Three million malware-infected smart toothbrushes used in Swiss DDoS attacks (tomshardware.com)
284 points by dist-epoch 7 months ago | 175 comments



This article is strange & many details are lacking. All the big smart toothbrushes use BLE and are not WiFi-connected. Tried to fact-check the article, but nothing.

A bunch of BLE chips are also WiFi capable, so not ruling out that someone compromised the firmware to enable WiFi functionality, but I wonder how they were able to connect to WiFi to trigger a botnet in the first place.

Quite skeptical of this article, while the premise of the danger of IoT devices still remains, nonetheless.


I tried to fact check it also. They talk about a "Java-based" OS that could have been the cause.

I know Java ME was a thing and there are micro JVMs that can run on microcontrollers but still, it does not add up.

I think a DDoS attack happened (happens all the time) and security "experts" mentioned that these things could come from anywhere, even toothbrush, and the details got lost in translation / used for click bait.


>A bunch of BLE chips are also WiFi capable, so not ruling out that someone compromised the firmware to enable WiFi functionality

The ESP32 is now used as a general-purpose chip even in applications where an 8-bit MCU would have been enough. A remotely exploitable vulnerability in the ESP32/SDK could have large-scale consequences.


The only way to load firmware to consumer ESP platforms is usually via mobile apps… so, someone with privileged access to consumers’ apps, or the supply chain, used that access to load bespoke firmware to toothbrushes... highly doubtful.


Leaves open the question of how they joined the network - WiFi passwords and such. Maybe stolen from the phones/laptops and then sent to the device as part of the exploit?


I could imagine there’s a lot of toothbrushes near unsecured wifi hotspots. (Hotels, in backpacks of travellers in a cafe, a demo unit in a store) Could be as simple as polling continuously till one allows the device to phone home.

This does seem to be a debunked story though.


It's not something that actually happened. It's just some bullshit that's gone viral.

https://cyberplace.social/@GossiTheDog/111886558855943676


That toot references https://archive.is/2024.01.30-203406/https://www.luzernerzei... which attributes the story to Stefan Züger from the Swiss branch of Fortinet and claims it to be an actual event.

I don't see a mention of "NoName Ddosia".


Re "Noname Ddosia": It's from the context, if you know your recent infosec history:

"Jüngst wurden damit auch Server von Schweizer Regierungsstellen während des Weltwirtschaftsforums angegriffen – als Retourkutsche für die Teilnahme des ukrainischen Präsidenten Wolodimir Selenski. Eine russlandnahe Gruppierung bekannte sich zum Angriff."

(translation: "Servers of Swiss government offices were recently attacked during the World Economic Forum - as a retaliation for the participation of Ukrainian President Volodymyr Zelensky. A group close to Russia claimed responsibility for the attack.")

Background: https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2023...

But it's not clear to me that's right, isn't WEF in the summer?

Ah, they've been ongoing, here's the earlier one: https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2023...


WEF is in winter


Usually in January, 2021 was in August and 2022 in May.


I can't read Dutch, but machine translated to English the "original source" as referenced in your link says this:

> The example that comes like a Hollywood scenario has really happened that way.


> I can't read dutch, but...

It's not Dutch, it's German, so trying to translate it as if it were Dutch would give strange results (although Google Translate tried to do it anyway, and came fairly close, due to the languages being somewhat related).

The original sentence: "Das Beispiel, das wie ein Hollywood-Szenario daherkommt, hat sich wirklich so zugetragen."

Translating from German, Google Translate gave me:

"This example, which seems like a Hollywood scenario, actually happened."

Translating, as if it were Dutch, Google Translate gave me:

"The play, the one who comes to a Hollywood theater, is such a work in itself."


>It's not Dutch, it's German, so trying to translate it as if it were Dutch would give strange results

Anecdote: One of my coworkers once thought that Dutch means German. I guess it was because the words "dutch" and "deutsch" look so similar.


It's possible that terms such as "Pennsylvania Dutch", which refers to the German-Palatine originating Amish and other groups within the US state of Pennsylvania, might account for some of this confusion. The "Dutch" in that case are actually "Deutsch", that is, of German origin.

That said, the Dutch language is among the Germanic languages, and is closely related to German itself (similarly, the Dutch-derived Afrikaans, with which Dutch is largely mutually intelligible). To someone reasonably fluent in German, Dutch looks like a somewhat garbled variant. Similarly Danish, though the spoken form varies considerably from the orthography, and Norwegian, also closely related. Contemporary German shares many words and a fair bit of grammar with English as well, making bilingualism in both relatively easy, compared with, say, more distant languages such as English-Arabic or English-Mandarin.


You're right, and I should've realized that, but I just used the browser translation and must've misread deutsch for dutch.

Regardless, the translation is close enough to yours (albeit grammatically awkward).


Here's a better translation:

> This example, which seems like a Hollywood scenario, actually happened.


The best translation, however, is from Fortinet's clarifying statement.

https://mastodon.social/@jasonkoebler/111892744775689047

"It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred"


> but I wonder how they were able to connect to WiFi to trigger a botnet in the first place.

Wardriving for oral health?


That's a really flimsy article. Someone is claiming 3 million smart toothbrushes were used in a DDoS, but no one is talking what/who/how. That seems like the kind of extraordinary claim that requires at least some kind of evidence.

There is surely at least some technical details that enabled them to identify the toothbrushes, right?


It also seems odd that even if you (maybe unknowingly) connected your 'smart' toothbrush to wifi, it would be exposed to the public internet. Aren't most people using some kind of clunky cable modem etc. from their ISP, which would have a basic inbound firewall?


There's lots of ways for this expectation to be broken.

The most obvious is UPnP, where the device can ask the gateway router to forward ports.

The second is the fact that devices on the LAN are accessible to other devices on the LAN. Malicious JS in a webpage can scan for and compromise other local devices.

And the third is the fact that whatever serves code to the toothbrush (whether it's firmware updates, or an HTML5 dashboard) can be compromised. In the latter case, it could be something as simple as persistent XSS.
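The UPnP point above is easy to check on your own gateway. What follows is an added example, not code from the thread or from any product mentioned in it: it builds the UPnP IGD SOAP request that walks a router's port-mapping table (GetGenericPortMappingEntry, one entry per index until the gateway answers with error 713) and audits the parsed replies for mappings that expose a LAN host nobody meant to expose. The gateway address, control URL and allow-list of LAN hosts are hypothetical assumptions, and the XML replies are constructed samples shaped like a WANIPConnection:1 response.

```javascript
// Added example (not from the thread): the UPnP IGD request that walks a
// router's port-mapping table, and an audit over the parsed replies.
// Assumptions, not from the thread: the gateway address, control URL and
// the allow-list of LAN hosts are hypothetical; the XML replies below are
// constructed samples shaped like a WANIPConnection:1 response.

const SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1";

// SOAP request for GetGenericPortMappingEntry(index). A client walks the
// table by calling index 0, 1, 2 ... until the gateway answers with UPnP
// error 713 (SpecifiedArrayIndexInvalid).
function buildGetMappingRequest(index, gateway = "192.168.1.1:5000", controlPath = "/ctl/IPConn") {
  const body =
    '<?xml version="1.0"?>' +
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" ' +
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>' +
    `<u:GetGenericPortMappingEntry xmlns:u="${SERVICE}">` +
    `<NewPortMappingIndex>${index}</NewPortMappingIndex>` +
    "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>";
  const head = [
    `POST ${controlPath} HTTP/1.1`,
    `Host: ${gateway}`,
    'Content-Type: text/xml; charset="utf-8"',
    `SOAPAction: "${SERVICE}#GetGenericPortMappingEntry"`,
    `Content-Length: ${Buffer.byteLength(body, "utf8")}`,
  ].join("\r\n");
  return head + "\r\n\r\n" + body;
}

// Pull one element's text out of a reply; enough for the flat IGD responses.
function element(xml, name) {
  const m = xml.match(new RegExp(`<${name}>([^<]*)</${name}>`));
  return m ? m[1] : null;
}

// Parse one GetGenericPortMappingEntryResponse; null marks the end of the table.
function parseMappingReply(xml) {
  if (/<errorCode>\s*713\s*<\/errorCode>/.test(xml)) return null;
  return {
    remoteHost: element(xml, "NewRemoteHost") || "", // "" means any remote host
    externalPort: Number(element(xml, "NewExternalPort")),
    protocol: element(xml, "NewProtocol"),
    internalPort: Number(element(xml, "NewInternalPort")),
    internalClient: element(xml, "NewInternalClient"),
    enabled: element(xml, "NewEnabled") === "1",
    description: element(xml, "NewPortMappingDescription") || "",
    leaseSeconds: Number(element(xml, "NewLeaseDuration")),
  };
}

// A mapping is suspect when it is live, open to any remote host and points
// at a LAN address the operator did not expect to be reachable from outside.
function findSuspectMappings(replies, allowedClients) {
  const suspects = [];
  for (const xml of replies) {
    const m = parseMappingReply(xml);
    if (m === null) break; // 713: walked past the last entry
    if (m.enabled && m.remoteHost === "" && !allowedClients.has(m.internalClient)) suspects.push(m);
  }
  return suspects;
}

// Constructed sample replies: a deliberate mapping for a NAS, a mapping
// nobody remembers creating, then the 713 fault that ends the walk.
function sampleReply(fields) {
  const inner = Object.entries(fields).map(([k, v]) => `<${k}>${v}</${k}>`).join("");
  return '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>' +
    `<u:GetGenericPortMappingEntryResponse xmlns:u="${SERVICE}">${inner}` +
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>";
}
const SAMPLE_REPLIES = [
  sampleReply({ NewRemoteHost: "", NewExternalPort: 443, NewProtocol: "TCP", NewInternalPort: 443,
    NewInternalClient: "192.168.1.10", NewEnabled: 1, NewPortMappingDescription: "nas-https", NewLeaseDuration: 0 }),
  sampleReply({ NewRemoteHost: "", NewExternalPort: 49153, NewProtocol: "TCP", NewInternalPort: 8080,
    NewInternalClient: "192.168.1.57", NewEnabled: 1, NewPortMappingDescription: "", NewLeaseDuration: 0 }),
  '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>' +
    "<detail><UPnPError><errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid" +
    "</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>",
];

// Run the audit over the constructed replies with a hypothetical allow-list.
function runAudit() {
  return findSuspectMappings(SAMPLE_REPLIES, new Set(["192.168.1.10"]));
}
```

Against a real gateway the request goes to the control URL advertised in the device description found via an SSDP M-SEARCH; the parsing and the audit rule do not change. Disabling UPnP on the gateway removes the whole class of "the device forwarded its own port" surprises at once.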


> The second is the fact that devices on the LAN are accessible to other devices on the LAN. Malicious JS in a webpage can scan for and compromise other local devices.

Which browser API enables that?


I was skeptical at first, but did some superficial scouting.. it's trivial for a malicious website to do nasty things to any internal resource which doesn't have a strict CORS policy.

https://security.stackexchange.com/questions/177486/can-webs...

As the adage goes, the "S" in IOT stands for "Security".


Yes, I have (non-public) variations of the https://rootmy.tv/ exploit that can fully compromise an LG smart TV from the browser session of any other LAN-adjacent device.


But CORS is strict by default. They must specially add headers to allow such requests.


HTTP, it's all the rage these days. (via <form>, fetch, XMLHttpRequest, et al)


Ah ok, so we are talking about dumb old methods. I thought it was something like the fancy APIs that are all the rage these days.


There was a brief window when people knew that if they used non-HTTP protocols, then malicious webpages couldn't talk to it.

But now even "native" apps are web apps, and IoT devices all use web APIs too. They can be locked down through CORS etc., but it's easier for devs to set `Access-Control-Allow-Origin: *` and worry about it "later".


In most cases `Access-Control-Allow-Origin: *` is actually a decent policy. It importantly blocks cross-site credentials. So as long as your API has any authentication it should prevent it.

The real mistake is mirroring the Origin header from the request in the `Access-Control-Allow-Origin` response header which allows credentials (unless you add other headers)

Of course this all relies on you not accepting form posts without auth.
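The three policies discussed in this sub-thread (wildcard, mirrored Origin, allow-list) can be compared by applying the browser's own rules to the headers a device would send. The block below is an added example, not code from the thread or from any product in it; the origins and header values are hypothetical, and the last function covers the closing point that CORS only governs reading responses, so a "simple" form POST still reaches an unauthenticated endpoint without any preflight.

```javascript
// Added example, not from the thread: how the three common CORS policies
// behave for a LAN device's HTTP API, reproduced by applying the browser's
// own rules (from the Fetch spec) to the response headers. All origins and
// policy contents below are hypothetical.

// CORS response headers a device would send for a given request Origin.
function corsHeadersFor(requestOrigin, policy) {
  switch (policy.mode) {
    case "wildcard":
      // Any origin may read the response, but the browser will never attach
      // cookies or HTTP auth to a request whose answer is "*".
      return { "Access-Control-Allow-Origin": "*" };
    case "mirror":
      // The dangerous pattern: echo whatever Origin arrives and allow
      // credentials, so any site gets an authenticated read of the API.
      return {
        "Access-Control-Allow-Origin": requestOrigin,
        "Access-Control-Allow-Credentials": "true",
      };
    case "allowlist":
      // Mirror only known origins; unknown ones get no CORS headers at all.
      if (!policy.origins.has(requestOrigin)) return {};
      return {
        "Access-Control-Allow-Origin": requestOrigin,
        "Access-Control-Allow-Credentials": "true",
        Vary: "Origin", // so caches do not serve one origin's headers to another
      };
    default:
      throw new Error(`unknown policy mode: ${policy.mode}`);
  }
}

// The browser's decision: may script running on requestOrigin read the
// response? With credentials, ACAO must be the exact origin (never "*") and
// ACAC must be exactly "true"; without credentials "*" or the origin suffices.
function browserExposesResponse(headers, requestOrigin, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === requestOrigin && headers["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === requestOrigin;
}

// CORS restricts reading, not sending. A "simple" request (GET/HEAD/POST with
// a form-style Content-Type and only safelisted headers) is sent with no
// preflight, which is exactly what a cross-site <form> post or a plain fetch()
// produces; only an authentication check on the device stops it.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
function needsPreflight(method, headers = {}) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return true;
  if (headers["Content-Type"] !== undefined) {
    const ct = headers["Content-Type"].split(";")[0].trim().toLowerCase();
    if (!SIMPLE_CONTENT_TYPES.has(ct)) return true;
  }
  return Object.keys(headers).some((h) => !SAFELISTED_HEADERS.has(h.toLowerCase()));
}

// Walk an attacker origin through each policy, with and without credentials.
function compareCorsPolicies(attacker = "https://evil.example", trusted = "https://app.example") {
  const policies = {
    wildcard: { mode: "wildcard" },
    mirror: { mode: "mirror" },
    allowlist: { mode: "allowlist", origins: new Set([trusted]) },
  };
  const out = {};
  for (const [name, policy] of Object.entries(policies)) {
    const h = corsHeadersFor(attacker, policy);
    out[name] = {
      anonymousRead: browserExposesResponse(h, attacker, false),
      authenticatedRead: browserExposesResponse(h, attacker, true),
    };
  }
  return out;
}
```

The table `compareCorsPolicies()` returns makes the sub-thread's point concrete: only the mirrored-Origin policy yields an authenticated cross-site read, the wildcard gives an anonymous read only, and the allow-list gives the attacker nothing. None of the three changes whether a form post reaches the device, which is why `needsPreflight` is worth keeping in mind when an endpoint has no authentication.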


I suppose you could just loop through all the IPs for some common ranges like 10.0.0.0/16 and 192.168.0.0/16 looking for a given port, if you knew the toothbrushes exposed it and there was something exploitable there, that makes sense.


Even 192.168.1.0/8 will probably get you ~95% coverage for residential networks.


It's even easier if the device has assigned itself a "toothbrush.local" hostname via mDNS etc.


Did you mean /24? As low as /16 is valid, but /8 includes plenty of public addresses.


Thanks, you're right!


Hypothetically, let’s say these toothbrushes connect periodically to an API from which they fetch firmware updates. If you’re able to MitM that connection, you could deliver whatever you like as a firmware payload to the toothbrush. Or maybe someone designed the toothbrush to open ports using UPNP to enable a remote connection to tell the toothbrush that the update server has moved to a new URL?


A lot of home, small business, or neglected enterprise routers and firewalls are broken into permanently. Many of these will not auto-update their firmware or the attackers got in before the patch was available.

Then the initial actor sells access to them to other actors. I believe the Ubiquity Edge router, a small/medium/AV industry favorite, was paired with other exploits by a state actor to perform attacks on high value orgs.


I'd like to see more details too, but it's not that extraordinary in my opinion - par for the course for low-cost wifi-enabled appliances.


I have an older Philips toothbrush without Bluetooth, Internet or vendor-locked heads, and it charges wirelessly in a glass cup. I love it.

I recently tried to buy a second one and could only find newer models with all these garbage features I don't want. Who the hell wants their toothbrush to connect to the internet? Wound up turning to eBay to find stock of the old one.

It might sound cruel, but I hope the moron who decided to add these features into their product, and the lackey who implemented it, are having a bad day and reflecting on the wisdom of what they did.


Wifi is silly, but there really is a benefit to the Bluetooth/app connection -- it is used to see where you are brushing and spots you are missing. My dentist definitely has seen an improvement in the plaque in my back teeth since I started using a smart toothbrush that uses an app on my phone.


> spots you are missing

Just brush each tooth systematically. My dentist tells me "Just keep doing what you are doing." I have the cheapest Braun Oral-B with a two minute timer. I've worked out by trial and error that that is about the time to stroke each face of each tooth about twelve times. Now I do that even if it takes a bit longer than two minutes because I occasionally brush slower.


How does it know the location you are brushing?


Bluetooth from the teeth! It is in the name ; )


Ha! But presumably the bluetooth is there to tell the app what it measured and to visualize it. But presumably through a combination of sensors and accelerometers


I would presume a bunch of IMUs and fusing together orientation/accel data?

I can see how knowing the orientation and relative motion of the head might allow one to map this out.


I assume you mean the head of the toothbrush but what about my head?

The IMU data is relative to earth (kinda). But toothbrush position over teeth is relative to my head. Moving around and turning your head gets added to the IMU measurements with no way to tell it apart.

Did I turn my head/body 90 degrees left, or did I move the toothbrush 90 degrees from my front teeth to the rear left ones? Impossible to tell these apart.


> Though we don’t have the finer details of the DDoS story, it serves as yet another warning for device owners to do their best to keep their devices, firmware, and software updated; monitor their networks for suspicious activity; install and use security software; and follow network security best practices.

Maybe they should only allow qualified consumers with required certification to purchase such a smart toothbrush.


The call is of course on device owners, and not device manufacturers whose responsibility it truly is to manufacture secure devices.


100% agree, but I have to wonder how much of the problem is that the cost of security is:

A. Not mandated

B. Increases cost of the product

At what point would people just prefer a regular toothbrush if a smart one doesn't provide enough utility to justify the cost?

This isn't specific to toothbrushes, but I wonder what products or services wouldn't exist if they were made to be secure (or safe/ethical/sustainable/etc). Makes me wonder how many existing externalities are causing hard to measure problems that could be prevented by making a higher quality product.


Of course it's because security is not mandated. In the past, and in the present, there are many companies who are willing to kill people for the sake of profits, if they can get away with it legally.

IMHO, any commercial violations of human rights, like privacy, should have criminal penalties.


Maybe the device owner only needs to be certified if the device was manufactured by a company that has had compromises or breaches in the past. That way, their sales take a massive hit if they have a problem. That may motivate these companies to do something about security.


> monitor their networks for suspicious activity

Indeed. It's asking the same people who only know their router as a box where the internet comes from to run a packet capture and interpret the results.




“The door refused to open. It said, “Five cents, please.” He searched his pockets. No more coins; nothing. “I’ll pay you tomorrow,” he told the door. Again he tried the knob. Again it remained locked tight. “What I pay you,” he informed it, “is in the nature of a gratuity; I don’t have to pay you.” “I think otherwise,” the door said. “Look in the purchase contract you signed when you bought this conapt.” In his desk drawer he found the contract; since signing it he had found it necessary to refer to the document many times. Sure enough; payment to his door for opening and shutting constituted a mandatory fee. Not a tip. “You discover I’m right,” the door said. It sounded smug. From the drawer beside the sink Joe Chip got a stainless steel knife; with it he began systematically to unscrew the bolt assembly of his apt’s money-gulping door. “I’ll sue you,” the door said as the first screw fell out. Joe Chip said, “I’ve never been sued by a door. But I guess I can live through it.”

— Philip K Dick, Ubik, 1969


More recently see Cory Doctorow's "Unauthorized Bread":

> The toaster wasn’t the first appliance to go (that honor went to the dishwasher, which stopped being able to validate third-party dishes the week before when Disher went under), but it was the last straw. She could wash dishes in the sink but how the hell was she supposed to make toast—over a candle?

* https://arstechnica.com/gaming/2020/01/unauthorized-bread-a-...

* From: https://en.wikipedia.org/wiki/Radicalized_(Doctorow_book)


This would be funny, but since it's pretty much exactly how printers behave, it's more just a slap in the face.


I guess it's time to echo the meme: "The band 'Rage against the machine' does not explicitly say what kind of machine they are enraged at, but I'm pretty sure it's a printer".

EDIT: screen of the original tweet: https://old.reddit.com/r/printers/comments/vqmbu4/rage_again...


Neil Young's song "Piece of Crap" was (supposedly) about a (then-innovative) plain paper fax machine (previously they used thermal paper):

* https://genius.com/Neil-young-and-crazy-horse-piece-of-crap-...

* Album: https://en.wikipedia.org/wiki/Sleeps_with_Angels


Warren Ellis at Thingscon 2017

"1. It’s hard. Don’t get me wrong. I know it’s hard. And Samsung and Apple and several other large corporations want in on it. On the bright side, that will give you lots of exit opportunities, and soon you could be drinking cocktails in Bali while Amazon deals with the backlash from the smart doorlock you sold them that still doesn’t work properly. And they’ll spend the money on iteration until the device either goes away or starts working properly, and the users will have to buy Amazon Prime membership for their houses. And then someone will hack your house through the buggy wifi thermostat you bought, and your house will start ordering DOWNTON ABBEY downloads and you’ll come home to find it’s 40 Celsius indoors and the sink is flooded and your fridge has been turned into a porn spambot and you’ll realise that your house is masturbating to DOWNTON ABBEY.

   If you can get in the front door."


Well, now we're straying from the original, but there's the libertarian copypasta on Reddit: https://www.reddit.com/r/copypasta/comments/7iqxko/libertari...

> I was shooting heroin and reading “The Fountainhead” in the front seat of my privately owned police cruiser when a call came in. I put a quarter in the radio to activate it. It was the chief.

> “Bad news, detective. We got a situation.”

> “What? Is the mayor trying to ban trans fats again?”

> “Worse. Somebody just stole four hundred and forty-seven million dollars’ worth of bitcoins.”

> ...

and so on.


I've later found that this is a New Yorker humor piece https://www.newyorker.com/humor/daily-shouts/l-p-d-libertari...

That makes sense. Their fiction was always top notch when I subscribed.


LOL:

> “Not yet. But mark my words: we’re going to figure out who did this and we’re going to take them down … provided someone pays us a fair market rate to do so.”

> “Easy, chief,” I said. “Any rate the market offers is, by definition, fair.”


When Michael Bloomberg was the mayor of NYC, he did actually ban trans fats from NYC restaurants:

https://en.wikipedia.org/wiki/Michael_Bloomberg#Political_po...


So do I drink my verification can before or after brushing?


Before. Otherwise, you're washing down all the fluoride instead of giving it time to bind to your enamel via chemical API calls.


Explains why I went into programming after doing a BSc in Chemistry. Just a different kind of API!


A warning about Philips electric toothbrushes: you cannot turn off Bluetooth on them, even if you are not using the smart features.

Also be careful with all Philips air purifiers that support Wi-Fi, because the remote control feature cannot be disabled. They create a Wi-Fi hotspot that you need to connect to with a smartphone to finish setting up the device, but if you don't use these features, the air purifier will create a permanent Wi-Fi hotspot, waiting to be exploited.


I'm reminded of this that I read a few days ago:

Home assistant picked up my neighbours Bluetooth toothbrush and now I can see when they brush their teeth.

https://old.reddit.com/r/homeassistant/comments/1306pcw/home...


Send them a message if they miss a brushing.


"You shouldn't stay up that late you know"


The exact same thing happened to me! Randomly one day a new toothbrush entity appeared in HA, even though I’m still using a “dumb” electric toothbrush.


I finally got rid of one of my fitness watches that had dreadful battery life and I couldn't figure out why. After a few months of this, I finally realized the same thing, you can't turn off the bluetooth on it. The app on your phone and the watch are constantly searching for each other to always sync and the alternative is to unpair the watch, use it, re-pair, sync and go which became a total headache, but did in fact give me better battery life.

The weird thing is I complained to the company's CSR people online and they had no idea why the battery was so bad and just told me to try and factory hard reset the phone as there must be something I changed in the settings.

I switched over to Polar and now the watch I have lasts 5 days on a single charge - quite the change from about a day or less.


> I switched over to Polar and now the watch I have lasts 5 days on a single charge - quite the change from about a day or less.

I uncovered a cheap digital watch in the cupboard the other day. It hasn't been in use since its strap broke at least four years ago. It is still keeping time. Poorly, granted. It is off by half an hour. Then again, it is the type of watch that needs updating twice or thrice a year to account for DST and leap years.

I realize that modern watches are much more than timepieces, but the difference in battery life is astounding.


My Garmin stays connected to my Samsung smartphone via Bluetooth constantly and will last about 6-8 days on a single charge. I can't imagine charging my watch every night.


I've been using Garmin GPS watches for more than a decade, they get two weeks on a single charge (double or triple that if you don't use 24/7 heart rate, or GPS, or Bluetooth/Wifi, but even on long trips I don't need months without a charge). And they have Bluetooth that syncs with my phone for weather data and optionally shows notifications, but it doesn't need a phone connection to be a great watch.

Sure, my top-end Fenix 6 Pro cost $750 new in 2019, and very little of that is hardware BOM (there's a lot of price segmentation), but it's still just as good as it was then. It's honestly extremely refreshing to deal with a company and an app that tries to build and sell good hardware rather than tricking you into a subscription.


I've gotten 5-7 days out of a charge with my entry-level Vivoactive 3 even 4 years later. They're very good.


Since we're on the subject, also be careful of Philips CPAP machines, they will slowly spray disintegrating cancer-causing foam into your lungs as you sleep.

Great company though, it's not like they had the choice to not buy out one of the best CPAP manufacturers and then skimp out on materials until they hit the cancer recall margin of diminishing returns (and then hide it for as long as possible).


What risks could a WiFi hotspot on an air purifier expose if it's not connected to the network or a computer?


Anyone in Wi-Fi range can exploit the device. The sensors of the air purifier can be used for spying, and the device could also serve as a hopping point for exploiting other devices in your home.


> The sensors of the air purifier can be used for spying

To be able to... know if your target's house has a lot of pollutants? Is particularly warm? There is practically no useful information that can't be gleaned by just looking through their windows, blinds and all.

> and the device could also be used as a hopping point for exploiting other devices in your home.

It's not connected to your home network, that's the whole reason for the hotspot existing. How, exactly, could it be used as a hopping off point, except to other devices with hotspots that... can just be exploited in the first place.


You're lacking in imagination, and maybe the conceptual idea of "sensor fusion". Multiple seemingly innocuous data streams in isolation can be combined to create sensors you wouldn't have imagined


Do you understand what data is available in a smart air purifier?

Please, explain exactly what sensor fusion would get you actionable data out of the PM2.5 sensor and "gas sensor" in a Philips smart air purifier.


At a guess; if able to monitor over a period of time (e.g. pick up data from a parked car), a potential burglar can see when there is activity and figure what times of the day house occupants are normally at home.


> that can't be gleaned by just looking through their windows, blinds and all.

I mean, sure, but who is going to do that when they can... look to see when people are home.


More subtle; the burglar could just park up and go off for a few hours and gather the data they need - no need for a suspicious camera pointing out of the car to monitor patterns.

If the burglar only takes a 30 second look before breaking in, residents could be home but away from a window, with this the burglar can more confidently know when is a good time to break in, without exposing themselves to the same risk that looking around the house brings.


Maybe increased CO2 on Tuesday afternoons will tip off that the wife is cheating?

It's not even far fetched, smart watches reporting physical activity at unexpected hours have revealed infidelity in the past.


Just a mere few years ago you wouldn’t believe a WiFi access point can be used as a sonar to literally scan the area like a low-def camera in real time.

Stuxnet also sounded like a completely made up scenario.

As someone said, you lack imagination. And that’s OK, but you’re also being quite arrogant, too.


> There is practically no useful information that can't be gleaned by just looking through their windows, blinds and all.

I have plenty of imagination. I also am practical and realize how illogical the argument of “sensor fusion” is to do something you can just use your eyes for.

Nobody is going to go out of their way to do this when KISS methods already exist and y’all don’t seem to understand practicality if you don’t see that.


If the sensors don't detect your farts for a while you're probably not at home so the burglars can come in


Worst case would be a fire hazard. Maybe produce too much poisonous ozone.

If the hardware is fail safe I guess it can waste electricity.


you could believe you're inhaling purified air but, lo! you are breathing impure air, muahahaha!


You may think you're joking, but 4 days ago: https://news.ycombinator.com/item?id=39223982


You might not be able to turn bluetooth off, but you can choose not to pair them with anything (or remove the pairing after setting up the device).


The issue is what happens to these toothbrushes in a couple of years when their vulnerabilities will be discovered. Their inevitable exploitation could be prevented by simply allowing the user to turn off Bluetooth. Or even better, only enable Bluetooth if the user wants to set up and use these smart features; at least in that case the vulnerable firmware can be updated using the smartphone app.


"Shipped dumb by default" is enticing as a legal requirement.

Have a colorful switch to enable it, whatever.

But poor security posture out of the box, for a questionably-supported, poorly-developed, long-lived physical device seems important enough to mandate slight one-time inconvenience.

In the future, this bullshit is going to be looked back at like default passwords on ISP WAPs.


Same with my samsung tv and my neighbour keeps trying to pair her watch to it for reasons I don’t know.


She most likely doesn't know either.


Why do toothbrushes need to be able to make web connections in the first place? I get that it's for tracking brushing habits, but can't that be done with local connectivity only, like LAN or something?


Not every toothbrush user has a server at home and the skills to attach to it. I would even say that most of those users had no idea what they enabled when they activated their toothbrushes. And let's not forget about vacuum cleaners, refrigerators, washing machines, coffee makers and the other zillions of "smart" personal data channeling smart appliances. I'd dare a survey, how many HN people actually work on exactly these technologies, how many read these words, and how many actually care?


I have several gizmos which use Bluetooth. They're a little bit slower to connect to than the WiFi ones, but they work fine, and "a bit slower to connect" seems fine for a toothbrush.

I also have several gizmos, including lightbulbs, which use WiFi. To my chagrin, I've had internet outages which meant that I can't turn on a given light until the Internet comes back. I put up with it, because telling my computer to change the lights is too much fun, but when the internet goes out, I'm embarrassed both personally and professionally.

Somehow we've failed as a profession to provide people with a home network which continues to function as long as the router has power, and that sucks.


> Somehow we've failed as a profession to provide people with a home network which continues to function as long as the router has power, and that sucks.

This already existed for lightbulbs in the 70's: https://en.wikipedia.org/wiki/X10_(industry_standard)

Wikipedia says the computer interface was 80's, but if you managed to have a computer in the seventies, you probably knew enough electronics to homebrew something.


Yeah, we've invented it several times over, and yet, what people buy and use is IoT crapware which craps out when the network does.

That's worse. You see how that's worse, right?


yeah, everything keeps getting reinvented worse or made worse by adding unwanted, poorly implemented features. My unstated point was that a version existed decades ago which was more robust than the new, reinvented version.

I'm not sure that people (in general) want these things. It seems like product managers adding stuff to justify their existence and people buying what they find on the shelf. You get an internet connected oven because you have no choice anymore. (Hyperbole, but the non-internet choices are narrowing.)

Maybe people want to change the color of their lightbulb (I'm guessing it gets old quick), but I suspect they're not asking for it to be on the internet.


I find it a genuine quality-of-life improvement to adjust the color of light. The temperature matters more, but being able to do strong hues is really nice. Not everyone is into mood lighting, but I like it.

And I don't care as much about whether or not the bulb uses IP to reach my phone, but why should my outside connection going down ever matter? As long as the router has power, the internal network should continue to function. It's a shame is what it is. I figure I could put in the sweat to make it "work on my machine" but that doesn't solve Joe Normal's problem, and it doesn't sound like a fun hobby to me either.


Separate access points from the router are a thing, and if the command and control for the lights are local they'd continue to work. People just mostly choose to go with a single integrated unit instead of a router, a switch, and one or more access points.


Just have the toothbrush run a web server and then the user can point a web browser at it. It can also come with a mobile app that would scan the local network looking for the device in order to discover the IP.


> I'd dare a survey, how many HN people actually work on exactly these technologies, how many read these words, and how many actually care?

This is an excellent question. We'd likely find that there is an enormous disconnect between high IQ, well educated engineers and high emotional and social intelligence.

The perennial excuses; "it's just a job" , "everybody's doing it", "if I didn't build <monstrosity x> then someone else would" ... these have grown tiresome and weak. Everybody now knows these are stupid and dangerous things we are doing.

Is there a kind of fatalistic malice at work? How do people who work on this kind of thing manage the dissonance?


Because the actual business model is selling the aggregated data?


What data though? How would it be valuable? From what I saw they are getting money from the device sale itself. These IoT toothbrushes are like $400 and basically just track brushing time and pressure. Those don't seem like super valuable ad tracking metrics.


This might be a fun exercise.

Let's assume we have the following data: the user's email address, some sort of smartphone identifying value, their ip address, and their brushing habits. That's not very much; who would want that?

Well, we know this is a person who will drop $400 on a toothbrush. They like shiny things, they have at least a middle-class disposable income, and they don't mind the headaches of internet-connected devices. Let's sell this information to big-box electronics retailers and other smart appliance manufacturers. Maybe this person would like to buy a $500 toaster too, or espresso machine, or soda machine, or bread machine, or microwave.

They care a little bit about oral hygiene. Have they seen a dentist lately? If they have $400 for a toothbrush, then they probably have better than average dental insurance. Let's also sell their information to the larger dental offices in their area (as determined by IP).

Do they need mouthwash? Let's pop up an ad for a subscription mouthwash service. How about floss? Would they perhaps also appreciate a razor made out of aerospace titanium?

Oh, but wait ... their IP address just changed, and they are brushing their teeth 3 hours later than typical. They're traveling! They're traveling and they took their expensive toothbrush with them. This opens up an entirely new set of possibilities. Travel insurance? A credit card with travel incentives? New luggage? How about offers for travel upgrades? There are hundreds of companies paying for the opportunity to contact pre-qualified customers that travel with disposable income.

Oh, wait ... they just bought a set of lightbulbs that we also make...


I was at the store looking at them recently and all the toothbrushes advertise having "AI", an app, wifi/bluetooth etc. I guess it's hard to come up with reasonable upsells on this stuff.


I'm with you, but unless the brush stores the data on itself, which appliance should receive those data in a typical home?


The user's phone, via a Bluetooth connection?


It's possible but it's really unreliable. A device trying to reach out to an app on your phone to proxy the data while your phone is sleeping/app not running just doesn't work that well. You don't want to have to open the app while using the device, you just want all the data to be there when you look in a week.

These devices almost always have wifi since the chips usually have both anyway. And reaching out to a fixed wifi is so much more reliable.


If you have enough room to store WiFi credentials, then you probably have enough room to store toothbrush use statistics.

There is no need to copy that data to a phone immediately. It can be put off until it's convenient.


And then the user goes out for the day, opens up the app, and wonders why the last 3 days of data is missing. Meanwhile the chip that does Bluetooth also just has wifi bundled in. Aside from the security risk, directly connecting to wifi is a vastly superior experience.


How much data can a toothbrush collect? Surely just a few hundred bytes per brushing session. The ESP32 has 160 kB of usable RAM out of the 520 kB total capacity. Surely enough for weeks of data even if the data structures are badly designed.


The problem is you can't reliably collect it over bluetooth. I doubt iOS allows apps to just run always active background tasks to fetch data over bluetooth while the app is not open.

The user expects the data on the app to always be in sync. If they check it outside of bluetooth range and see days of data are missing, it'll look broken.


It'll look however the UI designer made it look.

The right answer here is to show them a "last synced" timestamp and a sync button.


> The problem is you can't reliably collect it over bluetooth.

Really? Why not?


Because apps aren't allowed to be persistently running in the background. So you'd have to get the user to actively open the app while using the toothbrush which is annoying. If you let it connect to wifi, it will just work always without any manual user effort.


They are allowed to run at intervals. Just make the interval short and control it by the GPS location so that it doesn't ping the brush when you aren't at home.


What's wrong with "the brush stores the data on itself"? Plenty of consumer products do that.


My theory is that every technology goes through a period of experimentation before it’s clear how it should be employed.

That’s why we had project plowshare for the bomb and now internet connectivity for every imaginable device, even ones that only need an on-off switch.

I am a bit mystified why we need connected toothbrushes, but I very much applaud the spirit of experimentation, even if it sometimes gives us toothbrush-powered botnets.


> every technology goes through a period of experimentation before it's clear how it should be employed.

Sure, but as I said here yesterday [0] experimentation is something that has far reaching consequences, and that's why professional scientists have codes of ethics that seem quite absent in the tech world.

Also, as far as the Internet goes, we've had maybe 40 years of time to "experiment". There comes a time for results, conclusions and some sort of maturity in outcomes.

[0] https://news.ycombinator.com/context?id=39253045


Is it really experimentation or just slapping a higher price tag onto a device for added wifi connectivity?

How do we sell our product X for more? Just add wifi and AI. You can do it with almost anything.


  First they came for *The Onion*
  And I did not speak out
  For I was not an Onion writer

  Then they came for *Black Mirror*
  And I did not speak out
  For I was not a Mirror writer

  Then they came for Horselover Fat...
The sanity is already here – it's just not evenly distributed.


We're not talking about experimentation, though. We're talking about a fully hashed-out business model with its own casual acronym (SaaS).

The "why" is obvious: there is a market for any aggregate data on human behavior.


No need to teach your children honesty, when you can just spy on their toothbrushes.


Stanisław Lem wrote the "Washer Tragedy" where washing machines got smarter and were taking over. I think he would have been proud of these toothbrushes...


I dread the inevitable "Internet dildo wars of 2037" where millions of networked dildos and refrigerators wreaked havoc on the entire Internet causing billions in damage. "Suspects remain at large."


"ChatGPT-enabled Internet-Connected Dildo" is a devastating insult for internet commenters.


Didn't we already have a smart dildo incident in 2022?

Something about the sound recordings made by the accompanying app leaking?


> Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits

Along with that thread on the Folk computer the other day (https://news.ycombinator.com/item?id=39241472 ), and a discussion on signal interference in long-range wifi and the like (https://news.ycombinator.com/item?id=39246399 ) this makes me wonder if broad household surveillance centralized to a single computer per home for analysis might have benefits over decentralized IoT computation.


How about no household surveillance at all? Crazy idea, I know.


That's what I do. But I presume others like it, so here's an alternative for them. I have an uncle who was really into household automation back in the 80s/90s.


I wish my lone internet-of-shit device worked well enough to participate in a botnet. My house came with an internet connected sprinkler system--if the power blips, the sprinkler system boots up before the WIFI router, can't connect and then refuses to work until rebooted. I realized this when my lawn started dying.


Dental Denial of Service


Assuming that the article accurately reports the facts (I have my doubts) and these unnamed toothbrushes were used in DDoS attacks, it seems like the obvious deterrent would be for the harmed party to sue for damages. That seems like it would work to deter companies from making things internet connected when they aren't really needed.


Which toothbrush company/product are they referring to? The stock image implies Philips, but I don't see any mention of that in the article.

Never thought I'd be judging a toothbrush based on cybersecurity, but here we are...


Wouldn't one have to give the toothbrush your wifi password so it can connect?


One probably has to enter the wifi password in an app and then the connection info gets sent to the brush via Bluetooth. That's how my smart watch behaves.


In 2024 there will be flying cars!

Meanwhile.


Why you would buy a toothbrush that needs an app and wifi is beyond me.


Didn't happen, confirmed by Fortinet

https://news.ycombinator.com/item?id=39300373


Is nobody going to mention Java running on the toothbrush?

One might guess the firmware included a battery controller, bluetooth or wifi stacks, a little storage, and business logic for buttons and brushing.


Why does it matter? Embedded Java is quite popular. https://en.wikipedia.org/wiki/Embedded_Java


Well, you need to have something to run that business logic (which includes phoning home to the manufacturer), don't you? Java is as good as any other runtime.


"3 Billion Devices Run Java"

Maybe not all of them should.


3 billion devices run Java!

;)


The day is coming...

Man: Today I found out my toothbrush has been infected by a virus.

Wife: Did you try soaking it in bleach to sterilize it?

Man: It wasn't that kind of virus. It was a computer virus.

Wife: !???


If only there was a kind of toothbrush which doesn't use the internet. Seems like an opportunity.


Calm down grandad, the benevolent cloud demands tooth data and it will have its data.


That's the reason why you need some serious router at home, one with VLAN capabilities so all those IoT devices get sandboxed network-wise.


Came here expecting to find something from The Onion


If It's Smart, It's Vulnerable.


Still better than three million plain infected toothbrushes, which is what this looked like at first glance!


I challenge the hackers to hack my toothbrush, I'll even send it to you with FedEx.


How many bitcoins can three million toothbrushes mine?


Dude. This is too much. My fridge is capable of being connected to the internet, so is my oven, garage door opener and my dishwasher. WHY? These things have worked so well without this crap. I wish manufacturers would stop this insanity.


Theory: you just don't connect them, right. Reality: connect or it won't start. Next step: integrated sim card.


This literally happened to me on Friday. I was setting up a smart TV for my uncle and he just uses it for his Chromecast so I thought "whatever, I'm not going to connect this TV to his wifi."

Come to find out, the TV locks you out of EVERYTHING if you do not connect it to the internet. You see the homescreen but you aren't allowed to switch the input unless you connect to the wifi. Even after connecting to wifi, you only get access to FAST channels, and still have to register with a Samsung account before you get permission to change the input.

I don't think I had ever been more upset at a piece of tech in my life.


You're sure you read the instructions correctly? What's the make and model of that, please? I think people would like to know. That would certainly be illegal over here in Europe.


TVs are the worst. Everything except OLED sets has been getting cheaper and cheaper and I'm certain these manufacturers aren't achieving this via production line optimizations. It starts with the connection to vacuum up the data, next comes overlay ads, in a few years it'll be subscription plans instead of a sticker price. And the general public will love it.


I had one like this (Toshiba), and I did the initial setup, then blocked it at my router from ever accessing the Internet again. Next TV purchase was a different brand (TCL) that didn't require such stupidity.


I would have returned it.

"It's for the basement room, no WiFi there" if the shop argues.


My just-installed Bosch washing machine says that some programs are only accessible in their app. I'm pondering whether to send it back or give in and block it at the router (although the app will be free to do its nonsense).


Genuine question, are these things really the norm where you live? I don't have a garage but none of those other appliances are capable of being connected to the internet for me. I am well aware that there are "smart" models out there and their prevalence is probably on the rise but it surprises me that someone so opposed to everything being internet-connected has so many such appliances.

I'm in the UK, are these smart appliances way more common in the US or something?


If you’ve ever tried to use these extra “connected features”, you’ll notice that they are completely useless.

Aside from the small detail that these things don’t really solve any problem, these companies are not… let’s say software savvy.


> My fridge is capable of being connected to the internet, so is my oven, garage door opener and my dishwasher. WHY?

Because you bought them dude! :)


These are all things that renters would not purchase. How many people actually try and use appliances at a rental property before signing?


Waiting for the refrigerator...


Every internet-of-shit device should be legally required to go through a security audit, and the vendor should commit to mandatory 5 years of API being up + 5 years of security updates, with N days to fix CVEs with severity over a certain threshold.

Would make the shitty vendors think twice before creating piles of e-waste due to zero cost of entry.


This headline reads like a story element from the Silicon Valley TV series.
