
This £160 "smart hairbrush" symbolises the big problem with the Internet of Things

Is it worth the risk of hacking - and the potential invasion of privacy - to find out if you're brushing your hair wrong?

Who wants a hairbrush that's connected to the internet? Well, its manufacturers - Kérastase, Withings and L’Oréal - seem pretty excited about it. They unveiled the gadget at the CES technology show in Las Vegas to great fanfare.

The £160 Hair Coach is part of the "internet of things" - devices that promise to be smarter and cooler because they are connected to the web. It contains a microphone that promises to record the sound of breaking hair, and multiple sensors that will send data about your brushing technique to an app on your phone. 

In the last year, the Internet of Things industry has boomed, with everything from smart kettles to smart dolls entering our homes. Unfortunately, many of these devices have been shown to be prone to security breaches. Recently, security researchers found that a connected cooking pot could be hacked to gain access to your phone.

“Any Internet of Things (IoT) device, if security hasn’t been considered properly during development, can be hacked,” says Ken Munro, a security entrepreneur from PenTest Partners, a company which carries out security tests on IoT devices. 

Munro hasn’t yet looked at the Hair Coach, but he speculates about the security of any IoT device with a microphone and internet connection. “Listening to hair breakage requires a microphone, so can it hear more than just breaks? It’s clearly very sensitive, so could it detect human voice and potentially become a spy bug?”

A spokesperson for Withings explained that the microphones are activated only when the user starts brushing their hair. The brush detects when it is being used and begins data collection automatically. The company then stores 3-5 second audio recordings. Withings claims the microphone is not able to pick up conversations "unless the user is speaking really closely to the brush". The spokesman added that: "Furthermore, we will apply some filters to not record voice frequencies."

Ken Munro is sceptical that this is technically possible, however. “The manufacturer may counter that the microphone has been configured solely to listen to particular frequencies, but that’s often achieved in software rather than hardware. Hence, there may be potential to modify what it can hear and create that bug,” he says. Withings emphasises that all of its data is secure. "Even if someone achieves to hack the device, all our datas are encrypted," the spokesman said over email.

The brush might well be secure. But its price and its function make it a vivid symbol of the debate over the Internet of Things as a whole. Does every gadget need to be digital? Or is something else going on?

"This just smacks of a marketing team panicking about how to keep their product relevant in the digital age, but some products simply don't need to be digital to be relevant," says Renate Samson, the chief executive of privacy campaign group Big Brother Watch. "It's one thing to bung a sensor and microphone into a device and think your marketing solutions are solved, but what security protections are being installed?"

The rush to digitise has led to multiple security and privacy failures in other IoT products. Just last week, a Twitter user shared his experience of his new smart television being infected by ransomware, with hackers demanding $500 (£406) for him to get use of his TV back. In 2015, Munro managed to hack a connected children's doll and make it say swear words, and more recently, he discovered a flaw in the security of a WiFi-enabled vibrator that meant anyone could discover which individuals used the device by discovering the location and name of their WiFi connection. "That’s probably not a feature that owners realised or would like!" he says.

Concerns go beyond spying, however, as IoT devices can be used to carry out Distributed Denial of Service (DDoS) attacks. (Essentially, this is when a website's server is brought down by being hit with so many simultaneous requests for data that it cannot cope.) Last October, sites including Netflix, Twitter, and Spotify temporarily went down after hackers infected unsecured IoT devices with malware, then used them to make server requests. "There's this renewed urgency to talk about what happens when we connect all these things through the Wi-Fi without giving much thought to their security," said NPR technology reporter Alina Selyukh at the time.

But what can you do to keep yourself safe? Ken Munro advises that if you are purchasing an IoT device, you should check whether it needs a pairing PIN to connect to Bluetooth. Without a PIN or passcode, anyone nearby would be able to access the device. It's also important to investigate whether the product is properly encrypted between the app and the company's cloud servers. If not, your personal information about how you use the device could be open to hackers. Although it might not concern you to have data about your usage of your kettle, bin, or hair brush being disclosed, Munro emphasises that such flaws can also lead to your home network and phone being hacked. 

