Smart Security Camera Privacy Analysis

Smart Homes: Knowledge Repository

This research explores the privacy and security implications of smart security cameras. To that end, we examine the most popular smart security cameras (Nest – Google and Ring – Amazon) and two smart hubs with video call features (Nest Hub – Google and Alexa Echo – Amazon). We are interested in the privacy practices of these devices in action (who they communicate data with and when), and particularly in whether they share user information with third parties. We designed a holistic evaluation pipeline for the smart camera ecosystem, looking at the respective smartphone companion apps for these devices on both the Android and iOS platforms. This is the first study to conduct such an analysis on these iOS companion apps. Furthermore, we discuss the implications for those using these devices, highlighting possible additional risks for certain user groups.

The research questions for this research are:

  • RQ1: What are the privacy practices of camera-enabled smart home devices?
  • RQ2: What are the similar and different practices in such an ecosystem in Android vs iOS?
  • RQ3: What are the implications of our findings for users of such systems?

Methodology

We perform a range of experiments using static, dynamic, network traffic, and privacy notice analysis methods. We use static analysis tools to identify the permissions the companion apps request and the tracking services they may communicate with. These experiments are possible on the iOS platform thanks to access to an Apple Security Research Device, which has reduced security protections. Our privacy notice analysis looks at how the privacy policy is displayed to users when they create their account, as well as the options presented to them. We additionally look at how easy it is to alter privacy settings in the app or revisit the privacy policy, counting the number of clicks necessary to access these features.

We perform a network traffic analysis of the communications made via these apps, as well as by the devices themselves. To isolate this network traffic, we set up a wireless access point through which all devices are connected. We use Ettercap, which allows for live connection sniffing, to capture all communications to and from the connected device. During this data capture, we perform a range of different actions, such as logging in, editing settings, or viewing the camera feed.
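One way to turn such a capture into per-experiment domain counts, as an added example that is not the study's own tooling. It assumes hostnames have already been extracted from the capture (for instance from DNS queries), that a first-party list is maintained by hand, and that domains are counted by a naive "last two labels" rule; all hostnames and the helper names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (platform, action, hostname) tuples as they might be
# extracted from a capture. Every name here is made up (.example TLD).
CAPTURE = [
    ("android", "login", "api.vendorcam.example"),
    ("android", "login", "metrics.adtracker.example"),
    ("android", "view_feed", "stream.vendorcam.example"),
    ("ios", "login", "api.vendorcam.example"),
    ("ios", "login", "metrics.adtracker.example"),
    ("ios", "login", "sdk.crashreports.example"),
    ("ios", "view_feed", "stream.vendorcam.example"),
    ("ios", "view_feed", "cdn.analyticshub.example"),
    ("ios", "view_feed", "API.VendorCam.example."),  # case / trailing-dot variant
]

# Assumption: domains owned by the device vendor, curated manually.
FIRST_PARTY = {"vendorcam.example"}


def registrable(host):
    """Naive registrable domain: lower-case, strip the root dot, keep the last
    two labels. Real data needs the Public Suffix List (e.g. for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def summarize(capture, first_party):
    """Average distinct domains and third-party domains per experiment."""
    seen = defaultdict(set)  # (platform, action) -> distinct registrable domains
    for platform, action, host in capture:
        seen[(platform, action)].add(registrable(host))

    totals = defaultdict(lambda: [0, 0, 0])  # experiments, domains, third parties
    for (platform, _action), domains in seen.items():
        t = totals[platform]
        t[0] += 1
        t[1] += len(domains)
        t[2] += len(domains - first_party)

    return {
        platform: {"avg_domains": d / n, "avg_third_party": tp / n}
        for platform, (n, d, tp) in totals.items()
    }


if __name__ == "__main__":
    for platform, stats in sorted(summarize(CAPTURE, FIRST_PARTY).items()):
        print(platform, stats)
```

Deduplicating per (platform, action) before averaging keeps a chatty endpoint from inflating the count, and normalising case and the trailing dot avoids counting the same host twice.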

Results

Our findings show inconsistencies across the two platforms, both in terms of permissions requested and third-party communications. On the iOS platform, the apps are found to request far fewer permissions, and generally fewer dangerous permissions. However, iOS was found to contact far more domains per experiment performed, including over double the number of third parties on average. Across the apps, we found the Amazon-related products to perform worse in terms of privacy, particularly on the Android platform, where their permission requests were far higher. These inconsistencies across platforms and systems will likely make it even harder for those using these devices to fully understand how their data will be handled. Therefore, we call for more rigorous design standards that leave users better equipped to understand how to protect their privacy.