What If We Put Warnings on IoT Devices? (troyhunt.com)
313 points by robin_reala 40 days ago | 154 comments



In California, there is a law that basically everywhere (e.g. all apartment complexes) must have a sign that specifies that the compounds used on site can cause cancer or birth defects or whatever. But because the signs are pervasive, they are basically useless.

This feels kind of like that.


The problem I've always found with the California warnings is that they're so damn generic. There's nothing forcing companies to tell you what compound is harmful, where it is, or what it's used for.

A fishing sinker made from lead is pretty obvious when you see that warning. There's only one ingredient, lead, and it's obvious why it's harmful. But when you buy a complex product that says "this product contains chemicals known by the State of California to cause cancer or birth defects", the first thing I want to know is what the chemical is, the second is where it is in the product, and the third is why it's there. Nothing in the warnings makes manufacturers tell you any useful information.


Or how much of it there is. Parts per million/billion?

I'm pretty interested in how much cadmium and mercury gets into my system because they're bad news for the brain. At the same time, mercury is also in air so it's kind of inescapable. Parts per billion is interesting information because then I can control how much I ingest the way I do for food that is fattening.


It would be much more useful if it were in the form of "This property contains substances determined by the state of California to be toxic to humans. The site report may be viewed in person at 123 Maple St, Suite 200, San Mateo, or electronically at https://sitereport.ca.us/"

Then the print report would basically be a binder full of MSDS-like information sheets, along with the history of measurements recorded on the site.

Online, you could see the threshold levels for single massive exposure and for casual environmental or daily occupational exposures. And maybe enter your age, sex, and weight in kg, to see how likely it is that living in your apartment will kill you.

The generic warning is useless. It ranges from "last month someone found 30cm of thermal receipt paper with bisphenol-A all over it" to "someone once dumped a 55gal drum full of dioxin right into the soil where your vegetable garden is now."


This is the same problem with the cookie law in Europe.

They allowed one single, generic, disclaimer which every site pops up.

If they'd demanded:

- a separate disclaimer for each domain (or at least company) setting a cookie

- a description of the purpose of the cookies (e.g. advertising, remembering log-ins)

Then the law might have actually achieved something.


TBH, you need to put a cookie warning only if you use cookies for stuff like tracking and advertising. Logins and general site functionality are exempt from that.

Basically, cookie warning on site means the site tracks you.


I did not know this. I do not think cookie warning == site tracking. Many of those pop-ups are people thinking they need it due to the law.


That supposes testing of that nature is actually done for every item/location that has one of those warnings. It is not. Testing is expensive. The costs if you lose a lawsuit due to not displaying the warning when you should have, even more so. People are pretty desensitized to seeing the warnings. So the logical decision made by many business owners is to display the warning even if no tests have been conducted showing the presence of the chemicals and sometimes even if there is no reason to believe there are any harmful chemicals at all. There's no penalty for displaying a superfluous warning.


Yes, it does suppose that.

That people display the warning without specific knowledge of a hazardous substance is the fault of the California legislature for passing laws that provide perverse incentives to do that.

If a business could be held liable for posting the warning without a reason why, those warnings would not appear without reason. Ambulance-chaser attorneys perform a kind of arbitrage there, as private-party enforcers, like finding ADA violations at a non-accessible business and suing to force them to settle and make reasonable accommodations, or fight it, pay fines, and make reasonable accommodations. Or like the Florida folks that test their Sunshine Law against various municipal organizations. The munis are forced to settle and open their records, or fight it, pay fines, and open their records.

I guarantee there would be at least one person in California that would go around checking for warnings and asking for the MSDS reports on the hazardous materials on the property. I asked for a MSDS once, and the building manager just about lost his mind. I just thought I smelled toluene, and wanted to check to see if I was right. Their reaction made me think that maybe someone should have been suing someone, and they were just worried that it was going to be me.

As with any complex system, it's the squeaky wheels that get greased. More sensible laws would make California less an object of ridicule for other states. Indiana takes a lot of flak over the pi thing, and Kentucky and Tennessee occasionally get their "ice cream cone in the back pocket" laws waved around, but those are just silly artifacts of law. The California "causes cancer warning" law affects so many businesses, even those outside the state.


Even if they did, would it matter? It would be some chemical term, like the one you see in an ingredient list, that is meaningless to most people.

And these are places, not products...with gardens. Even if they use organic pesticides, they probably still have to put up the warning.


> that is meaningless to most people.

Therefore no people should be allowed to know?

For what it's worth, I'm not in favour of California's labelling requirements either. But just because something is meaningless to the majority of the population doesn't mean it's meaningless to the entire population. And it is specifically the population that is interested in knowing it that finds it least meaningless!


I didn't say allowed or not. Sure, you should know that there are 15 ug of theomacrotasium among a hundred other things in your environment, but then what? Information overload means our decisions can get worse, not better, when presented with more of it.

What would be more meaningful: certifications that act as abstractions for complex problems. Organic kind of acts like this already, and of course there are multiple federal certs for electronics. Having a functioning regulatory system as well as a working civil law system also help.


How about a warning that says "The battery in this cell phone contains an amount of theomacrotasium known to cause cancer if ingested."

That's a completely actionable warning. Don't eat the contents of the battery of your cell phone.

Or how about "This carpet contains formaldehyde, which is known to cause birth defects in pregnant women. Limit exposure to this carpet for a few days after installation."

That's a good warning. That tells me what I need to know, what the risks are, and how to mitigate it.


Hey, if it's just one thing, great! Now, how do you do that for a hundred things? Again, warnings work great for very small numbers of N.

We have to find a middle ground between "has chemicals that may cause cancer" and "a hundred specific chemicals in X quantities that may cause cancer." Abstraction is very necessary as a pragmatic solution, even if full disclosure makes sense as an ideal.

