Exfiltrating Personal Data from IoT devices
Cyber Security
Semester programme: Cyber Security
Edris Rahimi
Salih Musap Işik
Dailion Janga
Gabriel Lepinay
Yasen Alchev
Brandie Pawlowski
Project description
To what extent do Internet of Things (IoT) devices exfiltrate personal data and do the manufacturers abide by their own personal policies?
Context
Internet of Things (IoT) devices pose privacy risks because they collect, transmit, and store sensitive personal information. Although manufacturers assure privacy protection, the actual behavior of these devices does not always align with their privacy policies. This study examines a range of IoT devices to identify the data privacy concerns that apply to them, assesses the accuracy of their manufacturers' privacy statements, and determines the technical challenges in evaluating the privacy practices of IoT devices.
Results
Some of the most important results:
1. Many IoT devices do not behave in line with the privacy promises made by their manufacturers. Even if policies are technically accurate, they are often vague or misleading.
2. Devices marketed as "idle" or privacy-focused still communicate with external servers regularly, often without user awareness. This includes DNS queries, telemetry uploads, and communication with third parties.
3. While encryption (e.g., TLS) is widely used, it often masks what data is being sent. Encryption does not automatically mean responsible or transparent data handling.
About the project group
A multicultural, diverse group (American, Caribbean, French, Turkish, Bulgarian, Afghan) with different educational backgrounds. We spent a total of 16 weeks on the project and used a Scrum agile approach.