Smart devices



Smart devices are devices that connect over the internet to exchange data with other systems.

I generally do not want smart devices.

I want dumb devices. Even better if those dumb devices are configurable. And programmable devices (i.e. devices that can be programmed by me, especially with ease) are probably the best.

What’s wrong with smart devices

While there are no requirements on what a device needs in order to be (or not to be) smart, these are some common properties I see in most smart devices:

  • it needs an internet connection

  • it does not work offline, or only partially

  • it requires some sort of account

  • privacy and security are an afterthought

  • they are opaque, the user does not know how they work or what they do

  • they need updates

  • they have an expiration date

  • they have a kill switch

Internet connection

While it might be true that having an internet connection is not an issue, it does not mean that I want all my devices to be connected to it.

First of all, it consumes electricity for no good reason. Especially on battery-powered devices, this is a huge drawback.

Second, the internet connection might not be unlimited, thus without any control over what data is sent, it is hard to know if it might be a problem or not.

Third, even if electricity and data are not an issue, the server the device wants to reach might be temporarily (or for a longer period) not available.

Accounts

Creating an account is most of the time straightforward, but often also annoying.

If lucky, only an email address (possibly a username) and a password are required. If less lucky, other pieces of information like a phone number are required too.

This makes it harder to use the device of someone else (bought second hand, or lent by a friend) if some sort of registration is required, or if it is not obvious how to remove all associated personal pieces of information.

And even if there is no interest in those scenarios, often I would like to try something out before buying it. Creating an account might be easy, but what about deleting it? Thanks to the GDPR, companies are more careful when handling personal data, but it is generally not a smooth experience.

Also, there are other complications, like data leaks.

Security

Because those devices are connected to the internet, they are reachable not only by those who bought them but also by virtually everyone else.

For this reason, they mustn’t be usable by everyone.

Unfortunately, we do not know how to write secure software.

But even if we were able, there is always the human factor.

It is easy (as in it costs nearly nothing) to try to trick a million people over the internet with spam. It is less easy to go door to door to a million people and try to convince them to do something, and at least a little more expensive to send a million letters.

How does it work?

Physical devices, no matter how complex, are generally much easier to understand compared to programmable devices.

The hardware can reach only a given set of different states. No matter how big that set is, it is probably nothing in comparison to the number of different states a minicomputer can handle.

Adding the possibility to interact with other devices, or other smart features adds a lot of points of failure.

Updates

Because we do not know how to write secure software, smart devices generally need updates.

But updates do not only fix errors; they can also introduce new ones and remove functionality.

If you bought a smart device for a functionality that is going to be removed, then you are out of luck. A common functionality might be the integration with older devices, like older Android phones.

Being forced to buy a new, or compatible, phone for using another device is wrong, yet it happens all the time.

Testing?

Testing if a toaster works reliably is easy. Testing if a toaster connected to the internet works reliably is impossible.

Expiration date

No company is going to maintain their product indefinitely, as they will not make any money from it unless customers are paying for the updates.

Thus smart devices have an unwritten expiration date. More than 5 or 10 years.

Kill switch

For a smart device, having a kill switch means that the company producing it can disable it remotely.

The official use-cases are often against theft, but obviously, it could be misused (by malice or accident).

Even devices that do not have a kill switch can be disabled remotely. If it is, for example, not possible to turn off updates, or if those are installed automatically, they can be used as kill switches too. Also, if some activation or registration is required, it can be misused for "killing" devices.

Is it possible to do something against a kill switch?

At least in this case, you can contact the support and share proof of purchase if you still have it.

But are those drawbacks worth it for having a smart device?

No, I do not believe so. At least not for most smart devices.

As I do not know how a smart device works, I do not know how much I can trust it. Will it work every time the same way? Or does it have some "smart" functionality trying to help me and change the interface every time or pop-up suggestions all the time? Are all features available all the time, or do some expire after some time?

Many times a dumb device, because it is simpler, not only costs less and is easier or more intuitive to use, it might also be much more efficient.

Note 📝
It is not true that smart devices always cost more. For example in the case of televisions, apparently, the smart one would cost less than the non-smart one because the company can make money from the data it can collect through the "smart component".
Note 📝
Even if dumb devices are easier to assemble, many are more or less impossible to build by ourselves from scratch.

A cheap analog kitchen timer is, for example, often much more comfortable to use compared to a phone or a smart home assistant.

It will work anytime unless it breaks apart.

It does not consume electricity, so you never need to charge it or replace batteries. It is also not a problem to use it with dirty hands and wash it afterward.

Also, it is much easier to constantly see how much time is left on the timer, whereas with a smart assistant, you have to ask it to tell you how much time is left, and with a smartphone to unlock the screen and open an app to see the remaining time.

Adjusting the timer might be more or less complicated, while with the kitchen timer it’s trivial.

Obviously, an analog kitchen timer cannot be compared to a smartphone or home assistant; it has a much narrower scope. It is a "specialized"/"optimized" product for a single task.

Another example would be smartwatches. They offer multiple functionalities, but a wristwatch is currently much more practical for checking what time it is. First, it does not need to turn the screen on and off for consuming less energy. When using a smartwatch one needs to touch the screen, which is not always practical, for example when having the hands full, when driving or riding a bicycle, or during a meeting; flicking the wrist isn’t very subtle.

