Has anyone worked on fighting back this kind of telemetry/spyware of essential consumer appliances?
I'm thinking something similar to what https://adnauseam.io/ does, but but amplified:
1. Someone reverse engineer what does the device send to which address.
2. Block the particular device to access internet (and make it easy for others too).
3. Constantly send bogus data to the manufacturer so the personal data they get overall loses value or is unusable. Make it easy for a lot of people to do it as well, or even just rent a bot farm.
There's too many legit and good services that end up being turned down due to abuse and DDos, and they don't even bring anything good to the attackers. Why not using these techniques for something actually good to consumers privacy?
In my ever-cynical view, I imagine in most cases manufacturers don't, themselves, especially care about the data from their devices. I see various other motivations:
1) Price increases. It's "smart". Pay us more.
2) Planned obsolescence. You have numerous new points of failure in your product + make repairing vastly more difficult.
3) Monetize collected data by selling it to interested parties. The data quality, or lack thereof, is a secondary concern.
1) Set up a pihole or ad guard or similar and block the requests the device makes. You can probably find someones list or it may already be in the default one.
2) Put all the IOT's devices into a virtual wifi lan that doesn't by default doesn't allow internet access. Then only add in the few places you want them to be able to get to. In general putting IOT devices on a network separate from your real computers is a good idea for isolation anyway since they are likely to have poor security.
I remember there was something similar once for web analytics. The extension would obfuscate stuff by changing values, esp. e-commerce values like price and quantity so that the data becomes quite tainted.
I would hate to see smart stuff taken off the market.
A DDoS could cause the company to drop support faster(Like they already always do), and hurt the people who can no longer use the features on their expensive device.
Besides, if DDoSing got popular with average consumers it would never stop, and they'd go after everything that has any privacy risk(AirTag/Tile comes to mind), no matter how critical it is to some people's lives.
Admittedly a bit of a slippery slope argument, but less so in an age where there is a significant minority that would love to undo all tech from the last 70 years.
Instead we could be fighting for laws requiring that that all smart devices use an open and app-capable OS, or that all features exposed via proprietary connection to their server also be exposed via local API.
>1. Someone reverse engineer what does the device send to which address. 2. Block the particular device to access internet (and make it easy for others too). 3. Constantly send bogus data to the manufacturer so the personal data they get overall loses value or is unusable. Make it easy for a lot of people to do it as well, or even just rent a bot farm.
requests probably need to be send with valid serials, in which you can't effectively anonymously flood the telemetry by yourself.
given that there is absolutely no way even a small percentage of Samsung fridge (why even buy one?) users will care about this, all it does is reveal the participant's identities and motivations.
for 3. I wonder if you can go a step further and pummel them with extra data. like insane amounts of (bogus) data. At some point even plain s3 storage costs will become problematic for them.
Some kind of legislative protection would be nice too. eg any mechanism that collects or transmits telemetry must be able to operate totally separate from any other feature of the device and have a hardware kill switch.
Why would you want to go out of your way to send bogus data to the manufacturer?
I'm all for being able to choose whether or not to disclose that data, but then we'll also have to accept different choices than ours. There's no point in sabotaging others.
It should be legally required for these products to allow for people to turn 'smart' features off if they want to. Unfortunately, it probably won't be any time soon.
Just wait until device manufacturers start integrating always-on LTE modems with their own SIM cards and billing so they can pull device analytics, sell you new advertising, and sell your usage patterns to 3rd parties whether or not you ever connect the things to your home wifi.
At which point you'll have to disassemble the damned thing and physically rip out the LTE modem, possibly resulting in the device bricking itself when it can't phone home after a while.
I bet if you're a device manufacturer right now and go to t-mobile enterprise sales and tell them you want 200MB of data per month per IMEI and you're going to have 50,000 units, you'll get a very attractive monthly price per unit.
Mark my words, it'll be commonplace in another 8-10 years.
UI Hell: The place I'm renting has an IKEA / Whirlpool ceramic top stove. All digital. And I HATE it.