Privacy is also a concern when it comes to data collected by IoT devices. Many IoT companies will share your data with third parties such as advertisers or law enforcement. Last month, Amazon refused to hand over voice recordings from their “constantly listening” Amazon Echo to the police when asked to in order to aid a murder case, but not all companies will resist such requests.

All of these problems are solvable, but the bigger question is - are the gadgets involved worth the bother? A parody account on Twitter, @InternetofShit, reveals the ways that IoT devices actually make our lives worse, not better. Among their recent posts they have chronicled thermostats that show you adverts, alarms that can't be turned off, and a dollhouse where the doors won't open.

If we continue the trend of connecting everything we own to the internet, it's only a matter of time until we become unable to use everyday objects due to unforeseen faults and flaws, like the person with a "smart lock" unable to open their own front door. Smart devices are going to have to get, well, a little bit smarter.

Amelia Tait is a technology and digital culture writer at the New Statesman.


Man makes $4bn in two days explaining Facebook to old people

Mark Zuckerberg's supposed blockbuster grilling by Congress was the bust it was always going to be, and he went home victorious largely by default.

On Tuesday a crowd gathered on social media for what promised to be a generation-defining moment, like the moon landing, or the OJ bronco chase. There was an air of tension. Mark Zuckerberg, founder of Facebook, was about to be dragged before the public and made to answer the Questions Of The People.

Many tuned in expecting a spectacle: namely, that of a socially awkward – albeit spectacularly wealthy – geek (like the one portrayed by Jesse Eisenberg in David Fincher’s The Social Network) getting absolutely tarred and feathered. Twitter filled with jokes as the crowd grew impatient. Some of them were even good.

They underestimated Zuckerberg. Expectations for his performance before a series of committees of both houses of the US congress started out lower than subterranean. Yet even at the start, the 33-year-old billionaire did look absolutely terrified. Blinking vacantly in the strobe-flashes of the cameras, his expression while he sat listening to the senators’ seemingly-endless introductory remarks was not so much lost as “404 not found”.

But over the course of an often-agonising ten total hours of testimony before a joint sitting of the Senate commerce, science, and transportation committee, and the judiciary committee on Tuesday, and the House energy and commerce committee on Wednesday, Zuckerberg managed to come out not just unscathed but victorious.

In recent years, the Facebook CEO has made an effort to learn to be a more disciplined public speaker and a more responsive interviewee. On top of that, in preparation for this appearance Zuckerberg hired a crack team of outside consultants and lawyers to coach him, and even held mock hearings to hone his answers and manner, the New York Times reported. His investment paid dividends: Zuckerberg spoke with a glossy confidence and gave an effective and assured – though somewhat robotic – performance which left many of the lawmakers visibly charmed. He largely avoided answering questions he didn’t want to, and no lawmaker was able to press him to the point where he became visibly physically uncomfortable, as he has in the past.

It was possible to watch the Zuckerberg charm offensive play out in real time, not just on social media but on the financial markets. As soon as he began to talk, Facebook stock began to rise, and apart from a bit of a dip on Wednesday morning it pretty much never stopped. On Tuesday Zuckerberg’s confidence before the Senate committee gave Facebook shares their best single day of trading in two years, closing 4.5 per cent up. By the time Zuckerberg finished answering questions on Wednesday afternoon the stock price increase meant his own personal net worth had gone up by just under $4bn.

Far from the meltdown that many tuned in expecting to see, viewers were treated to Zuckerberg dealing patiently and even-temperedly with questions that occasionally betrayed a lack of even a basic conception of how the internet works, let alone Facebook. Some of his interrogators, especially in the Senate hearing on Tuesday, barely seemed to understand their own prepared questions even as they read them aloud.

This allowed Zuckerberg to get off considerably more lightly than he appears to have been expecting. A tantalising glimpse into the hearing we could have had was given to us when Zuckerberg accidentally left his sheet of notes open on the table when he left the hearing-room for a break. The notes, which were photographed, show that he was prepared for broader existential questions on subjects like workplace diversity and European privacy regulation which sadly, in the end, went largely unasked.

