Smart devices, such as light bulbs, TVs, fridges, etc., equipped with computing capabilities and wireless communication, are part of everyday life in many households. Previous work has already shown that a passive eavesdropper can derive private information, household routines, etc., from the network traffic of smart devices. However, existing attacks rely on capable adversaries with specialized machine learning expertise, labeled training data and reference devices, leaving it unclear how vulnerable ordinary households are to less sophisticated attackers. In this paper, we investigate the extent to which a "casual attacker" with straightforward IT skills and no specialized cybersecurity or ML tooling can reproduce such privacy attacks. Operating from an adjacent room in a real-world apartment building, we constrain our adversary to use only three off-the-shelf Raspberry Pis, Wireshark, and basic Python scripts. Through a three-week study, we demonstrate that this casual attacker can manually identify devices, recognize user states, track smartphone movements through walls via RSSI triangulation, and successfully extract detailed daily routines, including sleep patterns of guests. Our findings show that smart-home privacy leakage is a threat even from low-resourced, straightforward adversaries, e.g., neighbors.