
What If We Put Warnings on IoT Devices? - robin_reala
https://www.troyhunt.com/what-would-it-look-like-if-we-put-warnings-on-iot-devices-like-we-do-cigarette-packets/
======
seanmcdirmid
In California, there is a law that basically everywhere (e.g. all apartment
complexes) must have a sign that specifies that the compounds used on site can
cause cancer or birth defects or whatever. But because the signs are
pervasive, they are basically useless.

This feels kind of like that.

~~~
freehunter
The problem I've always found with the California warnings is that they're so
damn generic. There's nothing forcing companies to tell you what compound is
harmful, where it is, or what it's used for..

A fishing sinker made from lead is pretty obvious when you see that warning.
There's only one ingredient, lead, and it's obvious why it's harmful. But when
you buy a complex product that says "this product contains chemicals known by
the State of California to cause cancer or birth defects", the first thing I
want to know is what the chemical is, the second is where it is in the
product, and the third is why it's there. Nothing in the warnings makes
manufacturers tell you any useful information.

~~~
seanmcdirmid
Even if they did, would it matter? It would be some chemical term, like the
one you see in an ingredient list, that is meaningless to most people.

And these are places, not products...with gardens. Even if they use organic
pesticides, they probably still have to put up the warning.

~~~
jstanley
> that is meaningless to most people.

Therefore no people should be allowed to know?

For what it's worth, I'm not in favour of California's labelling requirements
either. But just because something is meaningless to the majority of the
population doesn't mean it's meaningless to the entire population. And it is
specifically the population that is interested in knowing it that finds it
_least_ meaningless!

~~~
seanmcdirmid
I didn't say allowed or not. Sure, you should know that there are 15 ug of
theomacrotasium among a hundred other things in your environment, but then
what? Information overload means our decisions can get worse, not better, when
presented with more of it.

What would be more meaningful: certifications that act as abstractions for
complex problems. Organic kind of acts like this already, and of course there
are multiple federal certs for electronics. Having a functioning regulatory
system as well as a working civil law system also help.

~~~
freehunter
How about a warning that says "The battery in this cell phone contains an
amount of theomacrotasium known to cause cancer if ingested."

That's a completely actionable warning. Don't eat the contents of the battery
of your cell phone.

Or how about "This carpet contains formaldehyde, which is known to cause birth
defects in pregnant women. Limit exposure to this carpet for a few days after
installation."

That's a good warning. That tells me what I need to know, what the risks are,
and how to mitigate it.

~~~
seanmcdirmid
Hey, if it's just one thing, great! Now, how do you do that for a hundred
things? Again, warnings work great for very small numbers of N.

We have to find a middle ground between "has chemicals that may cause cancer"
and "a hundred specific chemicals in X quantities that may cause cancer."
Abstraction is very necessary as a pragmatic solution, even if full disclosure
makes sense as an ideal.

Heck, most places are just doing CYA, they have no idea what specific lists of
chemicals their contractors use. For the IoT case, no one has any idea how
their devices can be exploited, and merely admit the possibility of
exploitation. But that is another issue.

~~~
kaybe
Well, information on how to mitigate the cancer risk is already a step
forward.

If it is only harmful if ingested you know not to give it to your toddler. If
it gives off toxic fumes while burning, well, stay away if you made a fire
mistake. etc. The warning itself is pretty useless as it is.

------
EvanAnderson
I'm of the opinion that products which require a separate service to perform
their advertised functions (i.e. a "cloud" service-- be it "free" with the
product or subscription-based) should be clearly labeled as such. I know that
I don't actually own anything that I can't self-host (or pay whoever I want to
host it), but it's clear that most people don't. Public education on this
front seems valuable to me (but, then, I'm one of those crazy people who
believes in standards-based protocols and commodity hosting service).

~~~
FabHK
Yes. There's this doorbell (400-1500 USD) that connects via internet to a
central host, and then notifies you on your smartphone. Seems sort of a neat
idea, but a house lasts several decades - is that startup and its server going
to be around that long?

[http://www.doorbird.com](http://www.doorbird.com)

~~~
659087
It also notifies that central host every time someone visits your home, and
provides them with video and audio of that person. That doesn't seem like a
"neat idea" at all.

"By visiting my front door, you agree to Doorbird's privacy policy"

~~~
finnn
Couldn't the same be said about all the other shitty cloud-connected
surveillance cameras? Not saying that justifies it, just that this is a bigger
problem than just those awful internet of doorbells

~~~
TeMPOraL
Of course it can be. It's all shitty engineering - making roundtrip through
cloud with data that should only ever touch your personal devices.

------
jacquesm
Simple rule: I buy it, I own it and it should not need an external service to
operate. If it does then I'm not buying it.

None of those grafted on services for me, I really have yet to see anything
that was so compelling that I would give up and consent to essentially renting
a device and having an account with some service to make it useful.

That way you also don't need to warn anybody about the lousy security, I'm
100% convinced that those companies that are exploited are merely the tip of
the iceberg, that for each of these there are a vast multiple that were
exploited but never found out and that the remainder _also_ isn't as secure as
they should be.

Running a secure service with devices in the field is hard, harder than I give
most companies credit for and those companies that could pull it off (Amazon,
Apple, Google, Microsoft and a couple of others) are usually the ones that I
would trust even less with my data because of their ability to add it to the
pile they already have.

~~~
krapp
> Simple rule: I buy it, I own it and it should not need an external service
> to operate. If it does then I'm not buying it.

That's a good rule, but good luck opting out once most manufacturers no longer
give you an option.

~~~
JustSomeNobody
> That's a good rule, but good luck opting out once most manufacturers no
> longer give you an option.

The irony is that this is Hacker News and so many people building those things
hang out here. If we want to make a difference, we have to start making a
difference.

~~~
TeMPOraL
Well, I strongly hope those many people involved in these things can feel the
peer pressure here, and subsequently push for changes at their workplaces.

------
murftown
A little ironic: I tried to share this article on the #offbeat Slack channel
at my work, but the automatic preview image Slack generated for it (from the
top cover image of the article, which you can't really see most of, unless you
view the image separately) is a (pretty NSFW) fake front-of-the-box for a "We-
Vibe" IoT vibrator: "We can see how kinky you are". Not what I was planning to
share with my coworkers. I'd recommend the author to change the cover image,
or at least feature the whole image prominently front-and-center if that's
really what they want to do, so people don't accidentally share it
inappropriately like I did.

Good article though, and I definitely agree that these issues with IoT devices
should be made more prominent.

~~~
Bartweiss
I sort of wish Slack had a way to disable the preview image feature; I've run
into this several times where a reasonable, work-safe article was processed
into a picture not-so-suitable for Slack.

It mostly seems to be cases like this one, where the first image is concealed
or contextualized in the article but treated like a normal header image by
Slack. I think one that got me worst was a piece responding to someone else's
content. Slack simply pulled the quoted text and picture at the top - which
looked like sharing the original article, instead of a response to it.

~~~
scott_karana
An X shows up next to the preview/unfold when hovering, and allows you to
delete the preview, at least in the full desktop app.

------
michaelfeathers
It would be interesting to have a word for devices that is sort of like
'organic' for food.

It would indicate that the device is self-contained and has no connectivity.

~~~
npsimons
> It would be interesting to have a word for devices that is sort of like
> 'organic' for food.

> It would indicate that the device is self-contained and has no connectivity.

"Well-designed"?

~~~
jaclaz
>"Well-designed"?

Very good one.

A good candidate would have been "smart", but unfortunately it is already
taken to mean the opposite.

~~~
fmx
I use "dumb". Sure, it sounds negative, but when used in context it's easy to
understand for anyone that knows about "smart devices".

------
trimtab
Z-wave and encrypted ZigBee controlled products work pretty well for in-home
automation. Communication is encrypted between devices.

The problem can be the Z-wave/ZigBee controller which may very well require
Internet and Cloud access to "phone home."

I avoid using IoT devices that I can't re-program or if nothing is available
except some proprietary/cloud driven device I isolate them into their own
little network space, so they can't attack the rest of the network or "phone
home" unless I let them. Sometimes, that isn't possible and that's when 30 day
return privileges come in real handy.

The ability to trace the packets coming off of most IoT devices is fascinating
and sometimes scary. A lot of devices are like the recent OnePlus smartphones
that record and send most everything to their "true master" the manufacturer
of the device. At least, with a OnePlus you can fix that, by reflashing the
phone.... which is not true of most IoT devices being sold today.

Have you noticed that BestBuy seems to only sell IoT devices that will "phone
home?"

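The network isolation described above (IoT devices on their own segment, with "phone home" only where explicitly permitted) is easier to enforce and audit when the policy is written down per device. The script below is an added example, not code from the article or from any commenter: it reads a router-style flow log and reports every connection an IoT-VLAN device opened that is not on its allowlist, distinguishing lateral moves into the trusted LAN, unapproved phone-home traffic, and devices nobody has registered. The subnets, device addresses, allowlists and log lines are constructed for illustration (vendor "cloud" hosts are placed in the TEST-NET ranges).

```python
"""Audit IoT-VLAN egress against a per-device allowlist.

Added example for this discussion; not code from the article or any
commenter.  Subnets, device addresses, allowlists and the flow log
below are constructed assumptions, modelled on a router that logs one
line per new outbound connection as "<src> <dst> <proto> <dport>".
"""
import ipaddress
from collections import defaultdict

# Assumed layout: IoT devices live on their own VLAN, trusted hosts on the LAN.
IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# Assumed per-device egress allowlist: (destination network, port) pairs.
# Anything else a device opens is reported.  A device that should never
# reach the Internet (e.g. a Z-Wave/ZigBee hub that only needs local
# DNS/NTP) simply has no external entries.
ALLOWLIST = {
    # local-only automation hub: DNS and NTP on the gateway, nothing else
    "192.168.50.10": [("192.168.50.1/32", 53), ("192.168.50.1/32", 123)],
    # cloud doorbell: gateway DNS plus the vendor's HTTPS range (TEST-NET-3)
    "192.168.50.20": [("192.168.50.1/32", 53), ("203.0.113.0/24", 443)],
}

# Constructed sample flow log.
SAMPLE_LOG = """\
192.168.50.10 192.168.50.1 udp 53
192.168.50.10 192.168.50.1 udp 123
192.168.50.10 198.51.100.7 tcp 443
192.168.50.20 203.0.113.42 tcp 443
192.168.50.20 192.168.1.15 tcp 445
192.168.50.20 192.168.50.1 udp 53
192.168.50.30 203.0.113.9 tcp 8883
192.168.1.15 203.0.113.42 tcp 443
"""


def parse_flow(line):
    """Split one log line into (src, dst, proto, dport)."""
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def is_allowed(src, dst, dport):
    """True if (dst, dport) matches an allowlist entry for src."""
    for net, port in ALLOWLIST.get(str(src), []):
        if dst in ipaddress.ip_network(net) and port == dport:
            return True
    return False


def classify(src, dst, dport):
    """Return None for a permitted flow, otherwise a short finding label."""
    if src not in IOT_SUBNET:
        return None                 # only the IoT VLAN is policed here
    if dst in LAN_SUBNET:
        return "lateral"            # IoT device reaching into the trusted LAN
    if is_allowed(src, dst, dport):
        return None
    if str(src) not in ALLOWLIST:
        return "unknown-device"     # something on the VLAN nobody registered
    return "phone-home"             # known device, unapproved destination


def audit(log_text):
    """Map each offending IoT source to its list of flagged flows."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = parse_flow(line)
        reason = classify(src, dst, dport)
        if reason:
            findings[str(src)].append((reason, str(dst), proto, dport))
    return dict(findings)


if __name__ == "__main__":
    for device, flows in sorted(audit(SAMPLE_LOG).items()):
        for reason, dst, proto, dport in flows:
            print(f"{device} -> {dst}:{dport}/{proto}  [{reason}]")
```

On the constructed log this flags the hub for an HTTPS connection it has no business making, the doorbell for an SMB connection to a LAN host, and an unregistered device on the VLAN. The same allowlist maps directly onto firewall rules on the gateway (one accept rule per entry, then a default drop for the IoT interface), so the audit doubles as a check that the rules actually match what was intended.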
~~~
firefoxd
You gotta have a link for what you said about the OnePlus.

~~~
alexland
There was a post on /r/Android about it [1], but it seems like you can toggle
this off by disabling device analytics in the settings.

[1]:
[https://www.reddit.com/r/Android/comments/75ev0z/oxygenos_is...](https://www.reddit.com/r/Android/comments/75ev0z/oxygenos_is_collecting_a_lot_of_personal_info/?utm_content=comments&utm_medium=browse&utm_source=reddit&utm_name=Android)

------
0xfffff
I read about a proposal to prominently put expiration dates on IoT devices, to
show how long they will be served with security updates. That could be
interesting and also raise awareness.

~~~
DarronWyke
Not really. Don't forget that for the longest time home routers shipped
broadcasting the default SSID with no password. Now they come preconfigured
with a locked-down SSID and password (though the management interface is still
usually behind admin/admin or an equivalent). Security isn't on most people's
minds -- it has to be built into the product from the get-go to get the
largest reach.

------
DarronWyke
It wouldn't change a thing, at least not in any meaningful fashion. People
want the latest whiz-bang thing and these devices are marketed to those who
have the barest understanding of technology.

------
NKosmatos
Interesting idea. I wonder what this would look like on commercial software
packages :-) Yeah I'm an oldschooler that remembers buying software and games
in actual physical boxes!!!

~~~
rootlocus
I sometimes buy hard copies of games simply because I dreamed of having a
PlayStation or a gaming PC as a kid, but my parents couldn't afford either, so
I never got the chance of collecting anything related to PC games.
Unfortunately, most of them only come with a small piece of paper inside with
a steam activation code written on it. I remember when games contained entire
manuals in the box.

------
vannevar
If there is such a warning, it should be along the lines of:

"This device is inherently insecure and could be remotely operated by persons
unknown anywhere in the world."

~~~
TeMPOraL
Also: "This device collects data to be processed by the vendor and possibly
resold to third parties."

Also maybe they should be honest and just write: "This device will stop
working at any time the company behind it gets bought and/or decides to
abandon the product line."

------
DonHopkins
WARNINGS:

WARNING: This product warps space and time in its vicinity.

WARNING: This product attracts every other piece of matter in the universe,
including the products of other manufacturers, with a force proportional to
the product of the masses and inversely proportional to the distance between
them.

CAUTION: The mass of this product contains the energy equivalent of 85 million
tons of TNT per net ounce of weight.

HANDLE WITH EXTREME CARE: This product contains minute electrically charged
particles moving at velocities in excess of five hundred million miles per
hour.

CONSUMER NOTICE: Because of the "uncertainty principle," it is impossible for
the consumer to find out at the same time both precisely where this product is
and how fast it is moving.

ADVISORY: There is an extremely small but nonzero chance that, through a
process known as "tunneling," this product may spontaneously disappear from
its present location and reappear at any random place in the universe,
including your neighbor's domicile. The manufacturer will not be responsible
for any damages or inconveniences that may result.

READ THIS BEFORE OPENING PACKAGE: According to certain suggested versions of
the Grand Unified Theory, the primary particles constituting this product may
decay to nothingness within the next four hundred million years.

THIS IS A 100% MATTER PRODUCT: In the unlikely event that this merchandise
should contact antimatter in any form, a catastrophic explosion will result.

PUBLIC NOTICE AS REQUIRED BY LAW: Any use of this product, in any manner
whatsoever, will increase the amount of disorder in the universe. Although no
liability is implied herein, the consumer is warned that this process will
ultimately lead to the heat death of the universe.

NOTE: The most fundamental particles in this product are held together by a
"gluing" force about which little is currently known and whose adhesive power
can therefore not be permanently guaranteed.

ATTENTION: Despite any other listing of product contents found hereon, the
consumer is advised that, in actuality, this product consists of
99.9999999999% empty space.

NEW GRAND UNIFIED THEORY DISCLAIMER: The manufacturer may technically be
entitled to claim that this product is ten-dimensional. However, the consumer
is reminded that this confers no legal rights above and beyond those
applicable to three-dimensional objects, since the seven new dimensions are
"rolled up" into such a small "area" that they cannot be detected.

PLEASE NOTE: Some quantum physics theories suggest that when the consumer is
not directly observing this product, it may cease to exist or will exist only
in a vague and undetermined state.

COMPONENT EQUIVALENCY NOTICE: The subatomic particles (electrons, protons,
etc.) comprising this product are exactly the same in every measurable respect
as those used in the products of other manufacturers, and no claim to the
contrary may legitimately be expressed or implied.

HEALTH WARNING: Care should be taken when lifting this product, since its
mass, and thus its weight, is dependent on its velocity relative to the user.

IMPORTANT NOTICE TO PURCHASERS: The entire physical universe, including this
product, may one day collapse back into an infinitesimally small space. Should
another universe subsequently re-emerge, the existence of this product in that
universe cannot be guaranteed.

~~~
lucb1e
Just a sidenote, this is not original content and no source is mentioned. From
a quick ddg search, this seems likely to be the original (1991):

[https://stuff.mit.edu/people/dpolicar/writing/netsam/warning...](https://stuff.mit.edu/people/dpolicar/writing/netsam/warning_labels.html)

------
ksk
I get the humor value, but isn't this just elitism from the software folks?
Should we add similar warnings to websites of startup companies? Or during the
installation of pretty much every single OS?

I saw some folks recommending punitive damages against IoT companies that ship
this insecure junk. Well how about prosecuting software devs who introduce
security vulnerabilities?

------
mar77i
Urm, you know, people got used to IoS. Telling other people how to make their
choices is telling other people what to do. It's not always nice, and frankly,
never actually works.

~~~
DannyB2
> It's not always nice, and frankly, never actually works.

It works and is profitable. Just ask any advertiser. And it is nice. It
increases corporate profits. What could be nicer than that? /s

------
rasz
Sure, but Microsoft starts first with same label on Windows 10.

------
koverda
If we follow Troy's line of reasoning, then we would need to add these
warnings to phones, tv's, websites, credit cards -- just about anything that
contains data about you.

I guess the main point the author is trying to make is that data can get
compromised, and some people might not be aware of that.

Nothing new or groundbreaking.

~~~
npsimons
> If we follow Troy's line of reasoning, then we would need to add these
> warnings to phones, tv's, websites, credit cards -- just about anything that
> contains data about you.

I honestly don't see a problem with _requiring_ this and enforcing it with the
corporate death penalty. Need I mention Equifax?

------
ericb
We need UL listing for security on IoT devices.

------
mtgx
Ugh, hey Troy, thanks for making the post NSFW with that featured vibrator
image...was it really necessary to make the point of the article?

~~~
rootlocus
I shared it on #general and nobody complained.

------
DonHopkins
NOTE: This packet is sold by wait, not by volume. Packed as full as
practicable by modern automatic equipment, it was delayed the full net wait
indicated. If it does not appear full when opened, it is because contents have
been compressed during shipping and handling.

[http://www.directionsforme.org/item/315569](http://www.directionsforme.org/item/315569)

~~~
FabHK
weight...

> This package is sold by weight, not by volume. Packed as full as practicable
> by modern automatic equipment, it contains full net weight indicated. If it
> does not appear full when opened, it is because contents have settled during
> shipping and handling.

Not entirely unreasonable note, but nothing to do with IoT

