This isn’t a tinfoil hat article designed to make the reader disconnect every device they have and hide under the bed. Nor am I of the opinion that the government is out to monitor everything we do every day of our lives. This is, however, an article aimed at educating some of the consumers out there about what is technically possible in the IOT world.
Did you just Google IOT? If not, you probably are waiting on me to explain it. Therein lies the issue. Most people don’t even realize how fast a new breed of technology has gone from cool idea to semi-global adoption in homes in the blink of an eye. While it has been evolving for the last ten years out in the open, recent technologies have been created to allow the cross-functionality of devices to the point that they’re becoming more widespread than ever, and they’re everywhere!
On top of the IOT issue comes the recent nationwide argument about digital privacy, which follows directly on the heels of the Department of Homeland Security and White House both speaking out on hacking, their methods for obtaining data, and how relatively unimportant user encryption is in the long run.
Yes, I know this sounds complicated, but I’m going to make it simple before long. Bear with me.
If you read the news you might remember the articles over recent months about consumer encryption concerns. Following that media cycle was a brief period of anti-government/pro-government arguments about consumer privacy rights weighed against the government’s desire to be able to prevent terrorism. Directly following that, in a manner reminiscent of a parent talking to a petulant child, came the government’s nonchalant final say on the matter. It was along the lines of “People can have encryption. We’re not really that concerned about hacking user encryption. It’s pretty easy for the government to do. Besides, now we have the IOT out there and that’s giving us access to more and more information every day.”
For those that don’t understand the ramification of that sentiment, it should be a resounding “Whooooaaa there buddy!”
So, what is the IOT and do you have it? Is there a pill you can take for it? Maybe a topical ointment to get rid of it?
What is the IOT
IOT stands for “internet of things” and it’s a general term we’ve collectively coined in the last few years to describe the hundreds of new devices that can connect to the internet to do things for you.
Some examples of IOT devices would be:
- Home security cameras that can be accessed over the net: Dropcam, Nest Cam, etc.
- Amazon Echo – yes, Alexa too is IOT.
- Microsoft Xbox One with Kinect.
- ANY smart TV, but specifically those with voice command features.
- Sleep Number Beds with Sleep IQ
- Fitbits or other activity trackers.
- Any smartphone/tablet of course.
- Any computer running Windows 10 that runs Cortana.
- Any smart home appliance: thermostat, window controls, zone sensors, motion sensors, door sensors, window sensors, refrigerators, etc.
- And thanks to IFTTT, lots of other things too. (I’ll get to IFTTT later if you care specifically about knowing more about it.)
So, the internet of things can basically be described as things in your home that have sensors of some kind that report some kind of data back to the internet. It’s usually done over wifi or hard line internet connection, but could also be via bluetooth or RF. After all, even if it’s bluetooth, chances are it’s talking to another bluetooth device that’s connected to the internet, right?
I could probably go on from here and scare you enough without involving IFTTT, but I’ll go ahead and explain that a little too so it can be worked into the broader sense of the next part of this conversation.
So, what is IFTTT and how does it increasingly make the IOT more fun, more usable to consumers, and ultimately more at-risk of being hacked or spied upon?
Let’s agree first off that technology in today’s world is a two way street. If YOU can do something cool with something, and it doesn’t directly involve you being present to do it, then it most often involves the Internet to accomplish it. If YOU can do it, someone else can do it. And if it’s someone that’s smarter than you, they can do it to YOUR stuff. You can apply this to the government, hackers, or even teenagers playing pranks. So keep in mind that anything you bring into your home or your life that’s internet connected has a certain amount of security risk in it.
Moreover, it’s also important to understand that all these technologies run agreed-upon channels of communication. If you buy Iris brand smart lightbulbs, they operate on the same technology as most other brands, allowing you to control a Lowe’s brand smart bulb from your Home Depot or Google brand smart hub. Make sense?
Finally, you have to accept that bringing these kinds of things into your home means you sacrifice more control than with traditional devices you’re used to. For example, you can set rules and policies on your computer, or buy software to protect it from viruses, or set up your router at home to prevent your kids from watching porn. Computers are something YOU can modify to your needs. Smart devices are not. The consumer has no control over how they talk, the frequencies they use to talk, and how secure they are. You can’t install antivirus software on your Dropcam. It’s controlled by Google’s software. Make sense? You have control over your phone, your iPad/tablet, your computers, and devices like that. You don’t have control over IOT devices beyond simply being able to unplug them and render them useless, both to you and to someone else. Got it?
Now, let’s introduce IFTTT into the mix.
IFTTT might sound complicated, but only for about the first thirty seconds. After you get over the initial shock of it, you’re likely to say “How freakin cool is that!!” The acronym stands for “If This Then That.” It’s a modern equivalent of the most basic college level logic programming I took back in the 90’s. It’s both really complicated and really easy at the same time. You can check out IFTTT if you’d like, to learn more about what’s possible. If you’re even the slightest bit tech-savvy, you might find some really interesting things you’d want to play with.
The first thing about IFTTT to understand is that it makes things do things.
The second thing to understand is that it acts like a translator for things that don’t speak the same language.
Here’s an example:
Amazon Echo speaks ASK... an Amazon language.
Iris smart thermostats from Lowes speak one language.
Staples smart home devices speak another.
The Sleep Number Bed system speaks another.
IFTTT speaks them all, and a TON of others. It allows you to make one device from one manufacturer talk to another device from another manufacturer. Using IFTTT a user can make the Amazon Echo go out on the internet, contact an entirely different company to initiate a program, have that program contact my cell phone and make it ring. Wait, so it can make a phone call? That’s the big deal? Your Amazon Echo can make a phone call? Big deal!
You’re right… it’s not a big deal… unless you happen to know that Alexa has neither buttons, nor ANY phone features whatsoever. Using IFTTT I can make a home speaker call my phone. That’s two totally different technologies doing something that has nothing to do with each other.
I have an IFTTT action I created just for fun. Here’s how it works.
- I write this blog post and save it.
- The moment I save it, IFTTT reads my blog and contacts Facebook (using permission I gave it).
- Facebook makes this post for me automatically, which is where most of you are reading this. (using permissions I gave it to talk to my domain)
- You see it on your wall… (Ok, that part isn’t IFTTT… it’s just Facebook.)
- Now IFTTT monitors my wall 24×7 and sees that I made a new post. It then contacts Evernote, using my login credentials.
- It copies the entire Facebook post, images and all, and writes a new post in Evernote.
- Then it contacts my computer and downloads the post to all my connected devices. Now I have a copy of all my Facebook posts completely separate from Facebook.
Sounds innocuous enough, but you have to appreciate what just happened there. Four different companies with products that have nothing to do with each other each performed scripted actions on internet servers across the globe, and all I did was press one key marked “publish.” Five different times during that transaction my login credentials were exchanged with these companies without me doing anything. It’s actually a pretty awesome thing to be able to do, and it doesn’t even scratch the surface of day to day uses for IFTTT.
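The blog-post chain above can be written down as a small graph to see which services the automation broker needs access to, where a copy of a post ends up, and which single permission is worth revoking first. This is an added example, not part of the original post and not IFTTT’s own code; the `Applet` model and the service labels are assumptions made for illustration.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Applet(NamedTuple):
    trigger: str  # service the broker watches (needs read access there)
    action: str   # service the broker writes to (needs write access there)


# Constructed model of the chain described above. The labels are
# illustrative names, not real API identifiers.
APPLETS = [
    Applet("blog", "facebook"),      # new blog post -> Facebook post
    Applet("facebook", "evernote"),  # new Facebook post -> Evernote note
]


def delegated_grants(applets):
    """Access the broker must hold on each service for the applets to run."""
    grants = defaultdict(set)
    for a in applets:
        grants[a.trigger].add("read")
        grants[a.action].add("write")
    return {svc: sorted(modes) for svc, modes in grants.items()}


def reach(applets, source, revoked=frozenset()):
    """Services that end up holding a copy of data created at `source`.

    An applet stops working when the broker's grant on either of its
    two ends has been revoked.
    """
    edges = defaultdict(set)
    for a in applets:
        if a.trigger not in revoked and a.action not in revoked:
            edges[a.trigger].add(a.action)
    seen, queue = set(), deque([source])
    while queue:
        node = queue.popleft()
        for nxt in edges[node]:
            if nxt not in seen and nxt != source:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def best_revocation(applets, source):
    """Single grant whose revocation removes the most downstream copies."""
    baseline = reach(applets, source)
    candidates = {svc for a in applets for svc in a} - {source}
    return max(
        sorted(candidates),
        key=lambda s: len(baseline) - len(reach(applets, source, {s})),
    )


if __name__ == "__main__":
    print("grants held by broker:", delegated_grants(APPLETS))
    print("copies of a blog post:", sorted(reach(APPLETS, "blog")))
    print("revoke first:", best_revocation(APPLETS, "blog"))
```

The broker ends up holding read and write access to the middle service, which is why cutting that one grant stops every downstream copy in this model.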
I have a script that takes EVERY song I ever play on Spotify, Amazon, iHeartRadio, and others, notes the song name, band, time I played it, and what service I used to play it, and puts all that in an Excel spreadsheet that is stored online for me. I don’t have to make the spreadsheet, don’t have to log in to ANY of the services to do it, and don’t have to touch a computer to make it happen.
In another realm that’s used more often, I could easily perform the following scenario by using products from half a dozen different vendors, spending less than $1,000, and NOT having to buy expensive crap all from the same company when one company might not make everything I want to use.
I pull in my driveway.
My internet connected phone, using its GPS, notifies IFTTT that I’m in the vicinity and approaching the house. This “wakes up” the systems in case I pull into the driveway. It sees I am after all pulling into the driveway. It then uses the internet to pull the local time at my location based on my phone’s GPS. I’m in Albemarle, NC. What time of year is it? It’s February. It then cross references sunrise/moonrise data from NOAA to determine if it’s dark yet. (Alternatively it can contact my smart home’s light sensors to see if the porch lights have been turned on yet automatically, which they can do when it gets dark.) Either way, it determines that it is indeed dark this time of year at this hour in this GPS coordinate… so it automatically opens my garage door for me to pull in, automatically turns on the garage overhead lights so I can see, adjusts my home thermostat to the at-home setting, raising it a few degrees to my comfort level, turns on my TV, turns on my DVR, changes the channel to CNN news, wakes my smart coffee pot, and starts brewing a cup of coffee.
I can do all that with IFTTT and some basic smart home devices.
Want another idea? Some of these are really neat… ok, here goes.
I have a sleep number bed. It was a Christmas present for my wife two years ago because we can’t either one sleep comfortably on the same firmness mattress as the other. The sleep number bed allows us both to set our desired firmness and then it monitors our sleep patterns. I have my bed set on 75 hardness because that’s how I think it’s most comfortable. After a few days, the bed automatically senses my resting breathing rate as 16 beats per minute. It also knows I laid still 3.4 hours out of 8 last night, so I tossed and turned a little. The next night it can automatically adjust the bed to a different setting, comparing my breathing and movement activity patterns each night until it determines what is medically the “most comfortable” for me. When it sees I lie still longest and my resting breathing rate drops to its lowest, it knows I’m comfortable and maintains that setting.
Now, I also have a smart coffee pot. Ok. It’s on wi-fi. I can adjust its brew strength to whatever I want, ok? Cool huh.
Now let’s use IFTTT here.
My sleep number bed is storing all this data on the internet so I can access my sleep patterns from my phone. So does my coffee pot. Hmm. OK!
I can write an action that tells my coffee pot to turn on when I start to rouse. My bed knows this based on historical data. I’m starting to move around, and there you go… I’m out of the bed now. How long did I sleep? According to my bed I was only in it for 3.2 hours. I went to bed late because I was up half the night working. Tommy is VERY tired. Hey coffee pot, adjust brew strength to 9 instead of the usual 6.5 and make Tommy a stronger cup of coffee. He’s going to appreciate the extra caffeine this morning. My bed just contacted the internet, spoke to my coffee pot, adjusted its programming, and changed my brew without me doing ANYTHING except opening my eyes and moving. You gotta admit… that’s pretty cool… not to mention incredibly efficient.
All these things are IOT devices, relying on the internet to receive information. They’re also programmed using various modifications to IFTTT. Is that cool? Sure. But it’s also scary as hell!
Let’s go back to the initial conversation points mentioned above. You have no control of the security of the IOT devices in your home. The federal government (and sure, hackers) are blatantly admitting they can hack IOT all day every day with no problem. Using only the smart home technology in my house, what could I tell about Tommy and his life if I needed to/wanted to, and how could I use it? I’m just going to use “they” to describe whomever you want to use.. FBI, CIA, Anonymous, uber-savvy ex-wife, etc. It all starts with hacking email. Hacking email is child’s play if you’ve got the standard freemail services like Google, Yahoo, or something similar.
Using my bed’s internet connection, they can tell when I sleep, if I’m sleeping at the moment, and how many people are sleeping in my bed at any given moment as well as relative weights of each person. That tells them if it’s me, or someone else and if I’m asleep or not.
Using my Dropcam they can monitor audio and video in two zones of the house. They hear, speak to, and get feedback from anything moving in my house… maybe to check to see if I have dogs, how many of them, and where they are. If they say “Boo” on the camera and no one responds, it’s safe to breach.
Is Tommy home today? Well, hacking his email revealed a Whistle account for one of his dogs. Hacking that revealed it’s some dog named Ghost, a German Shepherd. Ok, he has a German Shepherd. According to his dog’s tracker the dog is on the move and is moving at a high rate of speed, so we can safely assume he’s on the road and his dog is with him. Cross reference that against his cell phone GPS signal.
Confirmed. Both Tommy’s phone signal and his dog’s collar are moving, not at home, and are together. The house is safe to infiltrate/rob/etc.
Tommy is a suspected terrorist, or relation of one. Let’s get a FISA warrant and tap his devices. Oh crap, he’s savvy. He’s got a phone we can’t hack (not!, but let’s say I do). Ok, plan B. Hit him from IOT and set up surveillance.
They simply hack my Xbox One Kinect and gain immediate video and audio access to my entire living room. Every word spoken can be recorded and every face can be scanned for facial recognition. The Xbox One Kinect does that by itself anyway! (Yes, it watches you 24×7 and listens to you 24×7. EVERY MOVEMENT and EVERY WORD.) Since they’re in my Xbox, they can get to my router (which they didn’t actually have to have access to if they have an Xbox exploit. They could backdoor into the network from inside the network, rather than outside using standard Xbox communications ports.) Ok, now we’ve got his router’s IP address. Boom… we’re in his Asus router. He’s got it secured with an Asus cloud account (they check my email again). Ok, got the credentials. This doesn’t have two-factor authentication because that’s not offered, so now we can brute force his router. Bam. We’re in.
Ah ha! In addition to the Xbox, we see two Dropcameras, and an Amazon Echo, one voice controlled speaker, and some other stuff.
This is freakin great! Ok. Slave his Dropcam feeds to us. Enable audio full time and record everything. Slave the Amazon Echo in the bedroom, so now we can SEE in three rooms of the house, and hear every word spoken in 5 rooms of the house just using Tommy’s Amazon Echo, Xbox, and his off-the-shelf security camera….
He doesn’t have a camera in his office.. damn. Wish we could get that feed too.
Wait, (checks the router), I see a pretty intensive computer setup in the office. Let me check… YES, it’s running Windows 10… and… YES he’s running Cortana. And… oh what a day, he’s got a Logitech HD 930 conferencing camera on his computer. Now we have widescreen video of the office, as well as full 24×7 audio recording of that room as well.
It’s not. It’s what the Federal government can do today. None of that is complicated because ALL of those devices require the internet to function. Otherwise you wouldn’t have them. Who actually unplugs their Xbox Kinect from the wall when they’re not using it? Why? It would invalidate the purpose in having one. I can protect my cameras, but only by unplugging them. I can’t secure the router ports on a firewall because I can’t access them either then. What would be the point of having them? I could disable my Amazon Echo, but that is REALLY useless without Internet. Alexa is literally nothing more than a useless paperweight without an Internet connection. If you have ANY device you can speak to and have it answer you… then it is already a 24×7 open microphone connected to the internet. That’s a plain and simple fact. No, a human isn’t listening to it, but servers are.
If you have an Amazon Echo, they freely admit that they record everything it hears simply so it can learn your speech patterns and learn to answer in a more human-like manner. Otherwise, I’d have to say “Alexa, weather.” Instead, I can say things like “Alexa, is it supposed to snow tomorrow?” or “Alexa, will there be snow this week?” All those variations on speech patterns are different individual questions and she can answer them all differently.
You watch a lot of cable TV? Great, then anyone that wanted to monitor it knows your TV schedule, your political affiliation, your views on police. After all, no one that hates cops watches Blue Bloods, NCIS, Chicago PD, and about 4 other police shows. This guy has a militant personality and at least a passing interest in police. Ok. Good to know. You skip through food commercials but you always pause on the Republican campaign ads… therefore you’re interested in the Republican primary, therefore you’re probably Republican, therefore you have a higher chance to have one or more firearms in the home than a Democrat or liberal. Yes, those are statistical analyses that can be carried out in seconds based on your TV-watching habits. With access to your DVR, I can tell you how many people are likely in your home, what time of day each of them tends to watch TV, what kinds of TV they like (which gives me the beginnings of a psychological profile), what time each person goes to bed, what gender they are, what age range they are. (Adults rarely watch Pokemon, but the kids do. Got it. There’s at least one child in the home.)
What does all this mean?
It really means very little or a hell of a lot, depending on the kind of person you are. For me, it doesn’t mean much. I don’t sit at home and work on plans to bomb elementary schools (though because I just wrote that phrase in a blog post, you can bet that either Echelon or Prism just picked that sentence out to compare it to a criminal profile). But I work with this technology so I’m aware of what I’m getting into.
I can absolutely guarantee with 100% assurance that someone that read this just changed their mind about purchasing something IOT related. They either WILL purchase now because of all the cool things they can do, or they will definitely NOT purchase now and then they’ll go home, unplug everything with a speaker, and start disassembling their toaster looking for hidden microphones. (Don’t forget to check the hemorrhoid cream! That’s where they always put the spy cams!)
In the grand scheme of things it’s a huge goldmine for law enforcement. As it stands now there is very little legislation regarding IOT privacy aside from the 4th amendment, but the Patriot Act and FISA courts mean that you’d never know anyway so you’d not be able to get your panties in a wad over it until it was too late.
Are you being spied on? I don’t know.
Am I being spied on? Oh, I almost hope so. (I’m writing this wearing nothing but a T-shirt and house-shoes.. serves ’em right for hacking my computer’s camera! I wonder if I scratched my naked butt when I walked over to the coffee pot and passed the camera’s view? Hmmm.)
Now.. I’m going to publish this, share it on FB, then go proofread it.
Comment away, but PLEASE try to remember if possible to leave your Facebook comments ON THIS PAGE, not on the FB wall. It’s easier to read and respond to them here.