devices — for instance, because they are using an outdated or insecure encryption function, in which case we notify the user of the risks of using the device.

Note that IoT Inspector will collect the traffic of all IoT devices connected to your home network while IoT Inspector is in operation. Examples of IoT devices that IoT Inspector can analyze include (but are not limited to): Google Home, Amazon Echo, security cameras, smart TVs, and smart plugs. Computers, tablets, or phones will be automatically excluded. You can also manually exclude devices by either powering them down while setting up IoT Inspector, or specifying their MAC addresses.

If you do not want IoT Inspector to collect data from a particular IoT device (e.g., because it collects sensitive medical information), please disconnect it from the network now, before you start running IoT Inspector. If you are unable to disconnect it (e.g., because you need to keep the device running, or because you do not know how to disconnect it), you cannot use IoT Inspector.


Confidentiality

  • Privacy: IoT Inspector only collects the information above. It does not collect any personally identifiable information, such as your location or IP address. As a result, we are unable to infer what IoT devices a specific person owns. We will keep the data confidential within the limits of the law.
  • Security: All data collected from your IoT devices is stored on a secure server at the Department of Computer Science at Princeton University. IoT Inspector transmits data to our server over a secure channel, i.e., HTTPS.

As a result of our privacy and security practices, no one has access to the collected data except us. Even so, we are unable to infer what IoT devices you own, and what you do with your devices.


Study Procedure

  1. Disconnect from your network all IoT devices that fulfill the following criteria:
    1. Devices from which you do not want IoT Inspector to collect any data (e.g., medical devices).
    2. Devices used by people under the age of 18.
  2. If you cannot disconnect the devices above, you cannot use IoT Inspector.
  3. Agree to this consent form by clicking the blue button at the bottom of the page. If you are not at least 18 years old, you cannot use IoT Inspector.
  4. Feel free to stop IoT Inspector and restart it anytime.

Risks

Performance degradation: Running IoT Inspector may reduce your network performance. If you are doing latency-sensitive activities, such as playing video games or holding video chats, we recommend that you turn off IoT Inspector. Furthermore, IoT Inspector is experimental software provided “as is”; we have not comprehensively tested IoT Inspector on all IoT devices or with all possible configurations. As a result, it may fail to work and disconnect your home devices. In this case, simply turning off IoT Inspector and rebooting your home router would likely solve the issues. If you have any critical medical devices, for instance, we suggest you exclude such devices from IoT Inspector or withdraw from the study.

Data breach: In the unlikely event that our secure server is compromised, an attacker will have access to this form and the collected data. However, the attacker will be unable to infer what IoT devices you own, and what you do with your devices.

Best-effort support: We will regularly maintain and update the software (e.g., fixing bugs) whenever necessary. In case of questions, we try our best to respond to email inquiries within 24 hours during weekdays. However, we do not guarantee long-term support of the software. Also, we do not guarantee we will answer everyone’s questions if our capacity reaches a certain limit. In the event that IoT Inspector disrupts the normal functionality of your network, simply turn off IoT Inspector.


Compensation

Not applicable.


Who to contact with questions

Principal Investigator: Nick Feamster, Professor
iot-inspector@lists.cs.princeton.edu
Department of Computer Science
35 Olden St, Princeton, NJ 08544
USA

If you have questions regarding your rights as a research subject, or if problems arise which you do not feel you can discuss with the Investigator, please contact the Institutional Review Board at:

Assistant Director, Research Integrity and Assurance
Phone: +1 (609) 258-8543
Email: irb@princeton.edu


Consent

I understand the information that was presented and that:

  • My participation is voluntary, and I may withdraw my consent and discontinue participation in the project at any time. My refusal to participate will not result in any penalty.
  • I do not waive any legal rights or release Princeton University, its agents, or you from liability for negligence.
  • I am at least 18 years of age.

I hereby give my consent to be the subject of your research.

No, I do not give my consent