Leave the Barbie; take the data: the dark side of IoT

Information collected via the Internet of Things gives a competitive advantage, but at what cost?

By Jeremy Pollard, CET

You just can’t make this stuff up. Remember Barbie—that doll that is Wi-Fi-connected and can create an open port on your home network just so she can talk to your kid? That Barbie.

Well, the Internet of Things (IoT) has gone haywire, and I think it deserves some face time. You may not have heard about this Canadian court case, but it involves a personal battery-operated device that can be controlled and monitored from one’s smartphone. The manufacturer of this device is being sued for collecting, without the knowledge of the user, myriad data points using the app called We-Connect. The manufacturer states that, given the intimate nature of its products, security is of the utmost importance.

Heard that before?

The real issue here is not the fact that Martha used this device three times today for x amount of time, but the fact that very personal data was being collected and disseminated without Martha’s knowledge.

That has never happened before either, I suspect.

Gartner, the U.S. research firm, suggests that more than 6 billion devices are sharing information over the Internet right now. IoT will increase that number exponentially in short order.

So why would a personal-device manufacturer want to know about Martha’s activity? While it was not mentioned specifically, the catch phrase in most cases is that the manufacturer wants to know how the product is being used.

Maybe the manufacturer simply thinks it isn’t much different than a phone call, asking how many times, for how long and who was driving the device. I don’t think so.

So, I have been looking at smart home technology, and of course Nest is owned now by Google, which is the elephant in the room regarding data collection from everything. What could a thermostat possibly reveal about me and my home that would be of interest to Google?

In itself, probably nothing, but by correlating data from outside sources, it may be very valuable to marketing types. If my home temperature is 70 °F, and it’s -20 °F outside, it makes sense to think that I like it cooler than warmer. Internet banner ads now pop up with couch blankets or snuggies when I am browsing around.

But I use the Wink app, and it was very bothersome to me that Wink publishes its API. What could go wrong with that?


It is the control aspect, not reporting, that is of concern. Code embedded into a Wink device, or any home automation system, has the capability to cause havoc, if it wants to.

Former Rockwell Automation CEO Keith Nosbusch gave a keynote address at the 2015 Internet of Things World Forum in Dubai and presented the IoT Reference Model. It takes IoT from device to collaboration and points in between.

Edge computing is part of it. Edge computing is defined as a logical extreme of a network, which means the device itself. Knowledge generation can and does occur at the device and does not require any additional processing.

Having said that, I am seeing that myriad devices are being developed and built using the representational state transfer (REST) architecture, which defines constructs for device development. One of these constructs is code on demand.

A server can promote code to the device for execution, which can include scripts of various natures. Hopefully these scripts would not perform any nefarious duties.

We are in a world of competitive advantage. The personal-device manufacturer mentioned at the beginning wants to know everything about how its customers use its device. I’m sure that setting, duration and frequency of use would be of value to create that competitive advantage. Gathering social-engineering information such as age, sex and location may also provide marketing and development data for future products and enhancements to existing ones, and of course it would be push-marketed to you and your IP address.

But it can be controlled by a smartphone. While I’m sure that no one will hack a personal device as such, having some control on a smartphone has already been shown to provide insights into the owner. If a developer tweaked virtual network computing (VNC), for instance, and took control of the user’s phone, it could have devastating effects.

We in the industrial world really are no different in that we use commercially available things to create our own devices. We need to be very careful in making sure that our devices are not violating our process privacy and our plant security.

It’s about trust. Can we trust the fact that most if not all companies seek competitive advantage?

If the answer is no, then maybe we need an IoT protocol sniffer to be sure we aren’t letting our usage habits leave the building.
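One way to do that verification, as an added example that is not part of the original column: audit outbound flow records from the device subnet against a list of destinations you have approved, and total the bytes going anywhere else. The four-field record format, the subnet, the hostnames and the approved list are all constructed assumptions; real input would come from a firewall or packet-capture export.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: "src_ip dst_host dst_port bytes_out", one flow per line.
SAMPLE_FLOWS = """\
# device subnet is 192.168.10.0/24 (assumed)
192.168.10.21 ntp.plant.example 123 96
192.168.10.21 telemetry.vendor.example 443 48211
192.168.10.22 historian.plant.example 8443 120554
192.168.10.22 telemetry.vendor.example 443 1320
192.168.10.21 telemetry.vendor.example 443 1000
192.168.20.5 updates.vendor.example 443 2048
"""

IOT_SUBNET = ipaddress.ip_network("192.168.10.0/24")   # assumed device VLAN
APPROVED = {("ntp.plant.example", 123),                # assumed allowlist
            ("historian.plant.example", 8443)}


def parse_flows(text):
    """Yield (src_ip, dst_host, dst_port, bytes_out); reject malformed lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        src, host, port, nbytes = parts
        yield ipaddress.ip_address(src), host.lower(), int(port), int(nbytes)


def unapproved_egress(text, subnet=IOT_SUBNET, approved=APPROVED):
    """Total bytes per (device, destination, port) not on the approved list."""
    totals = defaultdict(int)
    for src, host, port, nbytes in parse_flows(text):
        # Only devices on the IoT subnet are in scope for this audit.
        if src in subnet and (host, port) not in approved:
            totals[(str(src), host, port)] += nbytes
    # Largest talkers first, so the biggest data flows get reviewed first.
    return sorted(totals.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for (device, host, port), nbytes in unapproved_egress(SAMPLE_FLOWS):
        print(f"{device} -> {host}:{port}  {nbytes} bytes (not approved)")
```
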

Trust with verification—we will need it. Be careful out there.