
The Internet of Unwelcome Gifts

It’s that time of year when many of us are out buying gifts for ourselves or others – or if you’re tight like me, waiting for the sales in the New Year to buy those big-ticket items. Ahem. Regardless, please do not buy IoT / "smart" devices as gifts for people you care about.

Here’s the thing: at this point in time, most people who want a dedicated assistant-in-a-can device already have one. If they don’t own one already, it may be because they realise they will hardly use it – most of these things are only ever used to play music and maybe set a timer. The first many of us knew about Amazon’s efforts to sell Alexa skills for actual cash money was when they missed their revenue forecast… badly. How badly did they miss? Well, against what I would have thought was a pretty conservative target by Amazon’s standards of $5M, they achieved… $1.4M. That’s 28% attainment, also known in sales circles as "pack up your desk and get out – and be quick about it, I already called Security". In other words, very few people are using Skills at all, and basically none are using for-pay skills.

Of course there are any number of surreptitiously "smart" devices. For instance, these days it is pretty much impossible to buy a consumer TV without an operating system powerful enough to connect to the Internet over wifi and run streaming-video apps. This also means they are powerful enough to snoop on users’ behaviour. You might think this is not too bad – after all, YouTube already knows exactly which cute cat videos you watched – but these days, the state of the art is capturing whatever is displayed on screen, and trying to run analytics on that. If you watch home videos or display your photos, well, the privacy policy you clicked through when you set up the TV says it’s okay for the company to own those now. This is why even staid Consumer Reports is offering advice to turn off snooping features in smart TVs — and yes, they called it "snooping", not me.

If you think TVs are bad, other categories are even worse; see this IEEE report that calls out security risks of drones, vibrators, and children’s toys.

All of this means that there is a good chance that your possible gift recipient, especially if they are technically inclined, considered and rejected smart devices for security reasons. In case you think I’m just a lone crank over here in my tinfoil hat, it’s worth noting that the FBI issued notices about securing smart TVs around Black Friday, while the French government just sent out this warning about internet-connected food processors.

At least someone with some technical skills might have a chance of heading off the snooping at the network edge with something like a Pi-Hole. Definitely don’t buy anything with an Internet connection for your Muggle friends and relatives!

This is the sort of thing that Mozilla’s excellent Privacy Not Included project is designed to highlight. Note that this is not a blanket anti-tech position; if you browse over to the Privacy Not Included site, there are a ton of "smart" devices that are not creepy. But then there are the others, such as the infamous Ring camera, which manages a hat trick of terrible security, accommodation with a surveillance-driven police state, and enablement and reinforcement of racist tendencies.

In this context, Apple’s announcement that they are joining forces with Amazon, Google, and Zigbee to establish a new, more secure and interoperable IoT standard may be a hopeful sign that the Wild West era of ill-considered experimentation in IoT is coming to an end – or it may be a well-intentioned standard that simply ends up gathering dust on a shelf in Cupertino.

Turn up the heating, I’m freezing!
I’m sorry Dave, I can’t let you do that.

Regardless, don’t buy any devices that are too smart for their own good – or more importantly, yours. If there is no good reason for a thing to be "smart", then stick to the dumb version: it no doubt works better today, and won’t be obsolete tomorrow when the vendor goes out of business or simply terminates support for that product line.

Be Smart, Use Dumb Devices

The latest news in the world of Things Which Are Too "Smart" For Their Users’ Good is that Facebook have released a new device in their Portal range: a video camera that sits on your TV and lets you make video calls via Facebook Messenger and WhatsApp (which is also owned by Facebook).

This is both a great idea and a terrible one. I am on the record as wanting a webcam for my AppleTV so that I could make FaceTime calls from there:

In fact, I already do the hacky version of this by mirroring my phone’s screen with AirPlay and then propping it up so the camera has an appropriate view.

Why would I do this? One-word answer: kids. The big screen has a better chance of holding their attention, and a camera with a nice wide field of view would be good too, to capture all the action. Getting everyone to sit on the couch or rug in front of the TV is easier than getting everyone to look into a phone (or even iPad). I’m not sure about the feature where the camera tries to follow the speaker; in these sorts of calls, several people are speaking most of the time, so I can see it getting very confused. It works well in boardroom setups where there is a single conversational thread, but even then, most of the good systems I’ve seen use two cameras, so that the view can switch in software rather than waiting for mechanical rotation.

