The Problem with ‘SMART’ IoT Devices…

If you’ve watched any of my DIY smart home series, you’ll know I’m somewhat militant with my approach to smart devices. I don’t do cloud-hosted stuff – if it doesn’t work permanently without an internet connection, I’m not interested. Sadly though, I’m very much in the minority, as smart internet-of-things devices with permanent internet access are becoming increasingly common in everyone’s households. That’s a pretty massive problem, although it’s one that few seem to understand, so let me explain.

There are a few key problems with all of these internet-dependent devices, from products being bricked or abandoned to having your home heating cook you alive because someone remotely told it to, and so much more. One of the most common problems stems from the requirement to be constantly connected to a server: if that server goes down, either from a technical fault or because the company has pulled support or straight up gone out of business, the device might outright refuse to work at all, or at best will just have lost any ‘smart’ features it normally has.

To give you some examples of that kind of abandonware, in 2020 Under Armour pulled support for their $400 line of smart fitness trackers, including a $180 set of ‘smart scales’. While the scales do continue to function manually, any data you had been collecting to show your fitness progress is now gone, as the app you use to access it was pulled from app stores and the data couldn’t even be exported. The heart rate monitor and wrist-worn activity monitor appear to be in a worse state, with little to no functionality without their companion apps.

Similarly, in 2019 Best Buy pulled support for their Insignia line of smart devices – some of which weren’t too problematic, such as an internet-connected fridge, but for things like security cameras, you’re just out of luck. And of course, when SONOS pulled support for a whole bunch of their devices, consigning them to a slow demise into basic speakers, that wasn’t received too well.

But the company doesn’t have to go bust or pull support to wreak havoc; a simple technical difficulty can be a major problem. Every time AWS goes down it takes half the internet, and a large majority of smart devices, along with it. This can range from something as trivial as robotic vacuum cleaners not running on their schedules to your home door lock not letting you into your house any more. Tesla had a problem late last year when their app’s server went down and users reported not being able to unlock their car! Now that only affected the ‘remote unlock’ feature via their app, and not using your phone via Bluetooth or the ‘backup’ physical keycard to unlock the car, but still, having a server go down meaning you can’t unlock your car is really dumb.

My favourite example of this has to be the Facebook outage, where they removed all their BGP (Border Gateway Protocol) routes, meaning none of their servers could be found or contacted. Facebook staff were reported to have been locked out of their buildings and offices because their ‘smart’ IoT keycard locks couldn’t phone home to Facebook servers. That also meant the recovery to get their services back online was slowed, because they literally couldn’t get into the server rooms to re-add those routes. Just hilarious.

Sometimes a company decides to lock features, often existing ones, behind a subscription paywall – auto makers are some of the main perpetrators of this, with stories like how BMW now charges £160 to enable their automatic high beam headlight feature (something that was just included on older models like my friend’s 2010 530D). As in, the car has all the hardware AND software built in to use that function, but unless you pay the ransom, the feature won’t work. Yet a single unlock key can enable it. There’s talk of requiring an active subscription for things like heated seats, active cruise control and infotainment features – BMW themselves trialled billing owners $80 per year for the privilege of using Apple CarPlay in the car they paid literally tens of thousands for, and which was fully capable of doing so but would refuse if you didn’t cough up the cash.

Audi don’t seem to be much better, as a Danish Q4 e-tron owner posted a clip to Reddit showing that a pretty basic climate control function – the ability to sync temperatures and fan settings between the two climate zones left and right – was locked behind a paywall. The hardware button was still included in their car, but pressing it just brought up a message box saying “The function has not been purchased.” The function is part of the “tri-zone climate control” pack, which costs $758.

Similarly, Toyota was in the news recently as their remote engine start function turned out to be locked behind a paywall, and once the 3-year trial runs out the feature just stops working. Even though the feature works with a standard RF key-fob, if the car doesn’t have an active subscription linked to it, the car will ignore the input. Your only choice is to pay the protection money, or give up the feature entirely.

That’s one of the biggest problems with all of this server-controlled kit: you have zero control over the things you own and use every day. The company can brick it remotely, remove features or do a Mafia shakedown for more cash, and you have no choice but to either cough up, or give up. Sometimes this is technically an “opt-in” feature, like Google’s Nest thermostats’ “Smart Savers Texas” program, which, unbeknownst to most anyone who signed up, allowed their local power company to remotely increase their set temperature in the middle of the night during a heatwave.

You can also have dumb things like region locking. Apparently if you purchase a Hoover brand washer/dryer in Europe, make sure you have a European Apple ID handy, because if you don’t, their companion app, which the machine is largely designed around (although not exclusively dependent on), won’t allow you to sign up.

But by far the most egregious offences have been committed by Tesla. In late 2019, Tesla remotely disabled their “Autopilot” and “Full self driving” features on a Model S that was in the process of being sold to a new owner. Why did they need to disable those features? Oh, because the new owner “hasn’t paid for it”. No, the feature isn’t (currently) a subscription service; it’s a one-time fee. And no, as far as I’m aware the original owner didn’t receive a refund for their non-use. No, Tesla just wants to bill any new owners again in full.

