All posts in “Hardware”

Smart home makers hoard your data, but won’t say if the police come for it

A decade ago, it was almost inconceivable that nearly every household item could be hooked up to the internet. These days, it’s near impossible to avoid a smart home gadget, and they’re vacuuming up a ton of new data that we’d never normally think about.

Thermostats know the temperature of your house, and smart cameras and sensors know when someone’s walking around your home. Smart assistants know what you’re asking for, and smart doorbells know who’s coming and going. And thanks to the cloud, that data is available to you from anywhere – you can check in on your pets from your phone or make sure your robot vacuum cleaned the house.

Because the data is stored or accessible by the smart home tech makers, law enforcement and government agencies have increasingly sought out data from the companies to solve crimes.

And device makers won’t say if your smart home gadgets have been used to spy on you.

For years, tech companies have published transparency reports — a semi-regular disclosure of the number of demands or requests a company gets from the government for user data. Google was first in 2010. Other tech companies followed in the wake of Edward Snowden’s revelations that the government had enlisted tech companies’ aid in spying on their users. Even telcos, implicated in wiretapping and turning over Americans’ phone records, began to publish their figures to try to rebuild their reputations.

As the smart home revolution began to thrive, police saw new opportunities to obtain data where they hadn’t before. Police sought Echo data from Amazon to help solve a murder. Fitbit data was used to charge a 90-year-old man with the murder of his stepdaughter. And recently, Nest was compelled to turn over surveillance footage that led to gang members pleading guilty to identity theft.

Yet, Nest — a division of Google — is the only major smart home device maker that has published how many data demands they receive.

As first noted by Forbes last week, Nest’s little-known transparency report doesn’t reveal much — only that it’s turned over user data about 300 times since mid-2015 on over 500 Nest users. Nest also said it hasn’t to date received a secret order for user data on national security grounds, such as in cases of investigating terrorism or espionage. Nest’s transparency report is woefully vague compared to some of the more detailed reports by Apple, Google and Microsoft, which break out their data requests by lawful request, by region, and often by the kind of data that the government demands.

As Forbes said, “a smart home is a surveilled home.” But at what scale?

We asked some of the best-known smart home makers on the market whether they plan to release a transparency report or disclose the number of demands they receive for data from their smart home tech.

For the most part, we received fairly dismal responses.

What the big four tech giants said:

Amazon did not respond to requests for comment when asked if it will break out the number of demands it receives for Echo data, but a spokesperson told me last year that while its reports include Echo data, it would not break out those figures.

Facebook said that its transparency report section will include “any requests related to Portal,” its new hardware screen with a camera and a microphone. Although the device is new, a spokesperson did not comment on if the company will break out the hardware figures separately.

Google pointed us to Nest’s transparency report but did not comment on its own efforts in the hardware space — notably its Google Home products.

And Apple said that there’s no need to break out its smart home figures — such as its HomePod — because there would be nothing to report. The company said user requests made to HomePod are given a random identifier that cannot be tied to a person.

What the smaller but notable smart home players said:

August, a smart lock maker, said it “does not currently have a transparency report and we have never received any National Security Letters or orders for user content or non-content information under the Foreign Intelligence Surveillance Act (FISA),” but did not comment on the number of subpoenas, warrants and court orders it receives. “August does comply with all laws and when faced with a court order or warrant, we always analyze the request before responding,” a spokesperson said.

Roomba maker iRobot said it “has not received any demands from governments for customer data,” but wouldn’t say if it planned to issue a transparency report in the future.

Both Arlo, the former Netgear smart home division, and Signify, formerly Philips Lighting, said that they do not have transparency reports. Arlo didn’t comment on its future plans, and Signify said it has no plans to publish one. 

Ring, a smart doorbell and security device maker, did not answer our questions on why it doesn’t have a transparency report, but said it “will not release user information without a valid and binding legal demand properly served on us” and that Ring “objects to overbroad or otherwise inappropriate demands as a matter of course.” When pressed, a spokesperson said it plans to release a transparency report in the future, but did not say when.

Spokespeople for Honeywell and Canary — both of which have smart home security products — did not comment by our deadline.

And, Samsung, a maker of smart sensors, trackers and internet-connected televisions and other appliances, did not respond to a request for comment.

Only Ecobee, a maker of smart switches and sensors, said it plans to publish its first transparency report “at the end of 2018.” A spokesperson confirmed that, “prior to 2018, Ecobee had not been requested nor required to disclose any data to government entities.”