So much for the "good idea" part. The reason it’s a terrible idea in this case is that it’s from Facebook. Nobody in their right mind would want an always-on device from Facebook in their living room, with a camera pointed at their couch, and listening in on the video calls they make. Facebook have shown time and time and time again that they simply cannot be trusted.

An example of why the problem is Facebook itself, rather than any one product or service, is the hardware switch for turning the device’s camera off. The highlight shows if the switch is in the off position, and a LED illuminates… to show that the camera and microphone are off.

Many people have commented that this setup looks like a classic dark pattern in UX, just implemented in hardware. My personal opinion is that the switch is more interesting as an indicator of Facebook’s corporate attitude to internet services: they are always on, and it’s an anomaly if they are off. In fact, they may even consider the design of this switch to be a positive move towards privacy, by highlighting when the device is in "privacy mode". The worrying aspect is that this design makes privacy an anomaly, a mode that is entered briefly for whatever reason, a bit like Private or Incognito mode in a web browser. If you’re wondering why a reasonable person might be concerned about Facebook’s attitude to user privacy, a quick read of just the "Privacy issues" section of the Wikipedia article on Facebook criticism will probably have you checking your permissions. At a bare minimum, I assume that entering "privacy mode" is itself a tracked event, subject to later analysis…

Trust, But Verify

IoT devices need a high degree of trust anyway because of all the information that they are inherently privy to. Facebook have proven that they will go to any lengths to gather information, including information that was deliberately not shared by users, process it for their own (and their advertising customers’) purposes, and do an utterly inadequate job of protecting it.


The idea of a smart home is attractive, no question – but why do the individual devices need to be smart in their own right? Unnecessary capabilities increase the vulnerability surface for abuse, either by a vendor/operator or by a malicious attacker. Instead, better to focus on devices which have the minimum required functionality to do their job, and no more.

A perfect example of this latter approach is IKEA’s collaboration with Sonos. The Symfonisk speakers are not "smart" in the sense that they have Alexa, Siri, or Google Assistant on board. They also do not connect directly to the Internet or to any one particular service. Instead, they rely on the owner’s smartphone to do all the hard work, whether that is running Spotify or interrogating Alexa. The speaker just plays music.

I would love a simple camera that perched on top of the TV, either as a peripheral to the AppleTV, or extending AirPlay to be able to use video sources as well. However, as long as doing this requires a full device from Facebook1 – or worse, plugging directly into a smart TV2 – I’ll keep on propping my phone up awkwardly and sharing the view to the TV.


  1. Or Google or Amazon – they’re not much better. 

  2. Sure, let my TV watch everything that is displayed and upload it for creepy "analysis".3 

  3. To be clear, I’m not wearing a tinfoil hat over here. I have no problem simply adding a "+1" to the viewer count for The Expanse or whatever, but there’s a lot more that goes on my TV screen: photos of my kids, the content of my video calls, and so on and so forth. I would not be okay with sharing the entire video buffer with unknown third parties. This sort of nonsense is why my TV has never been connected to the WiFi. It went online once, using an Ethernet cable, to get a firmware update – and then I unplugged the cable. 

The Internet of (Insecure) Things

Back in 2014, I wrote an article entitled Why the Blinking Twelves is an Internet of Things problem in the making. If you’re not familiar with the idiom of the "blinking twelves", allow me to enlighten you:

Back in the last century, digital clocks with seven-segment displays became ubiquitous, including as part of other items of home electronics such as VCRs. When first plugged in, these would blink "12:00" until the time was set by the user.
Technically-minded people soon noticed that when they visited less technical friends or relatives, all the appliances in the house would still be showing the "blinking twelves" instead of the correct time. The "blinking twelves" rapidly became short-hand for "civilians" not being able to – or not caring to – keep up with the demands of ubiquitous technology.
One of the most frustrating things for techies about the "blinking twelves" was that nobody else seemed to care or even notice the problem that was driving them nuts. How could people not see the blinking twelves all around them, and do something about them?
It took Windows for the problem to become obvious. Windows computers brought a much higher level of technological complexity; the computer needed regular maintenance, and people rapidly realised that updates and patches were required at regular intervals if their computers were to remain functional and secure.
The problem that we are facing is that technology has already begun to spread beyond the desktop. Even the most technophobic now carry a phone that is "smart" to a greater or lesser degree and many people treat these devices much like their old VCRs, installing them once and then forgetting about them. However, all of these devices are running 24/7, connected to the public Internet, with little to no management or updates.

