

“Set your heart upon your work, but never on its reward.”
Bhagavad Gita

In January 2026, a security researcher discovered that a popular smart sleep mask — a device marketed for improving sleep quality — was broadcasting raw EEG brainwave data to an unsecured MQTT broker on the public internet. No encryption. No authentication. Anyone with the broker's address could subscribe to a topic and receive a real-time stream of a stranger's neural activity.
The story hit Hacker News and collected 582 points. The comments ranged from horrified to unsurprised.
A week later, a separate investigation revealed that Amazon Ring and Google Nest cameras collectively form what researchers described as a de facto surveillance network covering most American residential neighborhoods. The cameras are privately owned, but the data flows through corporate servers that respond to law enforcement requests — often without the camera owner's knowledge or consent. That post got 611 points and 434 comments.
These aren't isolated incidents. They're data points on a trend line that's been building for a decade: consumer IoT devices are surveillance infrastructure, and the gap between "smart home" and "monitored home" has closed.
Most people have a vague sense that their devices "collect data." The specifics are worse than the vague sense.
I spent a weekend auditing the network traffic from common smart home devices using mitmproxy and Wireshark. Here's what I found:
Beyond the well-known "wake word" audio capture, smart speakers transmit:
Modern smart TVs implement Automatic Content Recognition (ACR) — a system that captures screenshots of what's on screen at regular intervals and matches them against a database to identify what you're watching:
```jsonc
// Simplified representation of ACR data payload
// captured from a major TV brand's outbound traffic
{
  "device_id": "STVX-...",
  "timestamp": "2026-01-15T22:34:17Z",
  "acr_match": {
    "content_type": "streaming",
    "provider": "netflix",
    "title": "...",
    "season": 3,
    "episode": 7,
    "playback_position": "00:23:41"
  },
  "input_source": "HDMI-2",
  "volume_level": 34,
  "ambient_light": "dim",
  "viewers_detected": 2 // Yes, some TVs estimate viewer count
}
```
This data is transmitted regardless of whether you're using the TV's built-in apps. Plug in a gaming console via HDMI, and the TV still captures and identifies what's on screen.
Ring and Nest cameras are the most visible pieces of the surveillance puzzle:
The sleep mask incident is extreme but not unique. Biometric IoT devices — sleep trackers, smart watches, fitness bands, health monitors — routinely transmit:
The sleep mask's sin wasn't that it transmitted brainwave data — it's that it did so over unencrypted MQTT, making the surveillance visible. Encrypted transmission of the same data to a cloud server would have attracted no attention.
MQTT (Message Queuing Telemetry Transport) deserves specific attention because it's the backbone of IoT communication and it's routinely misconfigured.
MQTT is a pub/sub messaging protocol designed for low-bandwidth, high-latency environments. It's perfect for IoT: lightweight, efficient, and simple to implement. It's also, by default, completely insecure:
Subscribe to # (the wildcard topic) and you receive every message on the broker.

```sh
# This is all it takes to listen to an unsecured MQTT broker
# Replace with the broker address found in device traffic
mosquitto_sub -h broker.example.com -t '#' -v
```

The sleep mask manufacturer used a cloud-hosted MQTT broker with default settings. No auth, no TLS, public IP. Every sleep mask they sold published brainwave data to topics named after the device's serial number. Anyone who found the broker address — trivially discoverable from the device's network traffic — could subscribe.
This isn't a sophisticated attack. It's walking through an open door.
If you want to see what your IoT devices are transmitting:
Step 1: Set up a monitoring network
Create a separate Wi-Fi network for IoT devices and route all traffic through a machine running mitmproxy:
```sh
# Start mitmproxy in transparent mode
mitmproxy --mode transparent --showhost
# Or for non-interactive logging
mitmdump --mode transparent -w iot-traffic.flow
```

Step 2: Install the mitmproxy CA certificate on devices that support it (some IoT devices don't, which means you'll only see metadata for encrypted traffic, not content).
Step 3: Monitor DNS queries — even for encrypted traffic, DNS queries reveal which servers your devices communicate with:
```sh
# Capture DNS queries from the IoT network (-n: don't reverse-resolve, -l: line-buffer)
# tcpdump prints the queried name as the second-to-last field, before the "(length)"
# field, so use $(NF-1); awk de-duplicates as it streams (sort -u would only print
# after the pipeline ends, and prints nothing if you stop tcpdump with Ctrl-C)
tcpdump -n -l -i eth0 port 53 | grep --line-buffered -E 'A\?' | \
  awk '!seen[$(NF-1)]++ { print $(NF-1); fflush() }'
```

Step 4: Check for MQTT traffic specifically:
```sh
# MQTT uses port 1883 (unencrypted) or 8883 (TLS)
tcpdump -i eth0 port 1883 -A
```

If you see plaintext MQTT on port 1883, your device is transmitting data without encryption.
Here's where it gets worse. Consumer IoT data isn't just used for the stated purpose (improving your sleep, securing your home). It feeds a data pipeline that ends in AI training:
The privacy policy you agreed to when setting up the device almost certainly includes language that permits this pipeline. "We may use data collected from your device to improve our products and services, including through the use of machine learning and artificial intelligence."
The sleep mask's brainwave data wasn't just being transmitted insecurely — it was being collected at all because the manufacturer intended to build AI models from it. Neural data from thousands of users is valuable training data for sleep analysis models, mental health detection, and neurological research.
Your biometric data is a training set.
Complete abstinence from smart devices is impractical for most people. Here's what's realistic:
Isolate IoT devices on a separate VLAN or network. Most modern routers support guest networks or VLANs. Put every IoT device on a network that can't reach your primary devices (computers, phones) and monitor its outbound traffic.
Block unnecessary destinations. Once you've identified what servers your devices talk to, block connections to telemetry and analytics endpoints. Many devices continue to function without their cloud analytics — they just lose the "smart" features you probably don't use.
Use DNS-level blocking. Pi-hole or AdGuard Home running on your network can block telemetry domains across all devices:
```text
# Common IoT telemetry domains to block
device-metrics-us.amazon.com
fireoscaptiveportal.com
connectivity-check.allawnos.com
data.mistat.xiaomi.com
tracking.miui.com
```
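As an added example (not from the original post), this Python takes the DNS query lines that Step 3 prints and turns them into the custom blocklist that Pi-hole or AdGuard Home consume, allowing only the destinations you have confirmed the device needs and blocking everything else it resolves. The capture lines, IP addresses, the vendor domain and the ALLOWLIST contents are constructed assumptions for the sample.

```python
import re

# tcpdump prints one DNS query per line, e.g. (constructed):
# "12:01:03.118 IP 10.0.30.12.51423 > 10.0.30.1.53: 5821+ A? device-metrics-us.amazon.com. (46)"
# The queried name is the field before the trailing "(length)", hence the anchored regex.
QUERY_RE = re.compile(r"\b(?:A|AAAA)\? (?P<name>[A-Za-z0-9._-]+)\. \(\d+\)$")

def queried_names(tcpdump_lines):
    """Unique, lower-cased names queried (A and AAAA) in 'tcpdump port 53' output."""
    names = set()
    for line in tcpdump_lines:
        m = QUERY_RE.search(line.rstrip())
        if m:
            names.add(m.group("name").lower())
    return sorted(names)

def is_allowed(name, allowlist):
    """True if name equals an allowlist entry or is a subdomain of one."""
    return any(name == a or name.endswith("." + a) for a in allowlist)

def blocklist(names, allowlist):
    """Hosts-format lines (Pi-hole and AdGuard Home accept these as a custom list)
    for every observed name that is not needed for the device to function."""
    blocked = [n for n in names if not is_allowed(n, allowlist)]
    return "".join(f"0.0.0.0 {n}\n" for n in blocked)

# Constructed Step 3 output for two devices; addresses and names are examples only.
SAMPLE_CAPTURE = """\
12:01:03.118 IP 10.0.30.12.51423 > 10.0.30.1.53: 5821+ A? device-metrics-us.amazon.com. (46)
12:01:03.201 IP 10.0.30.12.51423 > 10.0.30.1.53: 5822+ AAAA? device-metrics-us.amazon.com. (46)
12:01:04.552 IP 10.0.30.12.51424 > 10.0.30.1.53: 5823+ A? api.iot-vendor.example. (40)
12:01:05.004 IP 10.0.30.1.53 > 10.0.30.12.51424: 5823 1/0/0 A 203.0.113.10 (56)
12:01:07.330 IP 10.0.30.15.40001 > 10.0.30.1.53: 9901+ A? data.mistat.xiaomi.com. (40)
12:01:09.010 IP 10.0.30.15.40002 > 10.0.30.1.53: 9902+ A? pool.ntp.org. (30)
""".splitlines()

# Assumed allowlist for this sample: the vendor API and time sync are needed for
# the devices to work, so they stay reachable; everything else observed is blocked.
ALLOWLIST = ["iot-vendor.example", "ntp.org"]
```

Write the returned text to a file, add it as a custom list in Pi-hole or AdGuard Home, then re-run Step 3 to confirm the device still works with only the allowed names resolving.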
Prefer local-only devices. Some IoT devices work entirely locally. Zigbee and Z-Wave devices controlled by Home Assistant don't require cloud connectivity. The functionality is identical; the data stays on your network.
Disable microphones and cameras when not in use. Physical switches are better than software toggles. Some devices (like certain smart displays) have hardware switches that physically disconnect the microphone circuit.
Read the privacy policy. Specifically, search for: "machine learning," "artificial intelligence," "third parties," "partners," "improve our services." If the policy permits sharing data with unnamed third parties for AI training, that's a red flag.
GDPR Article 17 (Right to Erasure) gives EU residents the right to demand deletion of their data. This includes IoT telemetry data. Some manufacturers make this easy; others make it deliberately difficult.
CCPA/CPRA provides similar rights for California residents, including the right to opt out of the sale of personal information — which includes sharing data with AI training partners.
Sector-specific regulations for healthcare data (HIPAA), children's data (COPPA), and biometric data (BIPA in Illinois) provide additional protections that IoT manufacturers frequently violate.
None of the individual fixes address the structural problem: the business model of consumer IoT is surveillance.
Devices are sold at or below cost. The manufacturer's revenue comes from the data: selling insights to advertisers, licensing training data to AI companies, or building AI products from the collected data. A $30 smart plug that costs $25 to manufacture doesn't make money from hardware margins. It makes money from the continuous stream of data about your electrical usage patterns.
Until the business model changes — through regulation, market pressure, or alternative revenue models — the incentive to collect maximal data from every device will remain. The sleep mask incident wasn't a failure of one manufacturer. It was the visible edge of an industry practice.
The devices in your home are infrastructure. The question is: whose infrastructure are they serving? The answer, for most IoT devices today, is not yours.