All in all, that paints a fairly dire picture for anyone thinking that when the gadgets in your home aren’t working for you, they could be helping the government.

As helpful and useful as smart home gadgets can be, few fully understand the breadth of data that the devices collect — even when we’re not using them. Your smart TV may not have a camera to spy on you, but it knows what you’ve watched and when — which police used to secure a conviction of a sex offender. Even data from when a murder suspect pushed the button on his home alarm key fob can be enough to help convict someone of murder.

Two years ago, former U.S. director of national intelligence James Clapper said that the government was looking at smart home devices as a new foothold for intelligence agencies to conduct surveillance. And it’s only going to become more common as the number of internet-connected devices grows. Gartner said more than 20 billion devices will be connected to the internet by 2020.

Slim as the chances are that the government is spying on you through the internet-connected camera in your living room or your thermostat, it’s naive to think that it can’t.

But the smart home makers wouldn’t want you to know that. At least, most of them.

Buggy software in popular connected storage drives can let hackers read private data

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user’s private and sensitive data.

The researchers, Paulos Yibelo and Daniel Eshetu, said the software running on three of the devices they tested — Netgear Stora, Seagate Home, and Medion LifeCloud — can allow an attacker to remotely read, change and delete data without requiring a password.

Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies — including PHP — to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as “root” — the built-in user account with the highest level of access — making the data on the device vulnerable to prying eyes or destruction.

We contacted Axentra for comment on Thursday but did not hear back by the time of writing.

Neither Netgear nor Seagate commented by our deadline, but we’ll update if that changes. Lenovo, which now owns Medion, did not respond to a request for comment.

The researchers also reported a separate bug affecting WD My Book Live drives, which can allow an attacker to remotely gain root access.

A spokesperson for WD said that the vulnerability report affects devices originally introduced in 2010 and discontinued in 2014, and “no longer covered under our device software support lifecycle.” WD added: “We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.”

In all four vulnerabilities, the researchers said that an attacker only needs to know the IP address of an affected drive. That isn’t so difficult in this day and age, thanks to sites like Shodan, a search engine for publicly available devices and databases, and similar search and indexing services.

Depending on where you look, the number of affected devices varies. Shodan puts the number at 311,705, but ZoomEye puts the figure at closer to 1.8 million devices.

Although the researchers described the bugs in moderate detail, they said they have no plans to release any exploit code to prevent attackers taking advantage of the flaws.

Their advice: if you’re running a cloud drive, “make sure to remove your device from the internet.”

TrackR is rebranding to Adero as it looks beyond small devices to track lost items

When TrackR raised $50 million from investors that included Amazon a year ago, the Santa Barbara startup made a big splash in the growing market for small connected dongles that you could attach to “dumb” objects like keys to keep tabs on their location. But times for the company have been challenging since then. It’s weathered layoffs; a succession of natural disasters; and its co-founders stepping away from exec roles as CEO and president. Those events took their toll: we discovered that TrackR quietly closed an additional, small amount of funding earlier this year — but on a valuation of $40 million, a 73 percent drop compared to less than a year before.

Now it looks like the startup is about to enter another new phase. TrackR is launching a new brand, Adero, and sources say it is widening its focus to other uses for its tracking technology, taking TrackR beyond the circular Bluetooth fobs that form the core of its service today.

TechCrunch first learned of the brand change from an anonymous tipster, who said he’d noticed a legal name change for the company on Carta, from TrackR to Adero, “to match their new focus on home solutions.” Another source said that TrackR had been talking to retailers to sell what sounds like a larger connected home solution, although the outcome of those discussions is not clear.

We have also noticed that TrackR has been discounting its existing stock, a sign that it could be trying to clear the decks for whatever is coming next. Contacted for this story, a spokesperson did not comment on whether it would continue to sell products like the TrackR Bravo and Pixel — only that it would continue to support them.

“TrackR will continue to support all products we’ve sold into the market,” he said. “Both the battery replacement program and the Crowd Locate network are both active.”

Christian Smith, who had been the company’s president but quietly left his executive role at the startup at the end of last year, had once described a bigger vision of targeting enterprises in an IoT play, although it’s also not clear if this is part of TrackR’s plan now, or if it ever will be.