In the three years since I wrote that article, the number of Internet-enabled devices has simply exploded.

I know, it’s from Business Insider, take it with a large grain of salt - but the trend is unarguable.

Here’s the problem: all of those Internet-enabled Things are cheap, and therefore based on existing components, including software. Most software, at least below the level of the specialised RTOSen found in nuclear power plants and the like, is built around the assumption of regular maintenance and updates provided by knowledgeable operators. However, once these Things are deployed in the field, where "in the field" often means the home or office of people who are not IT professionals, it is a given that they will not receive that level of care.

When something like KRACK hits, the odds are good that manufacturers for many devices will already have disappeared without providing patches. Even for devices from more stable vendors who do provide ongoing support, maybe the device is obsolete and replaced by newer versions with incompatible architectures. But even supposing that all the stars align and the patch is available, it will still not be deployed widely - because of the "blinking twelves" problem. Non-specialist owners will not know or care to update their devices, and so the cycle continues.

Our only hope is that we are saved by our devices' obsolescence, as the lack of updates eventually prevents them from functioning at all. Maybe this won’t be the final straw, but soon enough the figleaf in every click-through agreement about the software being "provided as is" and "no warranty of merchantability or fitness for purpose" will be ripped away, in favour of the sorts of consumer protection regulations that these same devices would be subject to if they were not Internet-enabled.

The alternative is that in the Smart Home of the Future that we keep being promised, troubleshooting steps really will require us to close all the windows, exit, and start what we were doing all over again.

Me, I’ll move to a cabin in the woods.


Photo by Heather Zabriskie on Unsplash

Incentives Drive Behaviour - Security Is No Exception

Why is security so hard?

Since I no longer work in security, I don’t have to worry about looking like an ambulance-chasing sales person, and I can opine freely about the state of the world.

The main problem with security is the intersection of complexity and openness. In the early days of computers there was a philosophical debate about the appropriate level of security to include in system design. The apex of openness was probably MIT’s Incompatible Time-Sharing System, which did not even oblige users to log on - although it was considered polite to do so.

I will just pause here to imagine that ethos of openness in the context of today’s social media, where the situation is so bad that Twitter felt obliged to change its default user icon because the "egg" had become synonymous with bad behaviour online.

By definition, security and openness are always in opposition. Gene "Spaf" Spafford, who knows a thing or two about security, famously opined that:

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.

Obviously, such a highly-secure system is not very usable, so people come up with various compromises based on their personal trade-off between security and usability. The problem is that this attempt to mediate between two opposite impulses adds complexity to the system, which brings its own security vulnerabilities.

Ultimately, IT security is a constant Red Queen’s Race, with operators of IT systems rushing to patch the latest flaws, knowing all the while that more flaws are lurking behind those, or being introduced with new functionality.

Every so often, maintainers of a system will just throw up their hands, declare a system officially unmaintainable, and move to something else. This process is called "End of Life", and is supposed to coincide with users also moving to the new supported platform.

Unfortunately this mass upgrade does not always take place. Many will cite compatibility as a justification, and certainly any IT technician worth their salt knows better than to mess with a running system without a good reason. More often, though, the reason is cost. In a spreadsheet used to calculate the return on different proposed investments, "security" falls under the heading of "risk avoidance"; a nebulous event in the future, that may become less probable if the investment is made.

For those who have not dealt with many finance people, as a rule, they hate this sort of thing. Unless you have good figures for both the probability of the future event and its impact, they are going to be very unhappy with any proposed investment on that basis.

The result is that old software sticks around long after it should have been retired.