Also, it is annoying at night to touch the clock by accident and blind yourself.

And there is the battery issue. Wristwatches have it too, except that the battery lasts much longer, and there are also "self-winding" watches; they recharge themselves through the movement of the wearer’s wrist.

Like the analog kitchen timer, a dumb watch is an exclusive device optimized for tracking time.

One common property of all dumb devices is that they do not have security issues simply because they are air-gapped. They cannot be accessed remotely, and even if accessed directly, there is not much that can be done (except breaking them). Because there are no security issues, and because the scope is much narrower, it is easier to test them thoroughly, and there is generally no need to update something.

They also do not have an expiration date. Those devices will work until they break apart; there are no kill switches or automatic updates that can remove some desired functionality.

Of course, planned obsolescence was a thing before smart devices, it can even be observed with something as simple as school books. Often a newer revision of a book comes out after a couple of years with only marginal differences in content, but maybe a slightly different layout or chapter orders. Teachers (even rightfully) might want every student to have the same copy of the book. Might not seem a big issue, but school books are expensive, especially for families with more children, and not being able to use them for more than one year, even if in perfect conditions, is frustrating. But smart devices (in general the software industry) made planned obsolescence a much more common issue. Self-repairing is nearly impossible (in the meantime also some dumb devices are getting harder to repair).

Are smart devices always bad?

Just like it was hard to imagine why we would need an internet connection on our phones, or why we would need portable phones at all, I currently find it hard to imagine the need for many devices available over the internet.

So there are surely valid use-cases for smart devices, the issue is that the choice between a smart and a non-smart device is disappearing for some types of products.

For example, I am unable to find (locally) an analog bathroom scale. I want one that does not need batteries, lasts 50 years like the one my parents owned, and that just shows how much I weigh when I step on it, without having to touch it to turn it on and wait for it to power up.

I would also like smart devices much more if they were less opaque to the end-user (like being able to disable unwanted features) and easier to customize.

For example, writing simple programs for Android with Termux made my phone much more enjoyable.

Data interoperability between smart devices is also a big issue. Often one needs to use custom programs for interacting between different devices. If there were an open protocol, and no need to depend on external servers (or on having an internet connection in general), it would make many devices much more interesting.

Smart failures

Warning ⚠️
This section is in progress. I generally do not search for issues that IoT devices have, but sometimes it happens that I notice something, and I’ll add it here.

Updates

This example shows how problematic updates can be: what happens if you update a microwave with the software of a steam oven? It won’t work anymore. This is exactly what happened to AEG Nederland.

The cherry on top? Factory reset has no effect and Wi-Fi has stopped working too, so getting an update with the correct firmware is not possible.

Another example is a Blu-ray player that does not play Warner and Universal movies after an update.

And shoe updates can go wrong too!

Even tested systems, like payment terminals, will have issues.

Security

Fridges that integrated with Gmail had some security issues, making it possible to steal the login credentials.

Unsecured devices, even if they do not give access to any personal information, are still little computers that can be used for doing some work. In 2016 one of the biggest DDoS attacks was orchestrated with IoT devices.

But making DDoS attacks is only one of the many possible uses for a device continually connected to the Internet. Others are using it as a webserver, bot activities, and so on. On KrebsOnSecurity there is a nice graphic.

Some devices are designed with security in mind, like cameras or doorbells, but the risk of making the whole situation less secure is real.

Other devices, like coffee machines and lightbulbs, are not acknowledged as potential attack vectors by consumers.

And no, putting an antivirus on those devices is not a solution.

Another problematic kind of smart device is smart keys for cars.

Even devices that need to be connected to the internet for doing the job, like a router, can have serious security bugs.

Also, when a device can be configured in a more secure way, it is not always easy for the end-user to understand the implications of an insecure device. In some fortunate cases, the hackers might help you.

Sooner or later all devices connected to the internet, unless maintained and monitored regularly, will get hacked.

One thing is certain: we do not know how to build secure devices, especially if connected to the internet.

How does it work?

How to turn off some features is not always easy to understand; sometimes the hard way (like unplugging the affected hardware) is the easiest way.

And what about an undocumented/hidden microphone?

Also, it is not obvious that phones, even when turned off, might still be communicating with other devices.

Privacy

Once you give some data to someone else, you lose control over it. It should be obvious, but it is hard to remember that anytime a microphone connected to the internet might be recording what you are doing, and eventually send this data to someone.

Just like this data is sent to someone else, deleting it might be hard, or impossible. I bet on many devices, by taking them apart and using simple data recovery techniques, it is possible to extract most if not all data. At least on Android phones the internal storage is encrypted by default.

In Germany, the doll My Friend Cayla has been banned because, similarly to smart assistants, it’s a microphone and camera that are always active and connected to the internet, with obvious consequences for privacy. In America, there have been concerns too.

Even a toothbrush can collect sensitive data, but fixing those leaks is not always the first priority.

Expiration date

The company Insteon abruptly shut down their servers, without giving any notice to anyone.

Doing a factory reset, in this case, worsens the situation.

Through reverse engineering, it seems that it might still be possible to use some (or all) smart devices again.

In this case Samsung decided to drop support for many features.

And even bigger companies, especially Google, will turn off smart devices.