You can't find the touch-buttons in the dark, say when you want to make coffee in the wee morn, so you're forced to turn on lights. When you finally find a button, it takes forever to turn it to max. You have to fiddle around to turn it back down again, first click the button for the corresponding plate you want, then click a separate button to actually power it down. Again, it takes forever.
It's also impossible to train tactile memory for it, becuase the buttons are too close and too hard to discern on the dark-on-dark top, so if you try doing it blind, you'll just end up fiddling forever to find the damn thing.
If you spill something over the touch area, it'll start beeping and complaining before it turns itself off. Meanwhile the corresponding pot might have already boiled over, and you can't react in time, because the touch panel is covered in boiling liquid.
Also, honestly, I think it's actually harder to keep the ceramic top clean than a regular top. Reason: It smudges real easy, and you're never sure how much pressure or abrasives you can use without making scratches. On the old tops, you just didn't have to worry. It could withstand a sledgehammer amount of abuse before scratching or chipping.
And don't even get me started on the microwave installed here... I brought my own two-knob micro despite there already being one installed here. That should give you a clue.
Mine has a lock button for some reason, and of course it is the closest button to the hot area. Meaning if I slide a pan a bit too far to the front it'll cover & trigger the lock button because it's capacitive and now I can't use or even turn off the stove for a while unless I press on the now boiling hot lock button.
I had an ikea induction hob with a similar UI, moved house and now I have a full size gas rangemaster with 5 rings.
I really miss the induction hob. Cleaning the rangemaster is a complete nightmare, it’s full of places where dirt can accumulate, there’s even holes down the back and gaps in the side where food falls down that are unrecoverable. The gas rings sometimes don’t light up and gas leaks out while you’re cooking and don’t realise, it’s much more dangerous for children and I’ve left it on without realising a few times now.
The buttons on the induction hob sucked, yes, but the user experience was so much better, literally wipe clean and done, safe and powerful. Maybe if I had a cleaner I’d prefer the rangemaster…
My parents just got one of these POSes. What a UI fiasco.
And my mom is afraid to let anything drip on it, because they told her she needs special cleaner or it'll ruin the finish. And my parents are not gullible people.
Look forward to more of this shit, too: CA just outlawed gas appliances in new houses. But in an area stricken by permanent drought, do they do something sensible like requiring greywater recovery systems in new construction? NOPE.
Reminds me of this quote from the hitchhikers guide to the galaxy
>The only profitable division of the company is its Complaints Department, which, according to the series, takes up the major landmasses on three planets. The Hitchhiker's Guide to the Galaxy defines its marketing division as "a bunch of mindless jerks who'll be the first against the wall when the revolution comes," and an edition of the Encyclopedia Galactica that had the good fortune to fall through a time warp from a thousand years in the future defines the marketing division of the Sirius Cybernetics Corporation as "a bunch of mindless jerks who were the first against the wall when the revolution came."
I had a similar problem. A quick hack; try to put some small 3d stickers on it. At least on mine, they don’t register as input and leave enough space to use the button.
Is this the only way they can make sure they break down frequently enough to force you to buy a new device every few years rather than building something that would normally last a generation. Also I guess they might save a couple of pounds in controls. I found a good local appliance repair guy recently (could probably do it myself, but I'm not good at that sort of thing). I intend to try and repair anything from now on rather than buy new.
Have you tried selecting a ring and then holding the "reduce power" button for a moment? I've found on some units this is a faster way to get to full power. And I had one where holding the up and down buttons together skips the selected ring straight to zero.
I have a combination microwave/conventional oven with capacitive buttons as well as a dial for temperature. You can only use the buttons to adjust the timing for the microwave in 10-second increments, leaving the dial completely unused in that modality.
I added WiFi to my fridge and it's pretty great. It will tell me when the door is left ajar or when the temperature goes too high or low in either the fridge or freezer compartment.
However I made it myself with an ESP8266 and some Dallas sensors. So it only works for me. Not for anyone else.
