VBIT: Towards Enhancing Privacy Control Over IoT Devices

TL;DR

VBIT tackles the lack of transparent privacy controls for IoT ecosystems by analyzing network traffic at the edge router and visualizing it through both Mixed Reality and web interfaces. It enables per-domain blocking of trackers while preserving device functionality, using Pi-hole for DNS-level enforcement and a modular backend for real-time visualization. In a mixed-method study involving 200 survey participants and 18 interviews, VBIT raised awareness of IoT tracking and significantly increased willingness to install an IoT ad/tracker blocker ($p=0.002$), with SUS scores indicating good usability. The work offers a practical, deployable framework for IoT privacy management, provides design insights for MR and web interfaces, and lays groundwork for crowd-sourced IoT blocklists and future enhancements such as decryption and markerless detection.

Abstract

Internet-of-Things (IoT) devices are increasingly deployed at home, at work, and in other shared and public spaces. IoT devices collect and share data with service providers and third parties, which poses privacy concerns. Although privacy enhancing tools are quite advanced in other applications domains (\eg~ advertising and tracker blockers for browsers), users have currently no convenient way to know or manage what and how data is collected and shared by IoT devices. In this paper, we present VBIT, an interactive system combining Mixed Reality (MR) and web-based applications that allows users to: (1) uncover and visualize tracking services by IoT devices in an instrumented space and (2) take action to stop or limit that tracking. We design and implement VBIT to operate at the network traffic level, and we show that it has negligible performance overhead, and offers flexibility and good usability. We perform a mixed-method user study consisting of an online survey and an in-person interview study. We show that VBIT users appreciate VBIT's transparency, control, and customization features, and they become significantly more willing to install an IoT advertising and tracking blocker, after using VBIT. In the process, we obtain design insights that can be used to further iterate and improve the design of VBIT and other systems for IoT transparency and control.

Figures (13)

• Figure 1: VBIT Overview. VBIT consists of the following components: (1)Raspberry Pi (RPi) running as an Access Point (AP) for the IoT devices to connect to; on the RPi, (2)traffic collector collects all network traffic from the IoT devices, records the traffic and its metadata in the database, labels each destination as tracker or non-tracker based on filter lists for tracking, and forwards the traffic; (3)Flask server communicates (i.e., via HTTP requests) with VBIT's (4)MR mobile and (5)web apps, and retrieves information from the database to be displayed on the apps (i.e., destinations contacted in the network traffic and whether each is a tracker or non-tracker), which will also send traffic blocking decisions based on user's interaction with the app; (6)Pi-hole will block certain traffic for tracking destinations (e.g., red colored arrow) depending on the user's decision when using the apps.
• Figure 2: VBIT's Mixed Reality app. We show screenshots of VBIT's MR app for (a) Apple TV, (b) Amazon Echo Dot, and (c) TP-Link smart bulb. For each of the devices we show the following: (i) Recent Information Panel, overlaid in the environment once the marker is detected; (ii) Global Information Panel (appears when Recent Information Panel is clicked on) displaying tracker domains list with the option of blocking domains, with blocked domains highlighted with yellow color and a red block symbol; and (iii) Global Information Panel displaying non-tracker domains list.
• Figure 3: Dashboard of VBIT's Interactive Web App.
• Figure 4: Participants' likelihood to use an ad blocker.
• Figure 5: Change of opinion regarding installing an IoT ad/tracker blocker after seeing the VBIT system.