Heck, most places are just doing CYA, they have no idea what specific lists of chemicals their contractors use. For the IoT case, no one has any idea how their devices can be exploited, and merely admit the possibility of exploitation. But that is another issue.


Well, information on how to mitigate the cancer risk is already a step forward.

If it is only harmful if ingested you know not to give it to your toddler. If it gives off toxic fumes while burning, well, stay away if you made a fire mistake. etc. The warning itself is pretty useless as it is.


If it is meaningful to only a small portion of the population then that portion should pay for obtaining this information and not force the rest to pay. If you add legal costs, these warnings, like most regulations, are really expensive.


>And these are places, not products

Those places have products that contain the toxic chemical. An apartment building is not poisonous by itself, they contain products that contain the harmful chemical. That's what they should be warning you about.


Ya, but what products? I'm sure California understood that it would be difficult for property managers to do a complete audit, so allowed this warning as a cop out (it might be that they have none of those chemicals, but who knows, we will put up the warning just in case).


It always trickles down. The property managers know who built the buildings. The construction company knows what companies produced the construction materials. The company that made the construction materials knows what chemicals are in them. That's the person who writes the warning, and the construction crew tells the property manager, and the property manager keeps a list in their office for public viewing.


I think it has more to do with the gardeners and maintenance than the orig construction. But ya, they so much as use a floor cleaner from the grocery store, that would have to be documented.


Depends what it's made of. An asbestos apartment building is kinda toxic.


Sure. Also, no one in China trusts each other's apartment renovations for this reason, which is why you are expected to re-renovate every time you buy (and your own renovations do nothing for the resale value).

That stuff is actually easy to track down is what I meant. It is the day to day stuff that isn't.


>There's nothing forcing companies to tell you what compound is harmful, where it is.

This is changing. But you still have the problem of over reporting. There are provisions to verify that your use of the material is safe, but it's so much easier, and so much less risky, to just slap the label on.


Some warnings speak of "specific birth defects" which is something greater than a may/might do something. Normally this is reserved for the class of chemicals and drugs that post-thalidomide are known to cause limb-reduction defects.


Funny story, we moved from China to California last year because my wife was pregnant and the environment over there is pretty polluted. When she saw this warning at the entrance of our new apartment, she began doubting our move (they don't have that in China!).

Kid was born without defects.


When I was a kid I was put on an anti-acne drug known to cause such birth defects. Docs insist that any females wanting the drug be on birth control, some simply not prescribing it to any females who aren't open to a quick termination should they accidentally get pregnant while on the drug. There are things that we know for sure will cause serious harm. Too bad such warnings can get lost in the shuffle.


Interestingly, I want to know none of those things. I'd be more interested in knowing how statistically likely the chemicals are to increase my risk of getting cancer.


I would argue that without the prior information, the statistics are also irrelevant.


> This feels kind of like that.

It might feel like that, but it isn't. Everything[1] causes cancer. Not everything needs to have an Internet connection to a service to function, not essentially at least. It's only these people looking to monetize or "h0ok all teh th7ngs up!!1!eleven!" that are shoveling crap that no one asked for, but everyone is too lazy to object to. I've got a pair of wireless earbuds, completely modern kickstarted project. They function not just without an Internet connection, but even without a paired device. You can load music onto them like an iPod (remember them? they didn't have to be connected to a cloud to have thousands of songs).

Good design is possible if you care; bad design is trying to shoehorn required "connectivity" into something that doesn't need it.

[1] - For certain values of everything.


Right now I'm writing my bachelor's thesis on IoT platforms. I think the real problem is that there's no real established pattern for authentication (the way there is for things like signing up for a web app). You ship devices and there isn't a 'one true way' for authenticating them against your platform, authenticating the user, partnering the user with the device, and then encrypting all traffic from the device to the local or public network.

Everybody uses their own homegrown solution, which depends heavily on the hardware they have to work with. This means that some companies get it right and many get it wrong. Yeah, the biggest problem is companies shoehorning connectivity to products, but the second biggest problem is that there really isn't a standard for securing that connectivity.


Another thing about IoT gadgets and "smart" stuff in general, is the guaranteed obsolescence. It's not literally planned obsolescence, but when you install that wi-fi smartlock in your door, you know that in 5 years the company will stop updating the app that goes with it, and it won't work anymore under iOS 16, and so you'll have to throw it out and get a new lock, a new dimmer, a new garage door opener, new audio system, you name it.


> I think the real problem is that there's no real established pattern for authentication (the way there is for things like signing up for a web app).

No. The real problem is that a device you bought requires internet access for no good reason, spies on you ("collects information") with no good reason, and becomes useless garbage once the company that sells it goes out of business or decides to terminate the product line or just grows to dislike you, all that for your lightbulb in the toilet to dim to the beat of played music.

For IoT to be useful at all, the devices would need substantial configuration possibilities, like where and with what protocol to send data to, or better yet, whom to allow to fetch data from the device. But this would be only for hobbyists, as the general public is not interested in tinkering.


I agree with you, from the nerd perspective. The general public cares more about utility than privacy, unfortunately, but the equation is similar in both cases: are we getting more value than we’re giving up in control?

Much as HyperCard, Excel, etc have allowed non-nerds to solve their own problems or scratch an itch, there is room in IoT for these people to tinker. They just need the right tools and framing.


I'd say 95% of IoT devices right now are from companies looking to jump on the bandwagon. The "iPod" of connected devices (i.e. actually useful) hasn't been discovered yet. Most products right now are just looking to tick a box for shareholders/investors.

Sidenote, those earbuds sound interesting. Could you point me to them?


> Sidenote, those earbuds sound interesting. Could you point me to them?

