If you like to play along with the illusion of privacy, smart devices are a dumb idea Depressingly predictable research from Which? serves as another reminder, if one was needed, that furnishing your home with internet-connected "smart" devices could be a dumb idea if you'd rather try to preserve your privacy. The consumer rights organization's analysis of a number of IoT products – from speakers and security …
All of this bollocks reminds me of the old joke about the Smart Home..
A bloke visits a showhome for the new Microsoft House.
The salesman explains to him that everything in the house is automated by voice command. More than just the lights and music etc. This house can do anything. If he wants a coffee, the house makes it. If he wants to sleep, it will make his bed.
So he asks
"Find me a seat" and a robot arrives with a chair.
"Cook me some dinner" and a robot arrives a while later with a steaming dish.
So he looks around, gobsmacked at this house that will do anything on command, and says
"Well, bugger me."
The only thing I can think of, and this is quite a stretch I admit, is that it's a matter of verifying you're old enough to legally enter into a contract in whatever region you're located. Of course that kind of falls apart when you consider how many people below the legal age of majority are likely buying washing machines. It's probably a rounding error on a rounding error.
And also that most of the people who aren't old enough to sign a contract already understand that the sites aren't checking the birthday, so 29 August 1978 is a perfectly acceptable input whether that's your real birthday or not. For that matter, a lot of us who are old enough also know and do that because what do these people want our actual birthday for. I write it down somewhere in case someone requires it for authentication, which they shouldn't. So far, it hasn't proven necessary.
My guess is that the lawyers insist on it so if it ever happens there's some kind of dispute they can claim the person represented that they were of legal age.
Reminds me of a story one of my college professors told. A US company was negotiating a supply contract with a Japanese company. Despite numerous protestations from the Japanese reps, the US company insisted on a 10% error rate. First batch of 100 units arrives. In the box are 100 units, and a note, saying how they included the 10 defective units their reps insisted on, though they weren't sure why they wanted them.
Sometimes a little bit of "common sense" is required. Insisting that people represent that they are of legal age is fine generally, but it obviously doesn't make a lot of sense with a washing machine app. Somewhere between the legal department and the actual app developers, some things were lost in transation.
I must try entering 1712-02-30 the next time some site asks for it. It is, after all, a valid date in Sweden, due to the up-fuckery of how we went from julian to gregorian calenders[1].
[1] https://en.wikipedia.org/wiki/Adoption_of_the_Gregorian_calendar#Sweden
You forgot to include every parent who's ever had to or heard of another canceling vacation to pay for repair or replacement of the washing machine due to child error.
Every neurotic mother ever.
Ie "don't you touch my machine , you better find something to do or I'll find you something you don't like.."
If the kids can touch it. it's going to break. If you can't afford for it to break then you don't let the kids touch it.
Learning how not to break things, pretty much involves breaking things.
Or you do what my parents did and teach the children how to use the washing machine. Operation really isn't that hard. You would have to work hard to break it, and knowing the steps to properly use it (maybe three of them) means there's very little chance of error. If it manages to break, it is either mechanical failure or intentional, and the latter is very unlikely.
teach the children how to use the washing machine
Or in my case, the record player. Rather than making my dad's pride-and-joy off limits, teach 4 year-old me how to set an LP going properly so I could listen to Johnny Morris reading the Railway Series. Fortunately this particular unit was "fully automatic" so no real danger of me doing something nasty with the tone arm but the same principle applies I think. In later years, we did the same with ours and the VHS player (etc.).
M.
We had a number of of those records once, which I fondly remember that I learned to play on a Carousel radiogram with a BSR Monarch fully auto record deck. Imagine my disappointment when we came to clear my father's house, although he had all of the military bands, musicals and classical LPs that I remember, the 7" Railway series records were missing.
I still remember "My doctor has forbidden me to push", and "we're running away, we're running away". Johnny Morris has a real way with spoken words.
Oh, come now. Speaking as a former tester, it's trivial to break a washing machine.
Overload it. Put non-porous plastic in it. Put any kind of plastic in it on a tumble-drying cycle. Put several handfuls of sand or mud in it. And that's just off the top of my head, I'm sure I could come up with more if I really sat down and thought about it.
Note that all these are things that could well be done by honest mistake, by kids. No malice required.
A large concrete block... the videos are amazing though
All of that is "teach your kids to use the washing machine". Apart from the plastic in a hot tumble-dry cycle, those things also shouldn't kill a washing machine. They might require some extra rinsing or stop the cycle on an error but other than that it should be fine in a modern machine.
