Systematically Quantifying IoT Privacy Leakage in Mobile Networks

Abstract

Privacy leakage of Internet of Things (IoT) has become a great challenge with the popularity of IoT services through mobile networks, such as smart homes, wearables, and healthcare. While previous work summarized general structures to analyze IoT privacy and provide case studies of specific devices or scenarios, it is still challenging to conduct a comprehensive and systematic quantification study of large-scale IoT privacy leakage in real world. To combine systematic analyses with real-world measurements, we provide a method to quantify IoT privacy leakage on a large-scale mobile network traffic data set containing 47651 IoT devices. We generate privacy fingerprints and attribute them to a privacy quantification framework. The framework is constructed based on the semantics of multiple privacy sensitive markers selected from the traffic along with the involved network entity types in IoT (i.e., user, device, and platform), and the fingerprints are generated from sensitive information extracted in the traffic via their markers. Our quantification shows that IoT users, devices, and platforms have considerable risks, respectively. Moreover, IoT devices have a larger scale of privacy leakage than users and platforms, and they perform different daily patterns on privacy leakage following their working conditions. In addition, we present three case studies on the leakage of location information, application calling, and voice service, which illustrate that a third party can profile a network entity in both cyberspace and physical space.