Songs about network security
a blog by Michał "rysiek" Woźniak

I want a fridge that won't join a botnet

I remember trying to buy a TV that does not have “smart” functionality a few years ago. It was a chore. Today it seems nigh-impossible.

By the way, we need a nice way of referring to non-smart devices. I propose: “safe”.

And not just TVs: ovens, refrigerators, dishwashers, all are now “smart”. In fact, it increasingly seems that the available non-smart, err, I mean safe, models are only the simpler ones, worse in ways that have nothing to do with any smart functionality.

Safe TVs, but without the fancy backlight. Safe refrigerators, but without the de-icing system. My safe TV was available only in lower resolutions than “smart” models of the same brand.

This really annoys me. I am all too well aware of the security implications of smart devices. I do not want to have to manage regular software updates for whatever number of appliances I have at home, or risk somebody using them in a botnet (or worse).

And no, I don’t trust their “disable WiFi” menu options either. I have seen this setting get enabled without my consent too many times. And a lot of participants in my little, completely unscientific fedi poll seem to have similar experiences. Plus, there is valid concern that some devices will just try to connect to any open WiFi network; I would much rather not.

I could put such devices on a special VLAN, or behind a Pi-hole, but 99% of people can’t. Plus, it’s work. Plus, most importantly, you can bet that “smart” devices will start coming with SIM cards and 4G/5G modems very soon; cars already do. Why does my fridge need Internet connectivity in the first place?
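What “it’s work” looks like in practice, as an added example that is not part of the original post: even if you do segment appliances onto their own VLAN and point them at a Pi-hole, you still have to check that a device whose WiFi is “disabled” in the menu actually stays quiet. The script below parses dnsmasq-style query log lines (the format Pi-hole writes to its query log) and reports any DNS lookups coming from devices that are supposed to be offline. The device table, the IP addresses and the log lines are constructed for illustration, and the static DHCP leases they imply are an assumption.

```python
"""Flag 'supposedly offline' appliances that still talk to the network.

Added example, not from the original post. It parses dnsmasq-style query
log lines (the format Pi-hole's query log uses) and reports any query
that came from a device whose networking is believed to be switched off.
The device table and log lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Hypothetical devices whose "disable WiFi" switch we believe is off.
# Keys are the IPs the DHCP server hands out to them (assumed static leases).
SUPPOSEDLY_OFFLINE = {
    "192.168.30.12": "living-room TV",
    "192.168.30.20": "refrigerator",
}

# dnsmasq / Pi-hole query line, e.g.
# "Jan 12 10:00:01 dnsmasq[1234]: query[A] api.example.com from 192.168.30.12"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)$"
)


def parse_query(line):
    """Return (timestamp, qtype, name, src) for a query line, else None."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("qtype"), m.group("name"), m.group("src")


def find_chatty_devices(lines, offline=SUPPOSEDLY_OFFLINE):
    """Map each supposedly offline device to the set of names it resolved."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue  # forwarded/reply/cached lines and noise are skipped
        _, _, name, src = parsed
        if src in offline:
            seen[offline[src]].add(name)
    return dict(seen)


# Constructed sample log: the TV has WiFi "disabled" in its menu, yet it
# resolves vendor hostnames; the fridge stays silent; the laptop is fine.
SAMPLE_LOG = """\
Jan 12 10:00:01 dnsmasq[1234]: query[A] api.example-tv-vendor.com from 192.168.30.12
Jan 12 10:00:01 dnsmasq[1234]: forwarded api.example-tv-vendor.com to 9.9.9.9
Jan 12 10:00:02 dnsmasq[1234]: reply api.example-tv-vendor.com is 203.0.113.7
Jan 12 10:00:05 dnsmasq[1234]: query[AAAA] time.example-tv-vendor.com from 192.168.30.12
Jan 12 10:00:09 dnsmasq[1234]: query[A] updates.example.org from 192.168.1.50
garbage line that is not a query
"""


def report(lines=None):
    """Print a summary and return the findings so callers can act on them."""
    lines = SAMPLE_LOG.splitlines() if lines is None else lines
    chatty = find_chatty_devices(lines)
    for device, names in sorted(chatty.items()):
        print(f"{device}: networking was supposed to be off, resolved {sorted(names)}")
    if not chatty:
        print("all supposedly offline devices stayed quiet")
    return chatty


if __name__ == "__main__":
    report()
```

On a real Pi-hole you would feed it `/var/log/pihole/pihole.log` (path varies by version) instead of the embedded sample; a non-empty result means the device is talking regardless of what its menu says, and the resolved names tell you where it is trying to go.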

In 2016 the IoT-based Mirai botnet took down Dyn, a major DNS provider, and many well-known websites with it.

Mirai itself was built largely out of IP cameras and DVRs, and by 2018 camera-based botnets were routine. But of course the predominant media narrative was “hackers attack” instead of “vendors put us at risk.”

Sidenote: if you’re using the word “hacker” to mean “cybercriminal”, you are making it worse. Please stop.

With all this in mind, I started thinking about how this could be solved. Not in the sense of “how can I, a techy person, secure my network and devices”, but in the sense of “how can we as a society manage the Internet of Shit problem?”

Consider a regulatory requirement for IoT / smart-appliance vendors to provide either (vendor’s choice):

  • similarly-priced safe models, physically without the smart functionality, but with other metrics and functionality on-par with the smart version; or…
  • a reliable, verifiable, physical way of disabling smart functionality (or perhaps just networking) in their smart devices.

Additionally, the packaging or other forms of information available before purchase should state clearly:

  • does the device require Internet connectivity to set up?
  • does the device require a mobile app to set up?
  • does the device require agreeing to an EULA/TOS/privacy policy to set up?
  • which functions require Internet connectivity?
  • which functions require data processing on external servers (that is, outside of the device)?
  • does the device have a microphone or a camera or other sensors?
  • does information from such sensors ever leave the device (for example, voice command data to be processed on external servers)?

I just want to be able to buy a damn refrigerator without worrying about it joining a botnet. Is that too much to ask?

This blogpost started off as a fedi thread. It got a bunch of interesting responses, and links to news about absolutely bonkers IoT stuff galore. Might be worth checking it out!