Author: Andy Miller

Discovery of Microphone in Google’s Nest Guard Prompts Backlash

The discovery of a microphone in Google’s Nest Guard product that was not listed in the tech spec has been put down by Google to an erroneous omission, but it has also caused a backlash that has escalated to the US Congress.

What Happened?

One of Google’s products is Nest Secure, a home security system made up of the Nest Guard (the main hub, combining the alarm, keypad and motion sensor, and now with Google Assistant built in), Nest Detect sensors for doors and windows, the Nest Tag that the homeowner taps on the hub to disarm the system, and a phone app. Earlier this month, the addition of Google Assistant to the product led to the surprise discovery that the Nest Guard hub has always had a microphone installed, even though the microphone was never mentioned in the product’s technical specifications.

The discovery of what appeared to be a “secret” microphone has, therefore, prompted anger and discussion among privacy and security advocates and commentators, concern from consumers, bad publicity for Google, and calls for action by a Senator, a Congressman, and many others.

Google Says 

Google’s response to the discovery was simply to apologise for what was an “error” and oversight on its part for not listing the microphone in the tech spec for the system, and to stress that the microphone was not intended to be ‘secret’ and had not been used until the addition of the Google Assistant.

It has also been reported that Google has said that one of the reasons for the microphone’s inclusion had originally been to allow future functionality, for example, to detect breaking glass in the home.

Criticism

Google has faced anger and criticism from many different angles over the discovery of the microphone including:

  • Maryland Congressman John Delaney calling for privacy legislation to now be applied to a broad range of tech products.  Mr Delaney also proposed that electronic tech products should carry labelling like that on food packaging, so that consumers can be quickly and easily alerted to any privacy and security implications.
  • Virginia Senator Mark Warner, vice chairman of the Senate Intelligence Committee, calling for hearings with federal agencies and the U.S. Congress about the digital economy and the smart home ecosystem.
  • The Electronic Privacy Information Center (EPIC) calling on the Federal Trade Commission (FTC) to require, via an enforcement action, that Google divest itself of its Nest hardware products and disgorge any data that it may wrongfully have obtained from Nest customers.

What Does This Mean For Your Business?

Smart electronic products and devices are now in homes and businesses everywhere, but consumers and business owners should have the right to be clearly informed about the security and privacy implications of those products so that they can make an informed choice about whether to buy and operate them.

As some commentators have noted, the arguments that it’s easier to ask for forgiveness than seek permission or that ‘it’s in the fine print’, shouldn’t be acceptable privacy policies from tech companies.  The idea of food packaging-style labelling on smart tech products to help inform about security and privacy implications may not be a bad one, and if the tech industry can’t regulate itself on this matter then more legislation to protect consumers and businesses seems likely.

This is a damaging story in terms of trust and reputation for Google, particularly in the US where the story has been given greater prominence and may cause consumers to think twice about the kinds of smart products that they let into their homes and businesses.

DNS Infrastructure Under Attack

The Internet Corporation for Assigned Names and Numbers (ICANN) has issued a warning that the DNS infrastructure is facing an “ongoing and significant risk” and has urged domain owners to deploy DNSSEC technology.

ICANN

ICANN is one of the many organisations involved in the decentralised management of the Internet but is specifically responsible for coordinating the top-most level of the DNS in order to ensure that it can operate in a secure and stable way and maintain universal resolvability.

Attacks

According to ICANN’s statement, public reports indicate that the DNS infrastructure is facing “multifaceted attacks utilizing different methodologies”.  Examples of such attacks include replacing the addresses of legitimate servers in DNS records with the addresses of machines controlled by attackers, so that a user who types the correct name is silently redirected to an attacker-controlled host.  That host can then act as a “man in the middle”, intercepting traffic and harvesting credentials, and the prevalence of attacks of this kind is of particular concern.

Cisco’s Talos Intelligence blog has highlighted how this type of attack has been carried out on a grand scale by some international players.  For example, the blog reports how attackers targeted .gov domains in Lebanon and the United Arab Emirates (UAE), as well as a private Lebanese airline company.  The attackers lured victims with two fake websites carrying job postings, which delivered malicious Microsoft Office documents with embedded macros. The resulting malware, dubbed “DNSpionage”, supported both HTTP and DNS communication with the attackers, so that it could keep talking to them even where ordinary web traffic was filtered.

