Smart home makers hoard your data, but won’t say if the police come for it

A decade ago, it was almost inconceivable that nearly every household item could be hooked up to the internet. These days, it’s near impossible to avoid a smart home gadget, and they’re vacuuming up a ton of new data that we’d never normally think about.

Thermostats know the temperature of your house, and smart cameras and sensors know when someone’s walking around your home. Smart assistants know what you’re asking for, and smart doorbells know who’s coming and going. And thanks to the cloud, that data is available to you from anywhere — you can check in on your pets from your phone or make sure your robot vacuum cleaned the house.

Because the data is stored by or accessible to the smart home tech makers, law enforcement and government agencies have increasingly sought data from the companies to solve crimes.

And device makers won’t say if your smart home gadgets have been used to spy on you.

For years, tech companies have published transparency reports — a semi-regular disclosure of the number of demands or requests a company gets from the government for user data. Google was first in 2010. Other tech companies followed in the wake of Edward Snowden’s revelations that the government had enlisted tech companies’ aid in spying on their users. Even telcos, implicated in wiretapping and turning over Americans’ phone records, began to publish their figures to try to rebuild their reputations.

As the smart home revolution began to thrive, police saw new opportunities to obtain data where they hadn’t before. Police sought Echo data from Amazon to help solve a murder. Fitbit data was used to charge a 90-year-old man with the murder of his stepdaughter. And recently, Nest was compelled to turn over surveillance footage that led to gang members pleading guilty to identity theft.

Yet, Nest — a division of Google — is the only major smart home device maker that has published how many data demands it receives.

As first noted by Forbes last week, Nest’s little-known transparency report doesn’t reveal much — only that it’s turned over user data about 300 times since mid-2015 on over 500 Nest users. Nest also said it hasn’t to date received a secret order for user data on national security grounds, such as in cases of investigating terrorism or espionage. Nest’s transparency report is woefully vague compared to some of the more detailed reports by Apple, Google and Microsoft, which break out their data requests by lawful request, by region and often by the kind of data the government demands.

As Forbes said, “a smart home is a surveilled home.” But at what scale?

We asked some of the most well-known smart home makers on the market if they plan to release a transparency report, or disclose the number of demands they receive for data from their smart home devices.

For the most part, we received fairly dismal responses.

What the big four tech giants said

Amazon did not respond to requests for comment when asked if it will break out the number of demands it receives for Echo data, but a spokesperson told me last year that while its reports include Echo data, it would not break out those figures.

Facebook said that its transparency report section will include “any requests related to Portal,” its new hardware screen with a camera and a microphone. Although the device is new, a spokesperson did not comment on if the company will break out the hardware figures separately.

Google pointed us to Nest’s transparency report but did not comment on its own efforts in the hardware space — notably its Google Home products.

And Apple said that there’s no need to break out its smart home figures — such as its HomePod — because there would be nothing to report. The company said user requests made to HomePod are given a random identifier that cannot be tied to a person.

What the smaller but notable smart home players said

August, a smart lock maker, said it “does not currently have a transparency report and we have never received any National Security Letters or orders for user content or non-content information under the Foreign Intelligence Surveillance Act (FISA),” but did not comment on the number of subpoenas, warrants and court orders it receives. “August does comply with all laws and when faced with a court order or warrant, we always analyze the request before responding,” a spokesperson said.

Roomba maker iRobot said it “has not received any demands from governments for customer data,” but wouldn’t say if it planned to issue a transparency report in the future.

Both Arlo, the former Netgear smart home division, and Signify, formerly Philips Lighting, said they do not have transparency reports. Arlo didn’t comment on its future plans, and Signify said it has no plans to publish one. 

Ring, a smart doorbell and security device maker, did not answer our questions on why it doesn’t have a transparency report, but said it “will not release user information without a valid and binding legal demand properly served on us” and that Ring “objects to overbroad or otherwise inappropriate demands as a matter of course.” When pressed, a spokesperson said it plans to release a transparency report in the future, but did not say when.

Spokespeople for Honeywell and Canary — both of which have smart home security products — did not comment by our deadline.

And, Samsung, a maker of smart sensors, trackers and internet-connected televisions and other appliances, did not respond to a request for comment.