This is basically why I paid 100 EUR to have the 23 years old cheap Whirlpool stove that came with our apartment fixed. It has 4 plates and 4 turning knobs, and when I turn one of them, the corresponding plate gets hot.
When I was maybe 20 years old and naive as hell, I thought it was funny that the older neighbors were really enthusiastic about their older fully analog, non-computerized Toyota Land Cruiser. They did all their own repairs on it. Now I understand.
Sadly with a fridge or a washing machine the efficiency is quite different. Buying a 20+ old washing machine will cost you a lot in electricity and wasted water.
1) what was the issue with not connecting it to WiFi in the first place?
2) surely the fact that it has WiFi was known at purchase time? Despite what the internet would lead you to believe, there is still a lot of fridges without WiFi and "smart" features out there, why not buy one of those rather than mess with this?
Edit: point 2 was addressed in the article, sorry I missed it
> what was the issue with not connecting it to WiFi in the first place?
Like many other 'smart' appliances, it creates it's own AP so allow you to set it up. So anyone within range could attach it to their network, and then do whatever they like with it.
> surely the fact that it has WiFi was known at purchase time?
It came with the place they're living in. Someone else made that decision.
Were I making the purchasing decision, wifi wouldn't factor in. If the fridge that turns out to be the best option happened to have wifi, then I'd trust myself to work out how to jail it, whether hardware "off"-ing it as per this guy, or blackholing it's connection, or just not connecting it at all (with the knowledge that some devices are rumoured to connect to any accessible open wifi).
Controversially I would like to have fridge and stove that could send me telemetry over Wi-Fi. I currently have RuuviTag in my fridge to monitor temperature and moisture, but I can't put one in my oven for obvious reasons (and it couldn't monitor stove anyway).
Obviously neither should have any actual controls over Wi-Fi, but getting a notification about open fridge door, being able to check if stove or oven is on while away from home, or getting report when something (is about to) breaks would be neat.
I bought all new appliances last year, and none of them were smart. I don't even remember seeing any smart ones at the shop. Granted, this was an appliance store in a town of about 8000 people... but it seems to me they're more gimmicks for people with too much money than a part of most peoples every day life.
I have a couple of IoT VLANs that devices gets sorted into by my level of percieved trust. Things like AppleTV and Sonos goes into the trusted one, things like Printers, various chinese IoT like Aquara sensors, Eufy cameras and more are put into the untrusted one. Trusted devices have static DHCP assigned IPs, as well as printers (for AirPrint and mDNS)
Everything in the untrusted VLAN is blocked by MAC address in the firewall in the outbound direction.
I keep a (surprisingly small) spreadsheet of all my firewall rules, so migrating to a new firewall is a matter of spending 30 minutes setting up the 50 or so lines from the spreadsheet, of which most are rules for allowing inter VLAN traffic, i.e. allow AirPlay reverse connections from AirPlay capabale devices.
I should add that i run Eufy cameras in Homekit mode, so they only need access to talk to a HomeKit bridge/hub (AppleTV/HomePod), and only need internet access for firmware updates.
Rather than disconnecting these type of appliances completely I’d rather disconnect them from the cloud and connect locally, for example using Home Assistant. I have captured an OTA update for my Miele appliance but so far haven’t gotten around to poking around. Has anyone tried something similar?
This is something that stresses me a lot. I care about fighting against these non-features but most people around don't care and have the mentality of "I have nothing to hide"
I've lost count the amount of times I thought about "I should just do an open-source version of <some home appliance I need and is full of spy/crapware>"
So why are we getting it anyway? We are getting it because it is essential to the smart cities agenda. It is planned that everything be micromanaged by a technocratic elite.
Think of China's social credit score on steroids. Have you used up your allocation of credits? Your fridge/heating/etc can be switched off.
Have you been a bad citizen, posting dissenting comments online? Then you can't travel, will have your bank account frozen/constrained.
A digital pass and smart technology everywhere are required. Then technocrats can have fine-grained control of everything.
This will be done in the name of the environment - in the name of 'saving the earth' most of us will choose digital enslavement and will even force it on others.
