Regulating the IoT

Nest_Diamond_ThermostatThe FCC has joined other government agencies and private organizations that are concerned about the lack of security with the Internet of Things. The agency issued a 50-page research paper that discussed the issue and came to some troubling conclusions.

From the report: The large and diverse number of IoT vendors, who are driven by competition to keep prices low, hinders coordinated efforts to build security by design into the IoT on a voluntary basis. Left unchecked, the growing IoT widens the gap between the ideal investment from the commercial point of view and from society’s view.

That’s not nearly as strident as the sentiment expressed by most industry experts who understand that most IoT device makers look at security only as an afterthought. It’s been demonstrated repeatedly that almost every IoT device on the market can be hacked, often quite easily. There are exceptions, but a large percentage of devices have little or no defense against hacking.

The Department of Homeland Security is also looking at IoT and issued a set of guidelines they want to the industry to adopt. DHS believes that unprotected IoT devices are a national security threat. We now saw good evidence of this last month after massive denial of service attacks were launched from security cameras and home appliances. The DHS guidelines suggest some common sense requirements like allowing devices to have unique passwords and allowing IoT devices to receive needed software updates.

The Federal Trade Commission is also looking at IoT security issues. The agency recently announced a $25,000 prize to anybody who could offer a security solution for dealing with outdated software in IoT devices.

The Department of Commerce also recently issued IoT guidelines, but the guidelines seem to be aimed internally at the agency and not at the wider world.

This all raises the question of who should be regulating IoT? Right now the answer is nobody – there is no agency that has clear jurisdiction to impose any requirements on the IoT industry. And that is because such authority can only be granted by Congress. We’ve seen this same thing happen many times in the last fifty years as new technologies spring into existence that don’t fit neatly into any existing jurisdictional bucket.

The closest process we have to what is needed to regulate at least part of the IoT today is the way the FCC certifies new wireless and other telecom devices. Most people don’t realize it, but all phones and many other kinds of telecom gear undergo vigorous testing at the FCC to make the sure the devices do what they say they do and to make sure that they won’t interfere with the rest of the world. We need a similar process to tst and certify IoT devices because we can’t ever just take the IoT manufacturers’ words that their devices meet and standards that are developed.

But the FCC today has zero authority to regulate the IoT. For now they have created the ability to regulate ISPs through Title II regulations – but that is expected to be reversed or watered down soon. But even that authority doesn’t give them any jurisdiction over the IoT. Like many technologies, the IoT is something new that doesn’t fit into any existing regulatory framework.

It’s not really comforting, but there are a bunch of other new industries with the same situation. There is no agency that has any clear regulatory authority over driverless cars. Nobody has any real authority to regulate artificial intelligence. There are only very minimal regulations for gene-splicing.

I think most of us believe that some level of regulation is good for these big society-changing technologies. Certainly if nobody regulates the IoT we will have disaster after disaster from misuse of the technology. I hope we don’t wait too long to tackle this until it’s too late and there are billions of poorly manufactured IoT devices in the world that can’t be fixed.

What’s the Case for Home IoT?

Goneywell LyricSome of the biggest names in tech have invested heavily into the Internet of Things for the home. But when I look around the marketplace and among people I know, almost nobody is yet using any of this technology. In fact, several recent polls have shown that over half of the people in the country haven’t yet even heard of IoT. This leads me to ask if there is yet a business case for home IoT.

The initial promise of home IoT is that it will make our life easier. The picture painted by the industry is one of having scores of smart devices in the home that all act in harmony to make daily life easier. I’m a huge fan of Star Trek and I look at their future with automatic doors and lights, background music, holodecks, and food replicators and I get it – and I want it.

But the IoT devices on the market today are still a long way away from that Star Trek future. The reality of the situation is that this is an industry that so far only caters to geeks and hobbyists. Today the technology involves buying some sort of central console and then connecting all of your devices to the hub. That alone looks like a lot of work. There are also no standards in the industry and each of the many hubs is proprietary, so you have to worry if a new device you buy will even work with the hub you selected.

Samsung has taken perhaps the first step to pull this all together. They bought a startup called SmartThings that has developed a hub that is controlled entirely by smartphone. Samsung is then developing their whole suite of products to work with this hub.