Whatever the pivot will entail, it is happening at a critical time. The company quietly raised $10 million in July, at a $40 million valuation according to Pitchbook. It was a clear down round: TrackR was valued at $150 million when it raised $50 million as recently as August 2017. Investors were not disclosed in the most recent funding, but previous backers of the company, in addition to Amazon, include Foundry Group, NTT, and Revolution.

“As our valuation reflects, at the start of this year, we made a conscious decision with the support of our board to build a new future instead of chasing incremental growth,” a spokesperson said of the reduced valuation. “The future we’re building revolves around helping our users proactively manage the chaos of life. We’re excited to reveal the first chapter of our new story in a few weeks.”

TrackR is expected to make an official announcement of its plans towards the end of November, we understand. It declined to comment on the new brand or direction for this article.

But we found a trail of records connecting TrackR to Adero dating from the middle of this year — an indication that the startup has been working on this strategy for at least six months.

Starting in May 2018, TrackR registered three trademarks for Adero. One filed in May of this year describes Adero in fairly generic terms: “Telecommunications services, namely, electronic transmission of data, messages, graphics, images, audio, video and information among users relating to locating, managing, organizing, and tracking assets, devices, and objects.”

Another trademark application details “cloud based software for tracking, organizing, and managing assets, objects, and devices; providing an interactive website featuring non-downloadable software that allows for the tracking, organizing, and managing of assets, objects, and devices; providing temporary use of non-downloadable cloud-based software for sharing information about, organizing, and managing networked wireless devices; providing temporary use of online non-downloadable software that shares information and data between electronic devices within a community of users; providing an on-line network environment that features technology for sharing, organizing, and managing data between wireless devices.”

A third describes hardware to manage such a service.

TrackR also registered separate trademarks around the same time for a brand called “Activefield,” which might be one of the components of the Adero solution. (Its descriptions match those of the Adero trademarks.)

In addition to that, a Twitter profile for Adero features a picture of Santa Barbara — the home base of TrackR. And ownership of the Adero.com domain, meanwhile, was transferred in May 2018, although the owner is not listed publicly (not unusual with domain applications). (An older Adero that some might remember was a telecoms company that had raised nearly $97 million in the first dot-com wave but then — like so many other startups of the time — shut down.)

IoT or bust

TrackR’s shift speaks to some of the challenges that have hung over the market for IoT when it comes to consumer services.

There is a lot of exciting potential in having all of the physical things in your world able to “speak” and for you to be able to control them by way of data, but there are also hurdles.

To name just two, the market is full of competition, not just between lookalike dongles, but also between a wide range of products that are all getting connectivity built into them, removing the need for the dongle to begin with. This all makes for difficult margins.

Second, although we have seen a flood of products hit the market, it’s still early days when it comes to understanding just how strong demand is for these products, and what it is that consumers ultimately will want to invest in. “Issues around interoperability, security and privacy concerns, and the cost of devices will continue to be leading inhibitors to the market’s growth,” IDC analyst Adam Wright noted in a recent report.

As it happens, both TrackR and its closest competitor Tile have reportedly had disappointing sales in key periods like the holidays, and tellingly Tile has also seen a series of recent changes.

In September, the company appointed a new CEO, CJ Prober, as it took on a new strategic investment from Comcast that points to its own efforts to widen its business beyond its square trackers. It also moved into subscription services, with the launch of a new device with a battery that can be replaced by way of a subscription.

For its part, Tile last month said that it has sold more than 15 million of its square devices, accounting for some 95 percent of the market in the US (according to estimates from NPD), while TrackR’s most recent update of 5 million shipped dates from 2017. In the wider game of economies of scale that underpins so much of the hardware business, those figures may have been the writing on the wall for TrackR.

Banksy’s rigged art frame was supposed to shred the whole thing

In the connected future will anyone truly own anything? Banksy’s art-world shocker of a performance piece earlier this month, when a canvas of his went under the hammer at Sotheby’s in London, suggests not.

Immediately the Girl with Balloon canvas sold — for a cool ~$1.1M (£860,000) — it proceeded to self-destruct, via a shredder built into the frame, leaving a roomful of designer glasses paired with a lot of shock and awe, before facial muscles twisted afresh as new calculations kicked in.

As we reported at the time, the anonymous artist had spent years planning this particular prank. Yet the stunt immediately inflated the value of the canvas — some suggested by as much as 50% — despite the work itself being half shredded, with just a heart-shaped balloon left in clear view.

The damaged canvas even instantly got a new title: Love Is in the Bin.