Bragi's The Dash: https://www.bragi.com/thedash/


Everything connected to the internet is a potential security and privacy risk. If they had a law requiring warning labels, then all products would just have to have that warning, regardless of whatever good design was applied to it (which is subjective and hard to judge, especially in the legal sense).

But ya, take out the internet connection, and no more problems. Take out the battery and the risk of fire/explosion also goes away.


> Everything connected to the internet is a potential security and privacy risk.

Yes, that's true. What I'm saying is that not everything needs to be connected to the Internet, and requiring things to be connected to function fully is stupid and anti-consumer. By requiring the label on things that don't essentially need an Internet connection, it would allow those of us discerning consumers to avoid the crappy products.

> But ya, take out the internet connection, and no more problems. Take out the battery and the risk of fire/explosion also goes away.

The fire/explosion risk doesn't go away (power bricks have been known to cause fires). And electricity is essential to electronic devices functioning; Internet connectivity is not.


I think you missed the satire in the post. Obviously these warnings couldn't be used in practice since they list exploits that would've been fixed upstream if the companies had found them before release.

One exception might be the vibrator spyware "feature" which was clearly on purpose.

I took it more as a jab at the terrible software practices in this IoT goldrush than a serious proposal to add actual warning labels to their packaging.


I once saw a sign on a door of a hotel in the bay area that said something like "this door leads to an area with stuff that can cause cancer". If you went through that door, you ended up outside.

Technically, the sign wasn't wrong, but come on California...


Also like the pervasive “this site uses cookies” warnings in Europe.


If that abomination didn't exist, it would make for a great satire post.


I've actually always appreciated that we have that... coming from a less liberal place, it made me feel like the state really cared about people's safety over the safety of corporations, and it's usually easy enough to find more information online about the compounds.


Try using a CA compliant gas can to fill up your CA compliant riding mower then put said mower in reverse and back it out of wherever it's parked. For bonus points do so without a helper. Stickers and warnings are one thing. Mandating consumer safety features can go wrong easily.

In some areas "this product not for sale in CA" is a marketable feature. On small engines it means it's tuned to run well instead of minimum emissions. For gas cans it means you don't need three hands to pour from them. For riding mowers it means you don't need to go out of your way to engage several redundant safety mechanisms in order to operate it (In addition to reasonable safeties like a seat switch and shifter that can't easily be bumped).

I can't think of one off the top of my head but I'm sure there's equally "pants on head" consumer safety laws about things other than garden/lawn equipment and/or in states/countries other than CA.

(BTW, this post is the cliff notes of a conversation I had with my coworkers at a tech company so it's not like we're a bunch of hicks complaining that the guards on our saws prevent us from fitting oversized blades.)


Is it such a bad thing to value reducing emissions from some of the worst forms of easily avoidable pollution, i.e. spilled gas and two stroke engines?

If you were around when the air quality in LA was almost as bad as what we are seeing now in places like Beijing, you might agree with some of the provisions that were enacted (and were hugely successful at reducing pollution not only in CA, but elsewhere due to said "features".)


Man, I hate those gas cans. I've used a bunch of different cans with "safety" nozzles, and every time I get gas on the equipment, the can, the ground, my hands, etc. They're much worse than what we had before.


The signs in California aren't useless because the signs are useless; they're useless because of the specific implementation.

If you do have an area with known-dangerous substances, and don't put up the sign, you get hit with a penalty significant enough to hurt. If you don't have anything dangerous, but do put up a sign, nothing bad happens to you. So rather than actually check for what's there and put up the sign only when relevant, everyone errs on the side of "better put up the sign just in case".


Edit: I might be wrong and I have to go before I can get sources on it.


How did you arrive at this idea? I looked into it and it seems the list has very formal requirements for inclusion and they give the specific reason for inclusion for each chemical (https://oehha.ca.gov/chemicals). I guess that technically under the law the governor decides the final list but the actual compilation of the list has been delegated to oehha which has created formal requirements for inclusion.

What chemicals do you think have been included without scientific basis?


They also miss a lot of things that do contain or emit chemicals that cause cancer, like dryer sheets.



I think the current champion for disgusting-but-necessarily-put-out-of-mind required California signage is the "pool diarrhea rules". See for example:

https://boingboing.net/2016/09/07/the-messy-fight-to-stop-ca...


I have always wondered if you included both what was cancer causing and what it would cost the company/location to get rid of it on the sign it would be even better.


It's what I call the WebMD problem, though it's much older. WebMD has to put 'cancer' as possible cause for nearly every symptom because otherwise they risk huge lawsuits. Another shining example is some chainsaws having the warning label 'do not stop saw with hands or genitals'. I've always wondered, to Europeans, sue happy cultures like China or America look absolutely bonkers, but how do these cultures view Europe where it concerns that segment of society.. toothless? Sensible?


I find the phrasing so funny, "known to the State of California to Cause Cancer", as if the State of California had any bearing on evidence or scientific truth.


I'm of the opinion that products which require a separate service to perform their advertised functions (i.e. a "cloud" service-- be it "free" with the product or subscription-based) should be clearly labeled as such. I know that I don't actually own anything that I can't self-host (or pay whoever I want to host it), but it's clear that most people don't. Public education on this front seems valuable to me (but, then, I'm one of those crazy people who believes in standards-based protocols and commodity hosting service).


Yes. A couple years ago I bought a network-attached hard drive with some kind of cloud backup service bundled (the current marketing-speak seems to be "personal cloud"); fortunately I did a little extra reading before opening it, because it wouldn't even let you set it up for local access without registering an account on the cloud service.


For sure, that’s what killed the Pebble watch for me.

I got it home, opened the box, thinking I had a new watch!

Nope. You have to connect it to the internet and let it phone home first. It would not tell time, permit you to manually set the time, or let you explore that watch at all, until it spoke with its mothership.