But I don’t think even the Samsung solution is going to make much of a difference. Just consider smart lights as an example. My house easily has fifty light bulbs, maybe more. Upgrading them all to smart lights sounds extravagantly expensive. And then I am imagining trying to use the smartphone to control my lights. In the time I could fish through a menu and find the right lights to adjust I could have just changed them manually and gone on to do what I was doing. The smartphone idea certainly provides a central way to control everything, but has it really made life easier than today? Unless this works a whole lot easier than I imagine it, what I’ve done is to create a new chore for myself whenever I want to do something simple like dim a light. Unless I’m bedridden, the manual way still requires less effort than a smartphone.

And that is the big catch right now for the industry. They are coming out with devices that do all sorts of neat things, but they have not made life easier. Consider energy management. Programmable thermostats have been around for years and it’s been relatively easy to lower the heat while you sleep or to tone back the air conditioning when you are away at work. The newer smart thermostats go a step farther and help you understand your electric usage in detail so that you can save even more money than with a programmable thermostat. But in doing so they have not made life easier, they have instead created a new monthly chore, which is to interpret the data coming out of the energy monitoring system and then make changes in the way you use electricity. My electric bill is pretty affordable, and so I might be doing all of this new effort to save $20–40 dollars per month. That is certainly a good thing, and it’s probably the right social thing to do, but it is not compelling enough for me to add a new task into my already busy life.

I am guessing that home IoT isn’t going to really go very far until the whole system is smart, like in Star Trek. When I can sit in a room and say, “Dim lights” and it happens, then we are starting to get somewhere. When I can tell my house to play a certain piece of music and then have that music follow me around from room to room, then we are getting somewhere. That sounds like something that almost everybody is going to want, assuming it’s affordable, and assuming it doesn’t take too much effort to set it up and to make work.

That day will come. It’s going to require both better language interfaces that always understand me (something that is improving rapidly) as well as a computer assistant that is smart enough to know what I want and to be able to turn my wishes into real world events. And that is going to take smarter and more powerful computers, something that is also coming soon.

But until then I can’t make a case for home IoT in my own home. I’ve considered a smart security system and video monitoring, and that is likely to be the first thing I might buy. But most of the other things on the market seem to be more work than the satisfaction they will produce. Until that equation flips I am not yet sold, and I don’t think I am unusual in this.

The FTC to Monitor the Internet of Things

federal-trade-commission-ftc-logo_jpgLast week the Federal Trade Commission Chairwoman Edith Ramirez announced that the FTC’s latest initiative was to watch the Internet of things for privacy violations. They are already concerned that IoT devices are subject to easy hacking, and also that they are being used to gather data on us.

In a report issued last week the FTC Staff, and approved by 4 to 1 by the Commissioners, the FTC made specific recommendations in the areas of privacy, data collection and customer notification and choice. They also discussed the need for federal legislation to give them more power to police the IoT.

The FTC broadly defined the Internet of Things to include any device, other than computers and smartphones, which transmits information about the owner of the device over an internet connection.

The report makes specific recommendations about security and recommended that manufacturers of IoT devices should:

  • Assess the security risk for every device they make;
  • Minimize the data they collect and retain;
  • Test security before they ship product;
  • Implement measures to keep unauthorized users from accessing a device or data stored on their own networks;
  • Monitor devices throughout the product life cycle and provide patches to cover known risks;
  • Develop a defense to be ready to react to security breaches.

It’s good to see the government espousing these kinds of concerns. You might recall that HP tested ten popular IoT devices last year and found an average of ten security flaws on each device. My fear is that if the industry doesn’t self-police itself (or get prodded by regulators to do so) then someday we are headed for a perfect storm where hackers will do something terrible, like hack and kill hundreds of people with pacemakers. If something really dreadful happens because the industry doesn’t care about security then the world could quickly turn against the IoT. The IoT industry has the potential for huge growth, but one really terrible security breach on devices could badly sour people on the devices.

The report also made recommendations about storing and misusing customer data. The FTC has already been engaged in monitoring company’s use of data. For example, late last year the FTC reached an agreement with SnapChat to stop misrepresenting that data on their network was completely private. SnapChat has changed their advertising and also agreed to hire an independent privacy monitor for the next twenty years.

