


Devil in the details: Dirty little secrets of the Internet of Things

Apr 10, 2016 · 6 mins
Data and Information Security, Internet of Things, Security

Is harvesting your data and turning it into a revenue stream the only sustainable business model for IoT device makers?


Where is IoT going in the long run?

To cash in on the treasure trove of “everything it knows about you,” data collected over the long term. So says a post on Medium about the “dirty little secret” of the Internet of Things.

A company can sell only so many devices, but it still needs to make money, so the article suggests the “sinister” reason why companies “want to internet-connect your entire house” is to collect every little bit of data about you and turn it into profit. Although the post was likely inspired in part by the continued fallout of Nest’s decision to brick Revolv hubs, there could be an IoT company eventually looking for a way to monetize “if you listen to music while having sex.”

The post is by the same guy running the “Internet of Sh*t” Twitter account; he works as a developer for a software company in Europe. You’ve surely seen IoT gadgets that seem like a joke, that make you wonder why in the world anyone thought they were a good enough idea to make. While not every product tweeted by Internet of Sh*t is a real thing, the tweets are funny and have the scary potential to be real. Here are a couple of my favorites:

A smart device that alerts you to water your plants could also be seen as giving your plants an attack vector. Another would be an IoT gadget in your “smart home” that could lead to in-app purchase blackmail, such as the tweeted joke about paying to delete footage of something an app “saw.”

On Medium, “Internet of Sh*t” explains that there are indeed plenty of IoT devices that you would use over the very long term such as “household appliances you won’t replace for a decade. We’re talking about a thermostat, fridge, washing machine, kettle, TV or light — long term, there’s just no other way to be sustainable for the creators of these devices.” Those devices present “delicious” opportunities “for bloated internet companies.”

“The problem with the Internet of Things is that the hardware is only one aspect,” he points out. “The makers need to keep servers running to support them, keep APIs up to date, keep security up to date and, well, pay employees.” Over time, those costs will be more than what you paid for the device, so the “sustainable” model is to keep collecting every little piece of data about you and then find a way to profit from it.

For example, he quotes Nest CEO Tony Fadell who previously said, “We’ll get more and more services revenue because the hardware sits on the wall for a decade.”

If Nest wanted to increase profits, it could sell your home’s environment data to advertisers. Too cold? Amazon ads for blankets. Too hot? A banner ad for an air conditioner. Too humid? Dehumidifiers up in your Facebook.

Nest may not be doing that right now, but “the future of your most intimate data being sold to the highest bidder isn’t dystopian. It’s happening now.” One example included Bud Light’s “Bud-E Fridge.” Makers call the real-time data about how much beer is stocked “a wealth of knowledge” that will pay off in a couple of years even if the fridge doesn’t make a ton of money. Brands are going to look at the data collected by their IoT devices as a new revenue stream.

If you think it is unlikely that your IoT devices will start cashing in on data they collect about you, then you might also believe it is a conspiracy theory that apps that request permission to access your microphone are “listening in” to serve up relevant ads. In some cases, it might be a coincidence if you suddenly start seeing ads about a topic that you recently discussed, but not always.

For example, your phone can be “listening” for what you watch on TV. Last month, the FTC sent a warning letter (pdf) to unnamed app developers using Silverpush code that “can monitor a device’s microphone to listen for audio signals that are embedded in television advertisements.” Basically the apps can secretly listen to everything that happens in the background. Forbes explained how Silverpush uses a unique inaudible sound in TV commercials that you might not notice, but an app on your phone could. Once it hears that sound, the app knows what you are watching.

It’s important to note that Silverpush claims ads in the U.S. don’t currently use audio beacons, but the FTC still said app developers need to notify users why their apps ask to use a phone’s mic. The FTC’s letter adds that “nowhere do the apps in question provide notice that the app could monitor television-viewing habits, even if the app is not in use.”

For the curious, here’s a list of Android apps that use SilverPush.

While some privacy advocates may care, sadly there is a plethora of people who don’t know or care what their apps or IoT devices are monitoring and collecting. How else do you explain the success of major TV brand makers even after smart TVs were labeled the “perfect target” for spying on you? Since then, smart TVs have been caught “eavesdropping,” tracking viewing habits and snarfing up personal files such as those connected via USB.

The post on Medium advises you to ponder what data you are giving away, where it goes and if you even own the IoT device at all before you buy smart devices. A different post on Medium by Stephanie Rieger advises you to consider similar topics before you rent a house or apartment that comes equipped with “smart” features.

“Rarely does this process currently involve discussions about hardware versions, operating systems, apps, firmware, connection ports [barring cable/TV/phone] and who has the right or indeed responsibility and sufficient access privileges to install updates, pay monthly or annual subscriptions, or introduce new software into the system,” Rieger writes.

Since some of those smart devices can be collecting your data, be vulnerable to attack or end up costing you a subscription to a service you don’t want, those are important answers you should demand.

We should demand answers about our collected data from the makers of our IoT devices as well, but as Internet of Sh*t points out, “Nobody really knows the answer because they don’t want to tell you.” The manufacturers probably believe “it’s better if you don’t know.”


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.