Only Ecobee, a maker of smart switches and sensors, said it plans to publish its first transparency report “at the end of 2018.” A spokesperson confirmed that, “prior to 2018, Ecobee had not been requested nor required to disclose any data to government entities.”

All in all, that paints a fairly dire picture for anyone thinking that when the gadgets in your home aren’t working for you, they could be helping the government.

As helpful and useful as smart home gadgets can be, few fully understand the breadth of data that the devices collect — even when we’re not using them. Your smart TV may not have a camera to spy on you, but it knows what you’ve watched and when — which police used to secure a conviction of a sex offender. Even data from when a murder suspect pushed the button on his home alarm key fob was enough to help convict someone of murder.

Two years ago, former U.S. director of national intelligence James Clapper said the government was looking at smart home devices as a new foothold for intelligence agencies to conduct surveillance. And it’s only going to become more common as the number of internet-connected devices grows. Gartner said more than 20 billion devices will be connected to the internet by 2020.

As slim as the chances are that the government is spying on you through the internet-connected camera in your living room or your thermostat, it’s naive to think that it can’t.

But the smart home makers wouldn’t want you to know that. At least, most of them.

Buggy software in popular connected storage drives can let hackers read private data

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user’s private and sensitive data.

The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested — Netgear Stora, Seagate Home and Medion LifeCloud — can allow an attacker to remotely read, change and delete data without requiring a password.

Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies — including PHP — to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as “root” — the built-in user account with the highest level of access — making the data on the device vulnerable to prying eyes or destruction.

We contacted Axentra for comment on Thursday but did not hear back by the time of writing.

Neither Netgear nor Seagate commented by our deadline, but we’ll update if that changes. Lenovo, which now owns Medion, did not respond to a request for comment.

The researchers also reported a separate bug affecting WD My Book Live drives, which can allow an attacker to remotely gain root access.

A spokesperson for WD said that the vulnerability report affects devices originally introduced in 2010 and discontinued in 2014, and “no longer covered under our device software support lifecycle.” WD added: “We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.”

In all four vulnerabilities, the researchers said that an attacker only needs to know the IP address of an affected drive. That isn’t so difficult in this day and age, thanks to sites like Shodan, a search engine for publicly available devices and databases, and similar search and indexing services.

Depending on where you look, the number of affected devices varies. Shodan puts the number at 311,705, but ZoomEye puts the figure at closer to 1.8 million devices.

Although the researchers described the bugs in moderate detail, they said they have no plans to release any exploit code, to prevent attackers from taking advantage of the flaws.

Their advice: If you’re running a cloud drive, “make sure to remove your device from the internet.”

Researchers discover a new way to identify 3D printed guns

Researchers at the University at Buffalo have found that 3D printers have fingerprints, essentially slight differences in design that can be used to identify prints. This means investigators can examine the layers of a 3D printed object and pinpoint exactly which machine produced the parts.

“3D printing has many wonderful uses, but it’s also a counterfeiter’s dream. Even more concerning, it has the potential to make firearms more readily available to people who are not allowed to possess them,” said Wenyao Xu, lead author of the study.

The researchers found that tiny wrinkles in each layer of plastic can be used to identify the printer, because a “printer’s model type, filament, nozzle size and other factors cause slight imperfections in the patterns.” They call their technology PrinTracker.

“Like a fingerprint to a person, these patterns are unique and repeatable. As a result, they can be traced back to the 3D printer,” wrote the researchers.

This process works primarily with FDM printers like the Makerbot, which use long spools of filament to deposit layers of plastic onto a build plate. Because the printers used in 3D printed guns are usually more complex and more expensive, there could be less variation in the individual layers and, more importantly, the layers might be harder to discern. However, some simpler plastic parts could exhibit variations.

“3D printers are built to be the same. But there are slight variations in their hardware created during the manufacturing process that lead to unique, inevitable and unchangeable patterns in every object they print,” said Xu.

The space pen became the space pen 50 years ago

Everyone knows about the space pen. NASA spent millions on R&D to create the ultimate pen that would work in zero gravity and the result was this incredible machine. Well, no. In fact it was made by a pen manufacturer in 1966 — but it wasn’t until October of 1968 that it went into orbit and fulfilled its space pen destiny.