For now the report recommends that companies limit the data they collect, and absent legislation that is probably as strong of a warning as the FTC can issue. The report is specifically very concerned about customers not knowing what data is being collected about them from an IoT device. They think it is fundamental that customers be informed about the data they are giving up in order to make an informed decision about using any specific device. While any IoT device will have this concern, the sharing of data from things like health monitors is more troubling than the data gathered from a smart refrigerator or smart washing machine.

The report also voice a concern that the IoT device manufacturers would become the target of hackers and that the kind of information that could be stolen, such as detailed health records, are more troubling than stealing things like credit card numbers.

There is some industry concern, echoed by the dissenting Commissioner in adopting the report that the FTC needs to balance the desires to monitor the industry against too much regulation that might stifle innovation and investment in the field. But as a customer I would already vote in favor of what the FTC has started here. The risks to the industry are far greater from allowing companies to be lax with security and play free with customer data. I am going to be a lot more likely to use a device from a company that I think is being truthful with me and careful on both counts.

Who Will Own the Internet of Things?

Tribrid_CarYesterday’s blog talked about the current Internet that is falling under the control of a handful of large corporations – Apple, Amazon, Facebook, Google and Microsoft. This leads me to ask if the upcoming Internet of Things is also going to be owned by a handful of companies

This is not an idle question because it has become clear lately that you don’t necessarily own a connected device even though you might pay for it. As an example, there was recently an article in the New York Times that reported that a car company was able to disable cars for which the owners were late in making payments. The idea of Ford or General Motors still having access to the brains of your vehicle even after you buy it is unsettling. It’s even more unsettling to think access is in the hands of somebody at your local car dealer. Imagine them turning off your car when you are far away from home or when you have a car full of kids. But even far worse to me is that if somebody can turn off your car then somebody else can hack it

The car companies are able to do this because they maintain access to the root directory of your car’s computer system. Whether you financed the car with them or paid cash, they still maintain a backdoor that lets them get remotely into your car’s computer. They might use this backdoor to disable the vehicle as in this example or to download software upgrades. But the fact is, as long as they have that ability, then to some degree they still have some control over your car and you. You have to ask if you truly own your own car. As an aside, most people don’t realize that almost all cars today also contain a black box, much like the recorder in airplanes that records a lot of data about your car and your specific driving habits. It records data on how fast you drive or if you are wearing your seatbelt – and this data is available to the car companies

Perhaps the car is an extreme example because car is probably the most complicated device that you own. But it’s likely that every IoT device is going to have the same backdoor access to the root directory. This means that the company that made an IoT device is going to have a way to gain access. This means every smartphone, appliance, thermostat, door lock, burglar alarm and security camera can be controlled to some degree by somebody else. It makes you seriously ask the question if you entirely own any smart device

Over time it is likely that the IoT industry will consolidate and that there will be a handful of companies that control the vast majority of IoT devices just like the big five companies control a lot of the Internet. And it might even be the same companies. Certainly Apple, Google and Microsoft are all making a big play for the IoT

I’ve written before about the lack of security in a most IoT devices. My prediction is that it’s going to take a few spectacular failures and security breaches of IoT devices before the companies that make them pay real attention to security. But even should they tighten up every security breach, if Google or Apple maintains backdoor access to your devices, then they are not truly secure

I think that eventually there will be a market for devices that a buyer con control and that don’t keep backdoor access. It certainly would be possible to set up an IoT network that doesn’t communicate outside the home but where devices all report to a master controller within the home. But it’s going to take people asking for such devices to create the market for them

If people are happy to have Apple or Google spy on them in their homes then those companies will be glad to do it. One of the first things that crossed my mind when Google bought Nest was that Google was going to be able to start tracking a lot of behavior about people inside their homes. They will know when you wake and sleep and how you move around the home. That may not sound important to you, but every smart device you add to your house will report something else about you. With the way that the big companies mine big data, the more they know about you the better they can profile you and the easier it is for them to sell to you. I don’t really want Google to know my sleep habits and when I go to the bathroom. To be truthful, it sounds creepy.

Latest on the Internet of Things – Part 2, The Market

Goneywell LyricYesterday I wrote about the security issues that are present in the first generation of devices that can be classified as part of the Internet of Things. Clearly the manufacturers of such devices need to address security issues before some widespread hacking disaster sets the whole industry on its ear.