The Cybersecurity and Infrastructure Security Agency (CISA) in the US has also been forced to order federal agencies to act against DNS tampering, in its Emergency Directive 19-01 of January 2019.

DNSSEC

One of the main ways that ICANN and Internet companies like Cloudflare and Google are suggesting that DNS-focused attacks can be countered is the deployment of DNSSEC by domain owners.   Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications designed to protect Internet resolvers/clients from forged DNS data; it complements other technologies, e.g. Transport Layer Security (as used in HTTPS), that protect the communication between the end user and the domain itself.  In essence, DNSSEC cryptographically signs DNS records, and a validating resolver follows a chain of trust from the root down to the domain, so that a forged or tampered record fails to verify and is discarded.  Two caveats matter in practice: DNSSEC does not encrypt queries, and it only protects users whose resolvers actually validate signatures; and it cannot help if an attacker takes over the registrar or DNS-provider account and changes, or removes, the DS and DNSKEY records themselves, which is why strong, unique credentials and multi-factor authentication at the registrar matter as much as signing the zone.

Low Adoption Rate

One of the reasons why DNS-focused attacks are so prevalent may be that the adoption rate of DNSSEC is so low – around 20%.  In fact, according to Cloudflare, only 3% of the Fortune 1,000 are using DNSSEC.

What Does This Mean For Your Business?

It is good that ICANN has identified this threat as this will now facilitate greater discussion and action and may motivate more domain owners to look into and adopt DNSSEC, hopefully across all unsecured domain names.  Although full deployment of DNSSEC is not the ultimate answer, it may go a long way towards drastically reducing the current threat.

ICANN has produced a helpful checklist of recommended security precautions that members of the domain name industry e.g. registries, registrars, resellers, and others, can proactively take to protect their systems, their customers’ systems and any that could be reached via DNS.  You can find the checklist here: https://www.icann.org/news/announcement-2019-02-15-en

Form-Jacking Attacks Hit High Profile Companies

Research by Security Company Symantec has revealed that high profile companies such as BA and Ticketmaster are among the many thousands of businesses whose websites are being targeted with “form-jacking” attacks every month.

What Is Form-Jacking?

Form-jacking involves inserting a small amount of malicious JavaScript code into the checkout pages of e-commerce sites, allowing attackers to read payment card details as they are entered and then siphon that information off.

When a user hits the submit button on a checkout page that contains the malicious code, the user’s payment and personal details are sent to an attacker’s servers where the attacker can use this information to perform payment card fraud or sell these details on to other criminals on the dark web.

Pages that have been compromised in this way aren’t easy to spot, and to the naked eye, the checkout process looks normal.

How Big Is The Problem?

Symantec claims to have blocked more than 3.7 million form-jacking attacks in 2018, and between mid-August and September 2018 alone the company says that it blocked 248,000 attempts.  The fact that 36% of those blocks took place between September 13th and September 20th was an indicator that form-jacking attempts were escalating towards the end of last year.

Symantec reports that 4,800 websites are being hit by form-jacking attacks every month.

Examples

High profile examples of victims of form-jacking given by Symantec include British Airways and Ticketmaster who were both targeted by the ‘Magecart’ hacking group.

In the attack on British Airways, the Magecart attackers set up a spoof web domain designed to look like one of the legitimate company’s, and even bought a paid-for SSL certificate from Comodo for it so that the traffic looked legitimate. The skimmer was present on British Airways’ website from August 21 to September 5 2018, and the 22 lines of JavaScript it took to operate the attack affected some 380,000 transactions.  The customer data was skimmed in a fraction of a second: the code fired when the customer released the mouse button (or lifted their finger) on the submit button, so the details were copied and sent to the attackers’ server at the same moment they were on their way to BA’s own servers.

In the case of the Ticketmaster attack, which was disclosed in June 2018, the attackers first compromised a customer-support chatbot supplied by tech firm Inbenta and used on Ticketmaster websites.  Because the chatbot’s JavaScript was loaded straight into Ticketmaster’s payment pages, altering that one third-party script was enough to capture customers’ payment card data and send it to the attackers’ servers.  It is thought that the form-jacking code remained undetected on Ticketmaster’s websites from September 2017 to June 2018.

What Does This Mean For Your Business?