The pen was created by pen maker (naturally) Paul Fisher, who used $1 million of his own money to create the AG-7 anti-gravity pen. As you may or may not know, the innovation was a pressurized ink cartridge and gel ink that would deploy reliably regardless of orientation, temperature or indeed the presence of gravity.

He sent it to NASA, which was of course the only organization reliably worried about making things work in microgravity, and they loved it. In fact, the Russians started using it shortly afterwards, as well.

Walt Cunningham, Wally Schirra and Donn Eisele took the pens aboard with them for the Apollo 7 mission, which launched on October 11, 1968, and they served them well over the next 11 days in orbit.

A 50th anniversary edition of the pen is now available to people who have a lot of money and love gold stuff. It’s $500, a limited edition of 500, and made of “gold titanium nitride plated brass,” and it comes with a case and commemorative plaque with a quote from Cunningham:

“Fifty years ago, I flew with the first flown Space Pen on Apollo 7. I relied on it then, and it’s still the only pen I rely on here on Earth.”

Okay, that’s pretty cool. Presumably astronauts get a lifetime supply of these things, though.

Here’s to the Fisher space pen, an example of American ingenuity and simple, reliable good design that’s persisted in use and pop culture for half a century.

Researchers create virtual smells by electrocuting your nose

The IEEE has showcased one of the coolest research projects I’ve seen this month: virtual smells. By stimulating your olfactory nerve with a system that looks like one of those old-fashioned kids electronics kits, they’ve been able to simulate smells.

The project is pretty gross. To simulate a smell, the researchers are sticking leads far up into the nose and connecting them directly to the nerves. Senior research fellow at the Imagineering Institute in Malaysia, Kasun Karunanayaka, wanted to create a “multisensory Internet” with his Ph.D. student, Adrian Cheok. Cheok is Internet famous for sending electronic hugs to chickens and creating the first digital kisses.

The researchers brought in dozens of subjects and stuck long tubes up their noses in an effort to stimulate the olfactory bulb. By changing the intensity and frequency of the signals, they got some interesting results.

The subjects most often perceived odors they described as fragrant or chemical. Some people also reported smells that they described as fruity, sweet, toasted minty, or woody.

The biggest question, however, is whether he can find a way to produce these ghostly aromas without sticking a tube up people’s noses. The experiments were very uncomfortable for most of the volunteers, Karunanayaka admits: “A lot of people wanted to participate, but after one trial they left, because they couldn’t bear it.”

While I doubt we’ll all be wearing smell-o-vision tubes up our noses any time soon, this idea is fascinating. It could, for example, help people with paralyzed senses smell again, a proposition that definitely doesn’t stink.

Proxxi saves workers from getting electrocuted

There are some gadgets that are nice to have – iPhones, sous vide wands – and some gadgets that you must have. Proxxi fits in the latter camp.

Proxxi is an always-on sensor that buzzes when it gets too close to high voltage electricity. It’s worn by mechanics and electricians and warns them when they get too close to something dangerous. The Vancouver-based company just sold out of its initial commercial evaluation units and they’re building a huge business supplying these clever little bracelets to GE, Con Edison, Exelon, Baker Hughes, Schneider Electric and ABB.

The bracelet connects to an app that lets workers silence warnings if they’re working on something that is energized and it also tracks the number of potentially harmful interactions wirelessly. This lets management know exactly where the trouble spots are before they happen. If, for example, it senses many close brushes with highly charged gear it lets management investigate and take care of the problem.

Founded by Richard Sim and Campbell Macdonald, the company has orders for thousands of units, a testament to the must-have nature of their product. They raised $700,000 in angel funding.

“All of this is critical to enterprises looking to mitigate risk from catastrophic injuries: operational disruption, PR nightmare, stock analyst markdowns and insurance premiums,” said Macdonald. “This represents a whole new class of hardware protection for industrial workers who are used to protection being process driven or protective gear like gloves and masks.”

The company began when British Columbia Hydro tasked Sim to research a product that would protect workers from electricity. Macdonald, whose background is in hardware and programming, instead built a prototype and showed it around.

“We initially found that all utilities and electricians wanted this,” he said. “The most exciting thing we have discovered in the last year is that the opportunity is much larger covering manufacturing, oil and gas, and construction.”