As recently as November 2015, it emerged that Paris’ Orly airport was still operating on Windows 3.1 - an operating system that has not been supported since 2001.

The US military still uses 8" floppy disks for its ICBMs:

"This system remains in use because, in short, it still works," Pentagon spokeswoman Lt Col Valerie Henderson told the AFP news agency.

And of course we are still dealing with the fallout from the recent WannaCry ransomware worm, targeting Windows XP - an operating system that has not been supported since 2014. Despite that, it is still the fourth most popular version of Windows (behind Windows 7, Windows 10, and Windows 8.1), with 5.26% share.

Get to the Point!

It’s easy to mock people still using Windows XP, and to say that they got no more than they deserved - but look at that quote from the Pentagon again:

"This system remains in use because, in short, it still works"

Windows XP still works fine for its users. It is still fit for purpose. The IT industry has failed to give those people a meaningful reason to upgrade - and so many don’t, or wait until they buy new hardware and accept whatever comes with the new machine.

Those upgrades do not come nearly as frequently as they used to, though. In the late Nineties and early Oughts, I upgraded my PC every eighteen months or so (as funds permitted), because every upgrade brought huge, meaningful differences. Windows 95 really was a big step up from Windows 3.1. On the Mac side, System 7 really was much better than System 6. Moving from a 486 to a Pentium, or from 68k to PowerPC, was a massive leap. Adding a 3dfx card to your system made an enormous difference.

Vice-versa, a three-year-old computer was an unusable pile of junk. Nerds like me installed Linux on them and ran them side by side with our main computers, but most people had no interest in doing such things.

These days, that’s no longer the case. For everyday web browsing, light email, and word processing, a decade-old computer might well still cut it.

That’s not even to mention institutional use of XP; Britain’s NHS, for instance, was hit quite hard by WannaCry due to their use of Windows XP. For large organisations like the NHS, the direct financial cost of upgrading to a newer version of Windows is a relatively small portion of the overall cost of performing the upgrades, ensuring compatibility of all the required software, and retraining literally hundreds of thousands of staff.

So, users have weak incentives to upgrade to new, presumably more secure, versions of software; got it. Should vendors then be obliged to ship them security patches in perpetuity?

Zeynep Tufekci has argued as much in a piece for the New York Times:

First, companies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn’t expired; neither has their responsibility to fix defects.

Unfortunately, it’s not that simple, as Steven Bellovin explains:

There are two costs, a development cost $d and an annual support cost $s for n years after the "warranty" period. Obviously, the company pays $d and recoups it by charging for the product. Who should pay $n·s?

The trouble is that n can be large; the support costs could thus be unbounded.

Can we bound n? Two things are very clear. First, in complex software no one will ever find the last bug. As Fred Brooks noted many years ago, in a complex program patches introduce their own, new bugs. Second, achieving a significant improvement in a product's security generally requires a new architecture and a lot of changed code. It's not a patch, it's a new release. In other words, the most secure current version of Windows XP is better known as Windows 10. You cannot patch your way to security.

Incentives matter, on the vendor side as well as on the user side. Microsoft is not incentivised to do further work on Windows XP, because it has already gathered all the revenue it is ever going to get from that product. From a narrowly financial perspective, Microsoft would prefer that everyone purchase a new license for Windows 10, either standalone or bundled with the purchase of new hardware, and migrate to that platform.

Note that, as Steven Bellovin points out above, this is not just price-gouging; there are legitimate technical reasons to want users to move to the latest version of your product. However, financial incentives do matter, a lot.

This is why if you care about security, you should prefer services that come with a subscription.

If you’re not Paying, you’re the Product

Subscription licensing means that users pay a recurring fee, and in return, vendors provide regular updates, including both new features and fixes such as security patches.

As usual, Ben Thompson has a good primer on the difference between one-off and subscription pricing. His point is that subscriptions are better for both users and vendors because they align incentives correctly.

From a vendor’s perspective, one-off purchases give a hit of revenue up front, but do not really incentivise long-term engagement. It is true that in the professional and enterprise software world, there is also an ongoing maintenance charge, typically on the order of 18-20% per year. However, that is generally accounted for differently from sales revenue, and so does not drive behaviour to nearly the same extent. In this model, individual sales people have to behave like sharks, always in motion, always looking for new customers. Support for existing customers is a much lower priority.