Today I want to talk about the public’s perception of the IoT. Last week eMarketer released the results of a survey that looked at how the public perceives the Internet of Things. Here are some of the key results:

  • Only 15% of homes currently own a smart home device.
  • And half of those who don’t own a smart device say they are not interested in doing so.
  • 73% of respondents were not familiar with the phrase “Internet of Things”.
  • 19% of households are very interested in smart devices and 28% are somewhat interested.
  • There were only a handful of types of devices that were of interest to more than 20% of households: smart cars – 39%; smart home appliances – 34%; heart monitors – 23%; pet monitors – 22%; fitness devices – 22%; and child monitors 20%.

The survey highlights the short-term issues for any carrier that thinks they are going to make a fortune with the IoT. Like many new technology trends, this one is likely to take a while to take hold in the average house. Industry experts think the long-term trend of the IOT has great promise. In a Pew Research Center survey that I discussed a few weeks ago, 83% of industry technology experts thought that the IoT would have “widespread and beneficial effects on the everyday lives of the public by 2025”.

I know that carriers are all hoping for that one new great product that will sweep through their customer base and get the same kind of penetrations that they enjoyed with the triple play services. But this survey result, and the early forays by cable companies and others into the home automation and related product lines show that IoT is not going to be that product, at least not for now.

This is not to say that carriers shouldn’t consider getting into the IoT business. Let’s face it, the average homeowner is going to be totally intimidated by having more than a couple of smart devices in their home. What they will want is for them to all work together seamlessly so that they don’t have to log in and out of different systems just to make the house ready when they want to take a trip. And eMarketer warned that one thing that concerned households was the prospect of having to ‘reboot’ their entire home when things aren’t working right, or of getting a virus that would goof up their home.

And as I mentioned yesterday, households are going to want to feel safe with smart devices, so if you are going to get into the business it is mandatory for you to find smart products that don’t have the kinds of security flaws that I discussed yesterday.

The eMarketer report predicts that more homes will embrace IoT as more name brand vendors like “Apple, Google . . . The Home Depot, Best Buy and Staples” get into the business. And this may be so, but one is going to expect most such platforms to be somewhat generic by definition. If a carrier wants to find a permanent niche in the IoT market they are going to need to distinguish themselves from the pack by providing integration and customization to give each customer what they most want from the IoT experience. Anybody will be able to buy a box full of monitors from one of those big companies, but a lot of people are going to want somebody they trust to come to their home and make it all work.

But the cautionary tale from this survey is that IoT as a product line is going to grow slowly over time. It’s a product today where getting a 10% customer penetration would be a huge success. So I caution carriers to have realistic expectations. There is going to be a lot of market competition from those big companies named above and to be successful you are going to have to stress service and security as reasons to use you instead of the big names.

Latest on the Internet of Things – Part 1, Security

Monitor_padlockThere has been some negative press recently about the Internet of Things. There was both recent news about IoT security and also some consumer research that is of interest. Today’s blog will discuss the latest issues having to do with security and tomorrow I will look at issues having to do with marketing and the public perception of IoT.

Recently, Fortify, the security division of Hewlett-Packard analyzed the ten most popular consumer devices that are currently considered as part of the IoT. They didn’t name any specific manufacturer but did say that they looked at one each of “TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers”. According to Fortify there was an average of 25 security weaknesses found in each device they analyzed.

All of the devices included a smartphone application to control them. The weaknesses are pretty glaring. 8 of the 10 devices had very week passwords. 9 of the 10 devices gathered some personal information about the owner such as an email address, home address or user name. 7 of 10 devices had no encryption and sent out data in a raw format. 6 of the devices didn’t encrypt updates, meaning that a hacker could fake an update and take over the device.

This is not much of a shock and the lack of IoT security has been reported before. It’s been clear that most manufacturers of these kinds of devices are not providing the same kind of security for these devices that is done for computers and smartphones. But this is the first time that anybody has looked at the most popular devices in such detail and has documented all of the kinds of weaknesses they found.

It’s fairly obvious that before the IoT becomes an everyday thing in households that these kinds of weaknesses have to be fixed. Otherwise, a day will come when there will be some spectacular security failure of an IoT device that will affect many households, and the whole industry will be set back a step.

