Michał "rysiek" Woźniak · 🇺🇦

I remember trying to buy a TV that does not have "smart" functionality a few years ago. It was a chore. Today it seems impossible.

And not just TVs: ovens; refrigerators; dishwashers — all have "smart" options. In fact, it seems that more and more the available non-smart models are only the simpler ones, less performant in ways that are not related to any smart functionality missing.

My non-smart TV was available only with lower resolutions than "smart" models of the same brand.

1/🧵

This really annoys me. I am too well aware of security implications of smart devices.

I do not want to have to manage regular software updates for whatever number of appliances I have at home, or risk somebody using them in a botnet (or worse).

And no, I don't trust their "disable WiFi" menu options either. Seen this setting get enabled without my consent too many times.

I *could* put them on a special VLAN, but 99% of people can't. That's a problem, and not just for them.

2/🧵

In 2016 a router-based Mirai botnet took down Dyn, one of the biggest online infrastructure companies, and many well known websites with it:
coar.risc.anl.gov/mirai-attack

Mirai mainly targeted home routers.

As early as 2018 there were already botnets that… used CCTV cameras. But of course the predominant media narrative was "hackers attack" instead of "vendors put us at risk":
vice.com/en/article/9a355p/hac

But I digress.

With all this in mind, I started thinking: how could this be solved?

3/🧵

So here's my (silly?) idea: a regulatory requirement for / smart-appliance vendors to provide either:

a). similarly-priced models physically without the smart functionality but with other performance metrics on-par with their smart models;

or

b). a reliable, verifiable, physical way of disabling smart functionality in their smart-devices.

I want to be able to buy a damn refrigerator without worrying about it joining a botnet! Just ain't cool.

I wonder if this makes any sense!

4/🧵/end

Just to clarify, my silly idea of a regulation would leave the choice between a). or b). to the manufacturer. I think it's fine to provide them with that choice.

A lot of responses to this ☝️ thread focus on how "one can simply not connect the smart appliance to the WiFi" or "you can just disable its WiFi."

It's my experience that such software settings tend to not be respected. A firmware update might "accidentally" enable WiFi. The appliance might automagically connect to open networks.

But is it just me? A poll! 📊

Have you experienced a "smart" appliance changing its network-related settings (WiFi on/off, etc) without your knowledge?

:boost_ok:

@rysiek Even if Wi-Fi is enabled, smart TVs can't connect to the Internet unless someone actually keys in their Wi-Fi password, no?

@ocdtrekkie can't find the source right now, but there was at least one case of a major ISP, I think in the USA, that deployed home WiFi routers that created special secret WiFi networks that were not controlled by their users. They were there for other customers of the company to have WiFi away from home, so to speak.

So yeah, people should not trust their routers either.

@roywig @rysiek Sidewalk I find especially uncomfortable, because it uses non-networking devices to provide networking. (Apple and Google are also building their own secret shadow networks as well, it's basically how AirTags work, where they piggyback off other devices they own in the vicinity to get location and transmit small amounts of data.)

@roywig @rysiek @ocdtrekkie To be fair, the Comcast/xfinity one was never secret, and there's an option to disable it in the settings.

That isn't to say it isn't bad, though. Most users won't think to look for the setting. Also, I seem to recall that certain kinds of resets (one of the first things they try if you call support about a non-working connection) will re-enable the public wifi, so you have to remember to go back and turn it off again.

I eventually ended up buying my own cable modem, which is both more reliable and doesn't even have wifi support, so there's no risk of that feature coming back for me. It's also cheaper, in the long run.

Circling back to the original topic, I'd be surprised if IoT devices could use the Comcast wifi, as I believe it requires a Comcast login. Though on the other hand, I suppose some manufacturers may have a deal with Comcast to let their devices bypass the login. 🤔

@rysiek Yes, that's Comcast. However, it's not secret, and you can shut it off. (And you can also buy your own modem instead of renting, which is generally preferable to save money anyhow.)

It actually provides a direct service to Comcast customers: I can connect to the xfinitywifi network on someone else's router if I am a Comcast customer, and the usage gets billed/associated to me, not the place I am.

Also a TV wouldn't be able to arbitrarily route over it either, because of captive portal.