Vice versa, with a subscription there is a strong incentive for vendors to persuade customers to renew their subscription - including by continuing to provide new features and patches. Subscription renewal rates are scrutinised carefully by management (and investors), as any failure to renew may well be symptomatic of problems.

Users are also incentivised to take advantage of the new features, since they have already paid for them. When upgrades are freely available, they are far more likely to be adopted - compare the adoption rate for new MacOS or iOS versions to the rate for Windows (where upgrades cost money) or Android (where upgrades might not be available, short of purchasing new hardware).

This is why Gartner expects that by 2020, more than 80 percent of software vendors will change their business model from traditional license and maintenance to subscription.

At Work - and at Home, Too

One final point: this is not just an abstract discussion for multi-million-euro enterprise license agreements. The exact same incentives apply at home.

A few years ago, I bought a cordless phone that also communicated with Skype. From the phone handset, I could make or answer either a POTS call, or a Skype voice call. This was great - for a while. Unfortunately the hardware vendor never upgraded the phone’s drivers for a new operating system version, which I had upgraded to for various reasons, including improved security.

For a while I soldiered on, using various hacks to keep my Skype phone working, but when the rechargeable batteries died, I threw the whole thing in the recycling bin and got a new, simpler cordless phone that did not depend on complicated software support.

A cordless phone is simple and inexpensive to replace. Imagine that had been my entire Home of the Future IoT setup, with doorbells, locks, alarms, thermostats, fridges, ovens, and who knows what else. "Sorry, your home is no longer supported."1

With a subscription, there is a reasonable expectation that vendors will continue to provide support for the reasonable lifetime of their products (and if they don’t, there is a contract with the force of law behind it).

Whether it’s for your home or your business, if you rely on it, make sure that you pay for a subscription, so that you can be assured of support from the vendor.


  1. Smart home support: "Have you tried closing all the windows and then reopening them one by one?" 

Smart Swatch

Remember Swatch? The must-have colourful plastic watches of the 80s and 90s? They are back in the news, with their new plan to produce their own smartwatch operating system.

Swatch plans to develop its own operating system as the Swiss watchmaker seeks to combine smart technology with the country’s expertise in making timepieces and miniaturisation, chief executive Nick Hayek has said.

Mr Hayek added that he wanted to avoid relying on Apple’s iOS and Google’s Android and provide a "Swiss" alternative offering stronger data protection and ultra-low energy consumption.

This new plan has caused all sorts of consternation around the Internet, but I was disposed to ignore it - until now. I just received this week's Monday Note, by the usually reliable Jean-Louis Gassée.

M. Gassée makes some initially good points about the complexity of operating systems, the immaturity of the smartwatch market, and the short timescales involved. Swatch intends to ship actual products by the end of 2018, which is barely any time at all when it comes to developing and shipping an entirely new physical product at mass-market scale. However, I do wonder whether he is falling into the same trap that he accuses Hayek and Swatch of falling into.

… in 2013, Hayek fils publicly pooh-poohed smart watches:
"Personally, I don’t believe it’s the next revolution… Replacing an iPhone with an interactive terminal on your wrist is difficult. You can’t have an immense display."

I tend to agree with Hayek, as it happens; the "terminal on the wrist" is pretty much a side show. The one stand-out use case for smart watches1 right now appears to be sensors and fitness. If that's not compelling, then there is very little else to attract you to smartwatches, even if you are a committed technophile like me. For myself, after wearing a Jawbone Up! for a year or two, I determined that I was not making use of the data that were gathered. The activity co-processor in my iPhone is ample for my limited needs.

What Is A Smartwatch?

The key point, however, is that Swatch have not announced an actual smart watch, but rather "an ecosystem for connected objects". M. Gassée even calls out some previous IoT form within CSEM, Swatch's partner in this venture, which recently produced the world's smallest Bluetooth chip.

The case against the wisdom of the Swatch project - the complexity of OS development and maintenance, the need for a developer ecosystem, and so on - assumes that Swatch are contemplating a direct rival for Apple's watchOS and Google Gear. What if that's not what's going on at all?