Cybercriminals have found that better back-up practices by businesses and home users have made attacks like ransomware less likely to pay, so may have moved into form-jacking. The fact that it only requires the insertion of a relatively small amount of JavaScript and that it can be very difficult to detect make it an attractive new way to get paid for many criminals.

Companies can use network-based and file-based protection against form-jacking, and the usual hardening steps make it harder for attackers to get in and inject the code in the first place:

  • use firewalls to block incoming connections from the internet to services that should not be publicly available;
  • enforce a strong password policy;
  • turn off file sharing if it is not needed, and turn off and remove unnecessary services;
  • keep patching up to date;
  • configure email servers to block or strip attachments of the types commonly used to spread threats, e.g. .vbs, .bat, .exe, .pif and .scr files.

Those controls protect the servers, but they do not by themselves tell you when a script served to customers’ browsers has changed.  For the checkout page itself, the controls that bear directly on form-jacking are a Content Security Policy that restricts which hosts scripts may be loaded from and may send data to, Subresource Integrity hashes on third-party scripts so that a modified copy is refused by the browser, and routine comparison of the scripts actually being served against a known-good baseline.

Also, companies should guard against software supply chain attacks by testing new updates, even seemingly legitimate ones, in small test/sandbox environments, and by monitoring the behaviour of all activity on a system to help identify any unwanted patterns.

Targets Of A Rise In Extortion Scams

A report by cyber-crime researchers is warning professional people and those in higher level management positions that extortion scams are on the rise with higher earners as the obvious targets.

Report

The report, from researchers at risk protection firm Digital Shadows, tracked so-called ‘sextortion’ campaigns from July 2018 to February 2019, during which time they found that more than 89,000 unique recipients were the targets of 792,000 extortion attempts.

Why?

Extortion scams aimed at higher earners have become popular because:

– These scams are cheap and easy to operate. For example, aspiring extortionists can purchase sensitive corporate documents and extortion manuals online from other criminals for less than £10.

– The rewards are high.  Professionals, business owners and high net worth individuals who hold positions of power within companies have the ability and often the motivation to pay.  For example, as part of the research, analysis of bitcoin wallets associated with extortion scams showed that “sextortionists” are making an average of £414 per victim.

Sextortion

As the name suggests, sextortion is blackmail: the criminal threatens to release intimate images and/or other compromising information about the victim unless they pay.

This type of crime is now one of the main methods of extortion. Individuals who are thought likely to be vulnerable to it are often targeted with manufactured attacks.  For example, one type of attack that features in extortion guides begins with the criminal starting an online relationship with a married person and then threatening to reveal details of the affair to their partner unless a ransom is paid. Less sophisticated ‘sextortion’ attacks are sent in bulk: the email quotes a password from an old data breach to ‘prove’ that the victim has been compromised, claims to have video footage of the victim watching adult content online, and tells the victim to pay a ransom to a specified bitcoin address.  No such footage exists; the password is simply one that has already leaked.

What Does This Mean For Your Business?

Most businesses will continue to face the more common threats such as phishing, malware, social engineering, hacking, credential compromise and DDoS attacks.  Cybercriminals are, however, becoming more daring, and the amount of material available to them on criminal forums now makes extortion-style attacks more likely.  For example, a massive leak of 2.6 billion rows of data from 12,000 files, dubbed Collection #1, was posted to hacking forums and revealed in a blog post in January by security researcher Troy Hunt, best known for running the ‘Have I Been Pwned’ service. Mr Hunt said that the leaked personal data is a set of email addresses and passwords totalling 2,692,818,238 rows, made up of many different data breaches from thousands of different sources; it is exactly this kind of old credential that bulk sextortion emails quote to make their threats look credible.

Some ways that businesses may be able to protect themselves from extortion attacks include:

  • Checking the HaveIBeenPwned website to find out whether your accounts have appeared in previous breaches, and changing any password that has.
  • Regularly backing up data and storing sensitive files in detached storage away from your main network, making disaster recovery and business continuity plans, and periodically testing your backup and recovery processes.
  • Not answering extortion emails, and not paying.
  • Making sure that your email system is secure and applying best practices for user permissions.
  • Educating / training staff on how to recognise and deal with extortion emails.
  • Where possible, minimising your personal and professional online exposure.
  • Keeping software patches up to date.
  • Making your remote workers use a reputable (paid-for) VPN.