Thereby undermining what might otherwise be interpreted as a grand Banksy gesture critiquing the acquisitive, money-loving bent of the art world. After all, street art is his big thing.

However it turns out that the shredder malfunctioned. And had in fact been intended to send the whole canvas into the bin the second after it sold.

Or, at least, so the prankster says — via a ‘director’s cut’ video posted to his YouTube channel yesterday (and given the title: ‘Shred the love’, which is presumably what he wanted the resulting frame-sans-canvas to be called).

“In rehearsals it worked every time…” runs a caption towards the end of the video, before footage of a complete shredding is shown…

The video also appears to show how the canvas was triggered to get to work cutting.

After the hammer goes down the video cuts to a close-up shot of a pair of man’s hands pressing a button on a box with a blinking red LED — presumably sending a wireless signal to shreddy to get to work…

The suggestion, also from the video (which appears to show close up shots of some of the reactions of people in the room watching the shredding taking place in real time), is that the man — possibly Banksy himself — attended the auction in person and waited for the exact moment to manually trigger the self-destruct mechanism.

There are certainly lots of low-power, short-range radio technologies that could have been used for such a trigger scenario. Although the artwork itself was apparently gifted to its previous owner by Banksy all the way back in 2006. So the built-in shredder, batteries and radio seemingly had to sit waiting for their one-time public use for 12 years. Unless, well, Banksy snuck into the friend’s house to swap out batteries periodically.

Whatever the exact workings of the mechanism underpinning the stunt, the act is of course the point.

It’s almost as if Banksy is trying to warn us that technology is eroding ownership, concentrating power and shifting agents of control.

This 3D-printed prosthetic hand combines speed and strength with simplicity

Prosthetic limbs have come a long way from the heavy, solid hands and legs of yesteryear, but it’s still difficult to pack a range of motion into them without complex or bulky machinery. But new research out of Cornell uses a cleverly designed 3D-printed mechanism to achieve speed and strength with simple construction — and it costs a lot less, too.

“Developing prosthetic limbs requires designers to make difficult trade-offs among size, weight, force, speed, and cost of the actuation system,” the researchers say in their paper. For example, they point out, state of the art mechanical prosthetic hands can cost well over ten thousand dollars, with the high-end motors inside alone costing hundreds each. Cheaper hands use cheaper components, of course, which might mean that the hand can grip hard but not quickly, or vice versa.

This is partly because a mechanical hand needs to be able to adjust the force it’s applying very quickly on the fly, and this usually involves some kind of variable transmission or dynamic gear ratio. But Kevin O’Brien and his colleagues developed a new way to have the motor adjust its speed and force without using hundreds of finely-machined components. In fact, it and the hand it actuates can be almost entirely 3D printed.

It works like this: the fingers of the hand are controlled, like many other such hands and indeed our own, by flexible cords that run along their lengths. These cords can be tightened or slackened to make the fingers take different positions, and that’s often done by having a spool take up the slack or deal it out. It’s this spool that must move precisely and is the end point of the complex gearing mentioned above in other hands.

But in the ADEPT hand (adaptively driven via elastomeric passive transmissions — we’ll stick with the acronym) these spools have in their centers a flexible cylindrical core, the shape of which can be modified by tightening a separate “tendon” around it. When the tendon is loose, the core is wider and spins quickly, producing fast, responsive movement. When the tendon is tightened, the core is reduced in radius and correspondingly increases in torque while decreasing in speed.

There’s no switching of gears, no meshing of teeth — if the hand determines that it needs just a little bit more torque to hold something, it can get it by tightening the tendon just that little bit. And as soon as it needs to quickly release or catch something, the tendon can loosen up and the fingers move quickly and lightly.

This simplicity and the ease of manufacturing make this much cheaper than other options, while it still provides a great deal of versatility and responsiveness.

“The benefits of elastomeric transmission systems are that they can be 3D printed quickly (50 per hour), cheaply (<$1 per part), and in many compact form factors,” the researchers wrote. A whole hand could be built for under $500, they estimate.

Unfortunately the materials aren’t quite up to the task just yet — the part that’s constantly having its shape adjusted tends to degrade, though they managed to get it to the point where it could be adjusted about 25,000 times before failing (not catastrophically, just not doing its job well enough any more). That may sound like a lot, but your fingers move a lot. So there’s still work to do before this is a realistic replacement for other mechanical parts.

Still, it’s a promising approach and general enough that it could also be used in artificial legs, arms, and exo-suits. You can read more at Science Robotics.