It’s obvious that security really matters for some of these devices. If things like door locks, garage door openers and security systems can be easily hacked due to poor device security then the whole reason for buying such devices has been negated. I read last week that hackers have figured out how to hack into smart car locks and push-button car starters and that a car using those devices is no longer safe from being stolen. For a few years these devices gave some added protection against theft, but now they are perhaps easier to steal than a traditional vehicle and certainly easier to steal than a car using a physical anti-theft device like the Club.

I know that I am not going to be very quick to adopt IoT devices that might allow entry into my home. I don’t really need the convenience that might come from having my front door unlock as I pull into the driveway if this same feature means that a smart thief can achieve easy entry to my home.

So aside from home security devices, what’s the danger of having less secure devices like smart lights, or a smart stove or a smart sprinkler system? There is always the prank sort of hacking like disabling your lights or making your oven heat all day at high heat. But the real danger is that access to such devices might give a hacker access to everything else in your house.

Most of us use pretty good virus protection and other tools to lower the risk of somebody hacking into our computer systems to get access to personal information and banking and monetary systems. But what if a hacker can gain access to your computers through the backdoor of a smart light bulb or a smart refrigerator? This is not a far-fetched scenario. It was reported that the hack of Target that stole millions of credit card numbers was initiated by entry to the company’s heating and ventilation systems.

It’s obvious that these manufacturers are taking the fast path to market rather than taking the time to implement good security systems. But they must realize that they will not be forgiven if their device is the cause of multiple data breaches and that in the worst case their whole product line could dry up overnight. One would hope that efforts like the one just taken by HP will wake up the device makers. With that said, they face a formidable tasks since fixing an average of 25 security flaws is a big order.

 

The Early Battle for the Internet of Things

Goneywell LyricThere are already a number of players aiming to become the primary player in the residential market for the Internet of Things. I think all of them see that this as a numbers game and that whoever can gain customers the fastest has the opportunity to become the largest. And so we are going to start seeing fierce battles in the marketplace. As you would imagine, every competitor is going about this in a different way.

Google is probably making the most news in the area, because with their billions they are buying themselves into the business. Google paid $3.2 billion for Nest, a maker of smoke detectors and thermostats. Last week they announced the purchase of video camera maker DropCam for $555 million. Google also acquired Boston Dynamics and DeepMind, two firms whose robotics research is aimed at developing artificial intelligence. And one can expect Google to continue to buy the piece parts needed to put together a fully integrated suite of IoT products.

This week Google also announced their primary strategy which is to open up their IoT platform to outside developers. They envision a world where the apps have as much or more value than the hardware. Google wants to sell hardware and control the base platform over which others develop apps to provide customization for customers.

Apple is taking a very different approach and wants to become the software platform that makes everything work together. Apple believes there will be numerous manufacturers of smart devices (in fact, most of the things in our homes will become smart over time) and they don’t believe consumers are going to want to be tied to one propriety package of devices, but will want anything they buy work with everything else. So Apple is trying to put together that platform, which they call HomeKit that will connect your garage door opener, your door locks, your thermostat and everything else together to give homeowners a customized suite of products that suit them. Apple is also an open platform that allows outside developers to create apps.

Honeywell just announced that it plans to offer significant competition to Google. Honeywell is the largest manufacturer today of thermostats and they announced a slick mobile-controlled thermostat they called Lyric. But Lyric is not just a thermostat and is going to be the base of a full suite of home automation products – all DIY and all controlled by smartphones. Honeywell is not only building their own platform, but they are also hedging their bets by working with the Apple HomeKit Program.

There are also smaller companies trying to crack into the market and who are hoping that by being early they can gain market share. For example, Lutron is the largest manufacturer of lighting control systems and they are expanding that platform to become the hub for integration to other devices. They think they have an edge since they already having lighting platforms in millions of homes.

And there are a number of start-ups chasing the market. Revolv has introduced a slick box that does a pretty good job today of integrating different devices into a coherent package. ALYT is a crowd-sourced start-up that plans to provide a full suite of communications technologies from Bluetooth through cellular making it easier to communicate with any device or the outside world.