Tech Tip – How To Put YouTube Videos on Automatic Repeat

If you’d like to put a YouTube video on repeat play e.g. because you want to watch or show a work / instructional video, or even listen to your favourite music on a loop while working on your laptop, there are two easy ways to do it.  Here’s how:

Go to YouTube.com and navigate to your chosen video.

Method 1

Put the mouse over the video, right-click, and select the ‘Loop’ option from the menu that appears.

Method 2

Go to URL of the video you’re watching e.g. https://www.youtube.com/watch?v=ECVz610Rkns

Remove the https://www part.

Type the word ‘repeat’ after the word ‘youtube’ in what’s left of the URL e.g. youtuberepeat.com/watch?v=ECVz610Rkns

Hit the enter button, you will be re-directed to the listenonrepeat.com website, and your chosen video should now repeat until the page is closed.

Crypto-Mining Apps Discovered in Microsoft Store

Security researchers at Symantec claim to have discovered eight apps in the Microsoft Store which, once installed, use the victim’s computer to mine crypto-currency.

Only There For A Short Time Last Year

The suspect apps are reported to have only been on the Microsoft Store for a short time between April and December 2018, but it is thought that they still managed to achieve significant download numbers, as indicated by nearly 1,900 ratings posted for the apps.

Which Apps?

The suspect apps, in this case, are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.  These apps have now been removed from the Microsoft Store.

What Is Crypto-currency Mining?

In this context, ‘crypto-currency mining’ (often called crypto-jacking when it is done without consent) means running a ‘mining script’ such as Coin Hive’s on the victim’s machine, either embedded in web pages or, as here, inside an app, without the knowledge of the user and often without that of the website owner either. Mining is the proof-of-work computation that secures a crypto-currency: the script repeatedly hashes candidate blocks, and whoever finds a valid solution first earns new coins. A single visitor’s machine is unlikely to win on its own, so the script works as part of a mining pool, and the rewards for its share of the work go to the wallet the attacker configured, not to the owner of the machine doing the work.

In-browser mining software is written in JavaScript and credits any coins mined to whoever embedded the script. If you visit a page where it is running, you may notice that CPU usage and power consumption climb and that the computer starts to lag or become unresponsive. Those symptoms normally stop when you leave the page, which is one reason the abuse is hard for a user to pin down.

Mining For Monero

In the case of the eight suspect apps, they had been loaded with a script that had been designed to mine the ‘Monero’ crypto-currency.  Monero, which was created in April 2014 is a decentralised cryptocurrency that uses an obfuscated public ledger.  This means that anybody can broadcast or send transactions, but no one outside can tell the source.

How?

The secret mining element of the eight suspect apps worked by loading a Google Tag Manager (GTM) container from the apps’ own domain as soon as they were launched.  The GTM container, which was shared across all eight apps, fetched a coin-mining JavaScript library, and the mining script then used most of the computer’s CPU cycles to mine Monero.

GTM – Legitimate

GTM is a legitimate tool designed to let developers load JavaScript into their sites and applications dynamically, without shipping a new version.  That is also what makes it useful as a cloak: the apps submitted to the store contained nothing obviously malicious, and the mining code only arrived at run time from a container the developers controlled.

Not The First Time

This is not the first time that suspect apps have been discovered lurking in popular, legitimate app stores. Back in January 2018, for example, security researchers discovered 36 fake and malicious Android apps, masquerading as security tools in the trusted Google Play Store, that could harvest a user’s data and track their location. The apps, which had reassuring names such as Security Defender and Security Keeper, were found to be hiding malware, adware and even tracking software.

Also, back in November 2017, a fake version of WhatsApp, the free, cross-platform instant messaging service for smartphones, was downloaded from the Google Play store by more than one million unsuspecting people before it was discovered to be fake.

What Does This Mean For Your Business?

This is not the first time that apps which perform legitimate functions on the surface, and are available from trusted sources such as the Microsoft Store, have been found to have hidden malicious elements, in this case mining scripts.  The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses, and the increasingly sophisticated activities of crypto-jackers and other cyber-criminals, combined with a global shortage of skilled cyber-security professionals to handle detection and response, have left businesses vulnerable to this kind of hidden app-based threat.

