I remember trying to buy a TV that does not have "smart" functionality a few years ago. It was a chore. Today it seems nigh-impossible.
And not just TVs: ovens; refrigerators; dishwashers — all have "smart" options. In fact, it seems that more and more the available non-smart models are only the simpler ones, less performant in ways that are not related to any smart functionality missing.
My non-smart TV was available only with lower resolutions than "smart" models of the same brand.
This really annoys me. I am too well aware of security implications of smart devices.
I do not want to have to manage regular software updates for whatever number of appliances I have at home, or risk somebody using them in a botnet (or worse).
And no, I don't trust their "disable WiFi" menu options either. Seen this setting get enabled without my consent too many times.
I *could* put them on a special VLAN, but 99% of people can't. That's a problem, and not just for them.
2/🧵
In 2016 a router-based Mirai botnet took down Dyn, one of the biggest online infrastructure companies, and many well known websites with it:
https://coar.risc.anl.gov/mirai-attack-dyn-internet-infrastructure/
Mirai mainly targeted home routers.
As early as 2018 there were already botnets that… used CCTV cameras. But of course the predominant media narrative was "hackers attack" instead of "vendors put us at risk":
https://www.vice.com/en/article/9a355p/hackers-are-using-cctv-cameras-to-create-botnet-swarms
But I digress.
With all this in mind, I started thinking of how could this be solved?
3/🧵
So here's my (silly?) idea: a regulatory requirement for #IoT / smart-appliance vendors to provide either:
a). models physically without the smart functionality but with other performance metrics on-par with their smart models;
or
b). a reliable, verifiable, physical way of disabling smart functionality in their smart-devices.
I want to be able to buy a damn refrigerator without worrying about it joining a botnet! Just ain't cool.
I do wonder if this makes any sense!
4/🧵/end
@rysiek What do you mean exactly by smart functionality? Anything that involves (bidirectional?) conversation with an external service? (For example, is a VCRs purely local ability to pause recording over commercials a smart functionality?)
@robryk good question. I would actually be tempted to say: "hey manufacturers, you've been using the term smart for years now, so… this applies to whatever you say or have said is 'smart'".
But yeah, networking would be a good stand-in here.
The first thing would probably backfire in interesting ways, given things like washing machines that have an advertised "smart" feature that they use less water by weighing the laundry. (It would either get bundled with the not-beneficial-for-consumer smarts or would lead to interpretation woes around "well, but _this is exactly the feature_ that causes the water usage metric to be lower.)
@rysiek The networking approach also helps with a different problem: things becoming obsolete due to the producer-operated infrastructure turning down. If something can operate without external communications, it doesn't have a hard dependency on such infrastructure.
@robryk sure, I never said any of this is easy.
I still like the "focus on networking" idea.