Instead, some lawmakers used their time to throw dozens of redundant questions to which we already knew the answers. Zuckerberg at times looked like he was struggling to suppress his obvious delight at answering questions which contained fundamental errors, causing howls of frustration on Twitter from the watching tech press, who understood the opportunity missed. Other times, lawmakers threw softballs, leading to such scintillating exchanges as the following, between Zuckerberg and Dan Sullivan, a Republican senator from Alaska:

SULLIVAN: Mr Zuckerberg, quite a story, right? Dorm room to the global behemoth that you guys are. Only in America, would you agree with that?

ZUCKERBERG: Senator, mostly in America.

SULLIVAN: You couldn't – you couldn't do this in China, right? Or, what you did in 10 years.

ZUCKERBERG: Well – well, Senator, there are – there are some very strong Chinese Internet companies.

SULLIVAN: Right, but you're supposed to answer “yes” to this question.

The main problem was the format didn't lend itself to a genuine search for insight. That's because any time it got half-way interesting, such as in an early exchange with South Dakota senator John Thune on the technical and linguistic difficulties involved in teaching AI bots how to accurately spot hate-speech, the dialogue would be abruptly cut off as each successive legislator ran up against their four-minute time limit.

Some legislators didn’t even bother trying to ask key questions about privacy and data protection, but instead decided to fawn or grandstand. Ted Cruz took an audaciously pompous line of questioning about how he felt Facebook was biased against the political right – without mentioning, of course, that he actually ranked among Cambridge Analytica’s political clients.

The lack of coordination and preparation among his interlocutors allowed Zuckerberg time and again to cast Facebook as a company that exists only to make people's lives better now and forever, rather than as a for-profit surveillance organisation. Time was wasted explaining over and over that, no, Facebook does not literally “sell data”, though John Cornyn, a senator from Texas, did pull off probably Tuesday night’s only true zinger with his muttered riposte: “well, you clearly rent it”.

There were some exceptions. California Democratic senator Kamala Harris, a former prosecutor, almost drew blood with a searing, sustained enquiry into whether there had been, when the company learned that user data had been shared with Cambridge Analytica, “a discussion that resulted in a decision not to inform your users”. In one of the few moments of the entire proceeding in which Zuckerberg found himself on the back foot, Harris pressed home the question a brutal seven times before her allotted four minutes were up.

His appearance before the House committee on Wednesday was testier in general but not much more enlightening. Anna Eshoo, a Democratic representative from California, scolded Zuckerberg for the opacity of the site’s terms and conditions, telling him: “you have to make it transparent, clear, in pedestrian language, just once, ‘This is what we will do with your data. Do you want this to happen, or not?’” Others pressed Zuckerberg for action controlling the sale of opioids on the Facebook platform. Zuckerberg nodded, smiled, and made the correct engaging noises at the appropriate times.

Despite his polish, in the moments when Zuckerberg came closest to slipping up, his mistakes were largely own goals rather than the result of incisive questioning. One particularly embarrassing slip-up came during the Senate hearing when he accidentally answered “yes” to the question of whether the special counsel’s investigation into Russian interference in the 2016 election had served Facebook with subpoenas. Scrambling, he hastily muddied the waters a few moments later with: “actually, let me clarify that. I actually am not aware of a subpoena. I believe that there may be, but I know we're working with them.”

Mostly, though, Zuckerberg was poised enough to avoid any question he didn’t want to answer either by promising to “have people look into it and get back to you” or with a robotically careful line like “I am not specifically aware of that.” If faced with a tough question, he could simply run down the clock for four minutes until the questioner's time ran out. And the more he talked, the more Facebook stock soared.

In the end, the most interesting part of the hearing wasn’t what was said in the room itself but in watching it all play out on social media, where commentators from the two different worlds of technology and politics collided at the same real-time event. The conversation was split right down the middle into two distinct groups: those mainly frustrated and confused by Zuckerberg’s jargon-laden technobabble, and those mainly frustrated and confused by the lawmakers’ inability to understand the basic working principles of Facebook or even the internet – though mostly they agreed with each other on their distaste for Ted Cruz.

If nothing else, it was illuminating to see just how wide the gulf between those two worlds was.

Nicky Woolf is a freelance writer based in the US who has formerly worked for the Guardian and the New Statesman. He tweets @NickyWoolf.