Filling it with caving gear after a muddy cave is a very quick way to block everything up. (I always pre-wash in a local stream before undressing, or if not available then a hosepipe when I get home.)
Surface mud from rugby never seemed to block it at all.
I have a washing machine which is supposedly smart, it is a Samsung with an app. Why it needs an app I don’t know as I have never wanted to install it or use it.
Don’t know about the rest of you lot but I use a washing machine as follows
1. Find clothes that need washing
2. Put them in machine with detergent
3. Turn it on, and do something else whilst it washes
4. Take clothes out and put on washing line
Why do I need an app to do any of that???
"Why do I need an app to do any of that???"
But... but... what happens if you did steps 1 and 2 and you meant to set the timer for it to start 2 hours before you were due to return home from work (or wherever) but you realised part way through the day that you'd forgotten, or your planned arrival time changed one way or the other. Then it's absolutely *essential* that you should be able to log in from the train / the pub to change the settings. I can't believe our civilisation has lasted so long without this facility.
The next generation will have no physical controls so you have to use the app - because clearly, fiddingly with your phone is much easier than selecting 'non-fast colours' on the dial and pressing start!
In the last flat I lived in, the landlord replaced one of the electric heaters with a new SmartShit one. The old one had a dial to configure when it came on and off - nice and simple. The new one could only be turned on and off manually, and any configuration required use of an app. No fucking chance - I just put up with turning it on and off at the isolator switch when I wanted it on or off.
Ah, not so fast. The following is UK, possibly England (some bits fo the UK have different laws), specific.
Unless it was made clear at the time of sale that you would need (contrary to data protection law) to provide unnecessary personal information in order to use the device, then adding this requirement later would render the contract void. More specifically, you would be fully entitled to refuse to provide said information, and if that means the device does not operate as described then you send it back for a full refund citing Sale of Goods and Services Act (SOGA, though I think it's actually been renamed at some point) and Unfair Terms in Consumer Contracts Regulations (UTCCR).
The UTCCR is clear that you cannot make a consumer sign away their legal rights via a contract, and any contract that does so is automatically invalid and unenforceable. SOGA says that the product should perform "as described", and at some point that has been extended to include (for example) what the manufacturer describes on it's own web site. If there's small print saying you have to provide (for example) your DoB then that would be voided by UTCCR unless there was a valid reason to require it. If the machine doesn't work if you don't provide it, then the machine is not performing as described and you can send it back for a refund under SOGA. Similar legal basis to the shrink wrap software licences - if you don't like the licence, then unless you were given the opportunity to see (and read) it in full prior to purchase then you are able to decline it and return the package for a full refund, the retailer's protestations that "you've broken the seal" are meaningless and a deliberate attempt to avoid you exercising your legal rights (or applying Hanlon's razor, down to ignorance of the law).
Also, if a device self-updates, and an update introduces new "features" (thinking of the HP ink/toner cartridge debacle), then I believe it may still be possible to return the unit to the retailer. There would be a 6 year limit in England, I believe it's 5 years in Scotland, which is not something laid down in SOGA - it's a general time limit for bringing a civil action.
Now, if only even a few customers actually did that, then retailers would quickly realise which brands were too expensive (in terms of returns, which then can't be sold as new for full price) to deal with and would pressure the manufacturers to sort their s**t out.
"The UTCCR is clear that you cannot make a consumer sign away their legal rights via a contract,"
Ok, but do you have the money to bring the suit against the company? Did you also enter into an agreement that you had to submit to binding arbitration in place of filing a case with the courts and would also be barred from entering into a class action. The cost of pursuing a legal action is so expensive that most people find it too risky which is great for companies. What's really needed are better regulations that bar many of those contract clauses and well funded trading standards agencies that will pursue infringements. Those found in violation should be seriously fined with jail time possible for the executives or a requirement to step down and a prohibition of working in a similar role anywhere else for a period of years.
Ok, but do you have the money to bring the suit against the company?
Fast Track Service in the county court, a.k.a. the Small Claims Court - not very expensive at all. Court costs are low, and the other side aren't allowed to bring along an army of expensive barristers and threaten to bankrupt you if you lose.
Did you also enter into an agreement that you had to submit to binding arbitration in place of filing a case with the courts and would also be barred from entering into a class action
Dealt with by UTCCR - that's taking away your legal rights and is unenforceable.
