New Times,
New Thinking.

  1. Science & Tech
5 January 2017

This £160 “smart hairbrush“ symbolises the big problem with the Internet of Things

Is it worth the risk of hacking - and the potential invasion of privacy - to find out if you're brushing your hair wrong?

By Amelia Tait

Who wants a hairbrush that’s connected to the internet? Well, its manufacturers – Kérastase, Withings and L’Oréal – seem pretty excited about it. They unveiled the gadget at the CES technology show in Las Vegas to great fanfare.

The £160 Hair Coach is part of the “internet of things” – devices that promise to be smarter and cooler because they are connected to the web. It contains a microphone that promises to record the sound of breaking hair, and multiple sensors that will send data about your brushing technique to an app on your phone. 

In the last year, the Internet of Things industry has boomed, with everything from smart kettles to smart dolls entering our homes. Unfortunately, many of these devices have been shown to be prone to security breaches. Recently, security researchers found that a connected cooking pot could be hacked to gain access to your phone.

“Any Internet of Things (IoT) device, if security hasn’t been considered properly during development, can be hacked,” says Ken Munro, a security entrepreneur from PenTest Partners, a company which carries out security tests on IoT devices. 

Munro hasn’t yet looked at the Hair Coach, but he speculates about the security of any IoT device with a microphone and internet connection. “Listening to hair breakage requires a microphone, so can it hear more than just breaks? It’s clearly very sensitive, so could it detect human voice and potentially become a spy bug?”

Select and enter your email address Your weekly guide to the best writing on ideas, politics, books and culture every Saturday. The best way to sign up for The Saturday Read is via saturdayread.substack.com The New Statesman's quick and essential guide to the news and politics of the day. The best way to sign up for Morning Call is via morningcall.substack.com
Visit our privacy Policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.
THANK YOU

A spokesperson for Withings explained that the microphones are activated only when the user starts brushing their hair. The brush detects when it is being used and begins data collection automatically. The company then store 3-5 second audio recordings. Withings claim the microphone is not able to pick up conversations “unless the user is speaking really closely to the brush”. The spokesman added that: “Furthermore, we will apply some filters to not record voice frequencies.”

Ken Munro is sceptical that this is technically possible, however. “The manufacturer may counter that the microphone has been configured solely to listen to particular frequencies, but that’s often achieved in software rather than hardware. Hence, there may be potential to modify what it can hear and create that bug,” he says. Withings emphasises that all of its data is secure. “Even if someone achieves to hack the device, all our datas are encrypted,” the spokesman said over email.

The brush might well be secure. But its price and its function make it a vivid symbol of the debate over the Internet of Things as a whole. Does every gadget need to be digital? Or is something else going on?

“This just smacks of a marketing team panicking about how to keep their product relevant in the digital age, but some products simply don’t need to be digital to be relevant,” says Renate Samson, the chief executive of privacy campaign group Big Brother Watch. “It’s one thing to bung a sensor and microphone into a device and think your marketing solutions are solved, but what security protections are being installed?”

The rush to digitise has lead to mulliple security and privacy failures in other IoT products. Just last week, a Twitter user shared his experience of his new smart television being infected by ransomware, with hackers demanding $500 (£406) for him to get use of his TV back. In 2015, Munro managed to hack a connected children’s doll and make it say swear words, and more recently, he discovered a flaw in the security of a WiFi enabled vibrator that meant anyone could discover which individuals used the device by discovering the location and name of their WiFi connection. “That’s probably not a feature that owners realised or would like!” he says. 

Concerns go beyond spying, however, as IoT devices can be used to carry out Distributed Denial of Service (DDoS) attacks. (Essentially, this is when a website’s server is brought down by being hit with so many simultaneous requests for data that it cannot cope.) Last October, sites including Netflix, Twitter, and Spotify temporarily went down after hackers infected unsecured IoT devices with malware, then used them to make server requests. “There’s this renewed urgency to talk about what happens when we connect all these things through the Wi-Fi without giving much thought to their security,” said NPR technology reporter Alina Selyukh at the time.

But what can you do to keep yourself safe? Ken Munro advises that if you are purchasing an IoT device, you should check whether it needs a pairing PIN to connect to Bluetooth. Without a PIN or passcode, anyone nearby would be able to access the device. It’s also important to investigate whether the product is properly encrypted between the app and the company’s cloud servers. If not, your personal information about how you use the device could be open to hackers. Although it might not concern you to have data about your usage of your kettle, bin, or hair brush being disclosed, Munro emphasises that such flaws can also lead to your home network and phone being hacked. 

Privacy is also a concern when it comes to data collected by IoT devices. Many IoT companies will share your data with third parties such as advertisers or law enforcement. Last month, Amazon refused to hand over voice recordings from their “constantly listening” Amazon Echo to the police when asked to in order to aid a murder case, but not all companies will resist such requests.

All of these problems are solvable, but the bigger question is – are the gadgets involved worth the bother? A parody account on Twitter, @InternetofShit, reveals the ways that IoT devices actually make our lives worse, not better. Among their recent posts they have chronicled theromstats that show you adverts, alarms that can’t be turned off, and a dollhouse where the doors won’t open.

If we continue the trend of connecting everything we own to the internet, it’s only a matter of time until we become unable to use every day objects due to unforseen faults and flaws, like the person with a “smart lock” unable to open their own front door. Smart devices are going to have to get, well, a little bit smarter. 

Content from our partners
Water security: is it a government priority?
Defend, deter, protect: the critical capabilities we rely on
The death - and rebirth - of public sector consultancy