Roomba: Not only eats my iPhone cables, but it also spies on me now?

Hello and thanks for reading.


At our Novotech head office, we have a Roomba that routinely makes its way around our office, keeping the carpets nice and neat. For the most part, it kind of does its own thing, which often includes eating my iPhone cable that is plugged into the wall. While it doesn’t replace a thorough vacuuming, it definitely helps with crumbs and things.


However, who knew that Roomba had an ulterior motive when it was going around your home? One of the biggest things pushing companies towards the world of IoT is information, and apparently your Roomba knows a lot more about you than you think, at least according to this Washington Post article.


Should we be concerned or angered?


I think in this case, the answer is no and a definite yes. Most of the time when usage/location information is sold, it is done so in a cumulative fashion (so they may sell information about room sizes in the NW US, as an example, and not about your home specifically). Traditionally, this information would have been obtained by using things like the original home blueprints, but the Roomba would give a much more accurate picture, as it would work on homes of all sizes and build dates and it would even factor in things like renovations.


As I mentioned, not really something to be concerned about, but I would be angry. I have always said that nothing is truly free in this world, and this is the case for many “free” applications. Take an application like RunKeeper, which keeps track of how much you run. Seems like a great idea and it is a useful tool. However, that information (where you run, when you run, what shoes you wear, etc.) is valuable to many organizations: cities want to know where people run to plan the next path system and corporations want to know how to better market apparel to you, just as an example. If you use a free application, you have to know that the trade-off is that your data is likely the way the company keeps its lights on.


However, Roomba is not free, so why are they double-dipping?


The answer is because they can. Most people don’t even think twice about agreeing to online forms that grant the company permission to do so. The question is, should you care?


The Bottom Line

The reality is that just about anything can gather data on your usage, and with the low cost of Wi-Fi/cellular modules, more devices will start to. Your toaster will tell the manufacturer how dark you like your bread, which will allow them to better optimize the components on the next model. Your washing machine will tell your manufacturer how often people use special cycles, while your dryer will reveal how often you really bother to empty the lint tray. You get the point.


One can easily argue that IoT provides information that will make things more reliable and safe, and indeed it does. However, it also provides data that can be used for things that you may feel invade your privacy, so maybe it is time to read some of the T’s and C’s that you agree to, even on your next Roomba.

A different kind of “fishing” highlights IoT’s Security vulnerabilities

Like most people, I have visited a casino now and then. If you go to Vegas, it is in fact basically impossible to make it to most hotel rooms without going through one. What always amazed me when I was there was how much expense went into these buildings: canals, huge water fountains and incredible ceiling art are just some of the ways that casino owners try to entice you to spend money. I would bet, however, that they did not think one of these fixtures would potentially jeopardize the integrity of their data systems.

I am referring to a story in the Washington Post where creative thieves were able to use the IoT system that controlled most aspects of a fish tank to enter into some key systems at the casino. Now, I have no idea what data they may or may not have accessed, but the sheer idea of it boggles my mind. Why was there even a link available between the tank’s IoT system and a key data system?

Stories like this are both good and bad for the IoT industry. The bad side of it is that it can potentially scare away customers who may not believe that their data is immune to hackers and may delay or defer deploying an IoT solution. However, it is also good to have people be reminded that some simple steps are often all that is needed to prevent such a crime.

Most of the known attacks in the world of IoT tend to have been centered around things as simple as users failing to implement a password or, if they did, simply using the default username/password that is common to all of these devices. As well, using an edge device that has some intelligence (such as the ability to filter which users/IP addresses can even make changes) will also go a long way to preventing such an attack. Finally, using a security service (such as the shameless plug I am doing for our SecureIoT™ offering) will help to minimize the impact of some future attacks.
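As an added illustration (not code from this post or from the SecureIoT™ offering), here is a small audit that checks a device inventory for the basics above: default credentials, a missing management allowlist on the edge device, and a firewall path from the IoT network to a key data system like the one in the fish tank story. The inventory fields, addresses, credential pairs and rule format are all constructed assumptions.

```python
import ipaddress

# Constructed vendor-default credential pairs (illustrative, not a real vendor list).
DEFAULT_CREDS = {("admin", "admin"), ("admin", ""), ("root", "root")}

# Constructed inventory; the field names are assumptions for this example.
DEVICES = [
    {"name": "lobby-tank-controller", "ip": "10.20.0.15", "user": "admin",
     "password": "admin", "mgmt_allow": []},
    {"name": "hvac-gateway", "ip": "10.20.0.30", "user": "ops",
     "password": "k7!Vq2#xLm", "mgmt_allow": ["10.50.1.0/28"]},
]
# Constructed first-match firewall policy: (source net, destination net, action).
RULES = [
    ("10.20.0.0/24", "10.90.0.0/24", "allow"),  # IoT VLAN -> key data systems
    ("10.20.0.0/24", "0.0.0.0/0", "deny"),
]
SENSITIVE = ipaddress.ip_network("10.90.0.0/24")  # constructed data-system subnet

def first_match(src_ip, dst_net, rules):
    """Return the action of the first rule covering src_ip -> dst_net."""
    src = ipaddress.ip_address(src_ip)
    for rule_src, rule_dst, action in rules:
        if (src in ipaddress.ip_network(rule_src)
                and dst_net.subnet_of(ipaddress.ip_network(rule_dst))):
            return action
    return "deny"  # nothing matched: treat as implicit default deny

def audit(devices, rules, sensitive):
    """Return (device name, finding) pairs for each basic control that is missing."""
    findings = []
    for d in devices:
        if (d["user"], d["password"]) in DEFAULT_CREDS or not d["password"]:
            findings.append((d["name"], "default-or-empty-credentials"))
        if not d["mgmt_allow"]:
            findings.append((d["name"], "no-management-allowlist"))
        if first_match(d["ip"], sensitive, rules) == "allow":
            findings.append((d["name"], "can-reach-sensitive-network"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(DEVICES, RULES, SENSITIVE):
        print(f"{name}: {issue}")
```

Note that the well-configured gateway is still flagged, because the segmentation rule applies to the whole IoT network rather than to one device.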

The Bottom Line

No system is ever fully immune from an attack. An organization can put in the most advanced system available, but can still be attacked through something such as an employee leaving a screen unlocked to use the facilities or a phishing attack. Companies need to be diligent, and this starts by simply doing the basics. If I had to guess, I would suspect that it was something as simple as not changing a password that allowed this attack. If you take proper precautions, your IoT deployment will go smoothly and your data will be safe.