What's really needed are better regulations that bar many of those contract clauses
In the UK we already have them - SOGA and UTCCR
well funded trading standards agencies that will pursue infringements
Sadly it's only going the other way.
there's another (potential) reason: so that they can't be sued for 153 billion USD by lawyers appointed by grieving parents whose darling (2 - 17 yr old) lost their precious life inside or in proximity of the washing machine (self-operated by the abovementioned 2 - 17 yr old).
"Of course that kind of falls apart when you consider how many people below the legal age of majority are likely buying washing machines."
I take it more as who's using the app rather than the buyer. I know how long my wash cycle runs and can set an alarm if I want to know when I need to move clothes from the washer to the drying line. Since my palatial estate is of the micro variety, I can also hear the washing machine (or not) and guess what it's doing.
Like cars, I buy second hand anyway and with all of the excess gubbins installed to make these appliances "smart", I expect not many will live long enough to sell on the used market anyway. The last W/D set I bought was 14 years ago and second hand. I had to do one repair that cost $7 in parts. There's a small leak from somewhere with the washer that I think happens during the spin cycle so I bought a plastic tray to go under and that keeps from soaking the floor. It's so little that it evaporates within a day but I expect that I'll need to buy another washer sometime in the next couple of years. The dryer only gets used mainly in the winter. If I put the clothes on the line outside, the first up are often dry by the time I finish. I have an idea for using solar generated heat via evacuated tubes with a dryer to do the tumbling and air movement. Those tubes work just fine in the winter if there is sun.
One of my mates was given a smart speaker think it was a Facebook one. He hated it knowing it was a spy in his house however he had a novel idea. He stuck it in the garage with a radio tuned to Radio 4 and a looped recording saying Alexa every so often. He said he hoped it buggered up their tracking, before he got bored a few weeks later and sold it to a second hand store.
So they can sell it of course! My DuckDuckGo app tracking protection reminds me weekly that, for some reason, my Hoover washing machine is trying to give my birthday and many other items of information to Verizon media. I'm sure it's all perfectly innocent.
This post has been deleted by its author
I think my next TV’s going to a nice big gaming monitor. Meanwhile, my LG’s name service is mediated by PiHole, and I have no apps installed on it. Well, apart from the shovelware that can’t be deleted. (They’re on my Apple TV, which some might say is overpriced, while others might counter that one’s ponying cash up front to replace what would otherwise have to be squeezed out of surveillance later.)
I just never connect my TV to any networks and side load firmware updates in the event they offer anything worthwhile. I'll probably have to make a temporary exception when I get around to running a calibrator on it and will need to use a networked pattern generator, but after that I'll be sure to delete the network credentials.
I honestly can't see what 'worthwhile' updates they could offer. That is, worthwhile from MY perspective, not theirs. I guess it would be useful to be able to read - some - mp4 and mkv files, sometimes the telly shows me a middle finger with them, but I imagine it might require hardware change, rather than firmware update, though who knows, I can't be bothered to experiment. And, ultimately, all I need is to plug one of our old, spare laptops via hdmi, problem solved.
is the ability to get home when "smart" doorbell servers are offline.
Which is, of course, a million to one chance, so it happens nine times out of ten when you really need to get inside.
And I'm sorry, but I think there must be a mid-term between selling my personal data to all and sundry and living like a cave man.
It's called dumb terminals, dumb switches, dumb doorbells (get your fat ass off that couch and go see who's there), dumb shutters and a VPN for when you just can't help it.
"between selling my personal data to all and sundry and living like a cave man"
Apologies, but that's a false comparison. There are about 4000 years (here in the UK at least) between the present and the 'cave man' period, and during that interval we have mostly lived at a much higher standard than it implies. Indeed, just 30-odd years ago, before all this appification took place, we were in general very comfortable.
Just for example, my washing machine is 33 years old, connects to the electric mains and the water supply only. During that time it has needed one replacement valve and one replacement pump and it does a perfect job to this day.
It's probably still possible to eschew the snoopy connectivity without going to live in a cave, just by carefully choosing kit that will work with it unplugged. My sole concern is that future kit will be designed not to work unless connected.
The doorbell is for answering the door when you're out. Or can't get to it to answer. I very much doubt many people use their phone if the bell rings when they're at home.
But that's really not the point. All these tech companies have seen an opportunity to gather data for advertising/marketing or flogging off to the marketing businesses. And they've taken it. Because no one has said they can't.