I put it back in the box, and tossed it in the closet, and it’s still there, and now it’s completely unusable because the company collapsed.


Technically it is still usable, with an update that allows the watch to be de-tethered from the old Pebble servers[0], and there is an open-sourced version in active development as of this Spring[1].

[0] https://developer.pebble.com/blog/2017/04/04/transitioning-u...

[1] https://rebble.io/


What a waste! Here in the EU you have 8 days to send it back without any reason. That is a nice rule for this type of nonsense.


Wasn't it 14 days? And it only applies to online shopping (supposedly to compensate for losing the ability to see/try things before buying them)...


If it is in a mint condition with boxing, hold on to it, in a decade or so I believe it would be worth a lot.


In a decade the hardware may fail (yay today's manufacturing practices). But in 2-3 years, most Pebble fans will probably have broken their current watch, and will be desperately looking for replacement. Since among smartwatches, Pebble was the single least shitty option (by a wide margin) and no company is stepping up with a comparable alternative, people might pay good money to get a working one. I know I probably will.


As long as it isn't the Pebble Time Round, and the battery doesn't swell and require replacement...


> I'm one of those crazy people who believes in standards-based protocols and commodity hosting service).

If that counts as crazy, then lock me up, because I'm crazy too. I'll second everything you said, but I'm not so sure it's entirely ignorance - I believe a large number of people just don't care (which is ignorance of another kind).


They don't know to care. That's why I think we need public education. As companies who make these "IoT" devices go bust and the various Internet-enabled cloud widgets the general public has purchased turn into bricks people will get an "education" of a sort.


> standards-based protocols

Ok seeing we're talking IoT what standard: off the top of my head mqtt, coap, http/rest, soap? Those are just communication protocols. Now we still need to standardize the application data layer: jsonschema, swagger/openapi, wsdl? And most of the time the vendor wants to own the application for their benefit. Also the classic xkcd of standards leading to more standards is so true.

As you mentioned the problem lies with the general public, don't care attitude. Hopefully there is enough that will try to educate and help their peers.

But a lot of us are going to learn the hard way how criminals used our iot devices against us to rob us blind and only then change will truly start to take place.


This self serving 'general public don't care' argument by software folks is becoming tired and cliched.

The general public doesn't care about freedom of press. Let's take that away. The general public doesn't care about elections. Let's take that away.

People use these self serving assumptions of ignorance to empower themselves. You have a ton of devices and things you use in your everyday life. Why should a doctor or civil engineer need to understand the details of software and hardware technologies to get value from it? Do all software folks understand the details of medical stuff or their home construction?

That's why you need regulations, so vague terms like the 'general public don't care' are not used to abuse them.


> That's why you need standards, so vague terms like the 'general public don't care' are not used to abuse them.

I wouldn't argue so much for standards of technology, as for standards of conduct. It's funny you mention doctors and civil engineers, two professions with high ethical standards precisely because they went through the same painful growth the software industry is going through now.

The 'general public', quite frankly, is ignorant about a great many things. And let's be honest: it is very rare indeed to be the kind of person with the aptitude, time and willingness to become a polymath to the point that you'll never be scammed in any field, ever. It is incumbent upon us, the knowledgeable and ethical practitioners of our field, to hold not just ourselves, but our whole industry to a higher standard. Thus, discussions such as this one on HN where we point out that IoT devices could cause a world of hurt because of all the make-a-quick-buck hucksters who couldn't be arsed to do due diligence.


> two professions with high ethical standards precisely because they went through the same painful growth the software industry is going through now.

High ethical standards enforced by a court of your peer professionals, who can ruin your career if you break the code of conduct. The last part is, unfortunately, crucial, because ethics can quickly go out of the window when people face monetary pressures.

> It is incumbent upon us, the knowledgeable and ethical practitioners of our field, to hold not just ourselves, but our whole industry to a higher standard. Thus, discussions such as this one on HN where we point out that IoT devices could cause a world of hurt because of all the make-a-quick-buck hucksters who couldn't be arsed to do due diligence.

I strongly agree. And I feel there should be loud naming and shaming of companies with anti-consumer practices like these.

One thing I feel we can teach the general public, though, is the distrust towards the cloud and SaaS model. IoT devices can, and should, communicate point-to-point or in your LAN. If a device needs an Internet connection to work and doesn't have a damn good reason for that, one should avoid it.


Yes. There's this doorbell (400-1500 USD) that connects via internet to a central host, and then notifies you on your smartphone. Seems sort of a neat idea, but a house lasts several decades - is that startup and its server going to be around that long?

http://www.doorbird.com


It also notifies that central host every time someone visits your home, and provides them with video and audio of that person. That doesn't seem like a "neat idea" at all.

"By visiting my front door, you agree to Doorbird's privacy policy"


The doorbell for Serial Criminals who Sell Out to Federal Agents and/or Cartels. (...near you!) etc.

Speaking of planned obsolescence, it would be nice to be able to take a working 40yo. fixed camera and tell it it's a barcode reader and scheduled wildlife counter, or otherwise to take a power profile change, if not also distinct (llvm, CoolWave, Bluetooth 4.1 profile) promise or callback schema. Maybe tell the shakeweight that you're putting it in the closet in a manner that shaking is no excuse to dissipate more than 21mW. Certainly get (MSDS-ish # circumstance) links from devices that deal in goober or tree nut oils or PVC with flame retardant adjuvants, etc. maybe or maybe not explicitly asking things to MacGyver themselves into a bootstrap industry they don't belong to.


Couldn't the same be said about all the other shitty cloud-connected surveillance cameras? Not saying that justifies it, just that this is a bigger problem than just those awful internet of doorbells


Of course it can be. It's all shitty engineering - making roundtrip through cloud with data that should only ever touch your personal devices.


This is exactly why I haven't picked up a video doorbell yet.

