Devices that make up the Internet of Things (IoT) collect a monumental amount of data about their owners. In most cases, the data they gather benefits the owner of the device and performs some useful purpose for them. However, when viewed in aggregate, the data gathered can reveal an enormous amount of information about the devices’ owner that can be very invasive if this information were to fall into the wrong hands. Over the course of several months, Charles Givre did an experiment in which he collected data from several IoT devices including a Nest Thermostat, the Automatic Car dongle, the Wink hub, and a few others in order to determine what could be learned about the owner of the devices. Givre approached this experiment like a law enforcement or intelligence investigation, beginning with a bit of seed knowledge about the target, and built a profile about the target using the data that was available via these devices’ APIs and the data they transmit over the internet. This presentation is not about how to bypass the devices’ security features, hack them, or how to mess with people by randomly turning off their A/C; but rather focuses on the consequences of IoT devices collecting and storing data.

1. What does your Smart
Device know about
you?
Charles S. Givre
Über Nerd
Booz | Allen | Hamilton
givre_charles@bah.com

2. Who am I?

3. Who am I?Charles Givre @cgivre
givre_charles@bah.com

4. Stuff my Company Wants me to Say
§ The techniques I demonstrated here are the results of my own research. I have no
knowledge of anyone using or not using the techniques demonstrated here.
§ The data I gathered all belongs to me and was gathered from devices that I own.
Please remember that unauthorized access to someone else’s computer or network
IS A CRIME.
§ The views presented here represent only my own and not those of my company or
anyone else.
§ I have no financial interest in any of the products you are seeing here, nor do I have
any connection with their parent companies, aside from having purchased their
products.
§ Always drink upstream from the herd. (Just seeing if you are actually reading this)

5. The Experiment
§ Using data collected from “smart”
devices, see what could be learned
about the owner.
§ I start out knowing only that the
target owns a Wink hub.
§ I limit the data to that which can be
gathered via automated means.

6. Conclusions
“Smart” devices collect and broadcast a lot of
information beyond what you might expect. In
aggregate, this information can reveal a great deal
about the device’s owner.

7. Conclusions
The devices typically do not store the data locally, but
rather on a remote (cloud) servers.

8. Conclusions
To facilitate interoperability, most of these devices make
portions of their data available via an API.

9. Conclusions
Access to this data is typically protected by your
email address and a password.

10. Meet the target

13. http://docs.wink.apiary.io/

14. [{
"linked_service_id": "aad234fce-oanqtqi1",
"service": "facebook",
"account": "XXXXXXXX",
}, {
"linked_service_id": "bbe345edd-q2it1ahnh",
"service": "twitter",
"account": "cgivre",
}]

15. What we’ve learned from the Wink Hub:
§ The target’s FacebookID and Twitter handle

18. [device_manufacturer] => quirky_ge
[model_name] => Refuel
[upc_id] => 17
[upc_code] => 840410100866
[lat_lng] => Array
(
[0] => 39.374XXX
[1] => -76.706XXX
)
[location] => 21208
[mac_address] => 0c2a6907794b
[serial] => ACAB00015458
[tare] => 18
[tank_changed_at] => 1441593829
)

19. [device_manufacturer] => quirky_ge
[model_name] => Refuel
[upc_id] => 17
[upc_code] => 840410100866
[lat_lng] => Array
(
[0] => 39.374XXX
[1] => -76.706XXX
)
[location] => 21208
[mac_address] => 0c2a6907794b
[serial] => ACAB00015458
[tare] => 18
[tank_changed_at] => 1441593829
)

20. [device_manufacturer] => quirky_ge
[model_name] => Refuel
[upc_id] => 17
[upc_code] => 840410100866
[lat_lng] => Array
(
[0] => 39.374XXX
[1] => -76.706XXX
)
[location] => 21208
[mac_address] => 0c2a6907794b
[serial] => ACAB00015458
[tare] => 18
[tank_changed_at] => 1441593829
)

22. What we’ve learned from the Wink Hub:
§ The target’s FacebookID and Twitter handle
§ What other devices the target has:
§ Nest Thermostat
§ Nest Protect
§ Refuel Propane Tank Doodad
§ Ring Doorbell
§ Where the target lives (?)
§ When the target added these devices to the network

