Security and Privacy Measurement on Chinese Consumer IoT Traffic based on Device Lifecycle

TL;DR

This paper presents the first large-scale analysis of Chinese consumer IoT device traffic, revealing regional differences in service reliance and security practices across device lifecycles.

Contribution

It introduces a comprehensive dataset and traffic collection methodology for Chinese IoT devices, enabling detailed security and privacy analysis.

Findings

Chinese IoT devices rely more on domestic services

Better encryption practices in Chinese IoT devices compared to other regions

Persistent security issues like improper certificate validation and insecure protocols

Abstract

In recent years, consumer Internet of Things (IoT) devices have become widely used in daily life. With the popularity of devices, related security and privacy risks arise at the same time as they collect user-related data and transmit it to various service providers. Although China accounts for a larger share of the consumer IoT industry, current analyses on consumer IoT device traffic primarily focus on regions such as Europe, the United States, and Australia. Research on China, however, is currently relatively rare. This study constructs the first large-scale dataset about consumer IoT device traffic in China. Specifically, we propose a fine-grained traffic collection guidance covering the entire lifecycle of consumer IoT devices, gathering traffic from 77 devices spanning 38 brands and 12 device categories. Based on this dataset, we analyze traffic destinations and encryption practices across different device types during the entire lifecycle and compare the findings with the results of other regions. Compared to other regions, our results show that consumer IoT devices in China rely more on domestic services and overall perform better in terms of encryption practices. However, there are still 23/40 devices improperly conducting certificate validation, and 2/70 devices use insecure encryption protocols. To facilitate future research, we open-source our traffic collection guidance and make our dataset publicly available.