^ That's the plan in a nutshell - which is aimed to be in place for 2030.
I'm disappointed that all these smart home appliances connect exclusively via WiFi. None of them connect via Ethernet even though they are stationary and often connecting a cable to them could be easy. The WiFi connection is usually unreliable, supports only 2.4 GHz and requires multiple steps to establish.
[+] [-] thn-gap|3 years ago|reply
I'm thinking something similar to what https://adnauseam.io/ does, but but amplified:
1. Someone reverse engineer what does the device send to which address. 2. Block the particular device to access internet (and make it easy for others too). 3. Constantly send bogus data to the manufacturer so the personal data they get overall loses value or is unusable. Make it easy for a lot of people to do it as well, or even just rent a bot farm.
There's too many legit and good services that end up being turned down due to abuse and DDos, and they don't even bring anything good to the attackers. Why not using these techniques for something actually good to consumers privacy?
[+] [-] somenameforme|3 years ago|reply
1) Price increases. It's "smart". Pay us more.
2) Planned obsolescence. You have numerous new points of failure in your product + make repairing vastly more difficult.
3) Monetize collected data by selling it to interested parties. The data quality, or lack thereof, is a secondary concern.
[+] [-] PaulKeeble|3 years ago|reply
1) Set up a pihole or ad guard or similar and block the requests the device makes. You can probably find someones list or it may already be in the default one.
2) Put all the IOT's devices into a virtual wifi lan that doesn't by default doesn't allow internet access. Then only add in the few places you want them to be able to get to. In general putting IOT devices on a network separate from your real computers is a good idea for isolation anyway since they are likely to have poor security.
[+] [-] sdoering|3 years ago|reply
Just can't remember what it was called.
[+] [-] eternityforest|3 years ago|reply
A DDoS could cause the company to drop support faster(Like they already always do), and hurt the people who can no longer use the features on their expensive device.
Besides, if DDoSing got popular with average consumers it would never stop, and they'd go after everything that has any privacy risk(AirTag/Tile comes to mind), no matter how critical it is to some people's lives.
Admittedly a bit of a slippery slope argument, but less so in an age where there is a significant minority that would love to undo all tech from the last 70 years.
Instead we could be fighting for laws requiring that that all smart devices use an open and app-capable OS, or that all features exposed via proprietary connection to their server also be exposed via local API.
[+] [-] kurisufag|3 years ago|reply
requests probably need to be send with valid serials, in which you can't effectively anonymously flood the telemetry by yourself.
given that there is absolutely no way even a small percentage of Samsung fridge (why even buy one?) users will care about this, all it does is reveal the participant's identities and motivations.
[+] [-] Mumps|3 years ago|reply
[+] [-] lupire|3 years ago|reply
[+] [-] user3939382|3 years ago|reply
[+] [-] encrux|3 years ago|reply
I'm all for being able to choose whether or not to disclose that data, but then we'll also have to accept different choices than ours. There's no point in sabotaging others.
[+] [-] VoidWhisperer|3 years ago|reply
[+] [-] walrus01|3 years ago|reply
At which point you'll have to disassemble the damned thing and physically rip out the LTE modem, possibly resulting in the device bricking itself when it can't phone home after a while.
I bet if you're a device manufacturer right now and go to t-mobile enterprise sales and tell them you want 200MB of data per month per IMEI and you're going to have 50,000 units, you'll get a very attractive monthly price per unit.
Mark my words, it'll be commonplace in another 8-10 years.
https://me.me/i/tech-enthusiasts-everything-in-my-house-is-w...
https://arstechnica.com/gaming/2020/01/unauthorized-bread-a-...
[+] [-] kebman|3 years ago|reply
You can't find the touch-buttons in the dark, say when you want to make coffee in the wee morn, so you're forced to turn on lights. When you finally find a button, it takes forever to turn it to max. You have to fiddle around to turn it back down again, first click the button for the corresponding plate you want, then click a separate button to actually power it down. Again, it takes forever.