23. [device_manufacturer] => quirky_ge
[model_name] => Refuel
[upc_id] => 17
[upc_code] => 840410100866
[lat_lng] => Array
(
[0] => 39.374XXX
[1] => -76.706XXX
)
[location] => 21208
[mac_address] => 0c2a6907794b
[serial] => ACAB00015458
[tare] => 18
[tank_changed_at] => 1441593829
)

24. [device_manufacturer] => quirky_ge
[model_name] => Refuel
[upc_id] => 17
[upc_code] => 840410100866
[lat_lng] => Array
(
[0] => 39.374XXX
[1] => -76.706XXX
)
[location] => 21208
[mac_address] => 0c2a6907794b
[serial] => ACAB00015458
[tare] => 18
[tank_changed_at] => 1441593829
)

30. Network Information
{
"serial_number": "02AA01AC301302UB",
"scale": "F",
"location": "7d7c1d80-726b-11e3-b782-12313d224c5e",
"network": {
"online": false,
"last_connection": "2015-02-19 20:19:51",
"wan_ip": "98.233.236.XX",
"local_ip": "192.168.2.8",
"mac_address": "18b4300a269c"
},

31. Network Information
{
"serial_number": "02AA01AC301302UB",
"scale": "F",
"location": "7d7c1d80-726b-11e3-b782-12313d224c5e",
"network": {
"online": false,
"last_connection": "2015-02-19 20:19:51",
"wan_ip": "98.233.236.XX",
"local_ip": "192.168.2.8",
"mac_address": "18b4300a269c"
},

32. Network Information
"wan_ip": "98.233.236.XX"
The following results may also be obtained via:
http://whois.arin.net/rest/nets;q=98.233.236.XX?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
Comcast Cable Communications, Inc. DC-CPE-31 (NET-98-233-0-0-1) 98.233.0.0 - 98.233.255.255
Comcast Cable Communications, Inc. JUMPSTART-5 (NET-98-192-0-0-1) 98.192.0.0 - 98.255.255.255

33. What we’ve learned from the Nest:
The target uses Comcast for their
internet service

34. Network Information
"wan_ip": "98.233.236.XX"
https://www.iplocation.net

35. Network Information
"wan_ip": "98.233.236.XX"
https://www.iplocation.net

36. Network Information
"wan_ip": "98.233.236.XX"
https://www.iplocation.net

37. What we learned so far from the Nest:
The target uses Comcast for their
internet service
The target lives in Pikesville, Maryland

38. {
"start": 55918,
"end": 55918,
"type": 0,
"touched_by": 6,
"touched_when": 1417520705,
"touched_timezone_offset": -18000,
"touched_where": 1,
"touched_id": "Charles's iPhone",
"heat_temp": 17.772,
"previous_type": 4,
"event_touched_by": 1,
"event_touched_where": 0
},

39. {
"start": 55918,
"end": 55918,
"type": 0,
"touched_by": 6,
"touched_when": 1417520705,
"touched_timezone_offset": -18000,
"touched_where": 1,
"touched_id": "Charles's iPhone",
"heat_temp": 17.772,
"previous_type": 4,
"event_touched_by": 1,
"event_touched_where": 0
},

40. 0
5.5
11
16.5
22
Wink Charles's iPhone Charles's iPad

41. What we learned so far from the Nest:
§ The target uses Comcast for their internet service
§ The target lives in Pikesville, Maryland
§ The target owns an iPhone, iPad and Wink hub

42. {
"start": 55918,
"end": 55918,
"type": 0,
"touched_by": 6,
"touched_when": 1417520705,
"touched_timezone_offset": -18000,
"touched_where": 1,
"touched_id": "Charles's iPhone",
"heat_temp": 17.772,
"previous_type": 4,
"event_touched_by": 1,
"event_touched_where": 0
},

43. When are you home?

44. When are you home?
§ Away
§ Auto Away
§ Manual Away

45. When are you home?
date away auto_away manual_away
2015-05-06 16:05:01 FALSE FALSE FALSE
2015-05-06 16:00:01 FALSE FALSE FALSE
2015-05-06 15:55:01 FALSE FALSE FALSE
2015-05-06 15:50:02 FALSE FALSE FALSE
2015-05-06 15:45:01 FALSE FALSE FALSE
2015-05-06 15:40:01 FALSE FALSE FALSE
2015-05-06 15:35:01 FALSE FALSE FALSE