Although the obvious advice is to always check what you are downloading and the source of the download, the difference between fake apps and real apps can be subtle, and even Microsoft and Google don’t always seem to be able to detect the hidden aspects of some apps.

The fact that many of us now store most of our personal and business lives on our smartphones makes reports such as these more alarming. It also undermines our confidence in (and causes potentially costly damage to) the brands that are associated with such incidents e.g. the reputation of Microsoft Store.

Some of the ways that we can try to protect ourselves and our businesses from this kind of threat include checking the publisher of an app, checking which permissions the app requests when you install it, deleting apps from your phone that you no longer use, and contacting your phone’s service provider or visiting the High Street store if you think you’ve installed a malicious or suspect app.

Also, if you are using an ad blocker on your computer, you can set it to block specific JavaScript URLs related to crypto-mining, and some popular browsers also have extensions that can help, e.g. a browser extension called ‘No Coin’ is available for Chrome, Firefox and Opera to stop Coin Hive mining code running in your browser.  Note that these only cover mining in web pages; the apps described here ran outside the browser, where a sustained spike in CPU usage from an app that has no reason to need it is the tell-tale sign.  Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current crypto-currency mining threats and scams and what to do to prevent them, are just some of the other ways that you can maintain a basic level of protection for your business.

Browsers Slowed By Adverts and Analytics

Research by developer Patrick Hulce has shown that around 60% of the time a browser spends running JavaScript goes on code used to place adverts or analyse what users do.

Analysed Pages

The research analysed data from the desktop and mobile versions of a million sites, including many popular ones, measuring the JavaScript each one ran. JavaScript is the code developers use to make sites interactive, but it is also what ad networks and analytics providers, Google’s among them, use to place ads on pages and track user activity.

Two-Thirds of a Second Loading Time Added

The analysis revealed that if ad-placing and analytics JavaScript code are used together on a page this can add more than two-thirds of a second to loading times.

WordAds Script

The JavaScript code that was found to add the most time to page downloads was the WordAds script that’s used in WordPress blogs.  This was found to add a staggering 2.5-second delay to the arrival of a page.

Other Causes

The research did acknowledge that there are other popular causes of slow loading pages including network delays, large file sizes for some content, and even ad-blocking programs which increase script execution time.

Problems Caused By Slow-Loading Pages

Slow-loading pages can cause problems such as frustration to (and loss of) visitors from web pages, and pages being penalised by Google’s search rankings for desktop and mobile search results.

Since July 2018 Google has used page speed as a ranking factor for mobile search results (the ‘Speed Update’), aimed at demoting the very slowest mobile pages, and in October 2018 it announced that the update was in effect.  Site owners with verified properties in Google Search Console receive Google’s recommendations on how to measure and fix slow-loading pages.

Run A Test

It has long been known that JavaScript can add extra time to page downloads.  If you’d like to check whether your pages are being slowed down by JavaScript you can, for example, go to https://www.webpagetest.org/ or Google’s https://developers.google.com/speed/pagespeed/insights/.

What Does This Mean For Your Business?

Slow-loading web pages can frustrate users and lose your business customers, as well as damaging the position of your web pages in Google search results. Web pages that load quickly are known to have longer average session times, lower bounce rates, and higher viewability, and Google suggests that a good target time in which a page should load is under 2 seconds.

Test tools such as webpagetest.org are good ways to see how your pages currently perform.  Ways to improve slowness caused by JavaScript include only loading the JavaScript needed for the current page / prioritizing what a user will need and lazy-loading the rest with code-splitting and optimizing JavaScript.  If, for example, you have a WordPress website, you can use plugins to help reduce your page load time.

Scooter Hack Threat

An investigation by researchers at Zimperium® found a security flaw in the Xiaomi M365 electric scooter (the same model that is used by ridesharing companies) which could allow hackers to take control of the scooter’s acceleration and braking.

Xiaomi M365

The Xiaomi M365 is a folding, lightweight, stand-on ‘smart’ scooter with an electric motor that retails online for around £300 to £400. It is battery-powered, with a maximum speed of 15 mph, and features a “Smart App” that can track the user’s riding habits and speed, as well as the battery life, and more.

What Security Flaw?

The ‘smart’ scooter has a Bluetooth connection through which the app interacts with its features, e.g. its anti-theft lock, or updates the scooter’s firmware. Each scooter is protected by a password, but the Zimperium® researchers found that the password is only checked by the app: the scooter itself accepts commands over Bluetooth whether or not the sender has ever supplied it.

