Great article, the most interesting part of which is that you can lock your self out of your toothbrush head after three wrong password attempts. I didn't dig into the data sheet for the NFC chip very deeply, but I imagine that it's just the default that the chip ships with. Or maybe Philips really wants that $25 for a new toothbrush head. :-)
EDIT: nope, not the default. From the data sheet, last sentence:
"To prevent brute-force attacks on the password, the maximum allowed number of negative password verification attempts can be set using AUTHLIM. This mechanism is disabled by setting AUTHLIM to a value of 000b, which is also the initial state of NTAG21x."
So Philips went out of their way to secure that toothbrush head. That's reassuring.
I might have misinterpreted the article, but I imagine that if the NFC tag on the brush locks out, the handset is no longer able to write new data to it (no 'brush seconds' can be added to the counter). This suggests to me that the handset will not start blinking and reminding you that you need a new brush, but will be happy to brush to infinity. I cannot imagine that the handset will refuse to brush if it can't write to the brush...
I have a third party brush head for my Philips Sonicare with none of the smart features and no electronics in the head (there's an air gap where they usually are) and it still works fine. This makes me wonder all the more why they put the effort in to secure the head.
Engineer gonna engineer. Someone probably just had the time and misplaced passion for security, and when they explained at the weekly standup that they'd added lockout after three attempts, everybody just nodded and moved on.
This has long been a temptation for engineers. 40 years ago the textbook in the digital electronics class I took at Caltech had a chapter called "The Engineer as Dope Pusher" that talked about it.
It gave as an example clothes dryers. The way most home clothes dryers working back then was you put the clothes in, you turn a dial on a timer to the number of minutes you want the dryer to run, and you press start.
The mechanical timers were very reliable. There hadn't been any substantial improvement in their design in decades because there really wasn't anything to improve. There had been improvement in the materials used, and in the cost, but fundamentally mechanical timers was a solved problem.
If the mechanical timer ever broke the repairperson would have replacements in their van. Even if they didn't have the specific one for your dryer it didn't matter because they all worked pretty much the same. They could just put in another one. Maybe the mounting holes wouldn't be in the right place, but they could easily improvise some way to mount it in your dryer.
The book went on to say that somewhere there is an engineer designing a new clothes dryer, and instead of a mechanical timer that engineer is putting in a digital timer. It has a microprocessor, 7 segment LED digit displays for the time, some buttons for interacting with it (such as setting the time and correcting mistakes), and a power supply. And let's not forget that it has software.
That digital timer has no advantage to the user over a mechanical timer. But it has disadvantages. The interface will be worse. It will cost more. It won't be more reliable and possibly will be less reliable, and if it does need repair the repairperson probable won't have the parts. If they have another brand's digital timer on hand they probably won't be able to adapt it to your dryer.
So why is that engineer designing the new dryer with a digital timer?
Because mechanical timers are boring. Digital electronics was at the cutting edge of consumer engineering then, and so by using a digital timer the engineer got to play with exciting new technology.
Mechanical timers are fine, but digital circuitry is by far going to be more reliable if designed properly. There isn't anything physically moving, so the failure modes are much more restrictive. Also, digital provides advantages with offering variable timing on a dryer, for instance, based on the input of a moisture sensor. Mechanical methods for that are more complicated.
Additionally, I would be very surprised if the digital solution is not cheaper to make. Maybe not when first originally introduced, but nowadays it very likely is.
You're right that repair-ability is hurt in some ways... but the industry has moved to compensate. You can buy boards and replace them. They aren't inherently hard to service, because the form factor doesn't really have limitations.
There is something physically moving: the machine itself. You can't wash or dry clothing without moving it around. Given that the entire machine moves (and on spin cycles, reasonably quickly), you need to make sure your circuitry is capable of handling the strain.
As a homeowner, I wish someone (anyone!) still sold reliable analog appliances that just did their job simply and made repair parts and schematics reasonably available.
Nobody would attach the timer to the actual moving drum, so the worst it has to deal with is physical vibrations from use (which, admittedly, can be quite violent if you have an unbalanced load). There are very few digital circuits that are actually meaningfully sensitive to vibrations. At worst, it's a manufacturing problem to make sure the PCB/solder joints don't crack from vibration.
In comparison, the mechanical timer is physically moving. A clockspring, or some sort of mechanism that physically sets the time remaining. Depending on how it's built, vibrations are a harder problem to solve. Not impossible, obviously, but it certainly adds cost.
Also, for most appliances we deal with today... they usually ARE simple to work on. Simple switches and mechanical contrivances. Parts are typically readily available... even PCBs, although possibly not at great pricing. There's certain appliances where you are basically screwed (fridges come to mind...), but that is mainly in my view because the typical failing part is the compressor. Nobody is rebuilding a compressor themselves.
In a fridge the typical failing part is the plastic shelves in the door. The compressor almost never fails and discarded fridges are a great source of cheap pumps if you need to scavenge them.
Source: The episode of 'The Secret Life of Machines' on fridges. Search it on YouTube.
Maybe for certain models. Personally I've never had a shelf break on any fridge I've used, which makes it sound like that's a user error to me.
On the compressors, there was a vast swath of Samsung and LG fridges that had known defects on compressors causing them to fail. Right now, the ice machines are probably most problematic. If you own a Samsung fridge with an ice maker you know what I mean.
A few years ago I was renting a house that came with a Samsung fridge that provided chilled water / ice. My kids loved the chilled water.
However, our usage of it caused the paint to start bubbling below the dispenser, and the owners of the rental wanted me to replace the door at a cost of ~$800 USD(!).
I argued that we were using the fridge as designed, so we weren't liable, instead they should discuss what looked to me like an obvious design flaw with Samsung.
They disagreed, so we ended up in court. My defence was about 12 pages printed from an appliance review site of people specifically complaining about this paint bubbling.
Easiest win ever, but seriously, how do you put a device that works with water into a fridge and fail to ensure it can't leak under the paintwork?
I do minor appliance repairs on occasion and the current time of manuals, videos and parts availablity feels like a golden age.
Granted, none of my large appliances are younger than 10 years, but I think I could build new ones (expensively) for the all the parts and schematics available, even wiring diagrams.
Yup exactly. And the electronics in a clothes washer allow for a lot more functionality than mech. When they say the "timer" was replaced with electronics, what they really mean to say is "the timer was replaced by electronics, which also allow you to select different temperatures/runtimes and whatnot based on the type of fabric you're washing or how fast you want it to be done, if you want stain removal or extra rinse then you can enable that, amongst other new options".
