
Smart ovens do really dumb stuff to check for Wi-Fi

Pinging search services in the US, China, Russia perhaps not ideal for privacy

This just in: smart appliances are still not a bright idea for those who care about privacy.

The latest word on the subject comes from Stephan van Rooij, a software architect with Smartersoft BV in the Netherlands and a Microsoft MVP in security.

Van Rooij is the owner of two AEG smart appliances – the AEG Built In Combination Microwave (KMK768080B) and the AEG Oven (BSK798280B). As he noted in a write-up this week, these appliances weren't purchased for their connectivity – the fact that they had Wi-Fi was only discovered after they'd been acquired.

Internet-connected devices, van Rooij explained, often check to see if Wi-Fi is available, so they can phone home and do whatever it is they need to do. Companies like Apple, Google, and Microsoft have dedicated endpoints to receive network availability checks: Android fetches connectivitycheck.gstatic.com/generate_204, Windows fetches www.msftconnecttest.com/connecttest.txt, and Apple devices fetch captive.apple.com/hotspot-detect.html, each under the vendor's own control.

It checks three public websites every 5 minutes

Van Rooij argued other manufacturers should follow the example of Apple, Google, and Microsoft and set up their own endpoints so they're not relying on an external site that may be unexpectedly unavailable.

Nonetheless some suppliers looking to verify wireless network connectivity simply query popular public websites, figuring they'll probably be available. According to van Rooij, that's what Electrolux-owned AEG has done.

"AEG chose the easy route, and checks three public websites every five minutes when connected to your Wi-Fi," he said, noting that its smart ovens ping google.com, baidu.cn, and yandex.ru.

Google.com is widely recognized. People in the US and Europe may be less familiar with Baidu.cn, a popular search engine in China, and Yandex.ru, a widely used search engine in Russia. (Incidentally, Yandex had its source code allegedly stolen by a former employee and leaked online as a 45GB archive.)

"I really don't like the fact that my oven connects to China and Russia just to check if it has an internet connection," said van Rooij. "If that is the only thing it’s doing."

This sort of network activity, contacting servers in other countries, is commonplace among smart appliances, not to mention software applications and many of their incorporated SDKs. As noted in a 2019 research paper [PDF] on the topic, "Information Exposure From Consumer IoT Devices," 72 of 81 devices examined were found to send data to third parties.

There's nothing necessarily nefarious about network availability pings, but given the abundance of IoT security vulnerabilities and the needless emission of IP address data to search firms in China and Russia, concern may be warranted.

Van Rooij noticed the network traffic because he uses Pi-hole software to do DNS-based ad filtering. And others who have implemented similar network filtering report being similarly surprised by the chattiness of their kit.
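The pattern van Rooij spotted is easy to surface from a resolver log once you look for it: one client asking for the same names at a fixed interval. The script below is an added example, not code from the article or from van Rooij. It assumes the default dnsmasq query-log format that Pi-hole writes (`Mar 12 12:00:01 dnsmasq[1234]: query[A] google.com from 192.168.1.42`), the log lines are constructed for the example, and `api.example-appliance.cloud` is a hypothetical allowlisted vendor endpoint standing in for whatever the appliance's own API is.

```python
"""Flag periodic DNS beacons (e.g. an appliance's connectivity checks) in a
Pi-hole / dnsmasq query log.

Assumes the dnsmasq query-log line format and a single day's worth of lines
(no midnight rollover handling)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Hypothetical allowlist: names a device is expected to resolve (its vendor's
# own cloud API). Anything else that beacons regularly gets reported.
ALLOWLIST = {"api.example-appliance.cloud"}

# Constructed sample log: an "oven" at .42 hits three search engines every
# five minutes plus its own API; a laptop at .10 browses irregularly.
SAMPLE_LOG = []
for minute in ("00", "05", "10", "15"):
    for name in ("google.com", "baidu.cn", "yandex.ru", "api.example-appliance.cloud"):
        SAMPLE_LOG.append(
            f"Mar 12 12:{minute}:01 dnsmasq[1234]: query[A] {name} from 192.168.1.42"
        )
SAMPLE_LOG += [
    "Mar 12 12:01:13 dnsmasq[1234]: query[A] theregister.com from 192.168.1.10",
    "Mar 12 12:02:40 dnsmasq[1234]: query[A] theregister.com from 192.168.1.10",
    "Mar 12 12:09:55 dnsmasq[1234]: query[A] theregister.com from 192.168.1.10",
    "Mar 12 12:03:00 dnsmasq[1234]: cached google.com is 142.250.74.46",  # not a query line
]


def parse_line(line, year=2023):
    """Return (timestamp, lowercased name, client) for a query line, else None."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["name"].lower().rstrip("."), m["client"]


def find_beacons(lines, min_hits=3, period_tolerance=0.1):
    """Map (client, name) -> median interval in seconds for names one client
    resolves at a near-constant period (every gap within period_tolerance of
    the median), ignoring ALLOWLIST and names seen fewer than min_hits times."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, name, client = rec
        if name in ALLOWLIST:
            continue
        seen[(client, name)].append(ts)

    beacons = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= period_tolerance * med for g in gaps):
            beacons[key] = med
    return beacons


if __name__ == "__main__":
    for (client, name), period in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{client} resolves {name} every {period:.0f}s")
```

Run against `/var/log/pihole.log` instead of the constructed lines to see what your own appliances do. Two caveats: a device that caches DNS answers will query less often than it connects, so pair this with a flow log or firewall counters if you want the true contact rate; and a periodic query is a lead, not a verdict, since the same shape fits NTP, OS update checks and legitimate vendor telemetry.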

The Register asked the US spokesperson for Sweden-based Electrolux to comment and we've not heard back.

When we spoke to van Rooij, he said that he had just heard back from the manufacturer's press department on Thursday morning, which he had messaged after failing to get a response from customer support. "I couldn't get anyone to talk to me," he said. "Now they're talking."

Van Rooij said he was particularly concerned about undisclosed connections to China and Russia and argued that a connectivity check could be done through the oven's existing undocumented API, which is used to control it remotely – a separate security risk – using a mobile app.

"My suggestion is the oven already has an API in the cloud that should be used to check connectivity," he said.

Asked what he'd like to see happen with these sorts of appliances, van Rooij referred to his blog post remarks calling for local control over the home Wi-Fi network and for making any cloud connection optional.

"I think that companies developing appliances that want to 'smartify' should first consider having local control on the current Wi-Fi network, and then make the cloud optional," he said. "You don't buy a device for a year – they last five to 10 years. I'm worried that people may rely on the cloud functionality and these companies don't have the incentive to keep the cloud running for years." ®