What if Swatch is going back to its roots, and making something simple and undemanding, but with the potential to be ubiquitous? The ecosystem for a smartwatch is now widespread: everyone has a smartphone, NFC is everywhere, from payment terminals to subway turnstiles. What if Swatch just intends to piggyback on that by embedding a few small and cheap sensors in its watches, without even having a screen at all?

Now that would be a Swatch move. In fact, it's such a Swatch move that they've done it before, with their Snow Pass line:

Its ski watch stores ski pass information and has an antenna that communicates with a scanner at the fast-track ski lift entrance. One swipe of the wrist and you're through.

That description sounds a lot like ApplePay to me - or really any NFC system. Add some pretty basic sensors, and you've got 80% of the smartwatch functionality that people actually use for 20% of the price.

Seen through this lens, the focus on privacy and security makes sense. It has been said that "the S in IoT stands for 'security'", and we could certainly all use an IoT player that focuses on that missing S. If the sensors themselves are small and simple enough, they would not need frequent updates and patches, as there would be nothing to exploit. The companion smartphone app would be the brains of the operation and gateway to all the data gathered, and could be updated as frequently as necessary, without needing to touch the sensors on the watch.

So What Is Swatch Really Up To?

As to why Swatch would even be interested in entering into such a project, remember that these days Swatch is part of a group that sprawls across 70 different brands, most far more up-scale (albeit less profitable) than lowly Swatch with its plastic watches. Think Omega, Breguet, Glashütte, Longines, or Blancpain. The major threat to those kinds of watches is not any single other watch; most watch lovers own several different mechanical watches, and choose one or another to wear for each day, activity, or occasion. In my own small way, I own three mechanical watches (and two quartz), for instance.

For a while now, and accelerating since the release of the iPhone, the competition for watches was - no watch at all. Why bother to wear a watch, the thinking went, when your smartphone can tell the time much more accurately? But now, insidiously, the competition is a watch again - but it is the last watch its owners will ever wear. Once you start really using an Apple Watch, you don't want to take it off, lest you miss out on all those activities being measured. Circles will go unfilled if you wear your Rolex to dinner.

But what if every watch you buy, at least from The Swatch Group, gives you the same measurements and can maintain continuity through the app on your phone? What if all of your watches can also let you on the subway, pay for your groceries, and so on? Other players such as Breitling and Montblanc have also been looking into this, but I think Swatch has a better chance, if only because they start from scale.

Now we are back to the comfortable (and profitable) status quo ante for the Swiss watch industry, in which watch aficionados own several different watches which they mix and match, but with each one part of the same connected experience.

Analogies are dangerous things. The last few years have conditioned us to watch out for the "PC guys are not just going to figure this out"-type statements from incumbents about to be disrupted. What if this time, the arrow points the other way? What if Swatch has finally figured out a way for the traditional watch industry to fight back against the ugly, unclassy interloper?


  1. In a further sign of the fact that this is still a developing market, even auto-correct appears to get confused between "smartwatch" and "smart watch". 

IoT Future: Saved by Obsolescence?

It’s that most magical time of year… no, not Christmas, that’s all over now until next December. No, I mean CES, the annual Consumer Electronics Show in Las Vegas. Where better than Vegas for a million ridiculous dreams to enjoy brief moments of fame, only to fade soon after?

It used to be that the worst thing that could come out of CES was a drawer full of obsolete gadgets. These days, things can get a bit more serious. Pretty much every gadget on display is now wifi-enabled and internet-connected - yes, even the pillows and hairbrushes.

The reason this proliferation of connectivity is a problem is the "blinking twelves" factor, that I have written about before:

Back in the last century, digital clocks with seven-segment displays became ubiquitous, including as part of other items of home electronics such as VCRs. When first plugged in, these would blink "12:00" until the time was set by the user.

Technically-minded people soon noticed that when they visited less technical friends or relatives, all the appliances in the house would still be blinking "12:00" instead of the correct time. The "blinking twelves" rapidly became short-hand for "civilians" not being able to – or not caring to – keep up with the demands of ubiquitous technology.