"Repairability" is becoming slightly nonsense because even as someone who is a programmer, who has done electronics at a hobbyist level myself, I'm not going to be able to fix a lot of stuff purely because you have to become an expert on it, the time investment is too high. As systems get more complex (to the overall benefit of all of us) the value of repairing something yourself vs getting an expert to do it, changes.
I think right to repair is good though, but purely meaning that companies to not intentionally attempt to thwart the repair of their devices and that parts/manuals are available where needed. Even so, this doesn't mean that every phone repair place is going to debug some sub-circuit inside some small part of the newest iPhone - they'll just identify the overall broken module and replace the entire board/module.
Yeah, I’m always skeptical of “it was better in the old days” type arguments (even though I recognize the aesthetic appeal of analog).
People make similar claims about cars, but old cars broke down all the time and new ones are basically appliances that “just work” without the driver needing to know anything. Similar for computers to smart phones (though obviously both digital in that transition)
It wasn’t the old days. At the time the book was written and at the time I took the class mechanical timers in dryers were ubiquitous. Digital was new, expensive, and didn’t offer any advantages for that application.
Eventually digital became cheap, and enabled new features like dryers that had various sensors that could be used to optimize drying, but that was several years down the road.
Back in the "good old days", a car was ready for the junk heap after 50k miles. These days, that's barely broken-in. "But you could fix it yourself!" Who cares when the thing has such a short lifespan? It's really strange hearing people pining for the days of shitty old cars that you needed to constantly adjust the carb, set the points, etc. Insane.
> If the mechanical timer ever broke the repairperson would have replacements in their van
> That digital timer has no advantage to the user over a mechanical timer. But it has disadvantages.
The mechanical timer is known to degrade over time, which is why the repair person has spares in their van. Does the digital timer really have no advantages? Will it ever fail and need to be replaced? How much more does it cost?
Yes, engineers are tempted to use shiny tools all of the time. Evaluating whether or not the tool is right for the job is _hard_. But it feels wrong to say that novelty is the only motivation behind upgrading tools?
The digital timer was made by an engineer, too, who designed it to be a more reliable replacement for faulty mechanical timers. It has both advantages and disadvantages compared to mechanical timers, which is why the engineer made it in the first place?
> The mechanical timer is known to degrade over time, which is why the repair person has spares in their van. Does the digital timer really have no advantages? Will it ever fail and need to be replaced? How much more does it cost?
Surely the expected lifetime of a digital timer is shorter than that of a mechanical timer.
Surely is a very strong statement here. I see no reason that a properly designed electronic timer wouldn't have effectively infinite lifetime, which is not possible with a practical mechanical timer. It has no moving parts (other than switches, which can be substituted for capacitive touch). A mechanical timer has many small mechanical parts and wear points, and can get gummed up over time if it doesn't outright stop functioning.
In practice, cost engineering is going to mean neither is completely reliable, but it should be cheaper to make an electronic timer reliable enough. Especially today, where the cost of a functioning mechanical timer is probably an order of magnitude more than an equivalent electronic timer.
I'm willing to believe that the best electronic switches can last longer than the best mechanical switches, but there's so many more ways for an electronic switch to fail that it's a lot easier for me to trust an off-the-shelf mechanical switch than an off-the-shelf electronic one, especially if the cost of failure of the mechanical switch is just an easy swap in of another one.
Capacitors can die, for example. Anything with a battery backup, the battery can leak and damage components. Electronics are more prone to ESD and water damage than mechanical parts.
Going into the realm of unlikely scenarios, electronics are more susceptible to EMPs.
The thing is: It is moving as there are vibrations. There is a fair amount of acceleration and a high frequency. Then there are temperature cycles as the machinery is not perfectly isolated. There is migration of atoms at contact boundaries. Plenty things move.
What do you mean by "reliable" wrt mechanical timers? I'm pretty sure the clothing dryer is a harsh environment for such a component (moisture and heat can easily cause corrosion and mechanical stress). Also, I guess timing gets less accurate over time. If there are rubbers preventing moisture from entering and oil from leaving, those rubbers will wear out.
Like another commenter said, the timer is segregated from the harsh dryer environment.
But also, some slop in the timing accuracy is just fine. The user doesn't really know how long precisely the drier needs to run to dry their clothes. They just know that if they set this timer to 45 then the clothes come out dry.
I wish there were an easy way to screen these type of engineers out in the hiring process. It's very hard to judge whether a candidate's excitement over new technology is simply showing passion for what they do or a red flag. A certain degree of passion is desirable, but too much is not.
The worst engineers I've worked with are ones who, in their first week, fall behind on their onboarding plan because the company's compiler needs a rewrite.
When I was a kid I thought it would be cool to be an engineer because I was really interested in creating elegant and efficient designs for things that made them simpler and easier to produce. But I didn't end up becoming an engineer...
More likely the toothbrush had to pass a security audit. And the last thing you want to have to explain to management is the DEFCON presentation on toothbrush security flaws. No. You. Don't.
Perhaps some compliance to a too-broad security policy. Like, across the board, all NFC enabled electronics with read/write capabilities must have a password mechanism.
They probably knew it was dumb but implementing it was easier than getting around all the organizational permissions to make an exception.
How long's it going to be before "smart" toothbrushes become the only option? Should I start stockpiling "dumb" toothbrushes now while I still can?
The other day I was trying to buy a pair of bathroom scales and it took me far too long to find one that just, you know, weighed things without also demanding I connect it to the Wi-Fi and download a smartphone app. How is this an improvement?
It isn't that hard at all. I'm calling BS, because it seems like you're exaggerating to make a point that would be big, if true. Except it isn't true.
First, I've owned several wireless connected bathroom scales from high-end to low-end brands. All of them work out of the box without needing or demanding you connect it to Wi-Fi and download an app. Put in batteries, step on scale, and weight is displayed. If you want to use an app, that feature is available, but definitely not mandatory, and I've never seen the device prompt to install an app. One had a removable sticker that advertised the app with a QR download code.
Second, it took me less than 5 seconds to find a non-connected bathroom scale, if you care about that. Maybe I'll assume good faith here, you may be shopping at a super high-end retail shop, or an electronics store that also sells appliances, or an online megaretailer that knows you're into tech and is recommending you smart devices? But when I search for "bathroom scale" on amazon, target, walmart, or home depot, the first result is a basic digital scale that has no connected features.