Currently I have a bunch of cheap WiFi cameras, all made by D-Link. The thing I like about D-Link cameras is that when you put them on a WiFi network that isn't allowed to access the internet they still work as expected.

The cameras themselves have all of the smarts to do motion detection and email short recordings, they can also FTP images somewhere or you can use something like Zoneminder to handle things. None of this requires them to phone home or make use of some kind of cloud service.

Of course, D-Link does have a cloud service, but it's not required. To me it seems like the best of both worlds - the easy-to-use cloud service for those who want it, plus the ability to work standalone for those who don't want to use their service.

Why doesn't someone build a video doorbell that works like this? D-Link keeps making and selling these cameras, so clearly there's some kind of market for products that have a cloud service but don't require it.


Well, a doorbell is not exactly a part of the foundation and it is easily replaced. My house from the 1930's has seen several doorbells already.


This isn't limited to the doorbell. It's the doorbell, the stereo system (Sonos), the connected garage door, the alarm, the security cameras, the thermostat, ... they're all dependent on their dedicated app.

When the vendor stops updating the app that goes with a 5-yo product that they no longer sell, at some point that app will no longer work under the new version of your mobile OS (iOS 16? 17?), and you'll have to give up on it.

There's a huge amount of obsolescence coming down the pike in 5-10 years.


> There's a huge amount of obsolescence coming down the pike in 5-10 years.

I think that's okay, overall. These things should all be considered prototypes and shouldn't be expected to last forever. [I also think a certain amount of obsolescence is sensible and even good given the potential upsides to maintaining people or teams capable of designing, manufacturing, and supporting specific products or services.]


Well, not many things remain the same in a house over several decades. Yes, such a doorbell is more or less an expensive toy that likely will cease to work within half a decade, but normal doorbells tend to break once a decade as well.


And I just visited a building that is several centuries old, and gained admission by using a solid iron knocker on a big wooden door, both of which are original.

Not all technological changes are advances.


I'd like to go further and require the seller to pay for insurance to give an extended server life in the event the company folds OR release code for public servers that work all advertised features of the device.


Simple rule: I buy it, I own it and it should not need an external service to operate. If it does then I'm not buying it.

None of those grafted on services for me, I really have yet to see anything that was so compelling that I would give up and consent to essentially renting a device and having an account with some service to make it useful.

That way you also don't need to warn anybody about the lousy security, I'm 100% convinced that those companies that are exploited are merely the tip of the iceberg, that for each of these there are a vast multiple that were exploited but never found out and that the remainder also isn't as secure as they should be.

Running a secure service with devices in the field is hard, harder than I give most companies credit for and those companies that could pull it off (Amazon, Apple, Google, Microsoft and a couple of others) are usually the ones that I would trust even less with my data because of their ability to add it to the pile they already have.


> Simple rule: I buy it, I own it and it should not need an external service to operate. If it does then I'm not buying it.

I do for a few things. I pay T-Mobile so I can make phone calls with my cell phone. I also pay Netgear for some Arlo cameras.

I'm more willing to get devices that have external services if the company offering them will likely be around for the life of the device. For my phone, I'm happy if T-Mobile lasts two years and for Netgear, I'm counting on around 5 years.


Strongly with you on that. I too avoid both hardware and software that uses external services as much as I can. Every day this becomes harder, though. For me it's not even about security - it's about reliability (having the stuff work off-line), longevity (not losing a device or software because a startup reaches the end of its incredible journey) and plain old respect for good engineering. Shuttling bits around half of the planet to move them between devices that are physically next to each other is just shitty engineering.


> Simple rule: I buy it, I own it and it should not need an external service to operate. If it does then I'm not buying it.

That's a good rule, but good luck opting out once most manufacturers no longer give you an option.


> That's a good rule, but good luck opting out once most manufacturers no longer give you an option.

The irony is that this is Hacker News and so many people building those things hang out here. If we want to make a difference, we have to start making a difference.


Well, I strongly hope those many people involved in these things can feel the peer pressure here, and subsequently push for changes at their workplaces.


Surely the idea of overt, explicit labelling about the risks of using these devices is to create the possibility of competing brands using their better security/privacy as an advantage, and thus promote more secure and private products?

I've long advocated the basic idea from the article here, but in a much more blunt way, with explicit warnings about the potential consequences:

Identity theft is the fastest rising crime in COUNTRY.

The average victim loses $X permanently and takes Y months to get their life back.

THIS PRODUCT DOES NOT MEET PRIVACY STANDARD Z SO YOU ARE MORE LIKELY TO BECOME A VICTIM IF YOU USE IT. COMPETING PRODUCTS MAY BE AVAILABLE.

(Or something along those lines. You get the idea.)


>Surely the idea of overt, explicit labeling about the risks of using these devices is to create the possibility of competing brands using their better security/privacy as an advantage, and thus promote more secure and private products?

Which is more likely, that companies will actually create more secure devices, or that companies will simply label their insecure devices as required knowing full well that most consumers will ignore the labels? How many people read the TOS for anything they sign up for? How many Hacker News users, who should know better, read the TOS of anything they sign up for? Do people stop smoking because we put cancer warnings on cigarettes? Some, maybe, but enough for cigarette makers to make their products healthier?

It seems to me that the most likely result of labelling IoT devices would be for consumers and businesses to accept that lack of safety as an acceptable tradeoff for whatever features the device offers.


> Do people stop smoking because we put cancer warnings on cigarettes?

It's hard to separate effects, but certainly here in the UK where we now have aggressive labelling restrictions on packets and visible displays in shops and strict limits on smoking in most public places, smoking seems to be much less of a problem than it used to be. In particular, culturally among younger generations, social smoking is no longer the norm in the way that perhaps it was for their parents or grandparents.