This is going to be an interesting battle to watch. Each of these firms has taken a different approach. I certainly don’t have a crystal ball, but I am going to bet that the one that makes all of this work the easiest is going to have the best chance of winning the battle. But one can also suspect that for decades that multiple companies will own a decent segment of the market as they appeal to different groups of customers. But it’s hard to bet against Apple and Google not being two of the largest players. Each is creating an open platform for developers to create apps, and those apps are likely to give them an edge over any proprietary systems.

Making Money With Home Automation

Nest_Diamond_ThermostatAt CCG we are always telling carriers that they need to find products to replace cable TV and voice, both which are slowly losing customers. One of the products worth considering for carriers that have a sizable residential base is home automation.

What we hear is that once homeowners learn what home automation can do for them they want this product. But there are a lot of moving parts to the product. There are hardware costs to cover along with numerous home visits needed, so it’s not a product that is automatically going to make money unless you do it right. Here are things to think about when considering the product:

  • You must be willing to cross the threshold. This product requires you to routinely go into customer homes. As an industry we have spent a decade looking for ways to reduce truck rolls and this product increases truck rolls as a routine part of the product. Your pricing must embrace that concept so that you are recovering a lot of your technician time.
  • One way to look at this product is that it gives you the opportunity to cross-sell other telecom products. We are told by some clients that the cross-sales are worth far more than the margin on home automation.
  • There are not likely to be any industry standards for a long time, if ever. This means that you need to decide what devices you will and will not support. We think the right strategy is to define the list of things that you will automate, and even then that you only deal with monitoring units that are part of your suite of products. Otherwise customers will always be buying crazy off-the-shelf things (like an egg tray that tells you how many eggs are left) and expect you to somehow tie them into your system.
  • You must recover equipment costs. You need to have an initial installation fee plus some portion of monthly fee on a term contract that is aimed at recovering the cost of the equipment. Base hub units for home automation are going to cost you from $150 to $200 and there is a wide array of monitors that can be added to the system to automate things like watering systems, thermostats, fire detectors, music systems, lighting, etc.
  • This industry and the product are always going to be changing. Home automation is the first small step into the Internet of Things and by becoming the trusted vendor today you have a foot up on that market when it gets more mature. The downside to this is that the technology will be changing quickly and so you are going to have to always be looking at different and newer monitors and devices to support with the product. But your customers will want many of the new things that will be coming along, and so you will have a continuous opportunity to upgrade and add on to customer systems.
  • You must manage customer expectations. There are three components to pricing the product – installation, equipment and ongoing maintenance. We think customers are going to get excited about this product. Once it’s installed and you have automated their sprinkler system and window shades they are going to want you to keep coming back to update more things over time. So your pricing needs to make it very clear about what is included with your base fee, and what costs extra. We suggest that you offer pricing plans that include some set number of visits. For instance, a base plan might mean that all future visits to the home are for a fee. But you might then also sell plans that include two, four or six visits a year where the customers pay for these visits as part of their monthly fees. That kind of pricing will stop customers from calling you to visit every time they think of a new home automation device to add or a refinement to make with the existing equipment. Without managing expectations in this manner you will find yourself making a lot of unpaid trips to customers.
  • Bundle the product. It’s a natural to bundle home automation with home security, but you could bundle it with anything else your customers want. The whole point of this product is to use it as a platform to get your customers to buy multiple products from you.

Where Will We Draw the Privacy Line?

Monitor_padlockThe efficiencies, convenience and societal cost savings that will be realized from the IoT are so enormous that it is inevitable that the future will eventually become just what the IoT developers imagine – a seamlessly networked world that brings a lot of Star Trek into our lives. But we are not just going to magically pop to that great future and my gut tells me that there is going to be some gigantic growing pains for the technology and some major setbacks on the way to the inevitable future.

One only has to peek behind the curtain at some of the early attempts at developing IoT devices to understand where some of the snafus and problems are going to come from. One area where I foresee the possibility for a lot of backlash is privacy. In order for the IoT to work people are going to have to sacrifice some privacy. The question that I don’t see being asked is how much privacy the average person is going to be willing to give up to gain the convenience of using numerous IoT devices.

