Red Pill: own your data

The state of the Internet of Things is bleak and it is looking to get a lot worse.

Sure, we are getting more connected devices at home: laptops, tablets, smartphones, fitness trackers... But the applications and services being used are gradually based on more and more sharing with third-party advertisers and aggregators to lock you in their ecosystem to make it more likely you will buy more of their stuff. And these devices only get more powerful with time, more apps, more complexity, more potential for adware, spyware and malware...

Although the consumer bought the device she actually has no control over it: you don't own the device, you are only licensed to use it under specific conditions defined by abusive End User License Agreements (EULA) and Terms of Services (ToS). This is planned obsolescence built-in to be triggered whenever the company chooses at any point without the obligation to offer any equivalent alternative.

Worse, if the company goes bust (Zeo, Greengoose, Nabaztag...) you are left with a "brick", your data history is lost forever, if it hasn't been stolen or resold.

 

So how can we redesign the current and future "Internet of Things" ecosystem to be favourable to us the users?

You're thinking "I don't care. I just want a new shiny wearable iPhad" Take your blue pill, close that tab and go back to what you were doing.

You're fed up? You want your data? You want to know what your apps are really up to? Take the red pill and keep on reading.

blue or red

 

Take the Red Pill

Red Pill is more than a regular home Wi-Fi access point: it intercepts for you the data your connected devices are sending back to the cloud.

red boxred box inside

 

Plug it in one of the ethernet sockets of your home router, switch it on, and tell your devices (IoT, smartphones..) to use that new Wi-Fi access point.

By default, RedPill is transparent to your devices and cloud services, all it does is recording http and https traffic that passes through.

For example, when a Withings scale contacts the cloud, it looks like that in the console:

   POST http://scalews.withings.net/cgi-bin/once                ...
        ← 200 text/plain 48B 3.41kB/s                                                                                                                  
   POST
        ← 200 text/plain 317B 5.12kB/s                                                                                                                 
   POST http://scalews.withings.net/cgi-bin/v2/measure             ...
        ← 200 text/html 12B 2.61kB/s                                                                                                                   
   POST
        ← 200 text/plain 12B 2.41kB/s   

adding a short script to RedPill can target a specific POST request (in this case /measure) , extract the json data, dump it in a file and share it (or not) in your personal cloud with seafile or owncloud.

On top of that, RedPill can be setup to perform "server-side replays", that means you can tell it to impersonate cloud services so the IoT device or smartphone spills the data while it believes it is talking to the cloud, but the data never leaves your home! That's your data and privacy back in your hands!

server side replay on IoT

 

One possible downside, there may be extra work with some of the raw intercepted data. You may need proprietary formulae for that data to become meaningful. For example in the case of the wi-fi scale, it returns a resistivity value instead of a calculated bodyfat value. Then it is up to you and the community to craft your own function to derive the measure. However this may allow users to develop functions that are a better fit to their own situation or health.

This setup has one big advantage over Wolfram and aggregated IoT/M2M visions: RedPill catches the data at the source instead of registering and dealing with broken/incomplete/obsolete/unavailable/paywall APIs!

Also future developments from Wolfram in the IoT field can be taken advantage of as Matematica is free and supported on the Raspberry Pi.

What if the app developers did not botch the security and encrypted the flow to their servers? The intercepting software mitmproxy can easily decrypt https traffic once you load its certificate on your smartphone.

 

For a smarter home Wi-Fi

Privacy, security and personal storage are a hard sell. It just appears easier and cheaper to a consumer to give it all up to freemium third party clouds.

RedPill or any similar appliance will never appeal to an average consumer if it does not have clear, distinct and immediate advantages over average routers and cloud services. So RedPill needs additional features to make it more attractive, these could be:

. filter out advertisements to all connecting devices (computers, phones, tablets...), this eliminates multiple filtering setups.

. bypass ISPs/governments erosion of internet experience with dnscrypt or personal VPN

. warning/blocking of downloaded malware (IDS/IPS like Snort)

. monetising your data (see Jaron Lanier's books)

 

Why not use an app directly on the phone to extract and keep all that data? Simple answer: you would need to jailbreak/root the phone, write an app that does a similar job to mitmproxy and assume the phone is not already compromised and reports truthfully.

 

How to build your own RedPill: http://counterinception.com/redpill-setup

Basically it's a Rasperry Pi running raspbian + hostapd, dnsmasq, mitmproxy, seafile,dnscrypt...

intercept all the things

Links:

own your services

http://seafile.com

http://owncloud.org (500,000+ users, too slow on RPi though)

http://indiewebcamp.com

http://openyou.org

IoT/QS business models

http://blog.bosch-si.com/internet-of-things-relevant-business-models/

http://www.bmi-lab.ch/

http://readwrite.com/2014/03/03/internet-things-money

http://devices.wolfram.com/

http://www.forbes.com/sites/parmyolson/2014/04/17/the-quantified-other-nest-and-fitbit-chase-a-lucrative-side-business/

Jaron Lanier "Who owns the future?" and "You are not a gadget" http://www.jaronlanier.com

http://www.salon.com/2013/05/12/jaron_lanier_the_internet_destroyed_the_middle_class/

interception

http://mitmproxy.org - intercepts http(s) only

https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/

http://wireshark.org

https://openeffect.ca/snifflab-an-environment-for-testing-mobile-devices

http://blog.marxy.org/2013/08/reverse-engineering-network-traffic.html

murky clouds

stolen http://www.privacyrights.org/data-breach  clocking at 664 millions stolen records, hopefully we'll pass the billion stolen records this year (update: we did)

broken https://twitter.com/mybasis/statuses/424236379141586944 https://twitter.com/mybasis/statuses/359746289933615104

gone http://web.archive.org/web/20111215162155/http://www.greengoose.com/ ( precursor to https://sen.se/mother )

gone http://mobihealthnews.com/20772/exclusive-sleep-coach-company-zeo-is-shutting-down/

gone http://www.engadget.com/2011/07/28/mindscape-pulls-the-server-plug-on-nabaztag-hands-source-code-t/

gone http://www.networkworld.com/slideshow/123018/2013-tech-industry-graveyard.html

various views

http://aaronparecki.com/articles/2013/10/11/1/the-future-of-quantified-self-devices

http://www.fastcoexist.com/3033414/mit-wants-you-to-own-your-own-data-not-give-it-away

http://openpds.media.mit.edu/

http://tosdr.org/

http://www.reclaimyourdata.eu

http://userdatamanifesto.org

https://forum.quantifiedself.com/thread-personal-data-task-force

https://www.schneier.com/blog/archives/2013/11/surveillance_as_1.html

http://www.theregister.co.uk/2014/02/21/appthority_app_privacy_study/

http://indietech.org/

http://www.npr.org/blogs/alltechconsidered/2014/06/10/320347267/project-eavesdrop-an-experiment-at-monitoring-my-home-office

http://www.theregister.co.uk/2014/08/04/your_fitness_tracker_is_a_snitch_says_symantec/

http://www.theregister.co.uk/2014/10/22/internet_of_things_data_should_b...

http://www.theregister.co.uk/2014/11/18/wearables_enter_the_courtroom_wo...

http://privacygrade.org

https://www.gov.uk/data-protection/make-a-complaint

Rating: 
No votes yet

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
By submitting this form, you accept the Mollom privacy policy.