I see no reason that similarly explicit labelling requirements for dangerous IoT devices couldn't help, particularly if also combined with restrictions on use in contexts that could affect others.

Failing that, I personally have no problem with powerful regulations that pose an existential threat to businesses that are deliberately and flagrantly cavalier with security or privacy in the online era (and I write that as someone who is typically very cautious about regulatory over-reach and unintended consequences).


>I personally have no problem with powerful regulations that pose an existential threat to businesses that are deliberately and flagrantly cavalier with security or privacy in the online era (and I write that as someone who is typically very cautious about regulatory over-reach and unintended consequences).

To me, that combined with a campaign of education and raising consumer awareness might be more effective.


Such a campaign would be helpful, I agree.


Most of those Edison 170V DC products saw adaptation. (Their net service proved some adaptability.) Doorbells that offer both stealth and wireless stealth rolls and declared their adherence to ADnD (WoTC) v4.4 and a major faction (Lawful Wyrmic Faction? Fire Zero (Adherent, Vacancy)) sound a bit better right there. Company changing to DnD v. 5.2? Escrows a key (to open base.h ROM, to a VM, something with relevance.)


> Simple rule: I buy it, I own it and it should not need an external service to operate. If it does then I'm not buying it.

While this sounds like a wonderful idea (and one I would subscribe to), it doesn't address the fundamental problem with IoT security.

Most operating systems have updates made available on a monthly, weekly, or even daily basis, in order to keep them secure. Mostly, we know how to do this, the operating system generally auto-updates, and the people producing the OS keep up to date. This is necessary because the time from discovery of a bug to exploitation of a bug can be very short.

IoT devices rarely have this. A Miele washing machine should last 20 years, but there is no way I'm leaving a computer with a 20-year-old OS on the internet. That's just asking for trouble. There's also the point that OS makers generally have a clue about computing security, but IoT makers generally do not.

A computer with no way of updating the OS for security (i.e. an IoT device) has a usable lifespan of maybe a couple of months. If you're lucky.


Well, but that's the point: don't connect it to the Internet. 99% of the IoT stuff should never ever have to work outside of your local network (including VPNing to your phone if you're outside).


This is all good stuff, but actually raises another important question for our new wave of technologies: how do/should we regulate products where some form of after-sale updates is necessary to maintain proper function?

For example, in my country, it is typically the merchant who sells you a physical product who will be on the hook under consumer protection legislation if the product fails to meet acceptable standards somehow. It's implicit that they would in turn try to recover any losses from their own suppliers later, but that's not the end customer's problem, and the merchant is the one who loses out if they don't have such a recovery mechanism available.

However, that's hardly fair if there's a third party involved (the developer of some software component within the product) who can update it in whatever good or bad ways they want without any knowledge or consent on the part of the merchant. It is particularly unfair if that third party is also a relatively large or even monopoly supplier and can dictate more-or-less arbitrary terms to merchants selling their products, who typically do not benefit from a baseline of legal protections against exploitation in the same way that end customers do.

In short, our entire framework of consumer protection and product liability laws has been built around the model of a linear supply chain resulting in a single point and time of sale, but that model simply doesn't apply any more in many cases.


While this is still possible (usually) when buying physical goods, it is getting to be nearly impossible for software. Good luck buying professional grade graphics or video editing software without signing away any agency over the software.

In fact, depending on how you view "intellectual property" laws, anything that isn't public domain could be considered a "grafted on service"


Like with the various hardware bits that I use this would probably cause me to get stuck in the past at some point in time. Fortunately for me my tools are free (text editor, compiler) but I can see that in some professions you are now forced into buying a subscription for software where you'd much rather just pay for a license and the occasional update. Congratulations at becoming a dairy cow, even so this article was about IoT and there most services feel grafted on without any kind of improved functionality, in the case of software-by-subscription (which I think is a fairer name than software-as-a-service) one could argue that the distribution model has changed but the functionality is roughly what you pay for. Not that there aren't obvious drawbacks to software 'in the cloud'.


> it should not need an external service to operate. If it does then I'm not buying it.

And how do you know, pre-purchase, whether it does?


> And how do you know, pre-purchase, whether it does?

By requiring a warning label on it, as the title suggests. Doesn't seem like such a silly idea now, does it?


Jacquesm said it as if he already followed this rule and everyone could choose to do so. But there being no warning labels makes that kinda hard...

> Doesn't seem like such a silly idea now, does it?

I never said that.


Usually there is something to be found on the internet about whatever it is that you are about to purchase and this most of the time is pretty accurate about hidden online components that ought to be disclosed but aren't. For instance the Nest, when I first heard about it I was interested, when I realized it is tied to a service I decided not to buy it. Ditto smart doorlocks and other clever IoT stuff that seemed attractive until I found out that it requires 'always on' internet and is hard or even impossible to upgrade besides not being clear about what data is being sent to the mothership.

My navigator is an elderly TomTom, my phone an old Nokia and so on. I seem to be stuck in stuff that is now a generation or two behind the times but I've yet to be convinced that the 'new' stuff is better in a way that outweighs the privacy and security risks.


It's usually on the box, because manufacturers think the cloud is a feature, not a problem.


Also sums up my philosophy, at least ideally. (I dread the next time I have to buy a car...)


> (I dread the next time I have to buy a car...)

I agree.

Personally, I actively do not want OTA updates, or much of any remote communication to or from my car at all, that isn't 100% isolated from all the essential vehicle control, safety and security systems.

I can tolerate the idea of a vehicle-initiated automatic emergency call system, or a remotely activated but otherwise independent tracker device as an anti-theft measure. These have a clear and beneficial purpose for me as the owner/driver, and if strictly limited to that stated purpose they pose minimal privacy, security or safety concerns.

