Pioneering research has discovered how smart devices talk to Android apps and each other to share data that allows them to know who enters a home, when, and how much they earn
The best solution IMO is don't let your smart devices have access to the internet. Put them on a VLAN, block them at the firewall, whatever method you prefer. Accessing your home network remotely is one thing, but your air conditioner doesn't need to INITIATE a connection to the outside world.
That's what I did 🙃 Unfortunately, some devices do not work at all without a connection to the manufacturer's cloud, this also needs to be taken into account.
Oh, I could make it worse if you’d like? That tool isn’t made for just the bulbs I got at Costco, it’s made for any device in the Tuya ecosystem. What’s Tuya? They’re a Chinese white-label manufacturer that makes smart devices that other companies can slap their brand on. They’ll throw you together an app too, but all of the API calls go through their infrastructure. Bonus, they also make security cameras that send footage to their servers, and smart locks too. They’re literally everywhere, but I’m in Australia so that’s where I’m basing this list:
I mean, there are still plenty of ways to have smart things that don’t communicate with the internet. Ikea’s stuff is all zigbee, they don’t have wifi at all. You can get one of their hubs to control from your phone, or they sell remotes with zigbee you can pair directly to control a set of bulbs. They never have to see internet at all.
Yeah. As well, if you want to upgrade to a Home Assistant setup down the line, all you need is a $50 Zigbee USB adapter. If you’re more tech-savvy then you can also buy bulbs from somewhere like https://www.athom.tech that come pre-flashed with open source firmware. Either ESPHome, Tasmota or WLED are available. These are wifi, but everything is local, and you can block them on your router without issues. ESPHome is what I have running on the bulbs I rescued.
Good link for that site. Currently shopping bulbs for my just recently arrived home assistant green and hard to find consistent information on best bulbs to be using. Love that these are flashed with open source already but I think due to the amount of bulbs I need and their location I'll be better suited with Zigbee. Will definitely check this place for future devices as I build out the system.
I have flashed all the bulbs and ceiling lights in my house and they work locally on FOSS firmware now 😉 It is not a big deal. I have very poor soldering skills, and I did this anyway.
A long while ago, my first foray into smart home stuff was a Phillips Hue system. I used to use it exclusively offline, but I got deeper into smart home stuff and wanted to add some integration into my system. I don’t remember what anymore, but it meant setting up a Hue developer account, so I signed up. Gave them my email address. Stopped using the integration, moved, reset the hub, used it offline for years.
This February I logged into the hub for some reason. I think an accessory wasn’t working and Hue user docs said to log in or some such nonsense.
Five days ago, I got an email from Amazon. They told me that one of the batteries in a Hue switch was running low, and they helpfully provided me with a link to buy new ones. Their page for the device indicated that they were being updated with its battery percentage every 4-8 hours - and that I had authorized Alexa access to my Hue system in February.
I checked the Hue app, and it indicated no apps or services connected to my account.
Logged into the Hue website, dug into my settings, and there were a dozen app’s and services that had been “authorized” to access my account - none that showed up in the app.
Every smart device that has been on my network - devices that I never integrated with Hue (on purpose!) were all happily showing very recent access times to my data. Systems I don’t have accounts to anymore. I revoked access, of course.
Three days ago Amazon emailed me to let me know a different device needed a battery, and showed that Hue had shared the battery level of the device with them that day - 2 days after I revoked access.
Yeah… all their products are getting trashed, reflashed, or used with zigbee hubs I’ve built.
You should never fully trust ANY device on your network. Even if it's not collecting your personal information and sending it off to who-knows-where, there could always be a zero-day exploit just waiting for someone to find it.
You're home router shouldn't have any open ports to exploit, or if you do, you better know what you're doing. That has nothing to do with device integrity behind the WAN port.
Those ports are closed when the session is disconnected provided they have been open via NAT upnp rules and even then you'd need to know what the random high 5000 port is open on your target and that's even assuming that the router they are using is vulenerable to whatever exploit you're trying to run.