By Lauren Kirchner, ProPublica
How much does your smart home know about you? That was the question that Charles Givre, a data scientist at Booz Allen Hamilton, set out to answer in a recent experiment. Givre has an account on Wink, a platform designed to control, from a single screen, his Internet-connected home devices, such as door locks, window shades and LED lights. He wanted to learn what could be learned from his usage behavior. It turned out it was a little too much.
Last week, at a big data conference in New York, Givre presented his results. By accessing his Wink account, he (or anyone with his login information) could identify his social media accounts, the names of his devices (like “Charles’s iPad”) and his network information. An app that monitors his grill’s propane tank recorded the tank’s latitude and longitude, thus revealing the exact location of his house. From his Nest thermostat, he could figure out when his house was occupied and when it was not.
The goal of his experiment, Givre said, was not to demonstrate security flaws in his devices, but to document the wealth of information that they amass through everyday use. To access his usage history, some accounts required verification keys; others only asked for Givre’s email address and password. He wrote programs to “ping” his devices to gather new information about what was going on in his home in real time, and to find patterns there. He noted that his smart devices seemed to transmit information securely on its way to the companies’ servers, “but most of the interesting stuff was in the cloud anyway.”
As the trend toward networked “smart homes” and “connected cars” continues, security precautions are more important than ever. The Federal Trade Commission put out a report this year with best practices about how companies should notify their customers about data retention. Device makers say that customers can opt in or out of sharing their personal information with developers and third-party apps. But customers may not always be aware of just how much information their devices are collecting about them in the first place.
The account for Givre’s “Automatic” device, which plugs into his car and tracks its trips and performance, included his car’s vehicle identification number (VIN), with which accident and ownership history is easily accessible. He had also hooked his Automatic account to the web-based service IFTTT (“If This Then That”), which connects smart devices with shortcuts and triggers like “when the ‘Automatic’ device senses my car is home, turn on the lights.”
Interconnectedness, while convenient, is a trade-off. This portion of the experiment demonstrated how someone could “leapfrog” from one less-secure account to other accounts with more sensitive information. IFTTT collected his individual car trips in spreadsheets—including times, locations and even the exact routes he had taken—and protected this information only with an email address and password.
“If you were to start aggregating this over time, you could get a frighteningly accurate picture of pretty much where I am at any given time of day,” Givre said.
In fact, this data could also help build a character profile of someone. At the conference, Givre showed a graph of his car-trip frequencies by day of the week; there was a noticeable lack of activity on Saturdays. Why could that be? “I don’t roll on Shabbos,” Givre said, quoting “The Big Lebowski.”
When asked about Givre’s findings this week, a spokesperson from Wink emphasized that each customer can only access his or her own account information. “Users should not share their passwords with others or grant access to untrusted applications,” he wrote. A spokesperson from Nest wrote, “Customers have complete control” over what types of information developers would have access to, “and can stop sharing at any time.”
Buckley Slender-White, a spokesperson from Automatic, said Givre’s car’s VIN was only accessible to the app because Givre had opted to share it. As to Automatic’s sending his car trip information to IFTTT, Slender-White said, “importantly — that data is only accessible to the user and any app that they explicitly grant permission to.” Wink, Nest and Automatic address security and privacy concerns on their websites and suggest best practices to keep account information safe. (Attempts to reach the grilling app and IFTTT were unsuccessful.)
Smart home devices are part of an industry called the Internet of Things, which attaches data-collecting sensors to objects in order to track, measure or remote-control them. While the technology involved is not new, the industry is still young. Last summer, Ben Kaufman, the founder of Wink’s former parent company Quirky, told The New York Times that the Internet of Things is “still for hackers, early adopters and rich people.” But the industry continues to grow. “I think consumers need to understand that their relationship with their devices is fundamentally going to change,” Givre said.
ProPublica is a Pulitzer Prize-winning investigative newsroom.