The Internet of Risky Things

I’ve resisted as long as I could. It’s futile.

My home, and likely yours, has been slowly filling with small, internet-connected devices. These include voice-controlled smart speakers like the Amazon Alexa and Google Home, appliances, smart thermostats, cameras, smart light bulbs, smart plugs, smart everything. They’re called the “internet of things,” or IoT for short. Yet these things may not be as smart as they seem, and we may be taking on some unknown risks.


Convenience

Convenience is a huge driver in our lives. No more turning on lights with a switch when Alexa or Google Home can do it with a command of your voice! What’s more, you can do this while you’re out in your neighborhood or anywhere in the world. Want to open your garage door when you approach your neighborhood? Done. Want to adjust the thermostat before you get home and check a video feed of your pets chewing your fancy couch? Done and done.

Hal, open the pod bay doors.

-Dave

There’s no argument against this convenience. The possibilities are truly amazing and were impossible before this technology came into being. These devices monitor patients for serious health conditions. A doctor can receive incredibly detailed stats on heart rate, blood sugar, activity levels, medication levels… all in real time. Doctors are alerted to abnormalities – likely before the patient realizes there’s a problem. This can save lives. This can be truly incredible.

Of course, there is the absurd. Do we really need an internet-enabled toaster? Is modern life so difficult that we need to press a button to re-order toilet paper from Amazon?

Economics

Here’s where things start to break down in some cases of consumer-grade IoT. Security costs money. It takes time, skill, and effort to develop secure software, to fix bugs after devices have been sold, to enable secure communications, and to protect information stored on these devices.

Consumers are cheap. We often won’t pay more for a product that has little to no perceived benefit compared to another. Say you’re shopping for a smart plug, something to control a lamp from your phone or Alexa. One may cost $10, the other is $20. They both do the exact same thing: turn something on and off.

“Alexa, turn off the Alexa”

-Luke

So manufacturers must make a choice: either stand out in the market and sell a more secure product, or race to the bottom, and compete on price. I think the vast selection of cheap products answers this question.

Startups. These are small, often new companies and innovative people who want to bring new products to market. They have similar challenges. Costs must be kept as low as possible. That leaves little beyond the most lean design, development, manufacturing, and marketing of these IoT devices. Investors and venture capitalists won’t put money into something that isn’t as lean and profitable as possible. They want the largest return on their investment, and that’s understandable. A startup simply can’t invest in all this unnecessary security. Getting the product out the door as cheaply as possible is priority number one.

The startups that do survive for at least a few years are more established and can put more effort into security. That makes me wary about buying a product from a new brand that nobody has ever heard of before.

Let’s think about economics in a different way. Can you buy a TV that isn’t smart anymore? Maybe, though your choices will be severely limited. Because TV manufacturers include smart features in every model, the added cost for each is negligible.

It may cost more to leave out smart features in TVs. Why? Competition is fierce and there is little profit in the actual TV anymore. These manufacturers found they can make small amounts (pennies) over a period of years by selling your viewing habits to advertisers, researchers, and who knows who else. Multiply that over many millions of users and it starts to make sense – and cents.

Not to worry, it’s all written in the end user license agreement (EULA) that you agree to when you power up that TV the first time. You read all of these for each service and product you use, right?

Privacy

TV viewing habits are a perfect segue into privacy and how our IoT usage information is collected, used, and misused. TVs aren’t the only things that collect such usage information. Roku, Apple TV, and all the other streaming devices, Alexa, Google Home, Google Chromecast (streaming devices that are now often built into other electronics), sound bars, you name it. If information can be collected and monetized, it probably is. Devices watch us in a diabolically brilliant way: by analyzing what we’re watching or listening to. A company called Samba TV develops the technology to make this possible. Other technologies will record, transmit, or store your voice commands.

Some companies are less than transparent about what they collect and what they do with this information. Some of these unscrupulous companies are caught red-handed. They quickly apologize and remind us that our privacy is their number one priority. We hope they’re honest as they slyly update the EULA.

An unfortunate side-effect of these economics is that we often can’t disable the smart features. If we try, it’ll cripple some basic feature of the device. What if you don’t want your TV watching you watch your TV? Then you may endure some delayed message nagging you to turn on all of those nifty smart features.

The most deceptive behavior (rumored, not confirmed) is where some TVs will search for open Wi-Fi networks to talk back to their mother ships. This occurs AFTER you disable Wi-Fi or simply choose not to connect to your own network. The best way to protect yourself here is to read and understand those agreements.

(In) Security

Take a look at this security camera for sale on Amazon. The description touts “receives regular security firmware updates.” That is impressive! It is nice to finally see a vendor put that front and center. Most consumers don’t update their devices, the vast majority of devices don’t or can’t update themselves, and most people simply don’t care.

A quick search of this camera on the vendor’s own website reveals the current firmware date is 2017. Nice. Two years is what one vendor calls “regular.”

Updates and patches

What's the big deal about updates and patches? Over time, security pros find weaknesses in software, hardware, and the protocols these things use to talk to other devices, including the way they talk to things outside of your home or business. One of the greatest benefits of IoT is being able to interact with these devices while you're nowhere nearby. That makes sense. So how important is that communication? Very. One example is the breach of a casino through a fish tank. I'm not kidding.

This two-year update cycle isn’t out of the ordinary. You see, for a $10 smart plug or a $70 camera, there simply isn’t enough wiggle room in the cost to keep these devices up to date. For some, they may not even be capable of updates. Many devices are simply abandoned, never to be updated again. What are you expected to do? Throw it away and buy another. Even, for example, something you may have purchased ten years ago that works just fine today. How will this play out in more durable products, like refrigerators? Will the manufacturer support the smart displays and other connected technologies found in these appliances?

This works perfectly fine, why buy a new one?

This is a major reason why we continue to use outdated software and IoT devices. Businesses hesitate to invest in new technology when the older stuff works just fine. There is no tangible or significant benefit to upgrading, and such a benefit is necessary to justify the cost of the new product. We have to make the same decisions for things we use in our homes as well.

There is a dirty secret in technology. Product descriptions, salespeople, and manuals mention nothing about this. It is difficult to know how long something is expected to function and how long its software will be supported. I expect my smart plugs to last a few years. A smart refrigerator and smart car, maybe 10 to 15 years. If our expectations aren’t in line with the manufacturer’s, we may have little recourse.

This disposable reality creates more electronic waste (e-waste). We’re still not very good at managing this. If you want security, this is the reality. There is a rising movement called “right to repair” which aims to improve this situation. Consider educating yourself on this because it may be one of the few long-term solutions.