I remember trying to buy a TV that does not have "smart" functionality a few years ago. It was a chore. Today it seems impossible.
And not just TVs: ovens; refrigerators; dishwashers — all have "smart" options. In fact, it seems that more and more the available non-smart models are only the simpler ones, less performant in ways that are not related to any smart functionality missing.
My non-smart TV was available only with lower resolutions than "smart" models of the same brand.
1/
This really annoys me. I am too well aware of the security implications of smart devices.
I do not want to have to manage regular software updates for whatever number of appliances I have at home, or risk somebody using them in a botnet (or worse).
And no, I don't trust their "disable WiFi" menu options either. Seen this setting get enabled without my consent too many times.
I *could* put them on a special VLAN, but 99% of people can't. That's a problem, and not just for them.
2/
In 2016 a router-based Mirai botnet took down Dyn, one of the biggest online infrastructure companies, and many well-known websites with it:
https://coar.risc.anl.gov/mirai-attack-dyn-internet-infrastructure/
Mirai mainly targeted home routers.
As early as 2018 there were already botnets that… used CCTV cameras. But of course the predominant media narrative was "hackers attack" instead of "vendors put us at risk":
https://www.vice.com/en/article/9a355p/hackers-are-using-cctv-cameras-to-create-botnet-swarms
But I digress.
With all this in mind, I started thinking: how could this be solved?
3/
So here's my (silly?) idea: a regulatory requirement for #IoT / smart-appliance vendors to provide either:
a). similarly-priced models physically without the smart functionality but with other performance metrics on par with their smart models;
or
b). a reliable, verifiable, physical way of disabling smart functionality in their smart devices.
I want to be able to buy a damn refrigerator without worrying about it joining a botnet! Just ain't cool.
I wonder if this makes any sense!
4/
Just to clarify, my silly idea of a regulation would leave the choice between a). or b). to the manufacturer. I think it's fine to provide them with that choice.
A lot of responses to this
It's my experience that such software settings tend to not be respected. A firmware update might "accidentally" enable WiFi. The appliance might automagically connect to open networks.
But is it just me? A poll!
Have you experienced a "smart" appliance changing its network-related settings (WiFi on/off, etc.) without your knowledge?
Hey #IoT #InfoSec fediverse, there seems to be a general understanding that there are "smart" devices (smart TVs etc.) that will not allow you to use them unless you connect them to the Internet so that they can call home. As in, they won't even function as a dumb HDMI screen.
However, I cannot find any source on this online. Does anyone have a specific link, brand name, model, or example of this? I am pretty sure this is true, just want to have a specific example.
Thanks!
@rysiek well, most of the cheap smart devices here in the Netherlands
@HcInfosec do you happen to have any specific brand/model or a link to a write-up about this?