Same when I look at what is in stock in stores where I live in San Francisco. If there is a place where retailers would think they only need to stock connected bathroom scales, that would be the place. Nope, plenty of non-connected scales that only need a single button CR battery.
Christ, I make an offhand comment about a trivially minor frustration I had a few months ago and I come back to find that I've summoned the Spanish Inquisition.
I never claimed that it's impossible to buy a non-connected set of bathroom scales; all I said was that it took me "far too long" - by which I mean I wasted maybe five to ten minutes deciding which bathroom scales to buy because the first few ones I looked at turned out to be overengineered piles of Wifi/smartphone-ready bullshit that I didn't want. Looking on Amazon UK now, I see several "non-connected" scales in the search results, so I'm not sure why I found it so difficult last time, but my memories are what they are.
This is, of course, as trivial of a first-world problem as they possibly come, but it felt vaguely relevant to the current discussion, and it's part of a general trend in consumer electronics that I constantly see people on HN complaining about. Sorry you found it so offensive.
> The other day I was trying to buy a pair of bathroom scales and it took me far too long to find one that just, you know, weighed things without also demanding I connect it to the Wi-Fi and download a smartphone app. How is this an improvement?
No. I'm pretty sure it is an exaggeration for rhetorical effect. You have to try really hard to put yourself in a situation where the only bathroom scale you can buy is non-connected. OP is either really intellectually lazy on this or is exaggerating to make a point.
Maybe if you go to an electronics retailer that also sells appliances like Best Buy, that's all you can find. But I live in a very techy area (San Francisco) and my local Target has plenty of non-connected digital scales for sale. For $10 more, you can get the connected version.
I'm just saying that calling someone a liar is a pretty extreme thing, and you should be really certain that they're lying before you do so. I don't see how you can have that level of certainty in this case.
Now, saying that they're wrong is much more supportable and doesn't require you to engage in the tricky business of trying to read someone's mind.
Notice I didn't use the word lie or liar, because the traditional definitions require intent to deceive. We rarely have access to each other's true intentions, so I don't think it is a useful term to use in these discussions.
What I believe is that we shouldn't be afraid of calling out people who casually spout easily disproven bullshit to make their argument. Saying you can only call out someone for being wrong doesn't go far enough. OP was arguing the position that there is too much connected tech, so much that in the future we may not even be able to buy a non-connected toothbrush in the future. I'm also IoT-skeptical, as many HNers are. It's a popular position that we don't want a world where IoT is mandatory. But as evidence, they gave an anecdote about shopping for a bathroom scale. I tried to be intellectually charitable to that position and assume good faith, but it didn't hold up without devolving into absurdity.
That's why I didn't say their anecdote was a lie. I can entertain the logical possibility that someone who sincerely does not want to buy a connected household appliance can go shopping for one and have difficulty finding one to buy. But it just doesn't play out, especially for someone who is on a specialist tech forum like HN and has clearly skeptical views on IoT. I said you have to work really hard to put yourself in a position where you can go shopping for such a scale, but face such difficulty that it took "far too long" to find one that is not "demanding I connect it to the Wi-Fi and download a smartphone app."
If you wanted to make a video of yourself not being able to buy a dumb scale, you could go to an tech-heavy electronics retailer that also sells appliances (like Best Buy, Microcenter) or a boutique high-tech gadgets store (like Sharper Image or Brookstone) and only find connected bathroom scales. I just checked what is in stock in a San Francisco Best Buy and the only scale is an IoT connected on. But that would be twisting the truth, because who in their right mind would check only Best Buy in order to buy a dumb scale. it takes a couple minutes on major retailers websites (Target, Walmart, Home Depot) to show that even if you limit to items in stock in tech-heavy places like San Francisco (if there is a place where retailers might assume their customers don't want dumb scales, it's SF), the first and usually cheapest options are dumb scales.
So let's Occam's Razor this. What is more likely? An IoT-skeptical HN poster actually went out to buy a non-connected bathroom scale and genuinely struggled to do so? Or an IoT-skeptical HN poster had to click or sort through a few different options and actually read product descriptions, then exaggerated this anecdote (or totally fabricated it) to advance their position?
But does that even matter? If they aren't a liar, then they are at best intellectually dishonest, and at worst intellectually incompetent. We don't have access to their mind and so can never know which of these three they are. No matter which of these three they are, any of them is a reason to invalidate their argument and call out their anecdote.
> If they aren't a liar, then they are at best intellectually dishonest
"Intellectually dishonest" is just a polite way to say "liar".
There's no need to go after someone personally when it's sufficient to simply point out that their statement was wrong. Why it was wrong isn't really important.
Hey if you’re going to lie to people, then prepare to be called out about it. Lying for rhetorical effect is still lying. Their intent is obvious in the rest of the post where their disdain for IoT things is clear. We don’t need to see in to the mind’s eye to know this - the balance of probabilities is enough for me.
The other option is for me to assume that the guy is unintelligent and incapable - which do you think that they’d prefer to be characterised as?
I agree with nearly everything you said, but I do think you're making a distinction without a difference regarding using the words "liar" et al.
A better explanation of your position (as I perceive it) might be: I think OP is lying for rhetorical points. The alternative explanations just seem too unlikely to me, and Occam's Razor screams a high likelihood of lying.
My pet peeve with bathroom scales is that it is impossible to find one that actually does what it claims and has accuracy of +-0.1kg. They do show the measurement to 0.1, but just shifting your weight differently can cause a difference of hundreds of grams. Does anyone knlw a scale that actually measures at 0.1kg accuracy?
Is it ever significant to know? Your body weight varies naturally depending on food intake, waste disposal, and even when you last went for a hair cut. If sub-kilo variations are medically relevant, I would expect one to measure more than just weight.
This actually tracks as the Wii Balance Boards needs good sensors to accurately sense how you are shifting your weight. I imagine they use better and more weight sensors than your average bathroom scale.
I have a "smart" scale from Polar that fortunately could be used as a regular dumb scale. I think Polar is really great in this regard. Their watches and other equipment can be used without syncing or connecting to their cloud, but the cloud does provide you extra value if you want to use it.
After a ton of research I got an AccuCheck scale (~$30 on Amazon) which I'm happy with, and at least avoids most of the problems with modern digital scales. Clean minimalist look. Takes 3 AAA batteries.