@Terry6
"Because no one has said they can't"
Plenty of people (including legislators) have said they can't but the corps are so powerful and rich that they can ignore the law and buy their way out of any consequences. That's to problem we need to fix, and the only way is to abandon monetary penalties (which are mere petty cash to the perps) and enforce correctives of behaviour with full audit and director level sanctions on persons. Breaking the law has to hurt, and every successful sidestep of penalties reinforces the aberrant behaviour, so we need penalties that hurt and can't be sidestepped regardless of commercial clout. And ideally, penalties that directly drive correction, for example: audit, compelled amendment, re-audit, with custodial sentences for failure to fulfil. The big (huge) problem is that laws to achieve this would have to be consistent internationally, and cooperation on that scale is probably impossible to achieve.
Well it should be possible to have a product banned from sale (there are already regulations which ban certain items on health/safety/environmental/other ground), and ISPs required to filter traffic from the ones already in use. However, for the latter, it's a slippery slope to jump on (yes I know we're already there - ish) - once you go there, then it's easy for TPTB to add "anything TPTB would prefer you not to see" to the list.
"The big (huge) problem is that laws to achieve this would have to be consistent internationally, and cooperation on that scale is probably impossible to achieve."
That would depend on the country or trading region (EU). A big company would not be too impacted by a tiny nation banning their goods, but the UK or US denying access to their markets for violating trading standards would be huge. It could also trickle down to importers and distributors of those goods if a company doesn't have a presence in country.
My Home Assistant app has location tacking enabled, not a default setting, and I use it to automatically turn on my lights if I arrive home when it is dark.
As far as I'm aware, the tracking information only goes to my own server.
The smart switches that the lights are connected to are from TP Link. They do come with an app, but I don't use it. I got a python script to provision them, so TP Link's cloud service doesn't get used at all.
A couple of years ago lived in a small place where the room through which you entered the house didn't have normal ceiling lighting, and instead had to rely on plugged-in lamps. And the only convenient place to plug in such a thing was the other side of the room from the door. So no, it's not always possible to do that. Yes it was annoying. I set it up as described above so I could either turn on the lights from my phone as I approached the house, or do it via a voice command once inside (and it would also tell me a joke).
"Use a Zigbee or other wireless switch an place it right next to the door. Batteries for that last at least a couple of years."
I use X10. It lets me control lights locally or from my bedroom. If somebody were to break in, I could turn on some lights where I think they are rather than where I am. I can turn on the area lighting outside from my room while I peer from the window if I think somebody is messing about outside or see them on the CCTV. 100W of LED flood lights does tend to scare "youths" away in the middle of the night. It's like daylight if I switch all of them on at once. I don't want those lights on automatic as there is wildlife in the area (coyotes, bobcats, feral pets, etc) and neighbors would get too used to the lights going on all of the time. Unusual gets attention.
Save your phone battery.
Use a Bluetooth iBeacon.
Your Home Assistant will know you're home just before you step through the door and turn the front door light for you if appropriate.
This is one of the great things about Home Assistant is that you can achieve the same outcome in so many different ways with so many different type of sensors.
"My Home Assistant app has location tacking enabled, not a default setting, and I use it to automatically turn on my lights if I arrive home when it is dark."
And to think that all of these decades, I just flip a switch. Other than the garage since the opener has a light on a timer with plenty of margin to get from the car to the door where a non-timed light switch lives so I could transfer stuff from the car to the house. The outside entrances to the house have photocells and LED lamps. I have low power LED standing lights on the inside of the house. For the 10W those lights take, I just leave them on all of the time. If I need to use the WC in the middle of the night, I don't have to turn any lights on and the ones that remain on are dim enough that they don't prevent me from falling asleep. I was thinking of putting those standing lights on timers or photocells, but the cost would take years to recoup.
"Make targeted advertising illegal" is nonsensical. How would you define it? Generic OTC medications in the US often have text similar to "Compare to <brand name>" on the packaging – that's targeted advertising. And in the US a blanket ban would almost certainly fall foul of the First Amendment.
Frankly, I've found targeted advertising occasionally useful. In particular, on my Amazon Kindles, it's led to my discovering a number of authors I wouldn't have found otherwise, including some new favorites.
"medications in the US often have text similar to "Compare to <brand name>" on the packaging – that's targeted advertising."
No, it isn't. Nobody was targeted, and everyone who reads the container sees the message. Targeting isn't putting a message somewhere so everyone who goes there reads it, but getting information about people to make a, usually automated, decision about whether to show them the advert or not.
"in the US a blanket ban would almost certainly fall foul of the First Amendment."
I'm sure someone would try it, but it wouldn't work. For the same reason, false advertising isn't protected as free speech. We all have the right to lie, but doing so in a commercial arrangement is illegal because the legislation applies to the result of the crime, not the words used. If they chose to make that illegal, and I doubt that they will, it would not violate the first amendment in the US.