46. When are you home?
Start End Week Day Duration
2015-03-18 09:35:03 2015-03-18 19:10:01 Wed 09:34:58
2015-03-19 09:35:04 2015-03-19 23:55:01 Thu 14:19:57
2015-03-20 00:00:01 2015-03-20 13:55:01 Fri 13:55:00
2015-03-21 14:10:01 2015-03-21 15:20:02 Sat 01:10:01
2015-03-23 10:10:02 2015-03-23 14:45:03 Mon 04:35:01

47. When are you home?
Weekday Average Time Away
Fri 05:06:39
Mon 01:56:15
Sat 03:32:30
Thu 05:49:58
Tue 02:23:16
Wed 05:53:59

48. When are you home?
0
7.5
15
22.5
30
9 10 11 12 13 14 15 16
Monday Tuesday Friday

49. The Automatic Car Dongle

50. The Automatic Car Dongle
WTH does it do?

51. The Automatic Car Dongle
WTH does it do?
§ Puts your car’s data to work
§ Decodes check engine light
diagnostics
§ Improves driving with real-time
feedback
§ 24/7 Crash Response
§ See your driving in their dashboard

52. The Automatic Car Dongle

53. The Automatic Car Dongle

54. The Automatic Car Dongle

55. The Automatic Car Dongle
https://developer.automatic.com/api-reference
https://github.com/adamwulf/automatic-php-api

56. The Automatic Car Dongle
{
"url": "https://api.automatic.com/vehicle/XXXXXXXXX/",
"id": "XXXXXXXXXXX",
"vin": “JM1BL1SG9AXXXXX",
"make": "Mazda",
"model": "3",
"year": 2010,
"submodel": "Base",
"color": "#000000",
"display_name": “Mazda 3",
"created_at": "2015-03-15T14:15:32.588000Z",
"updated_at": "2015-03-15T14:15:32.588000Z",
"fuel_level_percent": 60.54
}

57. The Automatic Car Dongle
{
"url": "https://api.automatic.com/vehicle/XXXXXXXXX/",
"id": "XXXXXXXXXXX",
"vin": “JM1BL1SG9AXXXXX",
"make": "Mazda",
"model": "3",
"year": 2010,
"submodel": "Base",
"color": "#000000",
"display_name": “Mazda 3",
"created_at": "2015-03-15T14:15:32.588000Z",
"updated_at": "2015-03-15T14:15:32.588000Z",
"fuel_level_percent": 60.54
}

58. What we learned from the Automatic:
§ The target owns a 2010 Mazda 3 and a 2005
Honda Odyssey
§ Complete vehicle history (If you want to pay…)
§ Target removed a Hyundai Santa Fe in May and
replaced it with the Honda minivan.

60. Allows you to build a spreadsheet
of all your trips…automatically.

61. Also, IFTTT is only protected by
your username/password.

62. § Trip Start/Stop
§ Coordinates
§ Paths
§ Duration
§ Vehicle Used

63. Calculate the target’s
pattern of life

64. Trips per day
Monday Tuesday Wednesday Thursday Friday Saturday Sunday
84
3
102
126
111110
98

66. What we learned from the Automatic:
§ The target owns a 2010 Mazda 3 and a 2005
Honda Odyssey
§ Complete vehicle history (If you want to pay…)
§ Target removed a Hyundai Santa Fe in May and
replaced it with the Honda minivan.
§ Target doesn’t roll on Saturdays…