It claims 0.1 lb accuracy, and seems pretty repeatable, but I haven't tested it for accuracy. These digital scales have multiple sensors (this one has 4), so it makes sense that individual sensors may give different readings as you shift your weight around - not sure if there's an exact science to combining the 4 readings into the single one that is displayed.
0.1lb is ~0.5kg so same precision as parent. 0.1kg is 0.22lb, or literally glass half full of water, or slightly less than two Medium eggs, or 2/3 an empty glass itself, or 2/3 an iPhone, etc. 0.1lb/0.5kg/500g is about 16 fluid ounce in water, so it's probably a good balance point.
A lot of bathroom scales are too "smart" and display recent cached weights rather than real measurements each time, in order to appear more consistent. Accuracy on some is also very bad if you store scales vertically (e.g. propped against wall) as that requires step-on, step-off re-calibration which people forget to do.
I'm not sure you can even buy "just works" dumb mechanical scales any more.
I hope that this is a warning to time travelers from the past and not a friendly welcome to time travelers from the future that are looking back on simpler times.
Even with such a toothbrush "lockout", criminals could still go on to put other people's toothbrushes in their mouths.
This type of deviant behavior came to a screeching halt when Crest released their breath-activated toothbrush defense system (BATDS) in 2028. BATDS enabled devices deliver a non-lethal shock to the perpetrator, rendering them unconscious. While BATDS was immediately deemed illegal in most countries due to disputed claims that it caused significant brain damage throughout a large control group, it remains popular in single family households in the US.
Wouldn't this open them to an DoS attack? Set your flipper to fire off bad password attempts at the store and now the entire aisle of toothbrush heads are silently disabled.
It’s 5-something in the morning and I can’t stop laughing at the mental image of some guy cackling maniacally in the toiletry aisle while DoSing toothbrushes.
I think a better write up would have front loaded that aspect.
Even titling it "How I locked myself out of my smart brush" or similar. If he wanted to be creative it could have had a Film Noir start but even in a technical write up you should start with interesting aspects.
I kind hoped the conclusion would be that you could unlock hidden features in the brush head, increase the torque and reset the head so that you don't have to replace it.
But alternatively, since the head has an NFC tag, could you use it for stuff like a partnership with Marriott (open your hotel door with your toothbrush, so much convenience) or with transit companies to charge your monthly transit pass?
Possibilities of an NFC-enabled toothbrush head are infinite. The future truly is fascinating.
Right!?! NSFW features like the Oral-B brush has, where you can order a special brush that helps you relieve certain stress in the bedroom. With the modified Sonicare firmware, the brush won't stop after 2 minutes but keeps "brushing" until, well, you're 'done'...
Reminds me of the time I bought a lamp plug-in dimmer on Amazon, and I noticed that my "personal massager" was one of the "frequently bought with" items.
My wife and I had a lot of fun that night! Turns out the "personal massagers" work a lot better that way.
Mine doesn’t just blink; it keeps doing this annoying fast vibrate/noise whenever I stop brushing. So I was reading the article really hoping for an easy jailbreak at the end.
From the sounds of it, three wrong password attempts (from a phone or similar) could accomplish this? That should stop the toothbrush from being able to add extra time to the head
I have it as well and at this point used the same head for 5 months. There's no visible deterioration and I exceed the recommended brushing time by doing 5 instead of 3 minutes.
Why exactly is the head only good for 3 months?
Brushing your teeth for too long can have bad effects on your dental health[1][2]. The heads loose their strength over time and if you replace that with pushing harder, you might also overbrush.
You probably don't brush correctly: you need to apply sufficient pressure on your teeth so the bristles can scrub the enamel well enough. Or else there is no way your head has no visible deterioration after 5 months at 5 min per brushing.
It's not only a matter of aesthetics but bacteria etc. Your brush head collects a sh*tload of food waste (which you don't see with your eyes) and remains a bit wet after usage. Perfect substrate for some living organisms. If you have a microscope, feel free to have a closer look.
There's a $35 edition of that toothbrush today, I got a similar one at $25 (iirc) on some Black Friday. $10 heads are an issue when $5 toothbrushes exist.
The difference between using a tongue brush and an electric toothbrush (vs just manual brushing with and without a tongue brush) was so stark that I've never for a moment felt like £40 for a toothbrush with an annual cost of £11.20 for toothbrush heads has ever not been worth it.
The tag is used to change the cleaning mode of the toothbrush automatically, to match the type of head you inserted. This makes very easy to change heads durring the same session.
It is also used to register how long you used that head. A warning is shown when the head should be replaced. After a few warnings you will no longer get them, just the led to replace the head remains on. You can continue to brush your teeth without any problems. What I've found is that the warning comes at the right time, you really feel a decrease in cleaning efficiency around that time.
You can use heads without the cip and they work. You just have to select the proper mode from the handle manually. Or not.
The early versions have a defect where when you push to insert the head, you also push to open the handle. With time, water will get in and the toothbrush will stop working. Not sure about the latest versions.
The bristles wear out. Their heads wear out but they also become soft from all the vibration so they dont't push as hard on the teeth. Also gunk might accumulate depending on how careful you rinse it.
Still better than a manual brush even in that state.
No, it doesn't appear so. It seems the bristles do wear out somehow, to me it appears that they simply become less stiff over time. The change to a new brush head is noticeable.
This should be relatively easy to verify. One could take a new brush head and forward its counter to the limit, directly comparing it to a new unmodified brush.
This is a good question, but people are pretty sensitive to pitch changes, I think we would detect the motor slowing down.
It would be super easy to reveal as well. A family member with the same toothbrush, your head finishes first. Motor slows down, pitch goes down. Compare the two. Replace the old head, now they're the same. Scummy practice revealed. Scandal.
That said. I'm not totally sure on the mechanism that all electric toothbrushes use.
It's much harder to detect subtle amplitude changes.
A few years ago I reverse engineered my Oral-B (Braun) toothbrush in order to change the color of the brush (handle) to one of my liking, without being constrained by the pre-set colors available in smartphone app. (Which I think now also requires you to log in)
I'd like to skip the whole "smart" toothbrush phase and go straight to the "smart ass" toothbrush, which razzes me about my sugar intake and gossips with the toaster behind my back.
As a bachelor who lives alone, it would actually be very motivating if I overheard my appliances making hushed comments about how I "look a little more plump than usual."