I use some smart devices as I'm disabled and they help with daily living. However, I also have Pi-Hole set up and the amount of crap it blocks from devices calling home and trying to pass data to "user assessment", "ad brokers" and "market research" companies is unbelievable. Pi-Hole is, this minute, showing that 33% of outward DNS calls are blocked because they are trackers. That's 29K+ calls in the last 24 hours. The top blocked domain is amazonalexa.com with 10K+ blocked DNS calls, in just 24 hours! Devices still work perfectly, so what is it trying to send back that I'm blocking? Other domains in the top ten blocked are also Amazon related but everything still works just fine. Something called "Conveva" is second highest individual doman, at 2,000 blocked calls, providing "viewer egagement analytics" apparently. Of course, all devices on the network show a deluge of blocked calls for a wide variety of Google domains.
I've started using dumb, mechanical timers for turning lights on\off. Not only do they not snoop but they last for decades (I still have some old ones) unlike the IOT switches and lights which fail after a year of use.
Check the data on the wire also.
I don't know about any of the devices you mentioned specifically, but I know of at least one app that connects to a hardcoded IP if the resolved connection fails in any way - presumably it makes sense to them as a last resort, because if their server IP changes, this hardcoded ip will be changed in the next update anyway.
If I was coding to be evil, I'd cache the last-working IP permanently (only update the cached entry when a successful access is made to a resolved IP)
If discovered, I'd simply say it was to improve reliability by mitigating DNS outages.
Of course, the business model only works because people are daft enough to provide real data. They get away with selling it on because it has value. I've been putting nonsense into things like this for years now. If the rest of you did the same the business model would have long since been discredited and collapsed.
"Of course, the business model only works because people are daft enough to provide real data"
Most people do provide real data or have to provide certain real data that makes lying on the other stuff moot.
If a website is giving away something free and I can't use a fake email to access it, I give up. It's not worth the spam the vast majority of the time since the whole point of giving away the free thing is to harvest email addresses with the free thing usually being very trivial.
Recently, I visited my [retired] parents for a brief visit as a [retired] relative was visiting them while I was at work the next day. I dropped off a bit of very obscure century old bit of equipment for him, as he's an engineer and enjoys playing with things like that as it's directly connected to his interests.
The next day eBay adverts for precisely this very obscure century old bit of equipment were displayed to me. At no point had I ever searched for this online or indicated any interest in it.
It therefore follows that some smart device had (in no particular order) :-
1) Recorded our conversations.
2) Converted the speech to text and uploaded it to f*** knows where.
3) Identified the participants in the conversation by some means.
4) Picked out items mentioned repeatedly in the conversation.
5) Matched the participants of the conversations to their online accounts.
6) displayed targeted advertising to those accounts based on the above.
I personally find that considerably more 1984ish than i'm comfortable with, especially given that I don't have a single smart piece of equipment at home, meaning that all of this happened from my parents equipment.
It's rather thought provoking as to exactly how much surveillance we are actually under though, and one has to wonder about the sort of nefarious uses this could be put to by people with interests beyond advertising.
Yeah, I think a lot of this sort of synchronicity boils down to location overlaps with other people. Then SkyNet takes a punt at trying to flog you the same weird stuff that they are into. I don't think a battery powered device could cope with constantly listening.
All these app permissions should decay over time back to "piss off" rather than being fixed the first time you open the app. Usually in your excitement to try out shiny new Thing you're willing to sign over your first born in order to get going. But give it a few weeks and chances are you haven't opened the app ever again on account of it being utter pants, but its still there in the background slurping away.
Anyway, good to know the ICO has a plan... Useless **cks that they are.
Over the years I've taken my (now grown up) kids to a number of addresses (dad's taxi). And found my route to each of these places the first time by putting the postcode into my car's sat nav. Just the postcode, not the door number.A car that had never previously been to that house. Yet the "You have reached your destination" messages, much more often than not came just as I reached that child's house. Far, far too often to be chance or coincidence- especially as some of the roads were quite long and/or had large houses. So somewhere an algorithm has sifted through the children my daughter had associated with and linked me/my sat nav, through her to their locations. And these were kids.
Something that goes far beyond convenient to downright sinister.
As in towns and cities postcodes only cover around 15 houses on average (or 1 block of flats), they are usually very small geographic areas - so it's not surprising the satnav seems uncannily accurate. On a long street there'll be multiple postcodes covering only few of the houses on either side of the road.