It's also impossible to train tactile memory for it, becuase the buttons are too close and too hard to discern on the dark-on-dark top, so if you try doing it blind, you'll just end up fiddling forever to find the damn thing.
If you spill something over the touch area, it'll start beeping and complaining before it turns itself off. Meanwhile the corresponding pot might have already boiled over, and you can't react in time, because the touch panel is covered in boiling liquid.
Also, honestly, I think it's actually harder to keep the ceramic top clean than a regular top. Reason: It smudges real easy, and you're never sure how much pressure or abrasives you can use without making scratches. On the old tops, you just didn't have to worry. It could withstand a sledgehammer amount of abuse before scratching or chipping.
And don't even get me started on the microwave installed here... I brought my own two-knob micro despite there already being one installed here. That should give you a clue.
[+] [-] logifail|3 years ago|reply
Speaking of beeping, why is it so hard to completely disable the "I'm finished" beep on household devices?
My microwave beeps, incessantly.
My dishwasher beeps, four times, when it's finished. Especially nice when this happens after midnight when everyone is sleeping.
My washing machine beeps, for the best part of 10 mins, when it's finished. Also nice when this happens in the wee small hours.
My tumble dryer - praise the Lord - has a function to disable its beeping. The beeping got disabled within minutes of it being installed.
[+] [-] alpaca128|3 years ago|reply
This should be illegal.
[+] [-] albertgoeswoof|3 years ago|reply
I really miss the induction hob. Cleaning the rangemaster is a complete nightmare, it’s full of places where dirt can accumulate, there’s even holes down the back and gaps in the side where food falls down that are unrecoverable. The gas rings sometimes don’t light up and gas leaks out while you’re cooking and don’t realise, it’s much more dangerous for children and I’ve left it on without realising a few times now.
The buttons on the induction hob sucked, yes, but the user experience was so much better, literally wipe clean and done, safe and powerful. Maybe if I had a cleaner I’d prefer the rangemaster…
[+] [-] NonNefarious|3 years ago|reply
And my mom is afraid to let anything drip on it, because they told her she needs special cleaner or it'll ruin the finish. And my parents are not gullible people.
Look forward to more of this shit, too: CA just outlawed gas appliances in new houses. But in an area stricken by permanent drought, do they do something sensible like requiring greywater recovery systems in new construction? NOPE.
[+] [-] bajsejohannes|3 years ago|reply
[+] [-] FridayoLeary|3 years ago|reply
>The only profitable division of the company is its Complaints Department, which, according to the series, takes up the major landmasses on three planets. The Hitchhiker's Guide to the Galaxy defines its marketing division as "a bunch of mindless jerks who'll be the first against the wall when the revolution comes," and an edition of the Encyclopedia Galactica that had the good fortune to fall through a time warp from a thousand years in the future defines the marketing division of the Sirius Cybernetics Corporation as "a bunch of mindless jerks who were the first against the wall when the revolution came."
[+] [-] licebmi__at__|3 years ago|reply
[+] [-] thorin|3 years ago|reply
[+] [-] daveoc64|3 years ago|reply
Like fan (convection) ovens, is this just something that Europe is used to and is alien to people in the USA?
Personally, I love that the entire surface of the hob (including buttons) is a flat piece of glass. It makes cleaning trivial.
[+] [-] bjackman|3 years ago|reply
Delighted that my new place just has knobs!
[+] [-] reuben364|3 years ago|reply
[+] [-] perceptronas|3 years ago|reply
[1] - https://www.zdnet.com/home-and-office/home-entertainment/i-s...
[+] [-] GekkePrutser|3 years ago|reply
However I made it myself with an ESP8266 and some Dallas sensors. So it only works for me. Not for anyone else.
[+] [-] wardedVibe|3 years ago|reply
[+] [-] lqet|3 years ago|reply
Simplicity lasts longer.
[+] [-] walrus01|3 years ago|reply
[+] [-] sschueller|3 years ago|reply
[+] [-] gambiting|3 years ago|reply
2) surely the fact that it has WiFi was known at purchase time? Despite what the internet would lead you to believe, there is still a lot of fridges without WiFi and "smart" features out there, why not buy one of those rather than mess with this?