It's a toothbrush. Why does it need all this tech and an app?
It's better to think about sustainability.
I had an Oral B IO electric toothbrush. The retail price is nuts and the brushes are expensive and can't really be recycled. Imagine millions of these out there slowly rotting.
I gave up on the IO and bought this one instead. Simple design and battery lasts longer too.
Analogue/manual toothbrush is like 1-2 Euro. Product You are promoting is 85Euro. Assuming my normal toothbrush lasts 3 months for 85 Euro I have backup for 21 YEARS. Spare ones are for ~5.6 EUR piece.
I will stay with using my hand ;-)
Electric toothbrushes are more efficient at removing plaque and help to avoid gum disease.
If your immune system doesn't react so aggressively to plaque then yes manual tooth brushes are cheaper and you have many sustainable options in this space, i.e. toothbrushes with a wood handle etc.
This is a nice idea. The problem is longevity. I'd be willing to bet this product disappears after a few years (best case scenario) and you are left with no ability to buy new heads and end up binning the brush. So net net you probably waste more than buying a Philips/Oral-B brush that likely has 10+ years of support for brush heads, which have a far lower environmental impact than replacing the brush. In terms of cost, if you buy the well known brands when they are on sale, they're generally pretty cheap. I'll admit they do try to sting you if you buy at RRP.
Some electric toothbrushes really are better than a manual one. Very light pressure and let the super high cyclic rate do the job.
I love my sonicare. The only thing I would change is the 2 minute shutoff. I have all of my wisdom teeth and never had braces, so I need more time for a good job, but the actual cleaning performance is great. I literally had a hygenist say "Your home care is excellent".
I don't know if it needs this much tech, but if people will buy it, they're gonna make it.
I guess this is one of the downsides of ubiquitous cheap electronics --- DRM everywhere. A similar thing happened relatively recently with label printers: https://news.ycombinator.com/item?id=30420918
All my tries to guess to one-way function for generating the passwords failed.
In case anyone else wants to try having a go at this (without inspecting the firmware): ignoring the first and last two bytes of the UID, we see that 79 is farther from EC and D7 in a similar way that FF is far from 61 and 67, and EC and D7 look closer together too. I wonder if they used "real" crypto or just a simple XOR/shift/add/sub cipher.
(Unfortunately they've requested the schematics/block diagram/functional description to be kept "permanently"[1] confidential, and the inside photos are difficult for me to make out the part numbers on the MCU and other components.)
[1] I wish those who have been leaking secrets about our government would've gone after stuff like this instead of things like the NSA...
I’ll never forget when my damn sonicare toothbrush app warned me about my iPhone being jailbroken. Had to have been a troll by the creators of the app since not even some of my banking apps had that warning.
When I rooted my android phone a few years back, all of my banking apps worked (I had to use magisk hide for some I think) but the only app that would not work was the Macdonalds app... Not that I needed it, I never go there, but I thought it was funny that their app was more "secure" than some banking apps.
As a security professional, I often get asked whether adding a root check is advisable. My general recommendation is to go ahead and implement it, but with a focus on data collection rather than taking action. For instance, you can log if a user is using a jailbroken or rooted device, without interfering with their experience. The responsibility for running a secure operating system lies with the users themselves, not the application. Applications that attempt to restrict how users utilize the app can be likened to malware.
Now, there might be instances where a business executive argues in favor of DRM or ensuring that certain coupons are limited to specific regions. In such cases, its sometimes suggested as a requirement to verify if the app is running in a simulated environment or is rooted. However, I can assure you that if you lock some kind of value behind this check and then rely solely on the operating system to provide this level of security, there will eventually be clever hackers who find ways to bypass the protection. The same principle applies to business-to-business apps that demand extensive control. In such situations, you need to rely on other software solutions or provide dedicated hardware. It's important to refrain from attempting to take ownership of my device, considering it's already under the control of Apple or Google anyway... /sarc. If you require stronger guarantees, I suggest reaching out to them.
I wouldn't be surprised if the apps did notice, but didn't take any action because it might be a hairy legal problem if they get between you and your money.
> that the tag is configured to permanently disable all write access after three wrong password attempts
Why is this kind of thing legal? For how many politicians and activist groups claim to care about the environment, why hasn't anyone introduced a bill to ban intentionally turning useful equipment into waste? Any legitimate security needs would be fulfilled just as well by doing a full wipe and factory reset instead.
For starters, my experience says that, unlike an HP printer, your toothbrush still works just fine[0] if you ignore anything that tells you to replace the head.
[0] At least as fine as a toothbrush with a worn-out head is going to work.
I don't really mean about the toothbrush. I mean, why is it legal for NXP to make chips that permanently brick instead of just factory resetting when too many wrong passwords are tried?
Because it's a feature customers ask for? What laws do you want written? How "secure" am I allowed to make my product before the Feds come a-knockin'?
And what does a "factory reset" accomplish? The hacker trying to get company IP (or whatever the password is protecting) gets three more attempts at it after the reset?
Finally, and I'm not saying this makes it okay, but e-fuses are common as dirt these days. I don't know that you're going to get that toothpaste back in the tube.
Aren't switches to temporarily bypass emissions controls in cars illegal, despite being a feature customers ask for?
> What laws do you want written?
I want all e-fuses to be banned, as well as any other means for manufacturers to permanently reduce, restrict, or remove functionality from products after they've been sold.
> How "secure" am I allowed to make my product before the Feds come a-knockin'?
If the one you're trying to make it "secure" against is the product's owner, then I'd say "not at all" would be a fine answer.
> And what does a "factory reset" accomplish? The hacker trying to get company IP (or whatever the password is protecting) gets three more attempts at it after the reset?
The point is that the factory reset would delete the company IP.
> Finally, and I'm not saying this makes it okay, but e-fuses are common as dirt these days. I don't know that you're going to get that toothpaste back in the tube.
Wasn't asbestos also as common as dirt before it was banned?
> Aren't switches to temporarily bypass emissions controls in cars illegal, despite being a feature customers ask for?
So you'd propose that we bans switches? You're saying that a microcontroller should never have a certain feature because you don't like how it has been implemented by a single company. Then you propose that nobody should have this feature ever because someone once used it to turn on a light reminding you that it's time to change your toothbrush head (and then let you brush your teeth normally with no further interruption).
I don't think your analogy holds up, nor have you thought through what you propose.