The Bluetooth connection is therefore the way in.  The researchers estimate that an attacker only needs to be within about 100 metres of the scooter, and from there can issue commands without authentication or the rider’s consent: lock the scooter via its anti-theft feature, flood it with commands so that it stops responding (a denial of service), or push malicious firmware onto it.  Malicious firmware could give the attacker control of the scooter’s acceleration and braking, which would put the rider in danger if an attacker chose to make the scooter brake or accelerate suddenly and without warning.

Told The Company

The researchers made a video of their findings as proof, contacted Xiaomi and informed the company about the nature of the security flaw. It has been reported that Xiaomi confirmed it was already a known issue internally, but no announcement has yet been made about a fix.  The researchers at Zimperium® have stated online that the scooter’s security can’t be fixed by the user and still needs to be updated by Xiaomi or any third parties it works with.

Suggestion From The Researchers

The researchers have suggested that, in the absence of a fix, users can stop attackers from connecting to the scooter by connecting to it with Xiaomi’s app on their mobile before riding and staying connected.  While the user’s mobile holds the connection, an attacker can’t connect to flash malicious firmware or lock the scooter; that is a workaround, not a fix, since it does nothing about the missing authentication.

What Does This Mean For Your Business?

This is another example of how smart/IoT products of all kinds can be vulnerable to attack via their Bluetooth or Internet connections, particularly where authentication is weak.  Usually the risk comes from all of a manufacturer’s devices shipping with the same default password, which the user never changes.  Here the problem is different: there is a password, but it is checked only by the app, so it does not actually protect the device, and an attacker who talks to the scooter directly never has to supply it.

There have been many examples to date of smart products being vulnerable to attack.  For example, back in November 2017, the German telecoms regulator, the Federal Network Agency, banned the sale of smartwatches for children and asked parents to destroy any they already had, over fears that they could be hacked and children spied upon.  Also, back in 2016, cyber-criminals were able to take over many thousands of household IoT devices (routers, CCTV cameras, digital video recorders and the like), and use them together as the ‘Mirai’ botnet to launch a DDoS attack on the DNS provider Dyn, with global consequences, i.e. putting Twitter, Spotify and Reddit temporarily out of action.

Manufacturers of smart products clearly need to take great care in the R&D process to make sure that the online security aspects have been thoroughly examined. Any company deploying IoT devices in any environment should also require the supply chain to provide evidence of adherence to a well-written set of procurement guidelines that relate to specific and measurable criteria.  In the mobile ecosystem and in adjacent industries, for example, the GSMA provides guidelines to help with IoT security.

As buyers of smart products, making sure that we change default passwords, and making sure that we stay up to date with any patches and fixes for smart products can be ways to reduce some of the risks.   Businesses may also want to conduct an audit and risk assessment for known IoT devices that are used in the business.

Potential Jail For Clicking on Terror Links

The new UK Counter-Terrorism and Border Security Act 2019 means that you could face up to 15 years in jail if you visit web pages where you can obtain information that’s deemed to be useful to ‘committing or preparing an act of terrorism’.

Really?

The government states that the Act is needed to “make provision in relation to terrorism; to make provision enabling persons at ports and borders to be questioned for national security and other related purposes; and for connected purposes”.

As published at legislation.gov.uk, Chapter 1, Section 3 of the Act amends Section 58 of the Terrorism Act 2000 (collection of information) so that the offence now also covers a person who “views, or otherwise accesses, by means of the internet a document or record containing information of that kind”, i.e. information of a kind likely to be useful to a person committing or preparing an act of terrorism. The same section adds that it is a defence to have a reasonable excuse, which expressly includes carrying out work as a journalist or for academic research.

Longer Sentences

The new Act increases the sentences from The Terrorism Act 2000, so that a sentence of 15 years is now possible in some circumstances.

The Most Terror Deaths in Europe in 2017

A Europol report showed that the UK suffered more deaths as a result of terror attacks than any other country in Europe in 2017.  The bill which has now become law was first introduced on 6th June 2018, after calls for urgent action to deal with terrorism following three terrorist attacks on the UK within three months in 2017.