The problem that we are facing is that computing has begun to spread beyond the desktop. Even the most technophobic now carry a phone that is "smart" to a greater or lesser degree, and many people treat these devices much like their old VCRs, installing them once and then forgetting about them. However, all of these devices are running 24/7, connected to the public Internet, with little to no management or updates.

Now we are starting to see the impact of that situation. Only a few months ago, one of the biggest botnets in history was assembled from hacked internet-connected CCTV cameras and took down big chunks of the Internet.

That’s just crude weight-of-numbers stuff, though; the situation will get even more… interesting as people figure out how to use all of the data gathered by those Things - and not just the owners of the devices, either. As people introduce always-on internet-connected microphones into their homes, it’s legitimate for police to wonder what evidence those microphones may have overheard. It is no longer totally paranoid to wonder what the eventual impact will be:

Remember that quaint old phrase "in the privacy of your own home". I wonder how often we will be using it in 20 years' time.

What can we do?

Previous scares have shown that there is little point in the digerati getting all excited about these sorts of things. People have enough going on with their lives; it takes laws to force drivers to take care of basic maintenance of their cars, and we are talking about multi-tonne hunks of metal capable of speeds in excess of 100mph. Forget about getting them to update firmware on every single device in their home, several times a year.

Calls for legislation of IoT are in my opinion misguided; previous attempts to apply static legal frameworks to the dynamic environment of the Internet have tended to be ineffective at best, and to backfire at worst.

Ultimately, what will save us is that same blinking twelves nature of consumers. There is a situation right now in San Francisco, where the local public transport system’s display units that should show the time until the next bus or train are giving wildly inaccurate times:

To blame is a glitch that's rendered as many as 40 percent of buses and Muni vehicles "invisible" to the NextMuni system: A bus or light rail train could arrive far sooner than indicated, but the problem, which emerged this week, is not expected to be resolved for several weeks.

Muni management have explained the problem (emphasis mine):

NextMuni data is transmitted via AT&T’s wireless cell phone network. As Muni was the first transit agency to adopt the system, the NextMuni infrastructure installed in 2002 only had the capacity to use a 2G wireless network – a now outdated technology which AT&T is deactivating nationwide.

What took down NextMuni - the obsolescence of the 2G network it relied on - will also be the fix for all the obsolete and insecure IoT devices out there, the next time there is a major change in home wifi. More expert users may proactively upgrade their wifi access points to get better speed and range, but that will not catch most of the blinking twelves people. However, it's probably safe to assume that most of the Muggles are relying on the router supplied by their internet provider, and when the provider sends them a new one or they change provider, the network name and password change with it. Newer wifi standards are generally backwards compatible, so it is not the radio that cuts the old devices off; it is the new credentials that nobody is going to go round entering into the hairbrush. Hey presto - all the insecure Things drop off the network, and off their botnets.

Problem solved?


Image by Arto Marttinen via Unsplash

Internet of Meh

There was some excitement when it seemed that 100,000 "smart" devices had been corralled into a botnet used for sending spam. While Ars Technica says there's more (or less) to that story, I think the situation is both worse and better than reported.

Bad first: of course those devices are vulnerable! Think: once we get past the early adopters, these things are going to be in the hands of people running unpatched Windows XP, who want to call the fire brigade if you mention firewalls, and whose oven (or their VCR, heaven help us) has been blinking 12:00 since it was installed.

The manufacturers will also stop updating the things after about two months of shelf life. Most of the apps on my four-year-old "smart" TV no longer work, to the point that I never even bothered connecting it to the net when we moved house. I threw out a Skype phone because it was never updated for Windows 7, never mind any other platform. And I could go on...

Even after we have accounted for incompetence and laziness, there’s always malice. What happens if the low-powered smart devices that are going to be running the Internet of Things are actually hiding out inside other Things?

We’re doomed, then? The Internet of Things will actually be an Internet of (Even More) Spam?


Well, smeg.1

Well, no. Most of these smart devices will never be connected to the internet in the first place, because the owners won’t be bothered to do it. They will just keep using the TV as a TV and the fridge as a fridge, without worrying about the extra feeping creatures.

Saved by sloth. Result.


  1. Smeg