@rysiek British Telecom do that with their standard routers. It's not a particularly secret network, it announces its SSID, etc.

@ocdtrekkie

@edavies oh, this is useful info. Any link about this?

@ocdtrekkie

@rysiek btwifi.co.uk/

I forget the SSID but it's something obvious like BT-WiFi. My neighbours have a BT router which advertises this SSID as well as their own SSID but their router's off now - presumably because they've gone to bed.

I'm not sure but I seem to remember that the owner gets priority on most of the bandwidth so doesn't really lose out much by it.

@ocdtrekkie

@edavies @rysiek @ocdtrekkie ah, i remember poking around behind the captive portal there and finding private IP addresses that pointed to large CDNs that could be used to connect to tor

probably still works, too.

@edavies @rysiek @ocdtrekkie So do Virginmedia, though you can supposedly opt out of it. I've not noticed an extra SSID, and have opted out of it, but who knows whether the router actually takes any notice of my choice.

@rysiek @ocdtrekkie this is true. The company is Comcast. They set up their routers to connect to a universal broadband wifi network. So you could basically log into your Comcast account anywhere you could connect to one of their routers. The only way around it was to use your own router, but most people don’t know anything about that. Even though I’d never use Comcast and use another ISP, I own my own router and have it on lockdown for this reason.

@rysiek @ocdtrekkie
Many ISPs (and off the shelf routers) here in NZ offer this as a mesh networking "feature".
It saves money for the ISP and adds hazard for their customers.

@rysiek BT Does this here in the UK.

Always thought this was extremely dodgy, especially since it's opt out, rather than opt in.

@rysiek @ocdtrekkie
here in Germany multiple ISPs do this. really annoying

@rysiek
@ocdtrekkie Comcast? I know they have something like that, though it's not so secret.

@rysiek @ocdtrekkie XFinity does this. You can opt out, but it's on by default.

@ocdtrekkie That’s not the only issue. Imagine someone driving by in front of your house with an open wifi hotspot and cracking all smart devices that auto-connect. @rysiek

@rysiek Option B would be nice.
Somewhat related: hw manufacturers don't use physical, hard-wired switches anywhere near enough. I loved the physical switch to disable wifi in old thinkpads. Or the physical shutter over cameras in some laptops. There should be way more of these, literally disconnecting power from stuff like microphones, GPS, or accelerometers.

@marcink @rysiek yeah, but physical switches cost money, and worse they impact the form of the device (switches need to be accessible), the reliability of the device (cheap switches fail), and support costs ("is the app failing to connect because you flipped switches at random?").

There needs to be a way to either turn off wireless networks or enforce local access for pairing, though. Ideally also open APIs and a standard, competent, minimal IoT OS.

Also, a pony.

@rysiek Instead of mandating these mechanisms maybe we could make manufacturers responsible for damage done by holes in their "smart" features unless they can demonstrate it was the customer who neglected something the customer would consent to in a clearly informed way (three simple points, not 30 pages of fine print).
Make it expensive to sell badly maintained systems, see the effects of real maintenance costs on prices, non-smart versions should magically happen by themselves.

@rysiek Luckily most of them can be run in mode b) by just not connecting them to the network, but maybe you wanna use some basic functionality but skip most of the bullshit... Gets harder and harder

@xpac I don't trust those devices to actually not connect. Some Smart TVs actively seek open WiFi networks and auto-connect when they find one. Some ISPs run public access points on people's home routers.

@rysiek *sigh* these idiots... In 🇧🇴 we have a stupid law that holds you responsible if somebody does something illegal over your Wifi, so open Wifis outside companies are pretty much non-existent, although the same stuff like Comcast exists, but it needs a login after the connect, so I don't worry about that. Still, they really shouldn't do this...

@xpac @rysiek My refrigerator is designed so the right door doesn’t fully close unless pushed. When left open, after a few minutes it will beep VERY SOFTLY. I can install their app on my phone to get a discernable notification of this built-in hazard. So it’s “operable” without IoT participation, but barely. Hard to regulate when manufacturers are devious.

@rysiek

Consumers’ rights to privacy should be guaranteed by manufacturers of smart-tools, including the right to customise / disable the “smart” function, as well as the right to disconnect products they bought from IT networks.