Anything beyond that, I would rather do without. And I'll maintain my current car indefinitely rather than buying any of the current generation of might-work-or-might-kill-you stuff. The lack of effective regulation and oversight in the auto industry was scary when it was just mechanics, it became more scary when software started to eat the industry, and it's just plain terrifying in the new, connected era.


A little ironic: I tried to share this article on the #offbeat Slack channel at my work, but the automatic preview image Slack generated for it (from the top cover image of the article, which you can't really see most of, unless you view the image separately) is a (pretty NSFW) fake front-of-the-box for a "We-Vibe" IoT vibrator: "We can see how kinky you are". Not what I was planning to share with my coworkers. I'd recommend the author to change the cover image, or at least feature the whole image prominently front-and-center if that's really what they want to do, so people don't accidentally share it inappropriately like I did.

Good article though, and I definitely agree that these issues with IoT devices should be made more prominent.


I sort of wish Slack had a way to disable the preview image feature; I've run into this several times where a reasonable, work-safe article was processed into a picture not-so-suitable for Slack.

It mostly seems to be cases like this one, where the first image is concealed or contextualized in the article but treated like a normal header image by Slack. I think one that got me worst was a piece responding to someone else's content. Slack simply pulled the quoted text and picture at the top - which looked like sharing the original article, instead of a response to it.


An X shows up next to the preview/unfold when hovering, and allows you to delete the preview, at least in the full desktop app.


Haha, same on FB, tried to see how to change it, in the end just went for the vibrator image without any text around it (because it is cropped off). Living on the edge.


It would be interesting to have a word for devices that is sort of like 'organic' for food.

It would indicate that the device is self-contained and has no connectivity.


I totally agree with the idea. However, the "has no connectivity" bothers me. It's OK for devices to have connectivity as part of their feature set. I'd be very unhappy if my iPad couldn't connect to the Internet at large. However, it requiring even occasional connection to some specific service in order to perform its functions is the red flag.


"Independent"?

I see some suggesting "no connectivity" but that would just sound like a negative thing. Typically you list features, not things it doesn't have. Sure, if you pause to think about it, we (on HN) would all figure out the benefit. But many people might not pause nor figure it out.

Independent also doesn't sound exactly right, but perhaps it's just that nobody ever used it to describe this before and I'd need to get used to it.

Edit: "Dependency-free" is not as common a word and means the same thing. That might be a little better.


> It would be interesting to have a word for devices that is sort of like 'organic' for food.

> It would indicate that the device is self-contained and has no connectivity.

"Well-designed"?


>"Well-designed"?

Very good one.

A good candidate would have been "smart", but unfortunately it is already taken to mean the opposite.


I use "dumb". Sure, it sounds negative, but when used in context it's easy to understand for anyone that knows about "smart devices".


No "E.T.-Phone-Home".


Unfortunately, "organic" today mostly means overpriced crap for eco-freaks that's about as bad or even worse[0] than regular food. Hell, sometimes the same companies make both regular and "organic" stuff.

But I get your point. Now I would like to have some "smart" devices, though, so beyond your label for self-contained devices I kindly ask for a label for devices that stay on local network.

--

[0] - industrial pesticides are better than "pesticides" that still let you claim the "organic" label.


"no connectivity" sounds fine to express that. "unconnected" maybe.

But IMHO such devices aren't the problem. I can't think of many (any?) devices where I'd want an unconnected one and can't get it. The problem is connected devices that come with unexpected extra connections (networked camera that wants to talk to cloud service etc). Maybe "service-less" for that?


DRM free?


offline?


"Offline Ready"


Botnet free


Fat free.


Z-wave and encrypted ZigBee controlled products work pretty well for in-home automation. Communication is encrypted between devices.

The problem can be the Z-wave/ZigBee controller which may very well require Internet and Cloud access to "phone home."

I avoid using IoT devices that I can't re-program or if nothing is available except some proprietary/cloud driven device I isolate them into their own little network space, so they can't attack the rest of the network or "phone home" unless I let them. Sometimes, that isn't possible and that's when 30 day return privileges come in real handy.

The ability to trace the packets coming off of most IoT devices is fascinating and sometimes scary. A lot of devices are like the recent OnePlus smartphones that record and send most everything to their "true master" the manufacturer of the device. At least, with a OnePlus you can fix that, by reflashing the phone.... which is not true of most IoT devices being sold today.

Have you noticed that BestBuy seems to only sell IoT devices that will "phone home?"


You gotta have a link for what you said about the OnePlus.


There was a post on /r/Android about it [1], but it seems like you can toggle this off by disabling device analytics in the settings.

[1]: https://www.reddit.com/r/Android/comments/75ev0z/oxygenos_is...


I read about a proposal to prominently put expiration dates on IoT devices, to show how long they will be served with security updates. That could be interesting and also raise awareness.


Not really. Don't forget that for the longest time home routers shipped broadcasting the default SSID with no password. Now they come preconfigured with a locked-down SSID and password (though the management interface is still usually behind admin/admin or an equivalent). Security isn't on most people's minds -- it has to be built into the product from the get-go to get the largest reach.


It wouldn't change a thing, at least not in any meaningful fashion. People want the latest whiz-bang thing and these devices are marketed to those who have the barest understanding of technology.


Interesting idea. I wonder what this would look like on commercial software packages :-) Yeah I'm an oldschooler that remembers buying software and games in actual physical boxes!!!


I sometimes buy hard copies of games simply because I dreamed of having a PlayStation or a gaming PC as a kid, but my parents couldn't afford either, so I never got the chance of collecting anything related to PC games. Unfortunately, most of them only come with a small piece of paper inside with a steam activation code written on it. I remember when games contained entire manuals in the box.


No lie, I still have games in physical boxes, and none of them phone home or require any sort of Internet connection to function. Almost as if they designed for http://offlinefirst.org/ instead of the other way around . . .


