Since this week’s theme so far is data, let’s keep it going with a profile on Petasense, a startup that offers predictive analytics to industrial clients. Petasense was formed in 2014 with a plan to stop downtime at factories by improving plant owners’ ability to understand when their machines would fail. It built a Wi-Fi-connected vibration sensor that collects data from each machine and sends it up to the cloud for analysis.
The resulting data gets sent back in the form of a health score to plant operators. What Petasense founders discovered was that downtime isn’t why companies were interested in the service. Instead, they wanted to use it to avoid scheduled maintenance on equipment that didn’t actually need it. Now plant operators have the ability to set a customized maintenance schedule for each machine, avoiding the downtime and cost that comes with servicing a machine that doesn’t yet need it.
What Petasense is doing isn’t new. GE has been touting its ability to take in data to predict failures for the last five or six years. Startups such as Augury also offer similar services, albeit by analyzing the sounds that machines make as opposed to their direct vibration. Really, the sense is that anyone with a fancy algorithm and access to data can come up with some way to predict the health of a given machine.
But Abhinav Khushraj, one of Petasense’s cofounders, begs to differ. He says that Petasense is different because fancy algorithms are one thing, but access to data is the essential thing. Petasense built its own vibration sensor so it could get clean data to populate its analytics efforts. Controlling the sensor gives Petasense the competitive edge, says Khushraj.
I want to believe this. I can see the value in having clean data and the ability to understand the specifics of the hardware collecting that data. However, I also know that new ways of getting data come along all the time with different incentives to use them. Petasense does make it incredibly easy to buy and deploy its vibration sensor, which goes a long way to assuaging my doubts about its customers finding a new source of vibration data.
The sensor costs between $400 and $600 and gets glued onto the equipment with industrial epoxy. The battery lasts two years, and the sensor transmits data every three hours. If it’s as simple as getting someone to walk around sticking a sensor onto every piece of equipment, then that’s not a difficult ask. This assumes it’s easy to put the device on a corporate network. Because it uses Wi-Fi, things could get tricky.
Once the sensor is transmitting data, companies pay about $10 per month, per device, for the analytics. The whole service replaces what was typically one person, who would come around and collect vibration data from gear every month or so, and the specialist that person sent the data to, who would then use that reading to see if there was a problem.
Obviously the sensor replaces those two people, but it also collects a lot more information than was previously possible, which presumably leads to better results. Petasense has customers in the utilities industry and customers who use it to monitor HVAC equipment in buildings.
This week’s big news had to do with a heat map published back in November by a fitness tracking application called Strava. A 20-year-old in Australia noticed that the running data from U.S. military personnel indicated where clandestine bases were in Syria. His insights percolated through security analysts on Twitter, and then to the U.S. Department of Defense.
Now the DOD is re-evaluating its policies around wearables and mobile phones, and will likely look at the social media habits of its soldiers as well. What happened with Strava is nothing new, exactly. On a smaller scale, hackers and spies have used public social media profiles to get all kinds of information on targets.
But there are two things that are different about the Strava case—and worth noting. The first is the scale of it. The second is how two types of data were combined to create new insights. Strava helpfully showed data from more than a billion activities which, when combined with the map, created a clear picture for those who knew what they were looking for, and disclosed more than Strava intended.
Inadvertently disclosing new information will be the new challenge of our age as we connect ourselves and our things to the internet. Each of us will leave ever-larger digital footprints, which can be combined in various ways to provide new information, all of which will be searchable to anyone with an internet connection and an interest.
Short of hiding in a bunker, wrapping your phone in foil, and ditching social media, what is a person — or a concerned employer — to do? The short answer is we don’t know. Even fully grasping the problem is tough. There are several aspects to it.
Most importantly, there’s an increasing amount of data about individuals online that’s fairly easy to get. Then there’s an increasing amount of data about that data, so-called metadata, that’s also easy to find (or subpoena). For example, if your tweets are data, then the location data attached to them are metadata. And this data can now be combined in new ways. In this week’s podcast, privacy analyst Chiara Rustici called this a “toxic combination.”
Finally, once data is out there, it can be reused, repurposed, and reformulated to help draw new conclusions and meanings that were never intended. Imagine if that permanent record your teachers threatened you with back in school were real. In this new era it effectively is.
That’s just the data challenge. There’s also an economic challenge. Data is incredibly cheap. Which means getting data and metadata and creating these toxic combinations is also incredibly cheap. It’s also seen as incredibly valuable to corporations, which is why everything from your toothbrush maker to your coffeepot is trying to snag as much information as it can.
Data may be cheap to get and hold economic value, but it’s also expensive and difficult to secure, which means bad actors can get a hold of your social security number and credit cards with what feels like relative ease. And yet, when data breaches happen the individual is left to pay the inevitable costs as they try to restore their credit, deal with financial fallout, or recover embarrassing secrets.
There’s a link from Strava’s disclosure of military secrets to revenge porn, and it runs through the internet and its ability to make getting information easier than ever. And it relies on our increasing ability to digitize anything from our running routes to our photos.
We’re intellectually aware of all this, but whenever it comes time to do something about it, we throw up our collective hands and keep snapping our naked pics. There are few existing weapons to solve this problem, so let’s take a look at what they are and where they fall short.
Opt-ins and transparency: Many of our apps and devices come with a variety of privacy settings that can range from simple — share or do not share — to byzantine. Strava’s were apparently byzantine, which didn’t help folks that wanted to stay off the heat map. But good privacy settings can only go so far. They don’t stop hackers from accessing data and they also don’t stop toxic combinations of data.
Differential Privacy: Apple made this privacy concept famous. Essentially all data collected gets anonymized and injected with random noise to make it hard to recombine it and determine to whom the data refers. This is good for individuals, but it requires technical overhead and that the company do it correctly. Apple’s talked a good game, but researchers looking at its implementation say it left a lot to be desired. The other challenge is that you can still glean a lot of information from anonymized data. Note that none of the Strava folks were identified.
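To make that last point concrete, here is an added example (not code from Strava, Apple or this newsletter) that builds a heat map three ways: ids dropped only, per-cell user counts with Laplace noise, and the same noisy counts with sparse cells withheld. The grid names, the sample records and the `floor` cutoff are constructed assumptions; the cutoff is a publishing choice that is not described above.

```python
import random
from collections import Counter, defaultdict

# Constructed sample (not real Strava data): one (user_id, grid_cell) per activity.
GRID = ["city-A", "city-B", "desert-1", "desert-2", "remote-X"]

def build_sample():
    records = [(f"a{u}", "city-A") for u in range(300)]    # 300 runners, 1 run each
    records += [(f"b{u}", "city-B") for u in range(250)]
    for u in range(6):                                     # 6 people, same loop daily
        records += [(f"x{u}", "remote-X")] * 60
    return records

def raw_heatmap(records):
    """'Anonymized' release: user ids dropped, activities counted per cell."""
    return Counter(cell for _user, cell in records)

def clipped_user_counts(records, grid, max_cells=1):
    """Distinct users per cell, with each user limited to max_cells cells.
    The limit bounds how much one person can change the output."""
    counts = {cell: 0 for cell in grid}        # empty cells are kept and get noise too
    cells_of = defaultdict(list)
    for user, cell in records:
        seen = cells_of[user]
        if cell in counts and cell not in seen and len(seen) < max_cells:
            seen.append(cell)
            counts[cell] += 1
    return counts

def laplace(scale, rng):
    """Laplace(0, scale) noise as the difference of two exponential draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def dp_heatmap(records, grid, epsilon, rng, max_cells=1, floor=float("-inf")):
    """Noisy per-cell user counts; cells whose noisy count is <= floor are withheld."""
    counts = clipped_user_counts(records, grid, max_cells)
    scale = max_cells / epsilon                # sensitivity / epsilon
    noisy = {cell: n + laplace(scale, rng) for cell, n in counts.items()}
    return {cell: round(v) for cell, v in noisy.items() if v > floor}

if __name__ == "__main__":
    recs = build_sample()
    rng = random.Random(2018)
    print("raw activities:", dict(raw_heatmap(recs)))
    print("noise only    :", dp_heatmap(recs, GRID, 0.5, rng))
    print("noise + floor :", dp_heatmap(recs, GRID, 0.5, rng, floor=50))
```

In the raw release the six-person loop outweighs a 300-runner city cell because activities, not people, are counted. Noise on user counts hides who ran there but not that a handful of people did; only withholding sparse cells takes the location off the map.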
Collect only what you need: This idea is simple. If you are making a device or app, don’t collect more data than you need. For example, the Skybell doorbell doesn’t keep a user’s Wi-Fi credentials after getting set up on the network because it’s not information the company needs. Most other connected devices don’t share that view, however, which led to LIFX bulbs leaking a bunch of Wi-Fi credentials a few years back. Whoops.
This is a tough issue because in many cases companies collect all this extra data in case they might need it someday. And thanks to improvements in machine learning, they may not be wrong. Applying machine learning to random data sets can yield new insights that could improve the service.
Regulations: All of the above are voluntary things that companies can do as a step toward protecting user privacy, or letting users have more say in how their data is used. But the strongest tools to protect privacy will come from regulatory pressure. This year, the world is about to get a massive amount of regulatory pressure in the form of the General Data Protection Regulation. This regulation was passed by the EU in 2016 and goes into effect in May. It acts as a safeguard for data. It enshrines some of the above items, such as needing a reason to collect a piece of data and providing transparency, but it also goes a lot further.
For example, it allows an individual to ask what a company knows about them, forces the company to correct wrong information, and requires the company to dump the user’s data upon request. It also prohibits profiling on the basis of data. These are only some of the regulation’s provisions, but in my conversation with Rustici, it became clear that the GDPR is so forward-looking that from a technical standpoint, we don’t have ways to actually implement some of these provisions yet.
For example, the ability to retract your permission to use data sounds good, but once that data is sold to a third party or combined to create new insights, how can that data be controlled? How can the new knowledge go away?
So while privacy is a huge challenge and one that we’re still wrapping our arms around, we also need to build tools to track each piece of data about us. Maybe even each piece of metadata. Then we need ways to claw that data back. All of this has to be scalable, which leads me to look to something like the blockchain as a way to track data.
We also need to develop a far more sophisticated understanding of what is known about us and how that knowledge can be applied. Which means that companies creating fun blog posts or heat maps based on a wide array of anonymized data should carefully consider how that information could be used.
We keep saying that data is the new oil, but oil is not a wholly harmless substance. We need to accept that data isn’t, either.
Will the new FTC be less into privacy? The new members of the Federal Trade Commission are more experienced with antitrust than with privacy enforcement, which is making attorneys who monitor the agency concerned that those members will be less focused on enforcing privacy regulations. This is somewhat dismaying, considering that the FTC back in 2013 saw the deluge of freely available consumer data from connected devices and proposed in 2015 that Congress write new laws about it. It has also been proactive in enforcing some basic IoT security practices, suing companies that advertised secure devices even if they did not follow basic practices like forcing a password change after a user has set up the product. As more connected devices come online and suck up consumer data, a less vigilant FTC would be a shame. (Law360)
Do we need our own digital twin? The digital twin concept comes from NASA’s space program in which the idea was to create a digital simulacrum of the shuttle for testing purposes. Other industries, from Formula One racing to industrial manufacturing, have followed suit, building digital models of their highly specialized and sensitive equipment. But does that mean we should — or could — build a digital twin of our own human bodies? This article asks if we could use it to show the effects of our life choices or diagnose illness. My contention is that while the idea is interesting, we’re only discovering the complexities associated with our bodies. For example, it’s becoming clear that any medically useful version would need to account for our highly individual, complex, and changing microbiomes. So maybe the question isn’t yet should we create a digital twin, but can we create a digital twin? (IoT for All)
Four industrial sensors to consider: This is pretty nerdy, but I’m obsessed with sensors because when applied in new ways they can open up new experiences or insights. These four range from a high-temperature accelerometer to an ultrasonic sensor that can be used to measure liquids and powders. When they become interesting is when you take them out of their industrial context and apply them in a home. For example, an ultrasonic sensor might be put into a plastic container to sense how much flour or liquid is left inside. As it gets closer to empty, maybe it’s time to signal for a restock. (Embedded Computing Design)
Microsoft Azure boosted earnings! Amazon’s Web Services is still the cloud of choice for startups and many IoT platform companies, but you can’t ignore the pull of Microsoft Azure when it comes to attracting big enterprise clients. Among the enterprise and industrial IoT companies I talk to, most have their operations and data on Microsoft Azure. With the company’s second quarter financials (for fiscal 2018) reported this week, that becomes very clear; Microsoft saw a 98% leap in its cloud revenue from Azure from the previous quarter. How much is that, exactly, in hard dollars? We don’t know, because Microsoft doesn’t break out its Azure sales. However, it’s clearly doing something right. CEO Satya Nadella even gave a shout-out to the intelligent edge in the company’s earnings call. (MarketWatch)
More IoT for the construction business: At CES, Nate Williams, an EIR at Kleiner, told me he was interested in how the IoT can improve the construction sector. Well, here’s a cool startup that uses LIDAR and robots to monitor progress at a construction site each day and makes sure things are built to spec. Doxel monitors sites to ensure the humans building the project are following the plan and sticking to the timeline. As someone who has personally dealt with delays on home construction, I can only imagine how behind things can get on larger projects. Doxel will scan the site each day and let you know when, for example, someone just installed a beam in the wrong place to support the cantilevered deck you planned to add later. Finding out sooner is better than later. (IEEE Spectrum)
Should we worry about Satori? After the Mirai botnet exposed the dangers of having hard-coded passwords and a zombie horde of connected Linux-based boxes that could be harnessed to take down websites with denial-of-service attacks, security researchers have been down on IoT devices. But in most cases, IoT devices don’t have enough processing power to interest botnet creators because they aren’t that smart, or have limited access to the internet. So when I read about Satori, a botnet that’s attacked ARC-based devices that can include thermostats, I wondered if this was really the second coming of Mirai. It looks like its ability to infect set-top boxes and other devices that have more processing power might make it troublesome, although it is still only at about 40,000 devices. It takes advantage of devices still using default passwords, so change yours today. (MIT Technology Review)
Connect at your own risk: How often do you link your phone to your rental car while traveling? If you do, then you’re at risk for the maps data you request, your phone’s identity, and other elements to become part of the car’s stored record of user data. That’s because most rental agencies don’t have a way to clear previous drivers’ records from their cars. This may seem small, but think about all the times you put in your Netflix credentials at an AirBnB or any number of other times you make bits of your digital persona available. (Privacy International)
Suvie stores and then cooks your food on demand: I have a soft spot for kitchen gadgets and this one has me intrigued. The Suvie, which will go live next week on Kickstarter, offers a steam oven, broiler, sous vide functionality, and pasta/rice cooker. It can also keep food cool until it’s time to start cooking. It’s the food itself that gives me pause. The Suvie comes with meals that are optimized for the device, which means it’s closer to the Tovala oven than my beloved June oven. (The Spoon)
We can’t automate without people (and compassion): This story does a deep dive into what happened after Australia let an AI spot fraud and waste in its benefits program. The goal was to claw back misspent money, and the government threw algorithms at the problem of discovering waste and fraud. It then sent those who were flagged into an automated system with too few humans, making life a misery for folks already down on their luck. Bureaucracy is already tough to navigate. Adding an AI black box to the mix isn’t going to help. (Logic)
Are you using your smartphone less? Over at our web site, Kevin writes about how he’s using his smartphone less because he’s using his watch and voice more. Plus, he detailed a fun project that he built using a LIFX bulb to track the ups and downs of his favorite cryptocurrency. (StaceyonIoT)
Over the past few years in various conversations, Stacey has told me she doesn’t carry her phone around at home. Ludicrous, I say! At least that’s what I used to say. It turns out that the smart home and IoT now have me doing the same thing: As I add more smart things to my home and digital assistants have moved beyond phones, I’ve been slowly shifting activities away from my phone.
What got me thinking about this was a Twitter question I received earlier this week. I had mentioned my new “hearable”, the Nuheara IQBuds, and someone asked if I’d consider getting a similar product with a built in assistant. I probably would, provided I had a choice of assistants.
In fact, the IQBuds do work with Siri today. One tap on the capacitive earbuds brings Siri into my ears as long as my Bluetooth-connected iPhone is within range. And my Apple Watch 3 with LTE provides Siri pretty much from anywhere as long as my iPhone is powered on at home.
This isn’t to suggest that every activity on a smartphone is suited for use on an alternative device or through a smart speaker. Obviously, I’m not browsing the web on my non-phone devices, nor am I playing games, using highly engaging apps or creating content such as this post.
But think about what we can now do on a non-phone device through smart speakers, digital assistants and the like.
You don’t always need a phone to place a call or send a text, for example. These functions are migrating to Google Home and Amazon Echo speakers; the latter having just gained text messaging if you have an Android phone.
Turning on lights, playing music on a Sonos or closing the garage door? We’ve gone from dedicated on-device buttons to smart home apps on the phone and then extended those functions to voice controls and watches.
Checking weather, querying the web for specific information, looking for upcoming calendar appointments or stock prices are other examples. You don’t need to unlock a phone, find and tap on the right app to get this information. You just ask your digital assistant. Heck, I can get basic crypto coin data from the colored light bulb in my office at a glance now; no phone or mobile app is needed.
The point is this: As our non-phone devices get smarter, there are specific times and places that it simply makes more sense (or is quicker) to use them in place of the phone. And as IoT continues to evolve, we might find the phone won’t be the most used smart device.
Indeed, I find it completely liberating to leave my phone at home for hours at a time and simply wear my LTE-connected smartwatch. I can take or place calls / messages, chat, get turn-by-turn directions, check weather or traffic, control my home devices, and more without worrying about dropping my phone while I’m out and about.
It took me a while to catch up to Stacey on this one, but I’m finally seeing the freedom of not having a phone with me all the time. That’s because, as time goes on, more and more functionality is being pushed away from the handset. And that adds another benefit because when I pick up the phone for one action or bit of information, I find that I end up consuming more time with other on-device distractions.
Let me know if you caught on to this quicker than I did, and if you’re using your phone less thanks to the smart home and IoT.
Security is an ongoing challenge when it comes to connected devices. They have to be physically secure from a hardware perspective; their apps have to be secure; and the cloud-based storehouse where they put data has to be secure. Finally, data traveling to or from any of those locations must be encrypted. There are dozens of potential weak links.
All of which assumes that the device maker cared about security in the first place and subsequently built secure features into its product. It also assumes the device makers’ suppliers felt the same. The end user has a role here, too, in that she has to choose a good password and at least try to implement decent network security.
Really, it’s no wonder that we’re in the middle of a growing crisis in cybersecurity wrought by the internet of things. But in the last two weeks I’ve encountered two companies that could change the way we think about IoT security.
The first company is VDOO, which has a silly name, but a bold idea. The founders are trying to solve two problems associated with connected device security. The first thing they want to do is make it accessible to every device maker, no matter how small. The second thing they want to do is make security easy to implement.
Accessibility and ease of use are two distinctly different problems. Today, someone wanting to ensure a secure device has to hire consultants to dig into her code and perform penetration testing. That’s a big hurdle and still leaves vulnerabilities as time passes on the devices in the field. Not everyone has the budget or will to do it. And even if they did, there are not enough security consultants to do it for them.
The second problem rears its head after the consultants are done. That’s when a company has to implement a solution to vulnerabilities, which may be cumbersome and requires engineering effort. Thus security has to become scalable from a cost and an implementation perspective.
VDOO tries to solve this by creating a database of device types, known vulnerabilities, and security best practices associated with each type of device. It has used available firmware from existing IoT products and a natural language processing engine to parse companies’ websites to figure out what a device is and what it does. From there it automatically assigns it a device type and figures out the rules.
The idea is that any device maker can submit their website and firmware to get what is essentially a quick, automatically generated security profile and risk assessment. The challenge for VDOO at this stage is building up trust in the best practices that it will recommend to device makers.
The second stage of VDOO’s business plan is to take what it knows about each device and install a piece of software on one or two of those devices running in a quality assurance lab environment. From there, VDOO plans to monitor that agent for changes in the device that would require a security alert or update, information that it would share with the manufacturer.
The challenge here is ensuring that once a vulnerability is found, the device gets updated and all devices in the field get patched. This can be a tall order in both consumer and industrial settings. Consumers are unfamiliar with the importance of patching, and in many corporate settings IT has to approve patches in order to make sure they don’t muck up some other process.
Still, I like VDOO’s idea of trying to protect devices before they head out in the field in a scalable way.
If VDOO is trying to solve security on the manufacturing side, Armis, another startup, is tackling IoT security from the end-user perspective. Armis offers a subscription-based software that keeps an eye on the devices floating around a corporate campus or factory network to determine what they are and watch how they behave. If those devices get unruly, Armis can send information to other security programs already in use by the enterprise, or it can take action to quarantine or shut down the offending equipment.
Armis CTO Nadir Izrael points out that even if a connected device is secure and hardened it doesn’t obviate the need for a CISO to secure her network. In this context, IoT security is really network security made more challenging by the incalculable number of different devices, which can range from a connected car in the parking lot to the CEO’s Apple Watch.
While the Ford in the parking lot might not try to connect to the network, it’s good to know it’s there. Armis’ software runs on top of existing network software that is used to manage wireless access points. The Armis software can take the signals from all of the devices roaming the halls and shouting out to the wireless access points and figure out what device type they are even if they never connect.
That information is sent to the cloud, where Armis analyzes the data against its own database of more than 3 million device types to determine what it is, how it should behave, and what its capabilities are. Izrael says that not only does the security team use the tool, but IT staff also avail themselves of it to track how many iPhones are in the organization or even how many devices in the building have open microphones.
The thinking here is that in a world of trillions of connected devices an organization needs visibility into the chaos those devices might bring into the network. The advantage Armis has over other companies also tracking network behavior to determine bad actors is that it can also detect devices that never try to get on the corporate network and still tell you what they are doing.
From these two startups, it’s easy to see that securing the IoT isn’t just a one-step process. Many different solutions will have to be cobbled together to build up a sense of security. On the manufacturing side, we’re going to need better implementations from the get-go, and constant watchfulness to address vulnerabilities. For the buyers and users of that equipment, the burden is still high. They’ll have to keep an eye on what these connected devices are doing, no matter how secure they claim to be.