67. Trips

68. Trips

69. Trips

70. }`joF`w}rMWK_@?s@?E{DnACj@Dt@VdAx@tAnA^PH`@A~@[nAKF|EJxIDfBJnAdApKZnFt@lUL`E?d@?
l@e@HKBo@TmKrDaC`AcBz@kDlBmCzAsBp@IGQB_AJwAHkBCyFc@SD]C_DEmHX{KVmECcJ?
eAH{@NmA{EhCmBv@w@ZeCbA_Bt@kCnA{Ah@oAJ_@ACtD@xDXbArAlBbA~B
zANrAHzBBz@Nt@FlJFbFNrEz@fLn@jFv@vEfAjFpBnHzHrXvAvGt@tEx@~G`@|
FjA`^b@vIdApLlA`JhAfGhBbInClJ~BpGhB|
DzBvDzD`FzEhFvBrBpA`BzAvBtAjCdAbCv@zB~CvKhBzF~@pBhAbBdAhArBvApDdBlLdFpQrHfFzBlCdA~Bn
@lARlBN`DDlBMhBU|IiB`J{AnFs@vGi@pEUnGWrVeAtLq@rb@iBrK_@dOi@zOc@bPEfP@ziA@pJCjLB`R?
vMIhPq@v^_CzqBth@cDbIo@~FgA~CcAtCoA|A{@zAcAtC_C`FqFlDqFbD{G`OcfFqL|CuGq@rAqBbAgAtB}
AbCiA|WcGzAc@xAm@`BaAlAaAfAiAnBoChJuQxBsEdLcV`X_k@`ByD|
M_[pFwLpBsFbB_HjImf@r@iEzBgKdBuGzByHtAwD|@_ChBuDjFcJp@_AfEuFnCsCbPsPpDuDrLgMjEkE|
CcDzCuCfBqArC_BdB{@rC}
@bDs@fFk@pOyAxCg@jDkA~As@xBmAtIqFlEsC`PsJjEyBd@W`KkFx@c@H@H@PIvBcA|
@K^DdHrB`AZXRf@r@N^TR|@|DjBrHnDnO~Jva@lAhFxIt]z@pDjBtGvAvDzAjDdBdD|
EhH~HjLvFfIfErGbKbOpGnJnDlFf@v@bCnEp@~AjBlFnDpMdAzDlBbHtB`HpAjDbDnHnEzH`EnFfEtEdMzKnTl
R~gAr`A~h@zd@~H|GzHtHzK`Mxm@pq@dRpS|DfDzB`BhC`BfDhBdI`DrJfD|
KxDn@RJNHHtCjAjAd@n@`@jA~@~@hAjBjDb@vAH~AW~CcBrKcC|P[rBxDClDIr@DRJVXJ?J@VHR
PRGLOHm@EWj@Ib@e@zAqAh@Op@Cn@Nj@`@p@fEdI|B~EpAzB|@`A@?~O|KfB|@jBRxA?|
Ac@xBQvB@nB`@jBlAbBxB~A`Ez@zBzAgAlAeAn@cAM`@FNFMf@rB|@
Path

71. Path
https://developers.google.com/maps/documentation/utilities/polylineutility
Distances Latitude Longitude Duration
0.000000 39.37823 -76.67073 0.000000
0.008891 39.37835 -76.67067 0.016466
0.011058 39.37851 -76.67067 0.020478
0.017969 39.37877 -76.67067 0.033277
0.050259 39.37880 -76.66973 0.093073
0.027666 39.37840 -76.66971 0.051233
0.015289 39.37818 -76.66974 0.028313
0.019731 39.37791 -76.66986 0.036539
0.028725 39.37756 -76.67015 0.053195
0.036604 39.37713 -76.67055 0.067785

72. Privacy Policy Sample
§ “We will never sell or share your personally identifiable information, like name,
where you drive, or VIN.”
§ “We want you to get the most value out of your Automatic experience and may
present offers from trusted partners to provide a solution that we think would make
your car ownership or driving experience better. For example, we might partner with
a tire manufacturer that is willing to extend your tire warranty if you choose to share
your data related to tire wear. These opportunities will always be user “opt-in” only.”
§ “Our products and services (and our business) may change from time to time. As a
result, at times we may need to make changes to this Privacy Policy. We reserve
the right to update or modify this Privacy Policy at any time and from time to time
without prior notice. However, if we make any material changes we will notify you by
email or by a notice on our website. “

73. What does this mean?

74. Consumers should be aware that “smart”
devices are being used to gather data
about their owners.
Awareness

75. Companies should craft understandable
data usage policies and EULAs.
Awareness

76. Data Ownership You own the data generated
Data Reuse Your data may be used with
personally identifying information
removed to derive aggregate
statistics about…
Data Removal You may request that your data be
removed from our system by emailing
XXX. It will be removed within 48
hours of receiving the request.
Data Resale Your data may be sold to …

77. Questions?