@rysiek 1. Ppl would still buy the ‘smart’ versions.
2. There’s already a lot of vulnerable IoT devices out there and they have a very long life.
3. It’s not technically hard for your ISP to know you have a compromised IoT device, but legally, it’s far from clear they have the authority to do anything about it.

@BenAveling

1. Many, if most, perhaps. That's okay, as long as choice actually exists.

2. That's a related but separate problem. As an analogy: we can ban plastics even if there's already plenty of them in the environment.

3. It's not the ISP that should be doing something about this, it's the vendor. The ISP could alert the owner, regulation could allow the owner to sue the vendor. This could help also solve 2.

@rysiek I had to return a thermostat because the model I needed (due to my equipment setup) had Alexa built in, and unlike their previous models, there weren't any obvious wires to snip to "fix" it once it was opened up. Had to switch to another brand completely.

@JLab8 @rysiek Search for "millivolt thermostat" to reliably get a non smart one. No electronics, entirely mechanical.

@rysiek I worried about this too, since I wasn't able to find a good 4k "dumb" TV a few years back. But I feel safe with it now because I deleted our WiFi credentials from the TV. It has played nice so far.

@rysiek I like your thinking, but I prefer the "consumers should be able to disable all smart functionality" option. Otherwise, you're dependent on retailers choosing to take on the burden of stocking both the smart and non-smart versions of every device. And if they can sell almost as many items by just stocking the smart version...

@rysiek I think A & B should be mandated.

obviously doesn't work out as can be seen on the Windows "N", "K" & "KN" versions...

mstdn.social/@kkarhan/10970998

@rysiek All the time! Happened just last week.

@lucire care to share more? What kind of appliance? What was the context (firmware upgrade? power outage? just randomly? etc)?

Obviously fine if you'd rather not. :blobcathappypaws:

@rysiek I’m not a technologist so I don’t even know what you call them, but one of the wifi things disconnected itself and reconnected itself. Random, not during an upgrade, not during an outage.
Not a range extender, not a transmitter—the name escapes me at the moment.

@rysiek this made me realize i have surprisingly little iot in my life.

@rysiek automatically connecting to an open network? that sounds like a security disaster (in a way not even benefiting those who did that)

@xarvos @rysiek security disaster? that sounds like most of IoT

@rysiek you forgot the “I managed to avoid getting a smart appliance so far”

@rysiek Thankfully, we are far enough away from the neighbors that I can see all visible networks and verify that they all use some sort of authentication. At the moment, none of our "smart" appliances/objects have the ability to connect to a network without needing a password but that could change if the neighbors do.

@kailagenevieve @rysiek
So provide it your own dummy passwordless access-point that allows only specific MACs to connect, and allows the minimal internet connection for a connectivity check, but nothing more than that?

@tzafrir @rysiek Eh... no desire to actually connect any of them to a network for any purpose whatsoever at any point unless I also went to the trouble of firewalling that network off from the internet completely and I'm ok taking the chance that an accessible network will pop up. They don't need updates even for features I actually use.

@rysiek I'm still in a happy position that the only "IoT" appliances I have around are those I made by myself; let's keep it that way for as long as possible 🤞

@rysiek Don't forget the computer inside the computer, either! I was intrigued to find that the 5G modem in my OpenWrt based router is actually a tiny Linux box. It's truly penguins all the way down...

@rysiek I'm lucky I have no smart appliances in my house, not even one. And I'm lucky I have a husband who supports my idea of "let's not buy anything smart or connected"

@sabrinaweb71 @rysiek not sure what you have against some automation but I’m guessing it isn’t with the automation itself and instead has to do with privacy, or control. If I’m right check out home-assistant.io or similar systems. It's a bit more work to get up and working but worth it I think.

@DevInTheMtn @rysiek you're right, I have nothing against automation in itself, but I'm very very very concerned about privacy

@rysiek

"A firmware update might "accidentally" enable WiFi"

Ok, but it's standard practice that even technologically unsophisticated people have passwords for their WiFi setups. Unless it contains software to crack the password, it won't be able to get online.

I'd love to have the option for a dumb TV, but if you never let your TV onto your network, the damage it can do is limited.