Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

Dealing with "Smart"

A random modern smart home. If the owners are nudists, I bet they’ll hear from the homeowner’s association. (Photo by R ARCHITECTURE on Unsplash)

It seems anything new you buy has some level of "smart" inside. If it plugs into an electrical outlet or takes a battery, there is likely some "smart". I've had to do a lot of handling of smart devices. Every vendor has an app for your phone, every vendor has stuff reporting to the cloud, and every vendor assumes you want to automate things.

In some cases this is a good thing. However, there are times when it creates its own issues. As this is a blog maintained by a skeptical security person, let's focus on some of these "issues" that smart creates.

  • The User Agreement or Privacy Policy. If there is one, it often does not apply to you in the way you think. For example there might be a User Agreement and Privacy Policy on the company website, but the phone app was written by another firm with a separate cloud presence for data generated by the app. This is especially common with firms reselling hardware that was manufactured in China and then shipped to the United States, where the remaining manufacturing process is completed. I've seen as many as four different User Agreements on three continents for what appears to be a single product, and there was conflict between the policies.
  • The phone app is a nightmare. Lack of encrypted transmission of data between the phone app and the cloud, inclusion of tracking information to third party sites, outdated and vulnerable packages included into the app build process, passwords stored in plaintext, overreaching permissions required to function, and so on.
  • No regular updates. The app is there, like the vendor promised, and it has a lovely (c) 2015 notice on it - just below the part where it states "version 1.0".

On another note: I have a fairly involved home network (a "homelab" of sorts) and can run VLANs, monitor individual device traffic, and I'm known to hack away on personal devices to see what makes them tick. Bear that in mind when reading some of my "solutions": there is often not an easy fix like unchecking a box or turning off a feature.

The Usual Process

If I am researching something where I have time, I will list features, read reviews, pore through installation manuals (even if the item has to be installed by a specialized tradesperson), and make a list of concerns that I can get addressed. For example I’m replacing my 30+ year old 240V window unit air conditioner in the server room, and I am going through that process now, and unless the old one dies suddenly I can take my time and get exactly what I want.

I do try to “fix” things as best I can. For example, I had no choice to speak of on the new HVAC system, as the old one died during wintertime. The HVAC repair folk showed me my choices and I made my pick right there - all without even glancing at a detailed spec sheet or installation manual. I simply made sure I had a separate WiFi network set up for it and it would be on its own VLAN, and that was about all I could do. Are there any issues with it? Of course. Nothing major, but nothing easily fixed either. In the solar battery case, my solar energy installer Kosmos Solar told me this particular vendor had an inverter that worked with nearly every brand of battery, solar panels, and even auto-start generators, so I said yes. I did check it out and I had more than enough time to change my mind, but a few key features made this inverter seem like the right choice, even though I was still going to set up a separate VLAN and so on.

Detailed Evaluation

When I do check out a vendor, here are the rough steps I complete.

Network isolation. Most smart devices talk to the Internet. First, does it have to? Some vendors require it for your warranty to remain valid (depending on the device you might not care, if for example it is inexpensive to replace), others require it so you can actually adjust settings. If so, see if the product can be isolated onto a separate VLAN. This is usually not a problem as the device doesn’t care, it simply needs connectivity.

Firewall rules. If the device must upload data as a part of the warranty agreement, adjust the firewall rules to allow outbound connections but restrict inbound connectivity. This meets the requirements of the warranty, as the warranty usually does not state that the installer or the vendor requires remote access as a condition of the warranty itself. Additionally, I allow outbound DNS and NTP queries as well, so the smart device has the correct time and can find its upload site.

WiFi or Ethernet. 99% of products only support WiFi, but I do check just in case Ethernet is available. If so, I order the version of the product or the extra adapter that uses Ethernet.

Multiple ways to access the data. Ensure that if there is a phone app, the same information it gathers and tracks can be accessed locally (even via a tiny LCD screen). During an Internet outage, you still might want to adjust the HVAC temperature settings or view a security camera. There might be some data you do want access to, but it only sends that data to the cloud for processing into a more usable format. Maybe your idea of local API access to that data will require cloud access. Yes, in these cases you could write your own fake cloud presence and get the smart device to upload to your own server (rendering the phone app useless), but that could take a substantial programming effort - especially with multiple smart devices that all do the same thing.

Phone app eval. Reverse engineer the phone app and look for bugs. This can be a serious project in and of itself that I will cover separately in another blog post.

Privacy policy. Check the company website as well as any website used for data upload by the smartness of the product. If the app was "outsourced" or the copyrighted product of another company, check their privacy policy as well.

Where does the data actually go. The server that collects the smart data is 99.9% of the time a basic cloud-based web server. Check that it isn’t a nightmare of security problems, and note any flaws without committing a felony.

Reporting of findings. Find out if they have a bug reporting process, and report the findings. This one can be difficult, and could lead to you bypassing normal chains of command. I really try to go through normal channels first (help desk, forums if they have them, opening a trouble ticket, etc.), but if I am getting nowhere I start acquiring things like a company VP email or even a CEO personal phone number. If I am still running into difficulty I resort to the worst tactic of all - I take to social media and start asking for help in contacting the company about a security issue in their product.

Quick Examples

A good example of dealing with smarts is my HVAC system, made by Daikin. The warranty required that the installation company be able to monitor the system, and the connection was WiFi from the thermostat. I could isolate the unit on its own SSID, but if the HVAC was “rebooted” it required the SSID not be hidden to be able to find it, so its SSID is not hidden but it is on its own VLAN. Firewall rules only allow outbound connectivity, so the HVAC company (or anyone else) cannot make changes remotely.

I have a smart weather station, an Ambient Weather WS-2000. It also uses WiFi, so it uploads weather data to the cloud. My online profile is set to private so only my personal account can view it, but it supports a few features I want - mainly SMS notifications of certain weather events. It also allows me to look at historical data, which I have an avid interest in since I have solar panels and weather patterns can impact that (plus I used to storm chase and am a weather nerd).

Major appliances like my refrigerator, stove, and dryer are smart capable, but as I find no point in setting all of that up I simply didn't. They function fine without it.

Conclusion

If you don't need it, either turn the smarts off or never enable them. If you're a nerd like me, you can configure things as securely as you can, because it is good fun nerd stuff and good practice that could benefit your skill set.

In the future I will blog more specifically about how I search for security flaws and concerns within the smart world, and relay my experiences with a vendor or two.