Already today we can see a little of the how social sharing interfaces with privacy. For example, when running monitors first hit the market my Facebook got filled with maps showing how far and how fast my various runner friends had run each day. But over a few months these all disappeared and I haven’t seen one in a while. This is not because they have ditched the monitors, but rather that after the novelty wore off people realized they didn’t want to share. They didn’t want their friends to notice that they took a day off from running or that they ran slowly or only did a short route on a given day. It turns out that people don’t want to automatically share things that might reflect negatively on them.

And if people quickly edited their sharing over something like a jogging monitor I can’t help but wonder how people are going to react when they realize that one of the biggest aspects of the IoT is that we will be constantly watched and monitored.

I heard this concern when it was announced that Google was buying Nest, the maker of smoke detectors and other security devices. The promise is being made that IoT devices are going to be smart (or at least that the network that controls them will be smart). And this means that our every movement will be tracked. It doesn’t sound particularly threatening if Google finds out what time of day we turn various lights on and off or when we enter certain rooms. But the technology is at the bare beginning and the fact is that eventually our devices will let companies like Google know more about us that we often know about ourselves.

The whole point of big data analytics is to look for patterns. Knowing how and when a certain person moves around the house is data that can be used to see a pattern. Google can compare the way you move to the way other people move and can see that there are 10,000 other people just like you in the US and that you also have a lot of other traits in common.

I know this sounds simplistic and that would be a big stretch to understand you from just being monitored by a few devices in your home. But it’s not going to eventually going to be just a few devices. It’s likely that there will be enough monitors in the average home where an outside company like Google could understand your sleep patterns, your eating habits, what you watch and read, who you talk to, how you exercise – basically everything about you.

And I just wonder if at some point if there will not be a big rebellion against that kind of invasion of privacy. I foresee a huge pushback coming against IoT until they can solve the privacy issue and give control to each person over how their own data is shared with the world. This is contrary to the goals of Google and others and it will be very interesting to see where society draws the line.

Security for the Internet of Things

Monitor_(medical)We are quickly headed towards the Internet of thing where billions of devices will be connected to the Web. The biggest challenge in making this a reality is figuring out how to make the IoT secure. The world today is full of hackers. There are those that hack to find financial gain. There are cyberwars where government-sponsored hackers launch major attacks. And there are just general hackers who do it for the fun of creating mischief.

Today web security is a cat and mouse game between the hackers and security experts. Our PCs need almost daily updates to fight against newly discovered viruses which look to get around the virus checking programs.

The biggest challenge we face is that most of the devices that will be connected are not going to have large computing power like laptops and tablets. Instead we will have thermostats and smoke detectors and security cameras and medical monitors all connected to our home networks. And these devices have very rudimentary computing power, meaning that our current methods of security can’t be used to protect them.

But protect them we must because causing harm to these devices can cause real world damage. Imagine during the latest artic vortex is some hacker had turned off millions of thermostats and furnaces. This could have caused widespread problems, large dollar damages and even deaths. I don’t even want to think what might happen is somebody can hack into people’s medical devices. Perhaps murder by hacking? As we tie more and more of our daily life into devices that are connected to the web need to find solutions for protecting them.

And hackers are already starting to take notice of the weaknesses in our devices. In Brazil over 4.5 million DSL routers were hacked by people looking for credit card and banking information. There is a computer virus called DNS Changer that is attacking home routers in the US. There are already worms that are attacking things like security cameras and other embedded devices.

Security experts are working on the problem and there are several thoughts on the best way to keep our devices safe.

Safer Firmware. Most devices are operated with software called firmware. The security idea is to put this software onto a part of the chip that cannot be addressed from externally. Basically code the chip and throw away the key.

Cloud Security. Another idea is to limit each device to only being able to communicate with one source. This might be a specific cloud. This feels like a big company idea for a fix and it’s a bit scary, because if somebody can break into the cloud they have access to all of the machines that talk to it.

Government Fines. Today there is nearly zero security even considered for companies building IoT devices. They use old versions of open source Linux and out zero effort into making their devices safe. The thought is to impose big fines on manufacturers of IoT devices that get hacked as an incentive for them to do better.

We have to fix this or else there is going to be some really huge examples of hacking into devices that are going to scare the public off IoT. As we tie more and more of our life into our networks we all need to know that we are safe from being hacked by those with malicious intent.