> You're saying that a microcontroller should never have a certain feature because you don't like how it has been implemented by a single company.
It's not the implementation. I don't want hardware to ever be able to permanently make itself less useful, no matter how it's done or what it's being used for.
You're making an argument that PROM, WORM, efuses, etc all shouldn't be allowed to exist. They're used for all sorts of features, not just security. You might do well to apply the lesson of Chesterton's Fence before you call for a ban on things you don't actually understand.
For legitimate cases of write-once media, it should be legal if and only if it's separate from the rest of the device and easily replaceable (e.g., a socketed chip or a DVD+R). Anywhere that write-once media is permanently attached to something else, it inevitably ends up being used for evil.
> I want all e-fuses to be banned, as well as any other means for manufacturers to permanently reduce, restrict, or remove functionality from products after they've been sold.
One thing, I can think of, are hardware-based security devices that disable themselves after recognizing break-in attempts.
> I want all e-fuses to be banned, as well as any other means for manufacturers to permanently reduce, restrict, or remove functionality from products after they've been sold.
I am in opposition to this stance. What you're (rightfully) concerned about is when companies do bad things with these mechanisms. But the mechanisms themselves not only have no ethical/moral problems, but are also really useful for all sorts of things that entirely unobjectionable.
Many security applications, situations where you're providing equipment to others and want to make sure it's not modified, etc. It's not that hard to come up with legitimate uses for this.
In any case, that sortof doesn't matter. Even if there was no legitimate use for them, that doesn't in and of itself mean they should be illegal. You should at the least demonstrate that their existence is causing great societal harm.
> Many security applications, situations where you're providing equipment to others and want to make sure it's not modified, etc. It's not that hard to come up with legitimate uses for this.
Why isn't just making sure the expected private key didn't get wiped a good enough way of making sure it's not modified?
> You should at the least demonstrate that their existence is causing great societal harm.
Okay, how about that it destroys the secondhand CPU market? Once you use an AMD CPU in a Lenovo computer, it blows e-fuses to keep you from ever using it in any other brand of computer: https://news.ycombinator.com/item?id=29958247
> Why isn't just making sure the expected private key didn't get wiped a good enough way of making sure it's not modified?
What's to stop someone from extracting and restoring the private key?
> Okay, how about that it destroys the secondhand CPU market?
Sure, then how about addressing that issue rather than proposing to outlaw an entire mechanism entirely? We have a lot of things that can be misused, but (generally) only in extreme cases do we outlaw the tech itself. More usually, we have laws targeting the misuse of the tech.
> What's to stop someone from extracting and restoring the private key?
Isn't the whole point of these chips that you can't extract the private key, so that if it gets wiped, it's definitely gone forever?
> Sure, then how about addressing that issue rather than proposing to outlaw an entire mechanism entirely? We have a lot of things that can be misused, but (generally) only in extreme cases do we outlaw the tech itself. More usually, we have laws targeting the misuse of the tech.
But this particular technology doesn't seem to have any legitimate uses.
I'm inclined to take the common HN position of "trying to lock people out of modifying their own stuff is bad", however there are plenty of situations in which someone who is not the owner might access an NFC tag and try to make it do things the owner does not want it to. Bricking it seems like the nuclear option, but it's not inherently evil to offer the option of NFC tags that are both tamper-resistant and tamper-evident.
Because NXP makes this chip compliant with ISO/IEC14443, meaning it can be used in payment cards. EMV requires shit like this in their credit card NFC and I'm thankful for it.
> they take control away from the actual owners of devices
Only if they're used that way. They don't take control away from the actual owners of the devices if its the owners who put them in there, for instance. Again, I think you're conflating the existence of a mechanism with the abuse of the mechanism. If you were just railing against the abusive uses, I'd be behind you 100%.
I just don't see why we should outlaw a common and useful mechanism entirely, rather than outlaw certain uses of that mechanism.
I'm curious but will totally forget to report back in a few months when mine wears out. I'm... not sure, but somewhat confident that it starts to limit the more aggressive brushing modes once its "worn out", although it's possible it was just gummed up internally with toothpaste residue. Last time I changed the head on mine (Philips Sonicare), it definitely felt significantly more powerful with the replacement head.
I think it's just that the bristles are all nicely aligned on a new head - after a while they start splaying, so pressure is going in more directions over a larger area.
Me, dumb: I change my Sonicare toothbrush head whenever it tells me to. I haven’t had a cavity in 8 years.
You, a clever toothbrush-hacking genius: haha, the head is new again!
This is neat, and I find the process of reverse engineering the Sonicare toothbrush fascinating, especially sniffing the NFC communication, but please change your toothbrush head every three months.
Yes, I realize I might be in the minority here, but isn't this actually great use of a smart device?
Not having to keep track of brush head changes, awesome! One less thing to worry about, as the device is smart enough to tell me when it's time for a new one.
> isn't this actually great use of a smart device?
You don't need anything to tell you when it's time to change your toothbrush. You can tell by feeling it, or in the extreme, by just looking at it. There's no need to track anything.
I've pondered it myself, for me it comes down to whether the company has implemented it in an ethical way or simply as a way to maximise profits. In this case I feel like they aren't being malicious, but I've only used the brush with compatible brushheads for about half a year (was using up my old ones from an older model first).
Bit meta, wanted to say this is one of the interesting posts on HN in a while. Good work on the author's part, following their curiosity, writing it up in an understandable way for the rest of us. They weren't successful in the end but still got far.
Hacking the NFC comms is fun and all, but it turns out you can just rip out the orange flatflex PCB under that metal ring with a screwdriver and the brush doesn't care :)
Stops it from beeping at you when your allotted product lifetime is up though.
That's exactly why they did this. They can lock out 3rd party vendors and also force you to buy new heads at an interval of their choosing all in the name of "ensuring quality".
It runs normally without a head attached, so they must not be doing this yet. The architecture authenticates the body to the brush, which is the reverse of what you would do to lock out brushes. (A third party brush can get the password from the body and say "yup, that's definitely the password" and then the body thinks it's genuine. Meanwhile, a third-party body could use genuine brushes because a brush can't mechanically make itself not work. So there just isn't any lock-in here.)
The main feature this seems to be used for is to put the body into "whitening" mode if you use a whitening brush.
Keurig did the same thing with their later models. The coffee I used (SF Bay pods) just shipped a widget that tricks the Keurig into accepting the pod. I drink cold brew now, but I wonder if that cat & mouse is still happening.