There are also 55,540 postcodes in England and Wales that cover a single household according to the Census 2021 website.
This sounds superficially reasonable, if you don't know a few things.
A) The obscure century old bit of equipment was picked up offline and bought with cash, so it had literally no digital footprint online connected to me.
B) I knew what it was, and so had no need to search for it, or for any information about it.
C) My wife did not know what it was, and didn't care beyond when it would be leaving the premises: She therefore didn't do any searches related to it, and even if they did then they'd have been under her account; not mine as we don't have the passwords for each others accounts.
D) We both have feature phones, because neither of us have ever seen the benefit to us of smartphones. We access the internet via laptop, and neither of us log into Google for searching, and we don't have any smart devices at home. (working in IT I have developed a pathological hatred of equipment that doesn't work properly and so have excessively reliable equipment at home rather than very fancy new stuff)
E) I'd had it sitting around for a good 9 months before it was taken over to my parents without getting adverts for it.
Maybe i'm just suspicious, but...
I actually used this once at my daughter's house, which is connected via Alexa -- inadvertently of course, as I was explaining the comic. You should have seen the panicked look on daughter's and son-in-law's faces as they scrambled to tell Alexa to ignore last request. /me was all smiles....
Great XKCD ref.
Reminds me how our boss bought an Alexa device years ago (when they were just starting to be common) and set it up in the office. It was the first time most of us had ever seen one. A voice from the back of the group shouted "Alexa, order big back dildo" ...
We found it rather amusing, luckily, our boss hadn't got that level of "one click" buying set up so it failed through lack of debit card to bill it too.
I'm sure, in theory, it's possible, however... it would be very illegal in most regions because it would require breaking WPA encryption. So, any company caught doing this would likely be in a lot of trouble both from a PR and legal perspective. Now, if someone's dumb enough to be using a completely unsecured network and it sniffs any packets going back and forth that aren't to encrypted sites, it still won't look good for the company, but they're at least in the clear (happy coincidence) legally.
If you live in an apartment complex or something where you can't control whether any kind of wireless encryption is used, or it's trivially broken WEP, you should consider investing in a VPN. Even your real basic tunneling VPN would be better than nothing. Get something with an unlimited data plan and a no logging policy, then just leave it running all the time. Even better if the client has a means of "firewalling" your network connection and blocking all outbound traffic if not connected to the VPN. Sure, you have to trust that the VPN provider really isn't keeping logs or anything else, but that's only one potential source to worry about, and a known one at that, as opposed to an unencrypted wifi connection where any random passerby on the street could be a potential threat vector.
No need to hack WPA. Once they are on the network, they could act as a wifi man-in-the-middle.
E.g. you come home, your cell phone looks for SSID "HOME" but your smart fridge is also broadcasting "HOME". It accepts whatever WPA password your phone supplies and then acts as a relay between your phone and the real router.
Given that many smart devices have multiple 2.4ghz radios to support Matter/Homekit (bluetooth, wifi, maybe thread) it is much more plausible now than before.
This is still black-hat territory, but the more IP devices you have the more likely one of them can be co-opted.
For WiFi with WPA, if the hostile device has the PSK (the WiFi "password") and captures the initial handshake when a device joins the network, then cracking the individual device's session key is pretty trivial.
This is probably illegal in at least some jurisdictions (IANAL), but technically feasible.
Even without breaking WPA, a device could snoop metadata and report how many devices are connected to the network, what off-network peers they connect to, and so on. That reveals quite a lot of information.
Not on a wired network. The switch only forwards packets to the port that the destination device is connected to. So comms between your PC and your internet router aren't even visible to your Smart-ish Thing. Wired networks in a domestic setting are pretty rare however.
However on a wireless network then by definition everything can hear everything else, including the guy in the black hat lurking at the end of your driveway. Data you exchange with the access point ought to be encrypted (check your settings) so its meaningless to anyone except you, but If the encryption is compromised then its like shouting everything out loud. Thats why the encryption standards are bumped up every so often, when they become too easy to crack.
If you care that much then run a trusted VPN so there is an extra layer of protection, or use an end-to-end encrypted app like whatsapp.
Don't rely on switch port segmentation as a security measure on wired networks. That's not it's intended use, and is easily circumvented in most cases.
You really need a different LAN, or proper vlan support in your switch for that (and the assumption that no-one dodgy had physical access)
As for WiFi, best to create a separate AP for the toxic devices, with a different password, and the setting to deny access via that IP to the local lan.