Edit: point 2 was addressed in the article, sorry I missed it
[+] [-] paranoidrobot|3 years ago|reply
Like many other 'smart' appliances, it creates it's own AP so allow you to set it up. So anyone within range could attach it to their network, and then do whatever they like with it.
> surely the fact that it has WiFi was known at purchase time?
It came with the place they're living in. Someone else made that decision.
[+] [-] blenderdt|3 years ago|reply
Related HN question from years ago: https://news.ycombinator.com/item?id=25275350
[+] [-] nixass|3 years ago|reply
It says right there in the article:
these appliances came with the new place so i’ll be stuck with these i imagine for some time
[+] [-] BLKNSLVR|3 years ago|reply
[+] [-] ant6n|3 years ago|reply
for now. That’s not true anymore for example for TVs.
[+] [-] prmoustache|3 years ago|reply
[+] [-] 2muchcoffeeman|3 years ago|reply
[+] [-] nextlevelwizard|3 years ago|reply
Obviously neither should have any actual controls over Wi-Fi, but getting a notification about open fridge door, being able to check if stove or oven is on while away from home, or getting report when something (is about to) breaks would be neat.
[+] [-] Tepix|3 years ago|reply
Well, this isn't it. Only the corporations receive your data.
[+] [-] LAC-Tech|3 years ago|reply
I bought all new appliances last year, and none of them were smart. I don't even remember seeing any smart ones at the shop. Granted, this was an appliance store in a town of about 8000 people... but it seems to me they're more gimmicks for people with too much money than a part of most peoples every day life.
[+] [-] kebman|3 years ago|reply
[+] [-] 8fingerlouie|3 years ago|reply
I have a couple of IoT VLANs that devices gets sorted into by my level of percieved trust. Things like AppleTV and Sonos goes into the trusted one, things like Printers, various chinese IoT like Aquara sensors, Eufy cameras and more are put into the untrusted one. Trusted devices have static DHCP assigned IPs, as well as printers (for AirPrint and mDNS)
Everything in the untrusted VLAN is blocked by MAC address in the firewall in the outbound direction.
I keep a (surprisingly small) spreadsheet of all my firewall rules, so migrating to a new firewall is a matter of spending 30 minutes setting up the 50 or so lines from the spreadsheet, of which most are rules for allowing inter VLAN traffic, i.e. allow AirPlay reverse connections from AirPlay capabale devices.
I should add that i run Eufy cameras in Homekit mode, so they only need access to talk to a HomeKit bridge/hub (AppleTV/HomePod), and only need internet access for firmware updates.
[+] [-] joris9000|3 years ago|reply
[+] [-] neilv|3 years ago|reply
https://xkcd.com/2030/
https://old.reddit.com/r/ProgrammerHumor/comments/aloi5v/pro...
[+] [-] auton1|3 years ago|reply
[+] [-] witx|3 years ago|reply
I've lost count the amount of times I thought about "I should just do an open-source version of <some home appliance I need and is full of spy/crapware>"
[+] [-] verisimi|3 years ago|reply
So why are we getting it anyway? We are getting it because it is essential to the smart cities agenda. It is planned that everything be micromanaged by a technocratic elite.
Think of China's social credit score on steroids. Have you used up your allocation of credits? Your fridge/heating/etc can be switched off.
Have you been a bad citizen, posting dissenting comments online? Then you can't travel, will have your bank account frozen/constrained.
A digital pass and smart technology everywhere are required. Then technocrats can have fine-grained control of everything.
This will be done in the name of the environment - in the name of 'saving the earth' most of us will choose digital enslavement and will even force it on others.
^ That's the plan in a nutshell - which is aimed to be in place for 2030.
https://www.technocracy.news/
[+] [-] eterevsky|3 years ago|reply
[+] [-] firefoxd|3 years ago|reply
1: https://news.ycombinator.com/item?id=22083759