It can’t be far off that they ship a BLE or Wifi enabled Sonicare that reports your best brushing habits to the app that then posts it on Facebook for philipPoints you compete with your friends on… oh shit… what have I done!?
Anyhow, blocking unofficial heads is just an OTA firmware update away.
Although the points don't go to Facebook - you get "rewards" for them. Eg:
> Pair one or more brushes to our iOS or Android app, then you’re all set. quip’s Bluetooth® Smart Motor will automatically store your routine, no phone needed! To check your brushing stats and the points you’ve earned, tap the app.
> Earn bonuses for never missing a beat! Redeem points for rewards you’ll love
The Sonicare App already reports your brushing areas and how long you brush and other metrics. It wouldn’t be hard to add a “post to FB feature” (but let’s hope they don’t).
Also, how would you know? I have an IOT product that can delta OTA, so only the bytes of the firmware that change are sent to the device, I can do firmware updates that are crazy fast. ESP if it’s just something like turning a feature on.
locking down heads will hurt what market share philips still has far more than it hurts their consumers. there are alternatives, and even a locked brush is an alternative - it still works, and actively pisses off the user.
people skip brushing their teeth for all sorts of reasons. (yes you do. stop lying. your dentist doesn’t believe you, either.)
It has already happened. Philips has designated 3x months for a single toothbrush lifespan, which may or may not be the case (depending on one's toothbrush using habits) as the head clearly does not annihilate automagically after three months. For the sake of the conversation, let's say the recommendation is valid.
Where it gets more interesting, though, is actually not at Philips but at shops that sell replacement heads. Sale assistants do go out of their way to actually lie to their customers and tell them that a single toothbrush head will last, like, many-many-many months. And when asked at the next shop visit about why the toothbrush started yelling three months after replacing it, they will blink their eyes and literally inform the customer of «having never heard before about it from any other customers». The situation happens on a regular basis, and the only recourse that works with such people is brushing the pesky flies aside and politely ignoring them. Since not every customer can or does that, the ink business of electric toothbrush replacement heads prospers.
All I know is that I absolutely never, ever, ever want my toothbrush to be "smart."
We need to stop putting firmware in things that don't need firmware. Not everything needs a chip or intelligence. The rampant abuse of this kind of thing leads to shitty products and an uptick in electronic waste.
I bought one of these toothbrushes almost two years ago.
It really makes a difference:
- The connection to my phone helps coach me in making sure I'm brushing my teeth properly. Bad habits sink in easily, and my various dentists all point out that my teeth and gums are much, much healthier. Given that I am cursed with some bad oral genetics, it's "money well spent" for me.
- The counter helps remind me when to change my toothbrush head. I used to be much lazier about changing it; again; because bad habits easily sink in.
Could someone figure out how to do this without an NFC chip in the toothbrush? I hope so! The toothbrush heads cost much more than traditional "dumb" manual toothbrushes. I don't want to have to spend big bucks just to have good personal hygiene.
That's not the same, because it's gradual, as opposed to a beep / notification.
When things change gradually, I tend to ignore the change.
To put it in a different context, I've had the fadeout brush heads for years, but I had to get in the habit of changing my brush head when I went in for a dental cleaning because otherwise, I'd just keep using it forever.
I disagree. For a toothbrush, the chips are a problem. If nothing else, manufacturing chips is very bad for the environment. We shouldn't be putting them in things that don't need them.
If we were talking about the climate problem, you would be right. But your comment is a goal shifting, because I replied to the problem of abuse of the firmware in the chips. Abuse can't happen with free software.
I don't see a problem really. What's wrong with being able to fine tune, e.g., how strong the vibration is? Maybe my teeth are more sensitive than usual. Or between 'sensitive' and 'normal'.
How about when the blue part goes away, as documented? :-) I've used a Sonicare for, what, ten years or more? And I don't think I've ever seen an indication that the NFC is communicating anything to me. That's not to say that it isn't, but if I'm going to ignore something[0] and replace the head when I damned well please, I just ignore the blue part of the bristles. I could probably adjust my behavior to ignore whatever flashing LED the NFC sets off, but after so many years I'm just going to continue ignoring what I always have.
[0] I'm either easy on toothbrush heads, or Philips is lying, because when the indicator says "buy a new head" it still has plenty of life IMO. Bristles straight and tall, just like a new one, but no blue left being the only difference between that and new. So I ignore it and get a new one when the bristles go a little wonky.
Probably depends on which body you are using. In mine it both flashes a tiny LED and does an extra little buzz-buzz buzz-buzz signal with the ultrasonics when you turn it on (or off, can't recall which) when the head has 'expired'. Continues to work fine, though.
You might be interested in this YouTube video from Applied Science with electron micrographs of 'new' and 'worn' toothbrush bristles - there is a very marked invisible change that happens: https://www.youtube.com/watch?v=cwN983PnJoA
Could be. My wife presses so hard, I hear the motor bog down. "JFC, honey, let up a bit", to no avail. She's constantly replacing her heads. I literally can't remember the last time I popped a new one on mine. I could easily believe it's been six months (and, yeah, it's about due).
It's mostly bad for your gums. The plastic bristles and abrasives in toothpaste aren't meaningfully wearing healthy tooth enamel in the amount of time most people spend brushing.
a dental hygienist told me to hold it with just the thumb and forefinger.
I can't quite manage that, but if you look at how drummers hold their sticks, it's never in a fist. Their arms wouldn't last through one show like that.
So if you at least take your little finger off it, the amount of pressure goes down.
> "Reversed, the way the weight of the stick meets the head is just insanely loud. It makes your drum project so much more, if that’s what you want. That’s when you’ve really got to stretch your arms out, because the weight of the stick makes for a lot of wear and tear on your forearms."
OT but said that I was brushing too hard and told me that holding the brush at the tip (so that you have less physical leverage on it (instead of gripping it like you would some other appropriately shaped bodily appendage)) will result in the right amount of pressure.
Pressing too hard likely makes it much less effective. With the Sonicare brushes you're supposed to let the vibration do the work, and just like holding the cone of a speaker still you're not getting the vibration that does the job.
the SonicCare has this "quad-pacer" feature where every 30 seconds it makes a sound to remind you to change quadrants of your mouth, and after 2 minutes it shuts off.