Most non-ISP routers have such a facility
That's why we have encryption on as many communication methods as possible. The smart devices probably aren't breaking your encryption, and many of them simply aren't powerful enough to be useful at doing it, but if they did, they could intercept your packets between your WiFi devices and the access point. However, if you're using an encrypted connection at a higher layer, for example HTTPS to communicate with a website or a communication platform with encryption, then just obtaining those packets from your WiFi will only leak a small amount of information. They might be able to tell that you're doing something with your medical provider's server, but not what specifically you or they are saying. Nothing prevents them from turning those devices into spies, but most likely, they'd need some much more powerful servers at the other end to do the heavy lifting because most IoT devices have some pretty weak processors in them. That's expensive and most users' communications are not valuable enough to go to that effort, especially because that's a few crimes wrapped up in one and most companies choose not to commit crimes that are that blatant, preferring a more oblivious crime that they can argue is so minor that nobody should care.
Not through. Fortunately most domestic wifi is incapable of passing the necessary IP packets.
If they want to get funky with the hardware drivers the radio hears anything close enough and they might be able to do something with it but wifi can be configured to render this mostly useless.
Unlike one responder has said, plugging the devices in would generally be _worse_ with regards to the possibility of devices snooping on each other because ordinarily network hardware will happily obey any port's instruction to send it all traffic, similar to the wifi radio but without any thought in the protocol's design of protecting any port from any other (eg. per-port encryption). This is generally known as promiscuous mode and I don't think any domestic ethernet switches have it disabled.
Finally though, any serious communication will be encrypted long before it hits the wire (or radio) so your conversations with your doctor are safe from your iot devices that don't have a microphone.
Having said all that I wouldn't worry about it. They're all selling the same stuff back and forth to each other anyway. You're either in or you're out.
That's why they go on their own subnet.
In reality, as others have said, sniffing your comms data is likely to involve criminality so probably doesn't happen. What is more likely is that they will map out your network and send back details of whatever other devices they find. I'm pretty sure I read about Facebook doing this some time back.
This post has been deleted by its author
There's a ton of information in IP packet metadata that's useful to data thieves (including appliance manufacturers). And while most HTTP traffic is over TLS these days, and HTTP dominates home-user traffic, glossing that as "most data" could be misleading.
"I bought new a couple of years ago."
Is there an option for something like OnStar or another service? If the hardware is there, it could be sending data back to the mothership but since you didn't pay for service, you won't be getting any of the services it might offer.
Is someone forcing you to buy a new car?
Well, sooner or later any car reaches the "too old to be practical to keep going" stage - obviously when that is depends on what you use it for (if your job/lifestyle requires something that you can be confident will start first time every time, and won't drink fuel like it's still 1950s prices then an old gas guzzler won't cut it) and when it was built (my old Land Rover will probably be practical to keep going long after our newer (not new) cars have gone to the scrappy). I suspect that for modern cars, they are more reliable, but when they do break it tends to be more terminal finance-wise.
And that's going to be a rolling window.
So eventually, your choice will be to buy a new(er) car or catch the bus - if the latter is an option for you. These days, I see fewer and fewer current models that don't resemble an iPad with wheels in terms of user interface.
And for me, there's another issue rarely mentioned - the growth of electronics and software in safety critical systems (something I deal with in the day job). I think it's a fairly safe bet that few (if any) of the bits are actually built using good design principles, and it's a dead cert that teh whole lot would never qualify to be given a SIL* rating. When you are sat in a car, where the throttle is under software control, ditto the brakes, ditto the steering, ditto the gearbox ... and there's no key that will physically remove power to something needed to keep the car going - well it's comforting to know that there could be SFA you could do if it all went wrong (or was hacked) other than sit back and enjoy the ride for the possibly very short rest of your life.
*System Integrity Level.
Well, the EU is trying to give us back removable batteries. Apart from that, though, I don't see any easy solution. Let's see.
A) A large majority of users could autonomously decide to refuse to buy smart devices, thus putting high pressure on companies to produce non-smart devices. This is unlikely to work, because you can't get large majorities of the general population to agree on anything unless the problem is blindingly obvious both in its nature and its consequences. Privacy violation is far too subtle for that.
B) A large majority of users could autonomously decide to start deploying technical counters or even data poisoning techniques, thus greatly devaluing smart devices for companies. This works for individual users, but not as a general solution, for the same reason as (A), plus it requires technical skills, providing an additional barrier.
C) A large majority of users could autonomously decide to actively reject targeted ads, i.e. under no circumstance click on any ad on the Internet, actively avoid buying things you see in ads if you can, always only buy products you have explicitly searched for. This would devalue targeted advertising in general, and I personally do it, just out of sheer spite. But it still won't work, for the same reason as (A).