But that’s not all! No, as reported widely early last year, Tesla has the ability to remotely unlock and use the “smart summon” feature without your consent or control. The specific case was from a Facebook group post that suggested a repossession agent was both hired and assisted by Tesla in repossessing a Model 3 from a shopping plaza car park without any interaction from the registered keeper. While the obvious retort to that story is “uh just make your payments duh…”, the implication that Tesla, without your consent or control, can remotely unlock and functionally drive (especially when driverless self-driving is allowed) your car is horrifying. It’s not hard to imagine that if you have a grudge with a Tesla employee and happen to drive one yourself, you could wake up to find your car gone or it’s driven itself into your front room. 

And speaking of criminal employees, the absolutely insane amount of data each of these devices can report back means it’s trivial to know literally everything about you from a single search of a database. Everything from knowing where you live, what you have been buying and when you are (or aren’t) home, to even being able to listen to or see you at home. Amazon confirmed they do have employees listen to recordings from their Alexa devices – they were very clear that they only listen to some randomised, anonymised samples of your commands to help train their voice recognition software, and of course that they have strict controls on that data, but you can’t say that smaller companies would have such systems. And even if they did, they still use all that information for targeted advertising. They use it to manipulate you, not only into purchasing their products or services, but even as part of political advertisements.

On top of that, those databases then become targets for hackers to extract from. That level of data collection makes identity theft stupidly easy, and makes it much easier for scammers to manipulate you – or worse, impersonate you – for everything they can get. It’s also worth noting that these sorts of devices are themselves a target for hackers, both to acquire information and to use them as part of a botnet. Many “smart” devices are laughably insecure – so much so that you can use a site like Shodan to search through literally millions of publicly accessible devices, including cameras. Here’s a multi-camera live feed from a Thai manufacturing plant. Live, unsecured, just on the internet for anyone to view.

On the botnet front, those devices are used to attack other people’s networks in what’s called a DDoS or Distributed Denial of Service attack – basically overwhelming their network with so much traffic that they can’t operate anymore; their site effectively ‘goes down’ for any legitimate users because it’s so busy serving the fake traffic. There are millions of devices in botnets worldwide, many of them IoT devices with unpatched security vulnerabilities.

While there are plenty more examples and other issues, I’m not sure I can handle much more of this dystopian nightmare fuel so instead let’s talk about what we can do about all this. While there aren’t any simple answers, the obvious solution is to just not use or buy any of this cloud connected/cloud required tat. Of course it’s easy for me, a massive tech nerd, to suggest that because I have the knowledge and experience that makes setting up a wholly self-hosted smart home solution pretty easy, but not everyone is me. Not everyone knows what I know, and for a large majority of people buying this sort of tech, running their own self-hosted solution exclusively would be well outside their comfort zone and a much harder sell. 

Data protection laws would also be helpful, although if it’s in a company’s best interest to capture your data they’ll work out how regardless. Wherever you can, use non-cloud-connected devices, whether that be sticking with a “dumb” fridge or toaster, or opting for one with non-direct internet control, such as many Zigbee smart home devices, which can then be run self-hosted on something like a Raspberry Pi (check out my DIY smart home series for that!). Anything you can do to reduce your reliance on external servers and services is better.

For the whole abandonware problem, a HACKADAY article introduced me to the idea of “Source Code Escrow”. Basically, companies would provide their source code for everything from their device firmware to server-side processing, and even potentially hardware designs like PCB files or 3D models, to be held privately and securely until the company either ceases operations or decides to end support for a product, at which point that source code would become open source and available to the community to update and tweak. That would be especially useful for devices that flat-out refuse to function without a connection to a server, where an update should be able to remove that issue, or even let you run a server for it locally if needed, so those devices can keep working. This sort of solution is unlikely to work on its own as, beyond a selling point they can list, a company would have little incentive to partake. That’s where consumer protection laws may be able to help, requiring companies to use some sort of source code escrow solution so that, regardless of their fate, their products don’t become landfill waste.

https://mobile.twitter.com/LeaVerou/status/1445336004320243715

https://www.thedrive.com/news/43329/toyota-made-its-key-fob-remote-start-into-a-subscription-service

https://teslamotorsclub.com/tmc/threads/app-is-getting-500-server-error-cant-connect.247264/

https://www.businessinsider.com/texas-energy-companies-remotely-raised-smart-thermostats-temperatures-2021-6?r=US&IR=T

https://www.theverge.com/2020/2/6/21127243/tesla-model-s-autopilot-disabled-remotely-used-car-update

https://www.bbc.co.uk/news/technology-55087054

https://futurism.com/amazon-outage-iot

https://arstechnica.com/information-technology/2020/01/smart-scale-goes-dumb-as-under-armour-pulls-the-plug-on-connected-tech/

https://forums.bestbuy.com/t5/Insignia-Connect/Insignia-Connect-App-Update/td-p/1308830

https://www.themanual.com/auto/bmw-subscription-feature-plan/

https://www.independent.co.uk/tech/amazon-alexa-echo-listening-spy-security-a8865056.html

https://arstechnica.com/information-technology/2020/01/sonos-sunsets-several-smart-speakers-software-support-spurring-storm/

https://www.businessinsider.com/facebook-employees-no-access-conference-rooms-because-of-outage-2021-10?r=US&IR=T