Hippo: IoT-based paradigm shift from passive to active insurance companies

I’m a big advocate of incremental IoT strategies (check out my recent webinar with Mendix on this approach), for existing companies that want to test the waters first. However, I’m enough of a rabble-rouser to also applaud those who jump right in with paradigm-busting IoT (and big data) startups.

Enter, stage left, a nimble (LOL) new home insurance company: Hippo!

IMHO, Hippo’s important both in its own right and also as a harbinger of other startups that will exploit the IoT and big data to break with years of tradition in the insurance industry as a whole, no longer sitting passively to pay out claims when something bad happens, but seizing the initiative to reduce risk, which is what insurance started out to do.

After all, when a Mr. B. Franklin (I’ll tell you: plunk that guy down in 2017 and he’d create a start-up addressing an unmet need within a week!) and his fellow firefighters launched the Philadelphia Contributionship in 1752, one of the first things they did was to send out appraisers to determine the risk of a house burning and suggest ways to make it safer.

Left to right: Eyal Navon, CTO and cofounder; Assaf Wand, CEO and cofounder of Hippo

In fact, there’s actually a term for this kind of web-based insurance, coined by McKinsey: “insuretech” (practicing what he preached, one of Hippo’s founders had been at McKinsey, and what intrigued the founders about insurance as a target was that it’s a huge industry, hasn’t really innovated for years, and didn’t focus on the customer experience).

I talked recently to two key staffers, Head of Product Aviad Pinkovezky and Head of Marketing, Growth and Product Innovation Jason White.  They outlined a radically new strategy “with focused attention on loss reduction”:

  • sell directly to consumers instead of using agents
  • cut out legacy coverage leftovers (such as fur coats, silverware & stock certificates in a home safe) and instead cover laptops, water leaks, etc.
  • leverage data to inform customers about appliances they own that might be more likely to cause problems, and communicate with them on a continuous basis about steps such as cleaning gutters that could reduce problems.

According to Pinkovezky, the current companies “are reactive, responding to something that takes place. Consumer-to-company interaction is non-continuous, with almost nothing between paying premiums and filing a claim. Hippo wants to build much more of a continuous relationship, providing value added,” such as an IoT-based water-leak detection device that new customers receive.

At the same time, White said that the company is still somewhat limited in what it can do to reduce risk because so much of it isn’t really from factors such as theft (data speaks: he said thefts actually constitute little of claims) but from one factor, measured by frequency and amount of damage (according to their analysis), that’s beyond their control: weather. As I pointed out, that’s probably going to constitute more of a risk in the foreseeable future due to global warming.

Hippo also plans a high-tech, high-touch strategy that would couple technology with a human aspect that’s needed in a stressful situation such as a house fire or flood. According to Forbes:

“The company acknowledges that its customers rely on Hippo to protect their largest assets, and that insurance claims often derive from stressful experiences. In light of this, Hippo offers comprehensive, compassionate concierge services to help home owners find hotels when a home becomes unlivable, and to supervise repair contractors when damage occurs.”

While offering new services, the company has firm roots in the non-insuretech world, because its policies are owned and covered by Topa, which was founded more than 30 years ago.

Bottom line: if you’re casting about for an IoT-based startup opportunity, you’d do well to use the lens McKinsey applied to insurance: look for an industry that’s tradition-bound, and tends to react to change rather than initiate it (REMEMBER: a key element of the IoT paradigm shift is that, for the first time, we can pierce “universal blindness” and really see inside things to gauge how they are working [or not] — the challenge is to capitalize on that new-found data).

Amazon Echo Silver: bringing a little laughter (& the IoT) to aging

Some of you may remember that I’ve blogged several times about my enthusiasm for Amazon’s Alexa as a cornerstone of what I call SmartAging, the combination of IoT health-monitoring devices to keep you healthier and smart home devices to make it easier to manage your home and avoid institutionalization.

However, I’m in awe of how the crackerjack gerontology researchers at SNL (don’t forget, kiddies, we were your age when the show began in 1975. Sobering, eh?) in “partnership” with AARP, LOL, have custom crafted a special edition Echo for the “Greatest Generation”: Amazon Echo Silver!

My particular favorite feature is the random “uh huh” to punctuate seniors’ rambling stories, but Kate McKinnon’s bit about turning up the thermostat when it’s already 100 is also priceless, and all the other vignettes are pretty over-the-top as well (thank goodness I can ping my iPhone with my Apple Watch — I find increasingly creative places to put the phone down). I’ve never been that great on names, so the range of acceptable variations on “Alexa” would be welcomed (BTW: I could swear that one day recently when I was talking to Alexa, Siri responded. Why can’t those gals get along?).

I could point out that the “uh huh” might really be a first step toward a really interactive device that could help seniors overcome social isolation, but why weigh down with social significance something that’s an absolute riot?

Aging: if you can’t laugh about it, you’re in serious, serious trouble.


Updating my “SmartAging” device design criteria

Could seniors be the ideal test group for user-friendly consumer IoT devices?

Two years ago I created a series of criteria by which to evaluate IoT devices that seniors might use (N.B., I didn’t really focus on ones specifically designed for seniors, because I have an admitted bias against devices with huge buttons or that look like mid-century period tube radios — it’s been my experience that seniors aren’t crying out to be labeled as “different.”) to improve their quality of life.

The particular emphasis was on what I called “SmartAging,” which synthesizes two aspects of the IoT:

  • Quantified Self health devices to keep seniors healthier longer and to become partners with their doctors rather than passive recipients of care, and
  • smart home devices to make it easier to run their homes, so that seniors could remain on their own as long as possible rather than entering some drab, sterile assisted-living facility (again, my bias showing…).

A lot has happened since I compiled the list. The changes have solidified my conviction that seniors, especially the less technologically minded, might be the acid test of consumer IoT user friendliness because they can’t be expected to work as hard at mastering devices, they don’t have the automatic openness of digital natives, and encounter differing degrees of reduced agility, etc. 

Also, given the current political climate, it makes sense to try to improve seniors’ lives as much as possible without requiring costly public services that are in jeopardy (I am trying to be civil here, OK?).

The most dramatic of these developments is the amazing success of Amazon’s voice-activated Echo.  I’ve praised it before as an ideal device for seniors, partially because voice is such a natural input for anyone, and particularly because it means that the tech-averse don’t have to learn about interfaces or programs, just speak! Even better, as the variety of “skills” increases, the Echo really is becoming a unified SmartAging hub: I can now control my Sensi smart thermostats and the “Ask My Buddy” skill can even call for assistance, so it works for both halves of SmartAging.  Although I haven’t tested it, I assume much of this also holds true for the Google Home.

There’s an increasing variety of other new Quantified Self devices, some of which are specifically focused on seniors, such as the GreatCall Jitterbug Smart phone, which comes with a simplified, over-size home page featuring “brain games” a la Lumosity, and an Urgent Response system (all of these features are available on an iPhone and, I assume, on Android, but must be set in Settings rather than being the default settings).

In addition, on the personal level, I convinced my Apple Store (disclaimer: I’m at the bottom of the food chain with Apple, not privy to any policies or devices under consideration, so this is just my opinion) to let me start bi-weekly classes at the local senior center on how to use Apple devices, especially the iPad. I continue to work with a lot of seniors who come into the store who are often leery of tech products.

Silver Medal!

Most directly, last month’s companywide Apple Wellness Challenge was life-changing for me. This year the friendly competition focused on the Apple Watch (important, since a watch is a familiar form-factor to geezers). After wasting three days trying to find the app, I really got into the event because we could share results with friends to encourage (or shame, LOL) them — that really motivated me. Bottom line: I managed to win a Silver Medal, Apple featured my experience on the event website, and, most important, I made lasting changes to my fitness regimen that I’ve sustained since then, now exercising almost an entire hour a day. I couldn’t help thinking afterward that the program really did show that user-friendly technology can improve seniors’ lives.

Sooo, with a few more years to think about them and more progress in devices themselves (as well as increased sensitivity to issues such as privacy and security), here are my amended criteria for evaluating products and services for seniors (as I mentioned the first time, Erich Jacobs of OnKöl assisted with the specs):

Ease of Use

  1. Does it give you a choice of ways to interact, such as voice, text or email? Voice in particular is good for seniors who don’t want to learn about technology, just use it.
  2. Is it easy for you to program, or — if you give them your permission — does it allow someone else to do it remotely?
  3. Does it have either a large display and controls or the option to configure them through settings?
  4. Is it intuitive?
  5. Does it require hard-wired, professional installation?
  6. Is it flexible: can it be adjusted? Is it single purpose, or does it allow other devices to plug in and create synergies? Can it be a true hub for all your IoT devices?
  7. Does it complicate your life, or simplify it?
  8. Do any components require regular charging, or battery replacement?

Privacy, Security, and Control

  1. Is storage local vs. cloud or company’s servers? Is data encrypted? Anonymized?
  2. Do you feel creepy using it?
  3. Is it password-protected?
  4. Is security “baked in” or an afterthought?
  5. Can you control how, when, and where information is shared?
  6. If it is designed to allow remote monitoring by family or caregivers, can you control access by them?
  7. Will it work when the power goes out?

Affordability

  1. Are there monthly fees? If so, low or high? Long term contract required?
  2. Is there major upfront cost? If so, is that offset by its versatility and/or the contrast to getting the same services from a company?
  3. Does full functioning require accessories?

Design/UX

  1. Is it stylish, or does the design “shout” that it’s for seniors? Is it “medical” looking?
  2. Is the operation or design babyish?
  3. Would younger people use it?
  4. Is it sturdy?
  5. Does it have “loveability” (i.e., connect with the user emotionally)? (This term was coined by David Rose in Enchanted Objects, and refers to products that are adorable or otherwise bond with the user.)

Architecture

  1. Inbound
    1. Does it support multiple protocols (e.g., Bluetooth, Bluetooth LE, WiFi, etc.)?
    2. Is the architecture open or closed?
  2. Outbound
    1. Does it support multiple protocols (e.g., WiFi, Ethernet, CDMA, GSM, etc.)?
    2. Data path (cloud, direct, etc)
  3. Remote configuration capability (i.e., by adult child)? If so, can the user control amount of outside access?

Features and Functions

  1. Reminders
    1. Passive, acknowledge only
    2. Active dispensing (of meds)
  2. Home Monitoring
    1. Motion/Passive Activity Monitoring
    2. Environmental Alarms (Smoke, CO, Water, Temp)
    3. Intrusion Alarms (Window etc)
    4. Facilities/Infrastructure (Thermostat)
  3. Health Monitoring
    1. Vitals Collection
    2. Wearables Activity Monitoring
    3. Behavioral/Status Polling (How are you feeling today?)
    4. Behavioral Self-improvement
  4. Communications Monitoring
    1. Landline/Caller ID
      1. Identify scammers
    2. eMail and computer use
      1. Identify scammers
    3. Mobile phone use
  5. Fixed Personal Emergency Response System (PERS)
  6. Mobile Personal Emergency Response System (PERS)
  7. Fixed Fall Detection/Prediction
  8. Mobile Fall Detection/Prediction
  9. Telehealth (Video)
  10. New and Innovative Features

If you’re thinking about developing an IoT product and/or service for seniors I hope you’ll consider the SmartAging concept, and that these criteria will be helpful. If you’re looking for consulting services on design and/or implementation, get in touch!

IoT Intangibles: Increased Customer Loyalty

There are so many direct, quantifiable benefits of the IoT, such as increased quality (that 99.9988% quality rate at Siemens’s Amberg plant!) and precision, that we may forget there are also potential intangible benefits.

Most important of those is customer loyalty, brought about by dramatic shifts both in product designs and how they are marketed.

Much of this results from the IoT lifting the veil of Collective Blindness to which I’ve referred before: in particular, our prior inability to document how products were actually used once they left the loading dock. As I’ve speculated, that probably meant that manufacturers got deceptive information about how customers actually used products and their degree of satisfaction. The difficulty of getting feedback logically meant that those who most liked and most hated a product were over-represented: those who kinda liked it weren’t sufficiently motivated to take the extra steps to be heard.

Now, by contrast, product designers, marketers, and maintenance staffs can share (that critical verb from my Circular Company vision!) real-time data about how a product is actually operating in the field, often from a “digital twin” they can access right at their desks.

Why’s that important?

It can give them easy insights (especially if those different departments do access and discuss the data at the same time, each offering its own unique perspectives) on issues that will build customer loyalty:

  • what new features can we add that will keep them happy?
  • can we offer upgrades such as new operating software (such as the Tesla software that was automatically installed in every single car and avoided a recall) that will provide better customer experiences and keep the product fresh?
  • what possible maintenance problems can we spot in their earliest stages, so we can put “predictive maintenance” services into play at minimal cost and bother to the customer?

I got interested in this issue of product design and customer loyalty while consulting for IBM in the ’90s, when it introduced the IBM PS 2E (for Energy & Environmental), a CES best-of-show winner in part because of its snap-together modular design. While today’s thin-profile-at-all-costs PC and laptop designs have made user-friendly upgrades a distant memory, one of the things that appealed to me about this design was the realization that if you could keep users satisfied that they were on top of new developments by incremental substitution of new modules, they’d be more loyal and less likely to explore other providers.

In the same vein, as GE has found, the rapid feedback can dramatically speed upgrades and new features. That’s important for loyalty: if you maintain a continuing interaction with the customer and anticipate their demands for new features, they’ll have less reason to go on the open market and evaluate all of your competitors’ products when they do want to move up.


Equally important for customer loyalty are the new marketing options that the continuous flow of real-time operating data offers you. For a growing number of companies, that means they’re no longer selling products, but leasing them, with the price based on actual customer usage: if it ain’t bein’ used, it ain’t costing them anything and it ain’t bringing you any revenue!

Examples include:

  • jet turbines which, because of the real-time data flow, can be marketed on the basis of thrust generated: if it’s sitting on the ground, the lessee doesn’t pay. The same real-time data flow allows the manufacturer to schedule predictive maintenance at the earliest sign of a problem, reducing both its cost and the impact on the customer.
  • Siemens’s Mobility Services, which add in features such as 3-D manufactured spare parts that speed maintenance and reduce costs, keeping the trains running.
  • Philips’s lighting services, which are billed on the basis of use, not sold.
  • SAP’s prototype smart vending machine, which (if you opt in) may offer you a special discount based on your past purchasing habits.

At its most extreme is Caterpillar’s Reman process, where the company takes back and remanufactures old products, giving them a new life — and creating new revenues — when competitors’ products are in the landfill.

Loyalty can also be a benefit of IoT strategies for manufacturers’ own operations as well. Remember that the technological obstacles to instant sharing of real-time data have been eliminated for the supply chain as well. If you choose to share it, your resupply programs can also be automatically triggered on an M2M basis, giving an inherent advantage to the domestic supplier who can get the needed part there in a few hours, versus the low-cost supplier abroad who may take weeks to reach your loading dock.

It may be harder to quantify than quality improvements or streamlined production through the IoT, but that doesn’t mean that dependable revenue streams from loyal customers aren’t an important potential benefit as well.

Amazon Echo: great tech present for your tech-averse parents!

Never let it be said that I get serious about my Christmas shopping until about this date!

This year, my major suggestion is about a product that it took me a full year to buy after my mother-in-law of a certain age sent last Christmas’s check: never let it be said that I rush into purchases of any kind (I should explain that I’m like the Beacon Hill Brahmin lady who explained to a New York counterpart asking where she bought her hat: “We don’t buy hats. We have hats.” Similarly, I try to avoid buying absolutely anything: I just have what I absolutely need. A strange and complex bird, I am …).

The item in question? An Amazon Echo, which, characteristically, I bought refurbished for $50 off!

Amazon Echo

That leads me to a last-minute suggestion for an unlikely use of said Echo: introducing your tech-averse parent to the benefits of smart home and Quantified Self technology (AKA my “SmartAging” paradigm to keep seniors healthy and in their own homes instead of an institution).

As I wrote a year ago, I think the neatest thing about the Echo in that regard (and, to a lesser extent, other voice-controlled IoT devices, although they’re handicapped because they just don’t have Alexa’s quick response time and already huge and constantly growing list of “skills”) is that you don’t need to know any technology to use it: you just say “Alexa: …” and she does it!

While I knew the Echo had gone far beyond its original use to stream music, I had no idea until I bought it how robust and rapidly growing its “skills” have become, and that it’s really a full-fledged smart home hub (why buy a dedicated hub that just sits there and doesn’t provide any of the Echo’s other benefits? Got me..). It’s hard to keep up, but a recent Turbo Future article, “Amazon Echo: 15 Best New Features,” gives a pretty good overview, and it seems to me that most of them involve various services that can make it a lot easier, and definitely more enjoyable, for aging parents to continue to live in and manage their homes (although some judicious Christmas morning set-up by adult children may be in order for those seniors who avoid technology like the plague), because all you have to do is talk and listen! They’ll appreciate Alexa even more if their hands are full, which is often the case in the kitchen.

Here are a few of my favorites:

  • shopping lists: my wife doesn’t share my love of gadgetry, but we both love this simple service.  Say “Alexa, add flour to my shopping list,” and it’s instantly on the Alexa app on your phone, to pull out at the supermarket. As someone who dutifully makes shopping lists and then always forgets them, that’s worth the service alone.  I won’t buy my household staples from Amazon because, despite the savings, I don’t like the ecological impact that specialized service causes, but if that’s not an issue for you, you can order products directly from Amazon using Alexa.
  • ordering services: you can hail an Uber or order a Domino’s Pizza. For a senior who doesn’t have a car, that can be great!
  • music: obviously the prime market for Amazon’s and other streaming music services such as Pandora is millennials, but, guess what, you can even get Guy Lombardo (the soundtrack of my earliest years because of my parents’ 78’s) simply by asking Alexa.  The ultimate time machine!
  • books: if your parent has vision problems, audible books may be a boon, and since Amazon now owns Audible, this is also possible.
  • news: I’ve been trying to wean myself from the news since Something Bad Happened Last Month, but I’m still drawn like a moth to the flame, so I can get NPR instantly. A growing variety of other sources are also available.
  • smart home: I just installed two Sensi thermostats as I get deeper into smart home technology on the home front. Even though they have a great app that lets me adjust the temp when I’m away from home, it’s neat to just say “Alexa, turn down the heat two degrees” and have her do the work, not me! Next up? Adding my WeMo lights.
  • cooking: even though you can now get Echo’s little brothers (Dot and Tap) for use elsewhere in the home — or even outdoors — most Echos are found in the kitchen, and nothing is worse than flour-covered hands on a cookbook.  Now you can even ask Alexa for a great recipe for a certain dish, use it to make your shopping list, and follow the steps for making the dish, all just by asking her. Neato.
  • calendar: they may not be working anymore, but seniors have got a lot of appointments — the doctor, or my wife’s 95-year old aunt’s tango lessons (I kid you not!), so if you link your Google Calendar, Alexa will make sure you’re not late.

Equally important (and I suspect this will become more of a feature in the near future) the Echo can even help you stay on top of the other part of my SmartAging vision: improving your health, because you can access your Fitbit data.  There’s already a skill to help parents with kiddies’ ailments, from our Children’s Hospital, so why not one for geriatrics as well??

That’s just for now, and independent developers are adding new “skills” for Alexa at a dizzying pace.  So, if you still don’t have a present for Grannie? Get her an Echo, and since it’s from Amazon, she’ll still get it by the 25th!


Libelium: flexibility a key strategy for IoT startups

I’ve been fixated recently on venerable manufacturing firms such as 169-yr. old Siemens making the IoT switch.  Time to switch focus, and look at one of my fav pure-play IoT firms, Libelium.  I think Libelium proves that smart IoT firms must, above all, remain nimble and flexible,  by three interdependent strategies:

  • avoiding picking winners among communications protocols and other standards.
  • avoiding over-specialization.
  • partnering instead of going it alone.

Libelium CEO Alicia Asin

If you aren’t familiar with Libelium, it’s a Spanish company that recently turned 10 (my, how time flies!) in a category littered with failures that had interesting concepts but didn’t survive. Bright, young, CEO Alicia Asin, one of my favorite IoT thought leaders (and do-ers!) was recently named best manager of the year in the Aragón region in Spain.  I sat down with her for a wide-ranging discussion when she recently visited the Hub of the Universe.

I’ve loved the company since its inception, particularly because it is active in so many sectors of the IoT, including logistics, industrial control, smart meters, home automation and a couple of my most favorite, agriculture (I have a weak spot for anything that combines “IoT” AND “precision”!) and smart cities.  I asked Asin why the company hadn’t picked one of those verticals as its sole focus: “it was too risky to choose one market. That’s still the same: the IoT is still so fragmented in various verticals.”

The best illustration of the company’s strategy in action is its Waspmote sensor platform, which it calls the “most complete Internet of Things platform in the market with worldwide certifications.” It can monitor up to 120 sensors to cover hundreds of IoT applications in the wide range of markets Libelium serves with this diversified strategy, ranging from the environment to “smart” parking.  The new versions of their sensors include actuators, to not simply report data, but also allow M2M control of devices such as irrigation valves, thermostats, illumination systems, motors and PLC’s. Equally important, because of the potentially high cost of having to replace the sensors, the new ones use extremely little power, so they can last        .

Equally important as the company’s refusal to limit itself to a single vertical market is its commitment to open systems and multiple communications protocols, including LoRaWAN, SIGFOX, ZigBee and 4G — a total of 16 radio technologies. It also provides both open source SDK and APIs.

Why?  As Asin told me:


“There is not going to be a standard. This (competing standards and technology) is the new normal.

“I talk to some cities that want to become involved in smart cities, and they say we want to start working on this but we want to use the protocol that will be the winner.

“No one knows what will be the winner.

“We use things that are resilient. We install all the agents — if you aren’t happy with one, you just open the interface and change it. You don’t have to uninstall anything. What if one of these companies increases their prices to heaven, or you are not happy with the coverage, or the company disappears? We allow you to have all your options open.

“The problem is that this (not picking a standard) is a new message, and people don’t like to listen.  This is how we interpret the future.”

Libelium makes 110 different plug and play sensors (or as they call them, “Plug and Sense”) to detect a wide range of data from sources including gases, events, parking, energy use, agriculture, and water. They claim the lowest power consumption in the industry, leading to longer life and lower maintenance and operating costs.

Finally, the company doesn’t try to do everything itself: Libelium has a large and growing partner network (or ecosystem, as it calls it — music to the ears of someone who believes in looking to nature for profitable business inspiration). Carrying the collaboration theme even farther, they’ve created an “IoT Marketplace,” where pre-assembled device combinations from Libelium and partners can be purchased to meet the specific needs of niches such as e-health,  vineyards, water quality, smart factories, and smart parking.  As the company says, “the lack of integrated solutions from hardware to application level is a barrier for fast adoption,” and the kits take away that barrier.

I can’t stress it enough: for IoT startups that aren’t totally focused on a single niche (a high-stakes strategy), Libelium offers a great model because of its flexibility, agnostic view of standards, diversification among a variety of niches, and eagerness to collaborate with other vendors.


BTW: Asin is particularly proud of the company’s newest offering, My Signals, which debuted in October and has already won several awards. She told me that they hope the device will allow delivering Tier 1 medical care to billions of underserved people worldwide who live in rural areas with little access to hospitals.

It combines 15 different sensors measuring the most important body parameters that would ordinarily be measured in a hospital, including ECG, glucose, airflow, pulse, blood oxygen, and blood pressure. The data is encrypted and sent to the Libelium Cloud in real-time to be visualized on the user’s private account.

It fits in a small suitcase and costs less than 1/100th the amount of a traditional Emergency Observation Unit.

The kit was created to make it possible for m-health developers to create prototypes cheaply and quickly.

When Philips’s Hue Bulbs Are Attacked, IoT Security Becomes Even Bigger Issue

OK, what will it take to make security (and privacy) job #1 for the IoT industry?

The recent Mirai DDoS attack should have been enough to get IoT device companies to increase their security and privacy efforts.

Now we hear that the Hue bulbs from Philips, a global electronics and IoT leader that DOES emphasize security and doesn’t cut corners, have been the focus of a potentially devastating attack (um, just wonderin’: how does triggering mass epileptic seizures through your light bulbs grab you?).

Since it’s abundantly clear that the US president-elect would rather cut regulations than add needed ones (just announcing that, for every new regulation, two must be cut), the burden of improving IoT security will lie squarely on the shoulders of the industry itself. BTW: kudos in parting to outgoing FTC Chair Edith Ramirez, who has made intelligent, workable IoT regulations in collaboration with self-help efforts by the industry a priority. Will we be up to the security challenge, or, as I’ve warned before, will security and privacy lapses totally undermine the IoT in its adolescence by losing the public and corporate confidence and trust that is so crucial in this particular industry?

Count me among the dubious.

Here’s what happened in this truly scary episode, which, for the first time, presages making the focus of an IoT hack an entire city, by exploiting what might otherwise be a smart city/smart grid virtue: a large installed base of smart bulbs, all within communication distance of each other. The weapons? An off-the-shelf drone and a USB stick (the same team found that a car will also do nicely as an attack vector). Fortunately, the perpetrators in this case were a group of white-hat hackers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada, who reported it to Philips so they could implement additional protections, which the company did.

Here’s what they wrote about their plan of attack:

“In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction (my emphasis), provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform.

“The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack (my emphasis). To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already) (my emphasis).

“To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.”

Again, this wasn’t one of those fly-by-night Chinese manufacturers of low-end IoT devices, but Philips, a major, respected, and vigilant corporation.
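The critical-mass estimate in the quoted abstract can be reproduced with a standard continuum-percolation model of randomly placed devices. The Python below is an added example, not code from the paper or from this post; it assumes a 100 m device-to-device radio range (a figure not given here) and the textbook critical filling factor of about 1.128 for overlapping discs, and it checks the threshold by simulation on a smaller 3 km square.

```python
import math
import random

# Critical filling factor for overlapping discs in 2-D continuum percolation
# (standard value from the percolation literature).
ETA_C = 1.128


def critical_count(area_m2, radio_range_m):
    """Device count at which a spanning connected cluster is expected to appear.

    Devices are linked when they lie within radio_range_m of each other,
    which is the same as discs of radius range/2 around them overlapping.
    """
    disc_area = math.pi * (radio_range_m / 2.0) ** 2
    return ETA_C * area_m2 / disc_area


def largest_cluster_fraction(n, side_m, radio_range_m, seed=1):
    """Scatter n devices uniformly in a square; return the share in the largest cluster."""
    rng = random.Random(seed)
    pts = [(rng.uniform(0, side_m), rng.uniform(0, side_m)) for _ in range(n)]
    parent = list(range(n))

    def find(i):  # union-find with path halving
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    # Bucket devices into range-sized cells so only adjacent cells are compared.
    cells = {}
    for idx, (x, y) in enumerate(pts):
        key = (int(x // radio_range_m), int(y // radio_range_m))
        cells.setdefault(key, []).append(idx)

    r2 = radio_range_m ** 2
    for (cx, cy), members in cells.items():
        nearby = [j for dx in (-1, 0, 1) for dy in (-1, 0, 1)
                  for j in cells.get((cx + dx, cy + dy), ())]
        for i in members:
            for j in nearby:
                if i < j and (pts[i][0] - pts[j][0]) ** 2 + (pts[i][1] - pts[j][1]) ** 2 <= r2:
                    parent[find(i)] = find(j)

    sizes = {}
    for i in range(n):
        root = find(i)
        sizes[root] = sizes.get(root, 0) + 1
    return max(sizes.values()) / n


def sweep(side_m=3000.0, radio_range_m=100.0):
    """Largest-cluster share at 0.5x, 1x and 2x the critical device count."""
    n_c = critical_count(side_m ** 2, radio_range_m)
    return {m: largest_cluster_fraction(int(m * n_c), side_m, radio_range_m)
            for m in (0.5, 1.0, 2.0)}


if __name__ == "__main__":
    # Paris figure from the quoted abstract: about 105 square kilometres.
    print("critical count for 105 km^2:", round(critical_count(105e6, 100.0)))
    for mult, frac in sweep().items():
        print(f"{mult:.1f} x critical -> largest cluster holds {frac:.0%} of devices")
```

Under the assumed 100 m range the formula gives roughly 15,000 devices for 105 square kilometers, in line with the figure in the abstract; below the threshold the largest cluster stays a small fraction of the devices, above it nearly every device is in one connected cluster.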

As for the possible results? It could:

  • jam WiFi connections
  • disturb the electric grid
  • brick devices, making entire critical systems inoperable
  • and, as I mentioned before, cause mass epileptic seizures.

As for the specifics, according to TechHive, the researchers installed Hue bulbs in several offices in an office building in the Israeli city of Beer Sheva. In a nice flair for the ironic, the building housed several computer security firms and the Israeli Computer Emergency Response Team.  They attached the attack kit on the USB stick to a drone, and flew it toward the building from 350 meters away. When they got to the building they took over the bulbs and made them flash the SOS signal in Morse Code.

The researchers “were able to bypass any prohibitions against remote access of the networked light bulbs, and then install malicious firmware. At that point the researchers were able to block further wireless updates, which apparently made the infection irreversible. ‘There is no other method of reprogramming these [infected] devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied.’”

Worst of all, the attack was against Zigbee, one of the most robust and widely-used IoT protocols, an IoT favorite because Zigbee networks tend to be cheaper and simpler than WiFi or Bluetooth.

The attack points up one of the critical ambiguities about the IoT. On one hand, the fact that it allows networking of devices leads to “network effects,” where each device becomes more valuable because of the synergies with other IoT devices. On the other hand, that same networking and use of open standards means that penetrating one device can mean ultimately penetrating millions and compounding the damage.


I’m hoping against hope that when Trump’s team tries to implement cyber-warfare protections they’ll extend the scope to include the IoT because of this specific threat. If they do, they’ll realize that you can’t just say yes, cyber-security and no, regulations. In the messy world of actually governing, rather than issuing categorical dictums, you sometimes have to embrace the messy world of ambiguity.

What do you think?

 

2nd day liveblogging, Gartner ITxpo, Barcelona

Accelerating Digital Business Transformation With IoT, Saptarshi Routh, Angelo Marotta
(arrived late, mea culpa)

  • case study (didn’t mention name, but just moved headquarters to Boston. Hmmmmm).
  • you will be disrupted by IoT.
  • market fragmented now.

Toshiba: How is IoT Redefining Relationships Between Customers and Suppliers, Damien Jaume, president, Toshiba Client Solutions, Europe:

  • time of tremendous transformation
  • by end of ’17, will surpass PC, tablet & phone market combined
  • 30 billion connected devices by 2020
  • health care IoT will be $117 billion by 2020
  • 38% of industry leaders disrupted by digitally-enabled competitors by 2018
  • certainty of customer-supplier relationship disruption will be greatest in manufacturing, but also every other market
    • farming: from product procurement to systems within systems. Smart, connected product will yield to integrated systems of systems.
  • not selling product, but how to feed into whole IoT ecosystem
  • security paramount on every level
  • risk to suppliers from new entrants w/ lean start-up costs.
  • transition from low engagement, low trust to high engagement, high trust.
  • Improving efficiencies
  • ELIMINATE MIDDLEMAN — NO LONGER RELEVANT
  • 4 critical success factors:
    • real-time performance pre-requisite
    • robustness — no downtime
    • scalability
    • security
  • case studies: energy & connected home, insurance & health & social care (Neil Bramley, business unit director for clients solutions)
    • increase depth of engagement with customer. Tailored information
    • real-time performance is key, esp. in energy & health
    • 20 million smart homes underway in GB by 2020:
      • digitally empowering consumers
      • engaging consumers
      • Transforming relationships among all players
      • Transforming homes
      • Digital readiness
    • car insurance: real-time telematics.
      • real-time telematics data
      • fleet management: training to reduce accidents. Working  w/ Sompo Japan car insurance:
    • Birmingham NHS Trust for health (Ciaron Hoye, head of digital):
      • move to health promotion paradigm
      • pro-actively treat patients
      • security first
      • asynchronous communications to “nudge” behavior.
      • avoiding hip fractures
      • changing relationship w/ the patient: making them stakeholders, involving in discussion, strategy
      • use game theory to change relationship

One-on-one w/ Christian Steenstrup, Gartner IoT analyst. ABSOLUTE VISIONARY — I’LL BE INTERVIEWING HIM AT LENGTH IN FUTURE:

  • industrial emphasis
  • applications more ROI driven, tangible benefits
  • case study: mining & heavy industry
    • mining in Australia, automating entire value train. Driverless. Driverless trains. Sensors. Caterpillar. Collateral benefits: 10% increase in productivity. Less payroll.  Lower maintenance. Less damage means less repairs.
    • he downplays AR in industrial setting: walking in industrial setting with lithium battery strapped to your head is dangerous.
    • big benefit: less capital expense when they build next mine. For example, building the town for the operators — so eliminate the town!
  • take existing processes & small improvements, but IoT-centric biz, eliminating people, might eliminate people. Such as a human-less warehouse. No more pumping huge amount of air underground. Huge reduction with new system.  Mine of future: smaller holes. Possibility  of under-sea mining.
  • mining has only had incremental change.
  • BHP mining’s railroad — Western Australia. No one else is involved. “Massive experiment.”
  • Sound sensing can be important in industrial maintenance.  All sorts of real-time info. 
  • Digital twins: must give complete info — 1 thing missing & it doesn’t work.
  • Future: 3rd party data brokers for equipment data.
  • Privacy rights of equipment.
  • “communism model” of info sharing — twist on Lenin.

 

Accelerating Digital Transformation with Microsoft Azure IoT Suite (Charlie Lagervik):

  • value networking approach
  • customer at center of everything: customer conversation
  • 4 imperatives:
    • engage customers
    • transform products
    • empower employees
    • optimize operations
  • their def. of IoT combines things/connectivity/data/analytics/action. Need feedback loop for change
  • they focus on B2B because of efficiency gains.
  • Problems: difficult to maintain security, time-consuming to launch, incompatible with current infrastructure, and hard to scale.
  • Azure built on cloud.
  • InternetofYourThings.com

 

Afternoon panel on “IoT of Moving Things” starts with all sorts of incredible factoids (“since Aug., Singapore residents have had access to self-driving taxis”/ “By 2030, owning a car will be an expensive self-indulgence and will no longer be legal.”)

  • vehicles now have broader range of connectivity
  • do we really want others to know where we are? — privacy again!
  • who owns the data?
  • what challenges do we need to overcome to turn data into information & valuable insight that will help network and city operators maximize efficiency & drive improvement across our transportation network?
  • think of evolution: now car will be software driven, then will become living room or office.
  • data is still just data, needs context & location gives context.
  • cities have to re-engineer streets to become intelligent streets.
  • must create trust among those who aren’t IT savvy.
  • do we need to invest in physical infrastructure, or will it all be digital?
  • case study: one car company w/ engine failures in 1 of 3 cars gave the consultants data to decide on what was the problem.

Smart Disposables: Could This Be Birth of Internet of Everything?

Could EVERYTHING be “smart?” It may be happening sooner than we thought, and with implications that are hard to fathom today.

That’s the potential with new technology pioneered by Shyam Gollakota, an assistant professor at the University of Washington. For the first time, it would let battery-less and cordless devices harvest signals from Wi-Fi, radio, or TV to communicate and power themselves.

Astounding!

For a long time, the most “out there” idea about IoT sensors has been Prof. Kris Pister’s “smart dust” concept, which aimed at a complete sensor/communication system in a package only one cubic millimeter in size. Pister argued that such devices would be so small and cheap that they could be installed — or perhaps even scattered — almost everywhere. The benefits could be varied and inconceivable in the past. According to Pister, possible applications could include:

  • “Defense-related sensor networks
    • battlefield surveillance, treaty monitoring, transportation monitoring, scud hunting, …
  • Virtual keyboard
    • Glue a dust mote on each of your fingernails.  Accelerometers will sense the orientation and motion of each of your fingertips, and talk to the computer in your watch.  QWERTY is the first step to proving the concept, but you can imagine much more useful and creative ways to interface to your computer if it knows where your fingers are: sculpt 3D shapes in virtual clay, play the piano, gesture in sign language and have the computer translate, …
    • Combined with a MEMS augmented-reality heads-up display, your entire computer I/O would be invisible to the people around you.  Couple that with wireless access and you need never be bored in a meeting again!  Surf the web while the boss rambles on and on.
  • Inventory Control
    • The carton talks to the box, the box talks to the pallet, the pallet talks to the truck, and the truck talks to the warehouse, and the truck and the warehouse talk to the internet.  Know where your products are and what shape they’re in any time, anywhere.  Sort of like FedEx tracking on steroids for all products in your production stream from raw materials to delivered goods.
  • Product quality monitoring
    • temperature, humidity monitoring of meat, produce, dairy products
      • Mom, don’t buy those Frosted Sugar Bombs, they sat in 80% humidity for two days, they won’t be crunchy!
    • impact, vibration, temp monitoring of consumer electronics
      • failure analysis and diagnostic information, e.g. monitoring vibration of bearings for frequency signatures indicating imminent failure (back up that hard drive now!)
  • Smart office spaces
    • The Center for the Built Environment has fabulous plans for the office of the future in which environmental conditions are tailored to the desires of every individual.  Maybe soon we’ll all be wearing temperature, humidity, and environmental comfort sensors sewn into our clothes, continuously talking to our workspaces which will deliver conditions tailored to our needs.  No more fighting with your office mates over the thermostat.
  • Interfaces for the Disabled (courtesy of Bryndis Tobin)
    • Bryndis sent me email with the following idea: put motes “on a quadriplegic’s face, to monitor blinking & facial twitches – and send them as commands to a wheelchair/computer/other device.”  This could be generalized to a whole family of interfaces for the disabled.  Thanks Bryndis!”

Now imagine that a critical component of such a tiny, ubiquitous device was removed. Because it didn’t need a battery it could be even smaller and cheaper (because of cheaper and simpler radio hardware circuitry).

“The goal is having billions of disposable devices start communicating,” Gollakota said (my emphasis).

You may remember that I’ve written before about my metaphor of a pre-IoT era of “Collective Blindness,” the universal inability to peer (literally or figuratively) inside things in the past, which forced us to create all sorts of work-arounds to cope with that lack of real-time data. Imagine how precise our knowledge about just about everything will be if Gollakota’s technology becomes commonplace.

As Technology Review reported, the critical challenge is making it possible for a device lacking a traditional power source to communicate: “Transferring power wirelessly is not a new trick. But getting a device without a conventional power source to communicate is harder, because generating radio signals is very power-intensive and the airwaves harvested from radio, TV, and other telecommunication technologies hold little energy.”

The principle making the innovation possible is “backscattering,” reflecting waves, particles or signals back in the direction they came from, which creates a new signal.

The early results are encouraging. Gollakota has made a contact lens that can connect with a smartphone. Think I’ll pass on that one, but other devices he and his team have created include brain implants and “a flexible skin patch that can sense temperature and respiration, a design that could be used to monitor hospital patients.”  Marketers will love this one: a concert poster broadcasting a bit of the featured band’s music over FM radio!

Jeeva Wireless, Gollakota’s commercial spinoff, is using a variety of the technology, “passive Wi-Fi.” Devices using it can send data up to 100 feet and connect through walls.

Tiny passive devices using backscatter could be manufactured for as little as a dollar. “In tomorrow’s smart home, security cameras, temperature sensors, and smoke alarms should never need to have their batteries changed.”

Gollakota sums up the potential impact: “We can get communication for free” (my emphasis).

That’s incredible, but in light of the continuing series of major DDoS attacks made possible by weak or non-existent IoT security measures, I must remind everyone that speed, power, and ubiquity aren’t everything: we also need IoT security, so I hope the low cost and ability to function without a dedicated energy source won’t obscure that need as well.


 

BTW: an MIT profile on Gollakota mentions one of his other, related, inventions, which I think would mesh beautifully with my SmartAging vision to help seniors age in place in better health.

It’s called WiSee, which uses wireless signals such as Wi-Fi to “enable whole-home sensing and recognition of human gestures. Since wireless signals do not require line-of-sight and can traverse through walls, WiSee can enable whole-home gesture recognition using few wireless sources (e.g., a Wi-Fi router and a few mobile devices in the living room).”

I love the concept for seniors, because (like Echo, which I’m finally getting!!) it doesn’t require technical expertise, which many seniors lack and/or find intimidating, to launch and direct automated devices. In this case, the activation is through sensing and recognition of human gestures. According to Gollakota, “‘Gestures enable a whole new set of interaction techniques for always-available computing embedded in the environment.’ As an example, he suggests that a hand swiping motion in the air could enable a user to control the radio volume while showering – or change the song playing on the stereo in the living room while you are cooking in the kitchen.”

He goes on to explain:

“…. that the approaches offered today to enable gesture recognition – by either installing cameras throughout a home/office or outfitting the human body with sensing devices – are in most cases either too expensive or unfeasible. So he and his group members are skirting these issues by taking advantage of the slight changes in ambient wireless signals that are created by motion. Since wireless signals do not require line-of-sight and can traverse through walls, he and his group have achieved the first gesture recognition system that works in those situations. ‘We showed that this approach can extract accurate information about a rich set of gestures from multiple concurrent users.’”

Combine that with speaking to Alexa, and even the most frail seniors could probably control most of the functions in a smart home.

Incredible work, professor!

Don’t Say I Didn’t Warn You: One of Largest Botnet Attacks Ever Due to Lax IoT Security

Don’t say I didn’t warn you about how privacy and security had to be THE highest priority for any IoT device.

On September 19th, Chris Rezendes and I were the guests on a Harvard Business Review webinar on IoT privacy and security. I once again was blunt that:

  • you can’t wait until you’ve designed your cool new IoT device before you begin to add in privacy and security protections. Start on Day 1!
  • sensors are particularly vulnerable, since they’re usually designed for minimum cost, installed, and forgotten.
  • as with the Target hack, hackers will try to exploit the least protected part of the system.
  • privacy and security protections must be iterative, because the threats are constantly changing.
  • responsible companies have as much to lose as the irresponsible, because the result of shortcomings could be held against the IoT in general.

The very next day, all hell broke loose. Hackers used the Mirai malware to launch one of the largest distributed denial-of-service attacks ever, on security blogger Brian Krebs (BTW, the bad guys failed, because of valiant work by the good guys here in Cambridge, at Akamai!).

 

The threat was so bad that DHS’s National Cyber Awareness System sent out the first bulletin I ever remember getting from them dealing specifically with IoT devices. As it warned, “IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.”  By way of further explanation, DHS showed how ridiculously simple the attacks were because of inadequate protection:

“The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices. The purported Mirai author claimed that over 380,000 IoT devices  (my emphasis) were enslaved by the Mirai malware in the attack on Krebs’ website.”

A later attack in France during September using Mirai resulted in the largest DDoS attack ever.

The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders. Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.

How’d they do it?

By a feature of the malware that detects and attacks consumer IoT devices that only have default, sometimes hardwired, passwords and usernames (or, as Dark Reading put it in an apocalyptic sub-head, “Mirai malware could signal the beginning of new trend in using Internet of Things devices as bots for DDoS attacks.”)

To place the blame closer to home (well, more accurately, in the home!) you and I, if we bought cheap smart thermostats or baby monitors with minimal or no privacy protections and didn’t bother to set up custom passwords, may have unwittingly participated in the attack. Got your attention yet?
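The dictionary behavior DHS describes leaves a recognizable trace in a device's or honeypot's failed-login log: one source cycling through many different username/password pairs in seconds, unlike a person retyping one account's password. The Python below is an added example, not taken from the DHS bulletin or any vendor tool; the log format, addresses, credential pairs and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (format and values are illustrative, not real data).
SAMPLE_LOG = """\
2016-10-01T02:00:01Z telnet login_failed src=198.51.100.23 user=root pass=root
2016-10-01T02:00:03Z telnet login_failed src=198.51.100.23 user=admin pass=admin
2016-10-01T02:00:04Z telnet login_failed src=192.0.2.10 user=alice pass=Summer16
2016-10-01T02:00:05Z telnet login_failed src=198.51.100.23 user=root pass=admin
2016-10-01T02:00:07Z telnet login_failed src=198.51.100.23 user=guest pass=guest
2016-10-01T02:00:09Z telnet login_failed src=198.51.100.23 user=support pass=support
2016-10-01T02:00:11Z telnet login_failed src=198.51.100.23 user=admin pass=1234
2016-10-01T02:00:15Z telnet login_failed src=192.0.2.10 user=alice pass=summer16
2016-10-01T02:00:22Z telnet login_failed src=192.0.2.10 user=alice pass=Summer2016
2016-10-01T02:00:30Z telnet login_failed src=192.0.2.10 user=alice pass=Summer16!
2016-10-01T02:00:41Z telnet login_failed src=192.0.2.10 user=alice pass=summer2016
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet login_failed src=(?P<src>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)


def parse(line):
    """Return (timestamp, source, user, password) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["pw"]


def find_dictionary_sweeps(lines, window_s=60, min_pairs=5, min_users=3):
    """Flag sources that try many distinct credential pairs across several
    usernames inside a sliding time window (thresholds are assumptions)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # source -> failed attempts still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, user, pw = rec
        attempts = recent[src]
        attempts.append((ts, user, pw))
        while attempts and ts - attempts[0][0] > window:
            attempts.popleft()
        pairs = {(u, p) for _, u, p in attempts}
        users = {u for _, u, _ in attempts}
        if src not in flagged and len(pairs) >= min_pairs and len(users) >= min_users:
            flagged[src] = {"first_seen": attempts[0][0],
                            "pairs": len(pairs),
                            "users": sorted(users)}
    return flagged


if __name__ == "__main__":
    for src, info in find_dictionary_sweeps(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

Requiring several distinct usernames as well as several distinct pairs is what keeps the single user who mistypes a password five times from being flagged.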

 

No responsible IoT inventor or company can deny it any longer: the entire industry is at risk unless corporate users and the general public can be confident that privacy and security are baked in and continuously upgraded. Please watch the HBR webinar if you haven’t already, and pledge to make IoT privacy and security Job #1!


 

PS: According to the DHS bulletin:

“In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks. This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million (my emphasis) enslaved IoT devices.”

BTW: thanks to my friend Bob Weisberg for reminding me to give this situation its due!