D) A major political power could decide to limit the ability for companies to gather PII. The EU has given this a shot with the GDPR, and it's definitely annoying for data gatherers, but it's not enough to really fix the problem even when it's being adhered to properly, and it's also extremely difficult to enforce. This might work, but, if taken far enough, it will have splash damage.
E) A major political power could decide to limit the ability for companies to employ targeted advertising. This might work, but I'm not aware of any noise in this direction beyond do-not-call registries (and even those don't work, due to lack of enforcement). I suspect that Google and Meta would resort to hired assassins before letting this one gain steam. Nevertheless, if anyone out there wants to do this, they get my vote.
F) One or more companies could decide to make privacy their USP and start a marketing campaign around it. This might have some limited success, but it'll never be a general solution. They'll get a niche, and that's it.
Overall, I think it's bleak.
"A large majority of users could autonomously decide to refuse to buy smart devices,"
Or they can do what I do and not use any of those "smart" features or load all sorts of apps to their phones. I don't even lock my phone as I don't keep anything all that personal on it. There's a contact list but it's only a subset of what's on my computer. My phone is just a phone. I suppose somebody could find interest in my shopping lists, but that's more work to harvest than something connected. I also don't leave Data, Wifi or BT on. I have Torque pro for the car, but use an old phone for that. I found a blacklisted phablet cheap that works just fine for that application. A friend of mine lost it, reported it and then found it again. There's no way to reinstate the device again once it's been blacklisted so he sold it to me cheap.
>But The Reg says that if you're really concerned about privacy, you'd do better to not buy these things, throw away your mobile phone, and move to a shack in the wilderness. ®
Box ticked already and no mobile signal, but saying that last night I had to give money to Skype and OMG, suddenly Google is involved in that transaction and then everything went weird because Google wanted my address but luckily as A) my phone is a country A phone, B) my credit card is a country B credit card and C) the use case wallahs at Google are dumb as shit, the resultant address ended up as Spanglish, but the transaction still worked so they weren't needing that address to confirm the transaction were they. Dumb American logic saves me again.
Again no mobile signal but have a Mr Musk dishy which makes Google think I'm in Madrid rather than off grid.
The only reason I can think of having a smart washing machine/dishwasher or dryer is to be able to activate it automatically when the electricity is cheap if you’re on an hourly varying electricity tariff based on the next day spot price (companies like Tibber). Even then, it doesn’t need all this personal data to offer this functionality. You still have to remember to load the machines though and it’s not a good idea to leave your clothes in the machine for too long.
I can’t think of a realistic reason to have a smart fridge/freezer though.
The information is forwarded to data brokers who aren't exactly faceless but do keep a very low profile because if the population as a whole knew what they were and how they worked there would be one of those 'pitchfork and torch' moments. This explains why smart devices collect so much information -- its a completely separate function to what the devices actually do and the transaction between broker and provider is like a rental (we can deliver 'x' clients to you at '$y' a head).
The relationship between 'raw data collectors' and 'data brokers' isn't clear, they may be one and the same, they may be different corporations, The issue of deniability comes into play here since a lot of collection sails very near the legal wind -- in an ideal world they'd collect everything, everywhere, all the time but there are invariably laws that give people the illusion of privacy. (If they're effective then they negate the website if they're in Europe -- you either adopt a "Take me, I'm yours!" approach or have to select numerous obscure offerings so I usually just end up leaving websites that bother me like this.)
From my understanding of the permission structure, access to Bluetooth and WiFi under Andriod version 8 thru 11 and is lumped into the location permission - something that was changed under Android 12 and later. Of course it should never have been put there in the first place, but that isn't the fault of the app developer. For these researchers to state that they have "no idea" why an app that has to use Bluetooth or WiFi to search for devices might request or require location permissions shows a lack of understanding profound enough that it undermines the credibility of the rest of their research.
I avoid these things as much as possible (apart from a phone, I have no 'smart' devices), but for anyone who feels that they really have to have them then use an old phone, wipe it and set it up with a dedicated account and use it only for controlling the SmartShit, use fake DOBs for everything (and any other information which can be faked), and never use it for web browsing or to sign into any email, etc, accounts. And turn its internet off unless it absolutely has to be on (e.g. for an update).
Other things such as a separate VLAN for any SmartShit and the controller phone would also help, but more complicated.
None of the above is entirely a solution, but would significantly reduce the data which they are able to capture.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