“It’s a $40 billion problem,” he said.

The goal is to create something that can be used all day. Unlike other sensors that are used only in dangerous situations, Proxxi is designed to be put on in the morning and taken off at night, after work.

“There are other induction sensors out there, but they are focused on high risk scenarios, i.e., people use them when they think they are at risk. The trouble is you can’t tell when you are at risk. You can’t sense that you have made a mistake in the safety process,” said Macdonald. The goal, he said, is to prevent human error and, ultimately, death. Not bad for a wearable.

Banksy’s rigged art frame was supposed to shred the whole thing

In the connected future, will anyone truly own any thing? Banksy’s artworld shocker performance piece, earlier this month, when a canvas of his went under the hammer at Sotheby’s in London, suggests not.

Immediately the Girl with Balloon canvas sold — for a cool ~$1.1M (£860,000) — it proceeded to self-destruct, via a shredder built into the frame, leaving a roomful of designer glasses paired with a lot of shock and awe, before facial muscles twisted afresh as new calculations kicked in.

As we reported at the time, the anonymous artist had spent years planning this particular prank. Yet the stunt immediately inflated the value of the canvas — some suggested by as much as 50% — despite the work itself being half shredded, with just a heart-shaped balloon left in clear view.

The damaged canvas even instantly got a new title: Love Is in the Bin.

Thereby undermining what might otherwise be interpreted as a grand Banksy gesture critiquing the acquisitive, money-loving bent of the art world. After all, street art is his big thing.

However it turns out that the shredder malfunctioned. And had in fact been intended to send the whole canvas into the bin the second after it sold.

Or, at least, so the prankster says — via a ‘director’s cut’ video posted to his YouTube channel yesterday (and given the title: ‘Shred the love’, which is presumably what he wanted the resulting frame-sans-canvas to be called).

“In rehearsals it worked every time…” runs a caption towards the end of the video, before footage of a complete shredding is shown…

The video also appears to show how the canvas was triggered to get to work cutting.

After the hammer goes down the video cuts to a close-up shot of a pair of man’s hands pressing a button on a box with a blinking red LED — presumably sending a wireless signal to shreddy to get to work…

The suggestion, also from the video (which appears to show close up shots of some of the reactions of people in the room watching the shredding taking place in real time), is that the man — possibly Banksy himself — attended the auction in person and waited for the exact moment to manually trigger the self-destruct mechanism.

There are certainly lots of low power, short range radio technologies that could have been used for such a trigger scenario. Although the artwork itself was apparently gifted to its previous owner by Banksy all the way back in 2006. So the built-in shredder, batteries and radio seemingly had to sit waiting for their one-time public use for 12 years. Unless, well, Banksy snuck into the friend’s house to swap out batteries periodically.

Whatever the exact workings of the mechanism underpinning the stunt, the act is of course the point.

It’s almost as if Banksy is trying to warn us that technology is eroding ownership, concentrating power and shifting agents of control.

Timex builds its first automatic watch in decades

Leave your smartwatch on the counter because Timex is back with its first automatic watch in decades. Called the Marlin, this 21-jewel timepiece hearkens back to the days of “Takes a licking, keeps on ticking.”

The Marlins cost $249 and come in multiple styles. This particular model, in a rich burgundy, looks like something that you’d wear to a Madison Avenue cocktail party after work. Timex has also released manual wind watches for $199 featuring a truly retro design and numerals.

Timex has long been a drug store brand – a brand sold in those cases at big drug stores and aimed at impulse shoppers who needed a watch… any kind of watch. While their Indiglo line of bright, light-up quartz watches was a long-time hit, they really didn’t do much beyond making a few very basic pieces for a non-discerning audience.

Now, however, the company clearly looked at its history and liked what it saw. Timex was one of the first American watch brands to expand on a mass scale and they suffered greatly during the 1980 quartz crisis, a moment when the watch industry went from mechanical movements to electronic. Many watchmakers never recovered or are now a husk of their former glory – Hamilton, for example – but Timex kept at it.

Now that they’ve given automatics and manual winds a try I’m excited to see where they go next. Many watchmakers have noticed that men and women are buying more and more retro watches to offset the creeping smartwatch flood. I’m glad to see the team at Timex is ready to take on this fascinating new world.