I swap toothbrush heads 4-5 times a day (a couple times per brushing session) and one of my major issues until now was that I didn't know how long I had used any individual toothbrush head and when to replace them (I didn't start using all of them at the same time). With per-head usage tracking this is much easier... I wasn't expecting it, but I'm glad Phlips is considering and supporting my use case.
I replace brush when I feel it's the time. Every time after I replaced it, the difference is bigger than expected. I should replace it earlier. Maybe I should buy this Philips.
Good article from an intellectual curiosity perspective. I use the Philips Sonicare brushes, although I've been using 3rd party heads for years due to the cost difference (3X cheaper). Philips obviously wants to deter people like me from this behaviour. I see they no longer sell non-RFID heads, even when the old brushes lack this feature. Yet more e-waste as they try to nudge customer upgrades.
I just want to point out that resetting the timer is a really, really, bad idea.
My toothbrush heads are usually very worn when my toothbrush tells me to change the head. (And I honestly suspect I should change them before the toothbrush tells me to.)
Anyone remember the old hole punches that would let you turn cheaper, low-density floppies into high-density floppies? A lot of those floppies ended up having data loss.
I've owned several of these toothbrushes - it's worth pointing out that they work just fine with 3rd party heads with no chips in them. At least, the 2 models I've owned do.
Something bizarre I noticed about these Philips toothbrushes is that they fail on a reliable schedule. I owned 3 of the "4100" model and they all failed after exactly 13 months! What's crazier, is that they all failed in the exact same place. There's a metal piece that protrudes outside of the case where the heads attach. Inside the case, this piece clamps to the part that creates the vibrations using a single screw through a cast zinc/nickel block. On _all_ of my brushes, this block cracked right through the screw hole.
What's cool is that the vibration motor uses a magnet of similar strength of hard drive magnets, so now I have some nice strong magnets on my refrigerator.
I really don't think that permabrick after N incorrect attempts should ever have been considered as a sane feature. That allows denial of service extremely easily.
What needs security just enough that it can't just be unencrypted, but also can't afford real security (like long passwords or public keys)?
TFA does not suggest the head is bricked, the internal counter just stops updating. TFA does not even specify what the handle does in that situation. Supposedly it just keeps working with no issues.
I own an IT company in a town (Yeovil, UK) on an acre plot with a roughly four acre plot next door. We have a fair few busy roads adjoining our place - A30 and A37.
I have deployed Home Assistant on a laptop with a fair few dongles (Zwave/Zigbee etc) but its built in Bluetooth has noticed loads of toothbrushes - Oral B. I also see lots of some sort of plant auto water thingies and loads of lights.
Our office is next to a roundabout that sees at least 30,000 cars a day on one side. I've turned off the car integrations and several others because HA went a bit mad.
I see a lot of data that I don't want to without trying and it gets in the way. I do encourage people to stop leaking.
Now that the industrial design and manufacturing are figured out, Philips could do a number of additional things with NFC. (Especially with network access, possibly through an app, and more securely with a different NXP chip.)
"But I wouldn't know when to replace my brush-head without this smart toothbrush with it's embedded electronics in a piece of plastic to track on time, contributing to further e-waste in a way that we all know will lead to planned obsolescence the second that Braun decides they need to prop up revenue in a bad year".
I mean, we have entire app ecosystems now that are basically just "hey, have some self control and put your phone down", so I'm not sure why this surprises me.
i've been using sonicare toothbrushes for 10+ years and the only difference i have noticed with the "smart" version is horrific battery life. amazing innovation! :\
I'm curious to see, but I don't think the algorithm for calculating the password from the identifier would be very sophisticated. Assuming they didn't want to add costs to prevent easy retrieval of any secret key from the device, a complex algorithm would be kind of a waste.
I mean, even something as simple as `md5("very-long-secret-only-phillips-knows" + uid)[:4]` would be effectively unguessable. Not hard if you have the code for the firmware, but nigh-impossible otherwise.
The Sonicare app lets you download the latest firmware blob. So all you'd do is intercept it and find the function responsible for generating the password.
The app has the firmware embedded in it (resources/assets/firmware), not sure if it actually downloads a newer one or if it updates with the app. It does seem to be encrypted or compressed somehow tho.
It does seem to be for the more expensive diamondclean series tho I guess the brush checking would be similar. Didn't find any decryption in the APK, it just transfers it as is. Must be hidden inside the firmware as well. I don't think there's any way to get the firmware except dump it from the chip :/
I'm still trying to figure out why people need a battery powered toothbrush over a conventional one, let alone one that needs apps and verifiable replacement heads.
I'm surprised this is the only comment that critizies the fact that now the brush head contains not just plastic but also a microchip. That can't be good for recycling. Not to mention the wasted resources during production of the chip.
I agree with another commenter who said enjoyable read.
I’m normally all about hacks and whatnot, but I found myself much more drawn to the idea of scanning the toothbrush head after brushing to be able to automatically track brush time. No password required.
This is crazy interesting but I didn't quite understand, when the timer runs out the head doesn't work anymore or you just get an LED notification to get a new one, to me at least there's a big difference in the two!
Depending on the model, it usually blinks an LED and vibrates a pattern to let you know it's time for replacement. It's definitely not a hard lockout or anything.
The brush heads for advanced models also tell the brush which cycle to use and which intensity to vibrate at (e.g., for tongue cleaning brushes vs normal brushes).
This was an enjoyable read. My GE fridge uses RFID for keeping track of when to change the water filter. This isn't really an area I'm familiar with but I'm curious how much I would be able to figure out with the right tools.
In GE's defense, limiting the amount of time you can use a water filter for is probably a good idea considering what the filter media fills up with if you do nothing.
The OEM filters cost like 2-4x what a suitable generic costs. Would have been cheaper for GE to add a software feature to warn you after 6 months and allow you to reset it.
There is a much simpler solution, buy the bypass plug which has the rfid chip in it for about $50, cut a chunk of plastic with the chip off being careful not to harm the antenna, and tape it to the inside of the fridge in the same area. Only downside is you have to use your brain to replace the filter with a compatible one every once in a while, and it says “not filtering” on the front panel when you dispense water or ice.
EDIT: nope, not the default. From the data sheet, last sentence:
"To prevent brute-force attacks on the password, the maximum allowed number of negative password verification attempts can be set using AUTHLIM. This mechanism is disabled by setting AUTHLIM to a value of 000b, which is also the initial state of NTAG21x."
So Philips went out of their way to secure that toothbrush head. That's reassuring.