IoT Intangibles: Increased Customer Loyalty

There are so many direct, quantifiable benefits of the IoT, such as increased quality (that 99.9988% quality rate at Siemens’s Amberg plant!) and precision, that we may forget there are also potential intangible benefits.

Most important of those is customer loyalty, brought about by dramatic shifts both in product designs and how they are marketed.

Much of this results from the IoT lifting the veil of Collective Blindness to which I’ve referred before: in particular, our prior inability to document how products were actually used once they left the loading dock. As I’ve speculated, that probably meant that manufacturers got deceptive information about how customers actually used products and their degree of satisfaction. The difficulty of getting feedback logically meant that those who most liked and most hated a product were over-represented: those who kinda liked it weren’t sufficiently motivated to take the extra steps to be heard.

Now, by contrast, product designers, marketers, and maintenance staffs can share (that critical verb from my Circular Company vision!) real-time data about how a product is actually operating in the field, often from a “digital twin” they can access right at their desks.

Why’s that important?

It can give them easy insights (especially if those different departments do access and discuss the data at the same time, each offering its own unique perspectives) on issues that will build customer loyalty:

  • what new features can we add that will keep them happy?
  • can we offer upgrades such as new operating software (such as the Tesla software that was automatically installed in every single car and avoided a recall) that will provide better customer experiences and keep the product fresh?
  • what possible maintenance problems can we spot in their earliest stages, so we can put “predictive maintenance” services into play at minimal cost and bother to the customer?

I got interested in this issue of product design and customer loyalty while consulting for IBM in the ’90s, when it introduced the IBM PS 2E (for Energy & Environmental), a CES best-of-show winner in part because of its snap-together modular design. While today’s thin-profile-at-all-costs PC and laptop designs have made user-friendly upgrades a distant memory, one of the things that appealed to me about this design was the realization that if you could keep users satisfied that they were on top of new developments by incremental substitution of new modules, they’d be more loyal and less likely to explore other providers.

In the same vein, as GE has found, the rapid feedback can dramatically speed upgrades and new features. That’s important for loyalty: if you maintain a continuing interaction with the customer and anticipate their demands for new features, they’ll have less reason to go on the open market and evaluate all of your competitors’ products when they do want to move up.

 

Equally important for customer loyalty are the new marketing options that the continuous flow of real-time operating data offers you. For a growing number of companies, that means they’re no longer selling products, but leasing them, with the price based on actual customer usage: if it ain’t bein’ used, it ain’t costing them anything and it ain’t bringing you any revenue!

Examples include:

  • jet turbines which, because of the real-time data flow, can be marketed on the basis of thrust generated: if it’s sitting on the ground, the lessee doesn’t pay. The same real-time data flow allows the manufacturer to schedule predictive maintenance at the earliest sign of a problem, reducing both its cost and the impact on the customer.
  • Siemens’s Mobility Services, which add in features such as 3-D manufactured spare parts that speed maintenance and reduce costs, keeping the trains running.
  • Philips’s lighting services, which are billed on the basis of use, not sold.
  • SAP’s prototype smart vending machine, which (if you opt in) may offer you a special discount based on your past purchasing habits.

At its most extreme is Caterpillar’s Reman process, where the company takes back and remanufactures old products, giving them a new life — and creating new revenues — when competitors’ products are in the landfill.

Loyalty can also be a benefit of IoT strategies for manufacturers’ own operations as well. Remember that the technological obstacles to instant sharing of real-time data have been eliminated for the supply chain as well. If you choose to share it, your resupply programs can also be automatically triggered on an M2M basis, giving an inherent advantage to the domestic supplier who can get the needed part there in a few hours, versus the low-cost supplier abroad who may take weeks to reach your loading dock.

It may be harder to quantify than quality improvements or streamlined production through the IoT, but that doesn’t mean that dependable revenue streams from loyal customers aren’t an important potential benefit as well.

When Philips’s Hue Bulbs Are Attacked, IoT Security Becomes Even Bigger Issue

OK, what will it take to make security (and privacy) job #1 for the IoT industry?

The recent Mirai DDoS attack should have been enough to get IoT device companies to increase their security and privacy efforts.

Now we hear that the Hue bulbs from Philips, a global electronics and IoT leader that DOES emphasize security and doesn’t cut corners, have been the focus of a potentially devastating attack (um, just wonderin’: how does triggering mass epileptic seizures through your light bulbs grab you?).

Since it’s abundantly clear that the US president-elect would rather cut regulations than add needed ones (just announcing that, for every new regulation, two must be cut), the burden of improving IoT security will lie squarely on the shoulders of the industry itself. BTW: kudos in parting to outgoing FTC Chair Edith Ramirez, who has made intelligent, workable IoT regulations in collaboration with self-help efforts by the industry a priority. Will we be up to the security challenge, or, as I’ve warned before, will security and privacy lapses totally undermine the IoT in its adolescence by losing the public and corporate confidence and trust that is so crucial in this particular industry?

Count me among the dubious.

Here’s what happened in this truly scary episode, which, for the first time, presages making the focus of an IoT hack an entire city, by exploiting what might otherwise be a smart city/smart grid virtue: a large installed base of smart bulbs, all within communication distance of each other. The weapons? An off-the-shelf drone and a USB stick (the same team found that a car will also do nicely as an attack vector). Fortunately, the perpetrators in this case were a group of white-hat hackers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada, who reported it to Philips so they could implement additional protections, which the company did.

Here’s what they wrote about their plan of attack:

“In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction (my emphasis), provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform.

“The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack (my emphasis). To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already) (my emphasis).

“To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.”

Again, this wasn’t one of those fly-by-night Chinese manufacturers of low-end IoT devices, but Philips, a major, respected, and vigilant corporation.

As for the possible results? It could:

  • jam WiFi connections
  • disturb the electric grid
  • brick devices, making entire critical systems inoperable
  • and, as I mentioned before, cause mass epileptic seizures.

As for the specifics, according to TechHive, the researchers installed Hue bulbs in several offices in an office building in the Israeli city of Beer Sheva. In a nice flair for the ironic, the building housed several computer security firms and the Israeli Computer Emergency Response Team. They attached the attack kit on the USB stick to a drone, and flew it toward the building from 350 meters away. When they got to the building they took over the bulbs and made them flash the SOS signal in Morse Code.

The researchers “were able to bypass any prohibitions against remote access of the networked light bulbs, and then install malicious firmware. At that point the researchers were able to block further wireless updates, which apparently made the infection irreversible. ‘There is no other method of reprogramming these [infected] devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied.’”

Worst of all, the attack was against Zigbee, one of the most robust and widely-used IoT protocols, an IoT favorite because Zigbee networks tend to be cheaper and simpler than WiFi or Bluetooth.

The attack points up one of the critical ambiguities about the IoT. On one hand, the fact that it allows networking of devices leads to “network effects,” where each device becomes more valuable because of the synergies with other IoT devices. On the other hand, that same networking and use of open standards means that penetrating one device can mean ultimately penetrating millions and compounding the damage.


I’m hoping against hope that when Trump’s team tries to implement cyber-warfare protections they’ll extend the scope to include the IoT because of this specific threat. If they do, they’ll realize that you can’t just say yes, cyber-security and no, regulations. In the messy world of actually governing, rather than issuing categorical dictums, you sometimes have to embrace the messy world of ambiguity.

What do you think?