Online Problem

One of the key areas that it is hoped the law will help to tackle is how the internet and particularly social media can be used to recruit, radicalise and raise money.

Criticism

The new Act, which received royal assent on 12th February, has been criticised by some as being inflexible, based too much upon ‘thought crime’, and being likely to affect more of those at the receiving end of information rather than those producing and distributing it.  The new law has also been criticised for infringing upon the privacy and freedom of individuals to freely browse the internet in private without fear of criminal repercussion, as long as that browsing doesn’t contribute to the dissemination of materials that incite violent or intolerant behaviour.

The new Act has been further criticised by MPs for breaching human rights, and by legal experts such as Max Hill QC, the Independent Reviewer of Terrorism Legislation, who is reported as saying that the new law may catch far too many people, and that a 15-year prison sentence is “difficult to countenance when nothing is to be done with the material, it is not passed to a third party, and it is not being collected for a terrorist purpose.”

What Does This Mean For Your Business?

We may assume that most people will be unlikely to willingly view the kind of material that could result in a prison sentence, and many in the UK are likely to welcome a law that provides greater protection against those who plan and commit terror attacks or who seek to use online means to recruit, radicalise and raise money. The worry is that such a law could be so stringent and inflexible that it punishes those who are not viewing or collecting material for terrorist purposes, and there are clearly many prominent commentators who believe that this law may do exactly that.

Businesses, organisations and venues of all kinds are often caught up in (or are the focus of) terror attacks and/or must ensure that they invest in security and other measures to make sure that their customers, staff and other stakeholders are protected.  A safer environment for all in the UK is, of course, welcome, but many would argue that this should not be at the expense of the levels of freedom and privacy that we currently enjoy.

Kellogg’s Uses Virtual Reality To Sell More Cornflakes

Breakfast cereal manufacturer Kellogg’s has been working with third-party VR companies to help it determine the best way to display its new products in stores.

Who?

Kellogg’s is reported to have been working on a pilot scheme with Accenture and Qualcomm.  Accenture is a Dublin-based global management consulting and professional services firm with a strong digital skill-set, and Qualcomm Inc is a US-based world leader in 3G and next-generation mobile technologies.

What?

The pilot’s aim was to determine the best in-store placement for Kellogg’s new Pop Tart Bites. This involved the use of Accenture’s Extended Reality (XR) software and Qualcomm’s VR headsets. This combination gave test subjects an immersive, 360-degree experience of a simulated store environment in which they were able to ‘virtually’ pick products, place items in shopping trolleys and make purchases.

Monitoring

The VR headsets and XR software enabled Kellogg’s to closely and precisely monitor each test subject’s eye movements. The analytics meant that the test was also able to yield data such as which new products the test subjects looked at and for how long.

New Insights Reveal Surprising Result

Whereas the traditional understanding of in-store product placement points towards eye level (or close to it) as the ideal spot, the new insights that the technology provided in this pilot indicated that positioning the new product on a lower shelf could increase sales of the product by 18%.

Growing Trend

The use of a combination of VR, AR and analytics in retail environments has been a growing trend among big brands in recent times.

Brick-and-mortar retail chains have, however, been criticised for reacting slowly to the introduction of technology that could help them, and have found themselves at a disadvantage to online retailers, who have been able to use digital technology to hyper-personalise the retail experience for their customers. Brick-and-mortar retailers have also faced challenges caused by economic and cultural shifts, e.g. customers moving more towards online shopping.

Change In The Landscape

It’s not just manufacturer brands that are now able to take advantage of the technological change in the landscape to benefit sales.

Retailers now have access to many affordable and relatively easy-to-use AI development tools, such as those offered by big tech vendors e.g. Google, Microsoft and Amazon. This means that building an AI or machine learning system has never been easier. Retail chains, for example, also have the advantage of access to massive amounts of data which can be used in a value-adding way with analytics and AI.

What Does This Mean For Your Business?

This story illustrates how the combination of new technologies such as VR, AI and advanced analytics has yielded new insights which could make a greater contribution to sales than more traditional methods.

The portable nature of the technology (and the AI aspect) means that these value-adding insights can also be delivered more quickly and cheaply than before, contributing to faster and more effective product launches and more successful product strategies. The superior insights gained from combining new technologies such as these mean that product placement decisions can now be made that could positively affect total brand sales, rather than the sales of a single product only.