Get Your Internet Out Of My Things

2014 was the year that the Internet of Things (IoT) reached the “Peak of Inflated Expectations” on the Gartner Hype Cycle. By 2015, it had only moved a tiny bit, towards the “Trough of Disillusionment”. We’re going to try to push it over the edge.

Depending on whom you ask, the IoT seems to mean that whatever the thing is, it’s got a tiny computer inside with an Internet connection and is sending or receiving data autonomously. Put a computer in your toaster and hook it up to the Internet! Your thermostat? Hook it up to the Internet!? Yoga mat? Internet! Mattress pad? To the Intertubes!

Snark aside, to get you through the phase of inflated expectations and on down into disillusionment, we’re going to use just one word: “security”. (Are you disillusioned yet? We’re personally bummed out anytime anyone says “security”. It’s a lot like saying “taxes” or “dentist’s appointment”, in that it means that we’re going to have to do something unpleasant but necessary. It’s a reality-laden buzzkill.)

In particular, we’re going to focus on the security of the networked autonomous computer that’s inside the thing and how it reacts with the real world that it’s been thrust into. Now, we’ve already got a word for autonomous computers hooked up to the Internet, and that’s “server”. So what the IoT revolution is really doing is putting servers into toasters. Or worse, the IoT is putting servers in your father-in-law’s toaster.

Let’s use two pairs of archetypes: the neckbeard and the father-in-law to represent the extremes of the spectrum of computer security savvy, and the toaster and the server representing different levels of connectedness and corresponding need for network security. You can already see how this is going to play out: the neckbeard belongs with the server and the father-in-law with the toaster. Giving the simple toaster to the neckbeard isn’t so much of a problem, but it gets bad when the father-in-law has to care for the server.

This is the intrinsic problem with IoT. We’re disguising servers as toasters and handing them off to metaphorical fathers-in-law. What’s the worst that could happen? Let’s start by asking the FBI.

The FBI, IoT and Cybercrime


IoT security is starting to become a serious enough issue that the FBI issued an alert on IoT crime “opportunities” in early September. The alert starts off by explaining that adding servers to toasters greatly enlarges the attack surface for “malicious cyber actors” and points out many of the most common IoT security vulnerabilities. They also offer extremely reasonable remedies to close many of the vulnerabilities.

The FBI gives a big mention to Universal Plug and Play (UPnP). The great thing about UPnP is that it enables automatic discovery and remote configuration, so that devices that use UPnP are easily accessible to the other computers within the local network. In particular, for Windows users, this is the magic wand that the “Add Device” wizard relies on to cast his spells.

The worst problem is that UPnP devices often trust whoever is configuring them by default, and this trust can be abused to essentially punch a hole through your firewall. There are many other issues with UPnP, and this report by security firm Rapid7 is an essential read.

So UPnP, on outward-facing devices, is a foothold to compromise the rest of your network. It’s no wonder that the FBI wants you to shut it off. Assuming that you’re able to turn UPnP off, this means configuring all of your new networked IoT devices by hand, without the help of the wonderful wizard. Other suggestions on the FBI list include changing default passwords, keeping up with “current best practices” for home WiFi security, and updating IoT devices with patches “when available”. (“If available” sounds a little bit less naïve.)
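Before switching UPnP off, it helps to see which holes it has already punched. The following is an added example, not code from the article or the FBI alert: it audits the port mappings a gateway reports through the UPnP `GetGenericPortMappingEntry` action of its WANIPConnection service. The SOAP replies, the addresses, the inventory and the sensitive-port list are constructed assumptions; collecting the replies from your own router is left out.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Internal ports worth a second look when exposed (assumed list, adjust to taste).
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 554: "rtsp"}


@dataclass
class Mapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    enabled: bool
    description: str
    lease_seconds: int  # 0 means the mapping never expires


def parse_mapping(soap_xml: str) -> Mapping:
    """Parse one GetGenericPortMappingEntryResponse returned by the gateway."""
    # The reply comes from a device we do not trust: refuse DTDs and entities.
    if "<!DOCTYPE" in soap_xml or "<!ENTITY" in soap_xml:
        raise ValueError("DTD or entity declaration in SOAP reply")
    root = ET.fromstring(soap_xml)
    # Index every element by its local name (namespace stripped).
    f = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip() for el in root.iter()}
    try:
        return Mapping(
            external_port=int(f["NewExternalPort"]),
            protocol=f["NewProtocol"].upper(),
            internal_client=f["NewInternalClient"],
            internal_port=int(f["NewInternalPort"]),
            enabled=f["NewEnabled"] == "1",
            description=f.get("NewPortMappingDescription", ""),
            lease_seconds=int(f["NewLeaseDuration"]),
        )
    except KeyError as missing:
        raise ValueError(f"reply lacks {missing}") from None


def audit(mappings, known_hosts):
    """Return [(mapping, [reasons])] for enabled mappings that need review."""
    findings = []
    for m in mappings:
        if not m.enabled:
            continue
        reasons = []
        if m.internal_port in SENSITIVE_PORTS:
            reasons.append(f"exposes {SENSITIVE_PORTS[m.internal_port]} on {m.internal_client}")
        if m.lease_seconds == 0:
            reasons.append("permanent lease, stays open until removed")
        if m.internal_client not in known_hosts:
            reasons.append("internal client is not in the device inventory")
        if reasons:
            findings.append((m, reasons))
    return findings


def sample_reply(ext_port, client, int_port, lease, desc, enabled=1):
    """Build a constructed SOAP reply in the shape a gateway returns."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""


# Constructed sample data: what a home gateway might report.
SAMPLE_REPLIES = [
    sample_reply(8081, "192.168.1.50", 554, 0, "IPCam RTSP"),
    sample_reply(3074, "192.168.1.20", 3074, 3600, "game console"),
    sample_reply(2323, "192.168.1.77", 23, 0, ""),
    sample_reply(8080, "192.168.1.50", 80, 0, "IPCam web", enabled=0),
]
KNOWN_HOSTS = {"192.168.1.20", "192.168.1.50"}  # assumed inventory of your own devices


def run_audit():
    return audit([parse_mapping(r) for r in SAMPLE_REPLIES], KNOWN_HOSTS)


if __name__ == "__main__":
    for m, reasons in run_audit():
        print(f"{m.protocol} {m.external_port} -> {m.internal_client}:{m.internal_port}"
              f" ({m.description or 'no description'})")
        for r in reasons:
            print(f"    - {r}")
```

A mapping that shows up here for a device you do not recognise, or with a lease of 0, is the kind of quietly opened port the alert is warning about.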

Anyway, the FBI’s list is great advice for neckbeards. Our father-in-law hears about applying patches and picks up a needle and thread. This is all over his head, which means the toaster goes unpatched with a faulty UPnP implementation enabled despite the FBI’s best intentions. The criminals come in through the toaster, take over the printer, and then springboard over to our mother-in-law’s yoga mat which spends the rest of its life sending spam e-mail.

Cybercreeps and Baby Cams

We’re sure that you’ve all heard about the couple of cases of people getting their Internet-connected baby monitors and cameras owned by asshats who would then shout at the baby or harass the mother. In at least one case, the problem was that the owners hadn’t changed the monitor’s default password, which can be found with a quick web search. Not changing default passwords is a common father-in-law security threat.

For the record, Foscam, one of the first baby monitor vendors hit, has since done the right thing and gotten rid of the default password entirely. (As have many of the router manufacturers who’d been plagued by default admin passwords over the last decade.) But fixing security flaws across multiple vendors is like playing whack-a-mole: a new problem pops up every time another one gets hammered down. Otherwise, after two years of hot press on the security of baby monitors, you’d expect that Rapid7’s “Ten New Vulnerabilities for Video Baby Monitors” would be a shorter whitepaper.

What can be done? This article from Sophos Security on securing your baby monitor, just as with the FBI’s report, suggests that you lock down your home network, implement security best practices, and choose unique and complex passwords. Again, this is all true but not exactly father-in-law-friendly advice. And what’s patently obvious is that none of the “fixes” are actually directly related to the IoT device itself, but rather good housekeeping tips for neckbeards.

Your Fridge is Leaking (Your Gmail Password)


This summer’s DEF CON also included an IoT Village that had its own mini-track of talks. In one talk, fourteen IoT home automation devices were investigated and they (mostly) got owned. Some of the attacks involved getting into the device on a physical serial console, which we take as less of a concern than remotely-exploitable flaws. On the other hand, digging through the device locally helps one to find issues that may be remotely abused, so local access shouldn’t be disregarded out of hand.

Aside from talks, the DEF CON IoT village also had a Samsung IoT fridge sitting around that anyone was free to start hacking on. Within one day of work, these guys had an exploitable angle on the fridge.

The fridge was brilliant; you wouldn’t ever have to put up reminder notes on the fridge door because the fridge had a built-in display that synced automatically with your Google calendar. Only, the fridge didn’t bother to verify the SSL certificates that it got when calling up the Goog, which means that an eavesdropper could man-in-the-middle your fridge and get your Google credentials. If you don’t think that stealing your Gmail account password is bad news, think about the password-reset procedure at your bank, and how they send you the new password.

And with the fridge, no amount of neckbeardly network good housekeeping would save you. The problem lies in the fridge’s internal mini-server itself, or at least the software that it’s running. Your father-in-law either has to patch the software when the upgrade comes out, or live with the consequences.

What to Do?

If the IoT hides a server inside a toaster and hands it to your father-in-law, what can be done? Leaving the responsibility for securing the device and the home network in his lap is hardly fair because it’s not something he’s good at, and there’s really nothing he can do about flaws in the vendors’ security implementations. We’ll have to look elsewhere.

Creating perfectly secure IoT devices would be a start. Then follow that up with perfectly secure cloud services to connect them to, add in perfectly secure mobile apps to control them, and ensure that all communications between all of these are perfectly secure. Perfect! In theory.

In practice, there are always going to be flaws and patches. The security vulnerability footprint grows as you add more computers of different types to a home network. Here’s a simple solution: don’t put the server into the toaster in the first place, and if you do, make it easy to take the things off the Internet.

That’s not as much of a Luddite position as it might sound. Indeed, this Register article claims that none other than Eugene Kaspersky, founder and CEO of a prominent anti-virus and firewall software company, thinks that’s the way to go. More specifically, he suggests air-gapping networks that have access to the Internet and the baby monitor. That is, maintain two networks in the home that don’t connect at all through any device: one network for your baby monitor and other home IoT appliances, and an entirely separate and unconnected network that connects to the Internet. After all, that’s what more security savvy institutions like the US military do with their systems.

Air-gapping dual networks is a simple enough procedure that even a father-in-law stands a chance of being able to follow, and the only additional cost is a second WiFi router. The toaster can still talk to the fridge, but neither of them can talk to the Internet and its cybercriminals. But if your father-in-law is the kind for whom two independent, air-gapped home networks sounds like too much, or if he really, really needs Internet connectivity for his toaster, you’ve got one last hope.

Shut it Off


IoT devices need a physical Internet-off switch with local control overrides. Part of the promise of the Internet of Things is that the physicality of things meets the ethereality of the Internet, so why is it that the security configurations of all of these things are on web pages? They need a button! When the Internet-connected baby cam starts shouting obscenities at Junior, a single button press kills the monitor’s connection to the outside world. Or for the privacy-conscious, a small switch on the side of the Nest could turn off all information-sharing with Google.

If we’re going to embody the Internet in our appliances, they should have physical analogs to the kind of security controls that they should also have online, and starting with the crudest on-off switch is as good a place as any. To quote from the FBI’s report: “Consumers should be aware of the capabilities of the device and appliances installed in their homes and businesses”. Nothing says “aware of capabilities” like a physical switch that lets you turn that capability on and off. Otherwise, our father-in-law is fooled into thinking that the internal server isn’t there, and that the toaster is just a toaster.

(We got the inspiration for this radical solution from this talk on IoT and our surveillance society that goes much further in the direction of protection of personal privacy than device security. It’s a good read, and some of [Maciej Cegłowski]’s six fixes may also be relevant for security, but the Internet-off switch is the most obvious.)

Talkback!

Have we gone too far? Or not far enough? Are you disillusioned about the coming ubiquity of IoT devices yet? Any other ideas about making the control of security parameters of the server inside the toaster more father-in-law-friendly?

78 thoughts on “Get Your Internet Out Of My Things”

  1. Good read. However, those of us who read the RFCs are hardly surprised: https://www.ietf.org/rfc/rfc2324.txt — That was 1998 and in 1990 there was an Internet toaster. Like a lot of buzzwords, they aren’t as new as they seem and they either fade into disuse or fade into the commonplace (remember when multimedia and networking were the Next Big Thing?).

    1. And 8 years ago, there was “smart dust” and “wireless sensor network”.

      It turns out that it is hard to get anything accomplished, unless you are Google or Apple. Zigbee was an abject failure. Bluetooth was a partial failure. BTLE is soldiering along.
      The ubiquitous mesh networking stack that was promised to us never happened, but we’re back to another cycle of everyone trying.

      The home fixtures market is an absolute mess of crowdfunded smart outlets, all with different radios, feature sets, and compatibility.
      This is going to get worse before it gets any better.

      1. what’s wrong with zigbee?

        I don’t use a full zigbee stack but I have tons of xbee modules and I use them for lots of ‘iot projects’. I prefer to avoid IP unless I truly need directly reachable things from IP networks. usually I’ll have one box setup as a gateway to convert IP requests into xbee radio datagrams that run custom apps protocols. this way its not a direct connection and that single point controls access in both ways.

        1. There is nothing inherently wrong with zigbee, it’s just that it never became a standard. In order to try and make it a standard the ZigBee Alliance made membership a requirement for developers which created a GPL conflict.

          People that didn’t want to deal with the membership moved on to stuff like the NRF24L01 for mesh networking or the ESP8266 modules for direct Wi-Fi (ironically the ESP8266 is probably going to drive a lot of insecure projects, though proper air gap techniques can mitigate this issue)

          1. I’d be more fond of the ESP8266 if the thing could support SSL.

            Once you can do that, I wouldn’t mind putting it in more interesting projects that have actuators and such in it. But right now, the nRF24L01+ encryption isn’t terrible and it also includes packet signing for replay attack prevention. And it can do this all in software, or you can buy a crypto board and speed it up…. But I’m using it with an Arduino, so max bandwidth anyways is .5Mbps. I’m not too concerned, until I use the STM32 more.

          2. doesn’t the xbee module support hardware encryption, at least pt-pt? I have not tried using it but I thought its right in the hardware.

            the ESP, well, not so much and I don’t take the ESP seriously because it has no ssl or secure layer (other than wpa2).

        2. XBee is too expensive. That’s what’s wrong with it. The least expensive module is $17 and there is no quantity discount. Advanced modules are $32, at least according to a quick search of Digi-Key.

          A toaster is only $25, to add XB to it, and then you’ve got add your support components. Now the toaster is $55. What can you possibly tell me about my toast that is worth that kind of money?

          For an IOT radio to be successful it has to be less than $2.

      2. Most low power networking sucks. I’ve found 1 that doesn’t suck as much.

        nRF24L01+

        Supports Mesh networking, encryption, packet signing, 3.3v device with 5v tolerance, sports 6 transceivers, and is cheap.

        Cheap?

        $6.80 for a pack of 10, low range (10-15m) http://www.aliexpress.com/item/Free-Shipping-10PCS-NRF24L01-wireless-data-transmission-module-2-4G-the-NRF24L01-upgrade-version-We-are/1680738017.html

        $3 for one with an external antenna. 1km (?!) http://www.aliexpress.com/item/Free-Shipping-10PCS-NRF24L01-wireless-data-transmission-module-2-4G-the-NRF24L01-upgrade-version-We-are/1680738017.html

        Add these to cheap micros. Yes, I use Arduino Nano clones, so suck it. I also use the MySensors library. It’s a simple protocol that I can extend to things like the STM32 (also offered on aliexpress for something like $3.20 each).

        And then I take the data into Node-Red….. But why?

        Node-Red has plugins for a lot of different IoT devices. And it’s also easy to write them yourself. Or you can “bit-bang” TCP and diy :) But above all, if you do something a certain way, provide an open way to communicate with it. If you’re using a JSON interface, make it clear what does what, and us glue folks make your one-off device work seamlessly.

        It’s not the best solution. The best would be that everyone uses the same radio comm protocol, and the same interfaces. But that’s not going to happen in the short or medium term. So instead, focus on making your shit, and then make your shit work with things like an MQTT server, CoAP server, or Node-Red plugin.

        1. Yes, the NRF is a great solution..for some problems. The idea of zigbee was to make it work for everything, even replacing regular IR remotes. That is why it is so complex and big. That is why it failed….. nobody wants to include anything more than the bare minimum and as far as i remember from zigbee, the bare minimum was still complex (64K of flash i think). add licence fees and ….less people interested.

          you can make a simple sensor with a NRF and 2K of memory for a lot less money. But that is your own protocol, it will probably not work for a high number of things.

          1. I’m using the MySensors protocol, which is a 25 byte max transmit. Its all open standard, and a Node-Red node is available for easy decode.

            The idea is that my Node-Red dashboard can communicate many protocols at the same time (MQTT, CoAP, various proprietary protocols) and I can interface with them all. If your specific product has proprietary protocol, and you publish it, its open enough for me to use it!

            Now, is nRF24L01+ good for **everything**? Nope! But we do have up to 2Mbps to play with. The max packet size is 32bytes, so things like voice are doable over those chips. All you’d need is a decent CPU and a encoder chip. And if you’re willing to use patented protos like GSM voice encode, you can even get the data down to 96Kbps.

            Nevertheless, we have a good deal of “wiggle room” with this chip. Use the 3$ one, and I could see some nice walkie talkies…

      3. Zigbee is not dead, it’s just invisible. Where I live, all the smart meters implement it. How do I know? We’ve had protestors marching the streets handing out pamphlets espousing how carcinogenic Zigbee radiation is. *facepalm*

  2. That UPnP stuff is drivel, you don’t connect IoT through a windows box, you use a router, and you use a decent router that doesn’t accept configuration over UPnP from the internet (do they even still exist?), and that an IoT device opens a port through UPnP is the same as it opening a port manually, or in fact manually is worse since then you are often forced to have it open all the time whereas UPNP has a default timeout.

    And linking to some paper from 2012.. not very current anyway, and I don’t think people that have UPnP exposed for configuration on the internet are helped by papers – or anything else for that matter.

      1. UPnP isn’t the entry way into your network, it is the method by which anyone on the inside can let anyone else in. If your gateway supports UPnP forwarding, then a compromised widget can open any arbitrary set of ports it likes, suddenly all of the other widgets you have on the network have a public facing attack surface. And all these widgets have a standardized method for discovering all the other (likely vulnerable) widgets. Why even bother assuming that a widget has to be compromised in the first place, some legitimate guest may have the compromised device, that is a host that should be on the network, but I’ll be damned if it should be opening ports quietly.

        1. “If your gateway supports UPnP forwarding, then a compromised widget can open any arbitrary set of ports it likes”

          Yeah and if you have an unknown chinese guy living in your closet there might also be risk to your network..

          Even if for some reason you have an IoT device that is designed in such an odd way that it allows someone to use its open port to get commands to open other ports (we are into quite an imaginative fantasy at this point) then what next? So you have more ports open, it still needs something to attack on the other side of those ports that is waiting to be attacked and is vulnerable.

          And why is this now suddenly an issue anyway? People connect a million devices to their phones and internet/WiFi without blinking an eye (including devices made by google and amazon and other big companies with a certain past I like to point out at this moment) and now the dumb IoT devices are for some reason the risky thing?

    1. Those alternate firmware OpenWRT, Tomato, Linux, OpenBSD based routers etc let you have control on uPnP.
      If you really have to have the IoT devices, put them in a double NAT (i.e. router behind a router). That way the damage is limited.

      1. That’s fine. But there’s no reason the cooling control circuitry is hooked up to the front end computing. Data acquisition is all and good. But the problem here is that these companies are **not** going to offer indefinite updates for security errors and such.

        You want an IoT portal for your fridge? Hang 2 appropriately rated thermistors inside each compartment, a humidity sensor in the vegetable bin, and talk to a tablet on the outside hung up on a 3d printed mount.

        –OR–

        The refrigerator company needs to offer open source pinouts for a standard computer interface, after setting up sensors through the thing. And from there, any company/individual can play “Who wants to IoT?” …… But one can wish of the old days with circuit diagrams pasted on the back of the box.

  3. I’ll have to go with you haven’t gone far enough. I am old enough to have seen the birth of the internet and many other new technologies. There is a basic rule that many have forgotten along the way. That rule is stated fairly simply, but it really is very complex in nature. And that rule is…

    Just because you can do a thing, does not mean you should do a thing.

    This rule applies to most things in life. Look at the way people communicate on Facecrack. 90%+ of the posts on there would quickly be eliminated by this simple rule. The IoT would be decimated. The first question we need to be asking ourselves is this. Why do we need a server in a toaster? Is there any particular reason we need the internet involved to know if our toast is burnt? Won’t the smell of char-coaled wheat flour suffice? And does the rest of the world really need to know that our toast is burnt? Does the rest of the world need to know that we are having toast for that matter? How much information do we need to share and at what level does it all just become mental masturbation?

    Connecting any and everything to the net is just a bunch of crap. There is a place and time for everything and we need to reexamine this. Giving the rest of the world access to this much and type of information is a marketer’s wet dream. Part of the problem is that we have allowed ourselves to quit being human beings and allowed ourselves to become marketing data streams.

    Good God. What are we doing?

    1. There’s plenty of good “Why’s”.

      1. You can’t make decisions if you don’t have measurements. Sensors provide measurements.

      2. With enough sensors, I can make things that “Do” stuff, like logic controlled outlet, actuate motors and solenoids, send emails/texts/chat, log in/out of services.

      3. With these sensors, I can also view at a glance the status of my house or building. There are things like Fire Sensors that can detect fire (as opposed to smoke detectors). Placing them above your oven provides an easy way to check a question like “Burners off?” The logic can also be combined together with sensors to ask if “Are there people present in the building?” before doing something about it.

      4. With a standards approach of hooking these sensors up, (Say node-red), I can then provide a third party company with this sensor data so they can serve as an alarm company. In Node-Red, it would look like this

      ——->Alarm Company

      And you type in your login/password and details of your residence. And if you don’t like them anymore, delete the connector line and the box.

      _________________________

      So yes, there’s a very rich way of handling all sorts of actions in the home. And yes, your toast idea is dumb, as is using it as a strawman for every other possible idea that isn’t “IoT toaster”.

      1. I think you missed the whole point of my post. It isn’t to say “don’t ever do this”. It’s to say “Think before doing”.

        If you have valid, concise and thought out reasons for doing a thing, then by all means do it. If you are just doing a thing to do a thing, then you need to think about it again.

        Having a good why is fine as long as it isn’t outweighed by the why nots..

        1. I agree with you. Sounds like useless, competition for the sake of competition and to brag about how tech smart you are. None of this is making the world a better place to live, just more stuff to end up in a landfill.

      2. I’m firmly with Taylorian71. So you put sensors everywhere and measure everything. Still no real Earth shattering benefit. I have an alarm system for burglary and fire. Beyond that I can’t see much use for a sensor laden home.
        There will someday be a limit to the “toys” the public will buy. IOT tells me we are approaching that now.

        1. the thing is, iot isn’t supposed to be a toy. it’s supposed to make life easier and faster. so i have an iot connected fridge, pantry, general kitchen, right? i want to know if i can make chicken pot pie tonight, but i have a roomate who likes to eat that one thing you absolutely need. i find a recipe, send it to my home server, which connects to the iot router and asks if we have all the things in it. if not, it finds the lowest price for deliver to your home groceries, and checks in with me whether to order it. say i need a particular thing, like an oven, but i thought the crockpot recipe would work without it(it doesn’t, but i didn’t read that through) my iot will say “your oven broiler is broken, cannot complete recipe” and then i know i can’t make chicken pot pie. all within my fifteen minute break at work, or the traffic jam on my way home. that’s the ease of an iot toaster. that’s the helpfulness. and it’s relatively secure. only access is through manual or a set server. and that is through the router, so the server is the only approved user other than your iot devices. encrypted access, the whole shebang. sure a lot of the stuff we have is toys, but… that iot lamp? now you know exactly how much the lamp is costing you when you leave it on. i’m surprised phones and electric cars don’t already have that. just input your price per kw/h and it tells you how expensive a charge will be at home. or a charge was.

          1. Or, you could think for 5 seconds about the recipe you just read with your own eyes, and determine whether you have the ingredients and appliances needed to make it.

            And if your oven broiler broke between the time you left for work and the time you checked your phone for your gadget to tell you about it, you have bigger problems than what to make for dinner, because you have an intruder in your house, and a strange one at that.

        2. monitoring water I’ve found water leaks and stuck open sprinklers – saved me thousands in home damage and hundreds in water and sewer bills – monitoring electric nothing of real value so far. Wife loves being able to change the hvac – I love it because I can reset it when she leaves the house. I love having the alarm connected so I know when the maids come to the house and for peace of mind by checking up on the pet sitter.

  4. I want my appliances all connected to report real time operational and diagnostic data to manufacturers, to make better products, make targeted and efficient service calls, effectively turn every instance into a lab test from which something can be learned. Frankly i don’t care about security at all. I want auto scheduling of non essential functions to coordinate with the utility to increase grid efficiency and resiliency. Mostly I just want little Internet queens to stop whining about hypothetical, irrelevant, and easily avoidable problems.

    1. The information your IoT appliances send out to manufacturers is worth more when sold to third parties than it is to their support teams. Even if they don’t sell it, the information is still more valuable to unscrupulous third parties who would like to intercept it.

      “Frankly i don’t care about security at all.”

      So you don’t care that the gesture-sensing camera on your TV might be hijacked and used to spy on you, or that somebody who hates you might hack your toaster and use it to burn your house to the ground, or that your IoT fridge can be exploited to give somebody access to your email credentials, which can then be used to reset your bank account password and empty your money into some Russian kid’s Lamborghini fund?

  5. I work for a company that works with appliance companies and develops products. Here is the issue. A world wide known manufacturer of washing machines says that 70% of what they sell has 3 knobs. One for wash and rinse temps, one for load size and one for fabric type and wash time. Why do you need a washer or dryer that has IOT? Forget to run it? Do it when you get home.

    Smart refrigerators that you can access when you are at the grocery store and don’t remember if you are low on milk? Well, back in the day when Radio Shack stocked radio parts and Heathkit made affordable kits, we had this silly little thing called a pad of paper and a pen attached to the fridge. It was great technology that allowed a user to compose a shopping list. It was hooked up to social media and anyone in the house could add or subtract to the list. It was portable as well. All a user had to do was remove the top sheet and go to the store.

    Flat screens in your refrigerator? More likely than you think. Needed? Nope. Refrigerators need to refrigerate and pretty much nothing more. Oh wait, if you have a flat screen, your young fledgling artist can draw a picture, scan it to a .jpg and add it to the screensaver. Or they could just get a magnet…

    1. I do want to know when the laundry is done (so I don’t let wet things sit, and also that I don’t let dry things sit and wrinkle). the laundry buzzer is not audible from inside my house. I need a remote buzzer of some kind. this is natural for iot. similarly, I may want my oven or microwave to buzz me when I’m in my hardware lab.

      both of those are just notifications of an event, but those devices are not currently able to send notifications of any kind.

      I have lots of display devices around the house (clocks and things). I have built up a system that connects things that ‘alarm’ to things that can show status. that’s my iot for home (and btw, no cloud, no wan, no ip networking needed).

      the wan does not need to be part of this, but smart-home still has good utility. for me, the key is that I have control and not some other company. that means its 100% diy. works for me even though you have to be a techie to install/configure and even run it.

      1. Yeah, this is a similar use case for me.

        The washer is outside, so the buzzer is inaudible. The model I had previously had a delayed start feature, but that is missing in the later model. Having the washer connected would allow me to schedule the start for 5am, so that the wash is done by the time I wake up at 6am, and can put the next wash in before I go to work. The washer could then notify my wife when it is done, so she can take the second load out, and get the third load started. (Yes, I have 3 kids, if you were wondering why there is so much washing!).

        The washer also defaults to a “softener” cycle, which is a waste of water for me, since we don’t use softener. We have been unable to find the option to eliminate this cycle, other than simply interrupting the machine at approximately 17 minutes to the end, when the spin and drain cycle has completed, and before the water starts for the next cycle. Being able to automate the interruption at this stage would save a lot of water and electricity.

        FWIW, the washer is a Samsung WA13v5 top loader, and it has an expansion connector on the controller board. If I could figure out the pinout (7 pins) and protocol, I could probably plug in an ESP8266, and hook it up. Pictures here: https://goo.gl/photos/quygxksoHXbqboKE9 The board is potted in a transparent resin, making it tricky to connect directly to the various buttons, which is the “easy” solution. Anyone able to identify the connector in use?

    2. I want my fridge to record data on compressor cycles, refrigerant charge over time, reheat processes, local environment variables, and I want the algorithms that control these things to update when my manufacturer learns new ways to improve their appliance from this data. I want them to take measurements that might precede failure and to report exact diagnostic issues to improve the efficiency of service calls, products. Heck, I want them to implement this all automatically, charge me an upfront premium, while in the background they make a profit off this data, by making Uber-like calls to the lowest bid repairman.

      This over the top complaining makes no sense, there will always be a low end special with sloppy analog control and no energy efficient digital controls. You’ll never have to take the fancy stuff, you’ll be able to hum along content and ignorant of the added utility of data and data driven efficiency. The luddite can buy these items up while the rest of us, consumers, service contractors, and manufacturers slowly find ways for new cheap technology to improve the garbage around us. The relentless whining and focusing on the absurd amuses me to no end.

      1. No, I want my fridge to keep the set temperature, as long as it has power. Not more, not less.

        Ideally it does not need service and keeps its refrigerant in place. And I know that’s already possible: My fridge does this since the days of R12 refrigerant, but I don’t know how old it is, as it was in the apartment when I bought it in 1998.
        I agree that there are more efficient modern devices with digital control and inverter drive, but still they don’t need an internet connection and I don’t want it on the fridge.

        1. Good for you. There will always be 30 year old compressor technology and poor analog control that will do the minimum necessary. That you incur additional operating expenses for the privilege of low efficiency and poor control, or in the future lose utility incentives and incur time of use fees for not cooperating with the grid, is entirely your choice. Why are you insane with emotion that others might choose to be more connected, cooperative, and efficient?

          1. Furthermore, although fancy high-efficiency appliances will be the first to get connectivity, I seriously doubt there will ever be a requirement to provide it connectivity. So you can remain blissfully siloed by simply not connecting their $5 wifi chip. Why are you so dedicated to fighting this completely optional choice? It’s the most irrational yet disturbingly widespread opinion encountered in this community…

          2. Seriously? Manufacturers do not need connection to all their fielded devices to know their weaknesses. They still must design them for high uptime as field repairs are costly. They still must do extensive testing on the devices before fielding them. If anything the IOT might give them further leeway to crapify product designs because failures can be ‘predicted’ and you get billed before you are inconvenienced by direct failure. Oh and what about product ‘features’ enabled by monthly fees which the manufacturer can control. They love that ongoing revenue stream which so many people fall for these days. Hey it’s only $5/month, that isn’t much until two years have passed and you have shelled out $120 for something fairly worthless.

          3. @jeff teller

            Because on the highly computer controlled gadgets, the companies will connect everything to a computer and have the computer drive it. Is that a bad thing? Doesn’t have to be. But it is, the way these companies do it.

            1. Non-essential sensor fails. Whole unit shuts down.
            2. Requires, or highly ‘suggests’ internet connectivity.
            3. Lack of upgrades = exploits
            4. computer or parts die = costs in parity to buying a new thing

            My wife has a Hyundai sonata 04. The temp sensor gives out bullshit readings. Example: this week, it’s been in the 60s mostly. Car detects 22f. What that means is the thermostat goes from cold air to hot and hotter. Because there’s no way to just say “small amount of warm air” as it mixes the outside detected temp.

            There are other ways to do this. The main thing I can think of is to publish how these sensor nets work. And then it’s much easier for companies (and us) to sprout up and fix them. But that would require levels of cooperation, which our very system of capitalism refutes.

        2. Fine. You can retrofit a temp sensor in the freezer and fridge and squirt that data to your local IoT network. Why?

          You can see if your fridge and freezer is at what temp. And if the fridge does die, you will see a graph that climbs upward. Where it was at 35f, you will notice 37f… And when it does die, you will see a nice S curve from whatever it was supposed to be at to above 41f.

          And you can sound an alarm above 41f. You just now saved your food in your fridge.

          It would cost $5, plus a 3d printed box (or $5 more for a box) to make a temp sensor that plugs in on top of the fridge, has 2 leads, and is taped to the side inside each door.

          Seems like a great deal to me, and has the added feature of “Controlled by you”.

      2. Your refrigerator’s compressor cycles are predictable. The temperature difference between the outside of your fridge and the inside of your fridge is what determines how often your fridge compressor cycles. If you want your fridge to cycle less often (and your food to go bad quicker), set the thermostat inside at a higher temperature. Or open it less often.

        The fridge manufacturer already knows how to make a better, more efficient fridge. They simply choose not to, because you wouldn’t buy it at the price point required. So they arrive at a compromise between performance and price.

        That “internet-connected fridge” has the same compressor, coils, and refrigerant in it as the “luddite” model next to it on display at Home Depot. The way it functions is exactly the same. The refrigerant temperature difference between the high pressure and the low pressure sides is the same. The duty cycle that the compressor runs on is determined by the number of times you open it to see what’s there. There’s no magic efficiency to be squeezed out of it by sticking a bunch of sensors in it. The efficiency is determined entirely by the design and operating conditions. The manufacturer doesn’t need to monitor *your* specific fridge in order to determine how the product can be improved. They can do that in a test lab. All the “smart” model has is a $30 touchscreen, a $5 wifi chip, and $8 worth of LEDs in it, but they suckered you into spending an extra $1000 on it, because they know you love mentally masturbating to words like “efficient” and “smart grid”.

        The desire not to get swindled does not a luddite make.

        There’s nothing sloppy about analog controls, by the way. They react instantaneously. There’s no sampling or measurement resolution to worry about. And in fact, many digital control systems simply model analog controls.

        Any future innovation in refrigeration technology will come from improvements in materials, not the analysis of the minutiae of sensor data in every fridge in every residence.

    3. Chances are that the manufacturer won’t do any firmware updates for your fridge. Not until there is a way for them to make money for these kinds of services. They make appliances and they have already been paid once it has been sold. The only time they would do something is safety related.

  6. I don’t want an IoT…. I want a LoT (Lan of Things). I want to network all the things in my house, it’s always been a dream for me. I sure as hell don’t want anything in the house phoning home or to have to log into 10 different companies’ web portals to drive them. It’s why I hacked my Samsung air conditioners, they’re now content little lan devices that I can drive from my console (I don’t even know where I put the remotes). And my Blu-ray player? You can bet the two times I’ve ever turned that on it’s been firewalled off (I actually have a script in my router that detects Sony products and blacklists them automatically).

    1. And I like my coffee black. There will always be choice. Maybe I should start a blog where I complain about people who take sugar. lol, nah I can just complain about it in comment sections every time it comes up

        1. The anti-IoT crowd is literally hysterical beyond reason. Can’t even tell if you are joking or expressing honest (yet ridiculous) fear. The satire is indistinguishable from reality. LoL.

          1. I’m going to make a $500 frisbee that records the temperature and barometric pressure every time it’s thrown, and if you tell me it’s a stupid way to record weather data, you’re a fear-mongering luddite.

          2. Understood.

            I am not anti-IoT, just more accepting of the LoT premise mentioned above. To me, makers, engineers, and other devs should provide more time for the consideration of which connectivity technologies to implement in their devices. To be clear, if it already plugs into a standard receptacle, why not make use of homeplug, instead of subject to the extra

  7. I think theoretically it might be so that the more devices there are the more confusing it gets for the average portscanning hacker, let them try to hack a coffeemaker because they think it’s a proxy running on a windows box, based on the port :)

    1. Ah – but – “Mr Mocca” probably has more MIPS to spare than the poor windows box already loaded with serving targeted ads, chatting with the fridge about the expiry date of milk and generally spying on the users ;-)

  8. Early this summer my neighbor bought an IoT air conditioner and placed it right outside my office window. Annoyed with the rattling noise I figured out how to connect to it via WPS (the number was right there on a sticker) and flash a bad firmware image. I think he went through three or four air conditioners before giving up.

  9. “If you don’t think that stealing your Gmail account password is bad news, think about the password-reset procedure at your bank, and how they send you the new password.” Completely idiotic. Who uses Gmail for any serious emails??!! like bank account?! If you actually use Gmail for anything other than comments on website then you are an idiot and you deserve to be hacked.

    1. I’m waiting for some manufacturer of some sort of connected device with constant power to do this. Until someone puts one on an ammeter to analyze the “vampire load,” it’d likely go completely unnoticed.