>Yeah I'm an oldschooler that remembers buying software and games in actual physical boxes!!!

Old enough to remember also printed, well written, exhaustive manuals coming with them? ;-)


If there is such a warning, it should be along the lines of:

"This device is inherently insecure and could be remotely operated by persons unknown anywhere in the world."


Also: "This device collects data to be processed by the vendor and possibly resold to third parties."

Also maybe they should be honest and just write: "This device will stop working at any time the company behind it gets bought and/or decides to abandon the product line."


WARNINGS:

WARNING: This product warps space and time in its vicinity.

WARNING: This product attracts every other piece of matter in the universe, including the products of other manufacturers, with a force proportional to the product of the masses and inversely proportional to the distance between them.

CAUTION: The mass of this product contains the energy equivalent of 85 million tons of TNT per net ounce of weight.

HANDLE WITH EXTREME CARE: This product contains minute electrically charged particles moving at velocities in excess of five hundred million miles per hour.

CONSUMER NOTICE: Because of the "uncertainty principle," it is impossible for the consumer to find out at the same time both precisely where this product is and how fast it is moving.

ADVISORY: There is an extremely small but nonzero chance that, through a process known as "tunneling," this product may spontaneously disappear from its present location and reappear at any random place in the universe, including your neighbor's domicile. The manufacturer will not be responsible for any damages or inconveniences that may result.

READ THIS BEFORE OPENING PACKAGE: According to certain suggested versions of the Grand Unified Theory, the primary particles constituting this product may decay to nothingness within the next four hundred million years.

THIS IS A 100% MATTER PRODUCT: In the unlikely event that this merchandise should contact antimatter in any form, a catastrophic explosion will result.

PUBLIC NOTICE AS REQUIRED BY LAW: Any use of this product, in any manner whatsoever, will increase the amount of disorder in the universe. Although no liability is implied herein, the consumer is warned that this process will ultimately lead to the heat death of the universe.

NOTE: The most fundamental particles in this product are held together by a "gluing" force about which little is currently known and whose adhesive power can therefore not be permanently guaranteed.

ATTENTION: Despite any other listing of product contents found hereon, the consumer is advised that, in actuality, this product consists of 99.9999999999% empty space.

NEW GRAND UNIFIED THEORY DISCLAIMER: The manufacturer may technically be entitled to claim that this product is ten-dimensional. However, the consumer is reminded that this confers no legal rights above and beyond those applicable to three-dimensional objects, since the seven new dimensions are "rolled up" into such a small "area" that they cannot be detected.

PLEASE NOTE: Some quantum physics theories suggest that when the consumer is not directly observing this product, it may cease to exist or will exist only in a vague and undetermined state.

COMPONENT EQUIVALENCY NOTICE: The subatomic particles (electrons, protons, etc.) comprising this product are exactly the same in every measurable respect as those used in the products of other manufacturers, and no claim to the contrary may legitimately be expressed or implied.

HEALTH WARNING: Care should be taken when lifting this product, since its mass, and thus its weight, is dependent on its velocity relative to the user.

IMPORTANT NOTICE TO PURCHASERS: The entire physical universe, including this product, may one day collapse back into an infinitesimally small space. Should another universe subsequently re-emerge, the existence of this product in that universe cannot be guaranteed.


Just a sidenote, this is not original content and no source is mentioned. From a quick ddg search, this seems likely to be the original (1991):

https://stuff.mit.edu/people/dpolicar/writing/netsam/warning...


You forgot “WARNING: This product contains chemicals known to the State of California to cause cancer and birth defects or other reproductive harm.”


Do not taunt happy fun ball.


CORRIGENDUM: G·m1·m2 / r² isn't inversely proportional to r, but inversely proportional to r².


I get the humor value, but isn't this just elitism from the software folks? Should we add similar warnings to websites of startup companies? Or during the installation of pretty much every single OS?

I saw some folks recommending punitive damages against IoT companies that ship this insecure junk. Well how about prosecuting software devs who introduce security vulnerabilities?


Urm, you know, people got used to IoS. Telling other people how to make their choices is telling other people what to do. It's not always nice, and frankly, never actually works.


> It's not always nice, and frankly, never actually works.

It works and is profitable. Just ask any advertiser. And it is nice. It increases corporate profits. What could be nicer than that? /s


People also got used to smoking. Telling people not to smoke might not have been nice, but it definitely has been working.


I know this is sarcasm!


Sure, but Microsoft starts first with same label on Windows 10.


If we follow Troy's line of reasoning, then we would need to add these warnings to phones, tv's, websites, credit cards -- just about anything that contains data about you.

I guess the main point the author is trying to make is that data can get compromised, and some people might not be aware of that.

Nothing new or groundbreaking.


> If we follow Troy's line of reasoning, then we would need to add these warnings to phones, tv's, websites, credit cards -- just about anything that contains data about you.

I honestly don't see a problem with requiring this and enforcing it with the corporate death penalty. Need I mention Equifax?


We need UL listing for security on IoT devices.


Ugh, hey Troy, thanks for making the post NSFW with that featured vibrator image...was it really necessary to make the point of the article?


I shared it on #general and nobody complained.


[flagged]


So you're allowed to browse for vibrators at your work place? Interesting.

He could've used any other image from the post as the featured one.


NOTE: This packet is sold by wait, not by volume. Packed as full as practicable by modern automatic equipment, it was delayed the full net wait indicated. If it does not appear full when opened, it is because contents have been compressed during shipping and handling.

http://www.directionsforme.org/item/315569


weight...

> This package is sold by weight, not by volume. Packed as full as practicable by modern automatic equipment, it contains full net weight indicated. If it does not appear full when opened, it is because contents have settled during shipping and handling.

Not entirely unreasonable note, but nothing to do with IoT



