Smart home devices are potentially one of the bigger security threats since there is no easy way to check what they are up to on your network. That’s a problem Princeton University has set out to solve, with the Princeton IoT Inspector.
It works on HomeKit and non-HomeKit devices alike …
The tool is Mac-only for now. Using it, you can see:
- a list of all the IoT devices on your home network
- when they exchange data with an external server
- which servers they contact
- whether those connections are secure
For example, using it I was able to see that my Philips Hue bridge contacted meethue.com a few seconds ago, exchanging 6KB of data, and that the communication was not encrypted. Sadly, you can’t see the actual content of the transmissions even if unencrypted.
Gizmodo came up with one very practical use for the tool.
Beyond finding out what your smart home is up to, this would be a useful tool to employ when you rent an Airbnb to make sure there’s not a hidden camera secretly livestreaming your stay. Because that’s the world we now live in.
Devices are identified by whatever name they give your network, but you can rename them yourself. Anonymized data is then shared with Princeton so that the university can run analysis (you’ll be asked to consent to this the first time you use the app).
One cautionary note here: Princeton advises that your device names are included in the data sent, so if you use your full name for any of them (e.g. Ben Lovejoy’s robocleaner), then that data will be accessible to the university.
The university also cautions that it is using techniques normally used by the bad guys, specifically ARP spoofing. This can do all sorts of dangerous things, so it is definitely a tool you should install only if you trust Princeton or have inspected the code (which is available on GitHub).
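ARP spoofing works by answering ARP queries for another host's IP address (typically the router's) with the spoofer's own MAC address, so the tell-tale sign on any other machine is two IP addresses resolving to one MAC. The check below is an added example, not code from Princeton or the IoT Inspector project: it parses macOS-style `arp -a` output and flags that condition. The sample table, IP addresses and MAC addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of macOS `arp -a` output, as seen from a machine that is
# NOT running the inspection tool. 192.168.1.1 is assumed to be the router.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at a4:2b:b0:c1:d2:e3 on en0 ifscope [ethernet]
? (192.168.1.23) at 0:17:88:a:b:c on en0 ifscope [ethernet]
? (192.168.1.40) at a4:2b:b0:c1:d2:e3 on en0 ifscope [ethernet]
? (192.168.1.77) at (incomplete) on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]+) on \S+")

def normalize_mac(mac):
    """macOS drops leading zeros (0:17:88:a:b:c); pad each octet to two digits."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def parse_arp_table(text):
    """Return {ip: mac} for resolved unicast entries only."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if not match:              # "(incomplete)" entries do not match
            continue
        ip, mac = match.group(1), normalize_mac(match.group(2))
        if int(mac[:2], 16) & 1:   # group bit set: multicast or broadcast
            continue
        table[ip] = mac
    return table

def find_shared_macs(table):
    """MACs claimed by more than one IP. Can be legitimate (a multi-homed
    router, proxy ARP), so treat a hit as a lead to investigate, not proof."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_is_spoofed(table, gateway_ip):
    """True if some other IP resolves to the same MAC as the gateway."""
    mac = table.get(gateway_ip)
    return mac is not None and any(
        ip != gateway_ip and other == mac for ip, other in table.items())

if __name__ == "__main__":
    arp_table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print(find_shared_macs(arp_table), gateway_is_spoofed(arp_table, "192.168.1.1"))
```

Comparing the router's entry against the MAC address printed on the router itself tells you which of the two hosts is the impostor.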
To use the Princeton IoT Inspector, you need to install a Mac app which then opens a webpage. You need to use Chrome or Firefox; it doesn’t run in Safari.
You can download the Princeton IoT Inspector from here.
Because the app isn’t signed by the Mac App Store, it will be blocked by default. When you get the security message, open System Preferences > Security > General and check the box to allow it to open. If Safari is your default browser, then just copy and paste the URL that opens into Chrome or Firefox.
Note: I’ve redacted unique device identifiers from the screengrab above.