Did You Mean Internet of Things (positive) or Internet of Things (derogatory)?
Here are five simple rules that will help you make sure your Internet of Things devices aren’t secretly from the Internet of Shit.
A few weeks ago, a reader wrote in and asked me if there was an easy way to tell the difference between good home automation gear and bad home automation gear. It’s a good question. I love my Home Assistant setup. Everyone in the family uses it, it’s made life more convenient for us all, and we use it to help reinforce positive habits. That said, the Internet of Shit is undoubtedly real and worth talking about. I just wasn’t sure I would be able to break down the different ways that IoT gear can go bad in a reasonable number of guidelines.
But I figured it was worth trying, and once I got into it, I realized that the most common failures for connected devices share some commonalities¹.
And it’s worth saying that this is likely the first version of this list. As people suggest new categories and new and novel fail states, I’ll add them to the web version of the article. Basically, if you let this one age in your inbox for a few days before opening it, you might want to check the web version of this post too.
Without further ado, here are five simple rules to help you distinguish good connected devices from the Internet of Shit.
1. Devices Should Not Require Online Services to Work
This is the big one, and you all probably already know it’s a problem. If your home automation gear and other connected devices require online services to work, they’re living on borrowed time. I talked about this with Home Assistant founder Paulus Schoutsen a few years ago, and this was his main complaint with the category. His recommendation was simple: avoid any products that require an online service to work. This applies to everything, from doorbells and speakers to smart bulbs and switches. As soon as a company turns those services off, the products are almost always done for. (As a bonus for Home Assistant users, HA displays a globe icon on services that require Internet access to function, both in the HA user interface and on their website.)

Which of these services requires an Internet connection? Hint: It’s Wyze.
There are a handful of beloved products that dedicated nerds have managed to revive after their manufacturers killed them, but they are rare compared to the piles of remotely disabled gear that people have been forced to truck to e-waste. At the same time, my 13-year-old Hue hub is still going strong, because my Home Assistant install knows how to control it, years after Philips turned off their servers.
It’s worth mentioning that this rule explicitly means that high-profile devices from Google and Amazon, like pretty much everything sold under the Nest or Ring labels, fit this category and should be avoided. (Full disclosure: I’m a bit of a hypocrite here, because I actually have a Nest doorbell. Rather than replace a working device with something new, I’ll keep using this one until it stops working. I’m confident that Google will support it for the foreseeable future and I’m OK replacing it with something more open if and when they end up killing that support.)
As an added bonus, IoT devices that work locally are almost always faster to respond than devices that require some sort of cloud connection. For example, Siri is set up to connect directly to my Home Assistant without a cloud component, and its response time is basically instantaneous. When I try doing the same action through a Google Home device, which requires cloud servers to work, it takes a few seconds to trigger. Doing it right is actually better!
2. Devices Should Not Require Apps for Configuration
This is another important criterion for hardware that should last for a decade or more. Smart light bulbs are a great example here. While light bulbs have used the same physical interface for a hundred years, the app infrastructure to connect and set up your smart bulbs is ever changing. So, if your bulb vendor goes away or your phone provider changes their app ecosystem sufficiently, you can lose access to the apps that you use to configure your smart bulbs. That will leave you with a bunch of smart bulbs that work just like much cheaper not-so-smart bulbs, since you won’t have any way to connect them to your network.
Devices that are configurable using standard protocols, like Zigbee or Matter, are fine because those standards should allow the devices to operate independently of the manufacturer’s app. Typically you configure them using your smart home hub, like Home Assistant. Likewise, devices that you can log into a web interface to set up are OK. Browsers may not be trendy, but they are eternal.
3. It’s Not OK for Devices to Collect and Report Unnecessary Data
For some types of smart devices, there’s a certain amount of connecting to online servers and transmitting data that’s necessary for the device to function. Yes, I know I just said not to do this two items up, but if you have a doorbell camera that does face recognition or a smart speaker that accepts voice commands but doesn’t have the horsepower to handle speech-to-text onboard, those will need cloud assists to work.
But none of your smart home devices should scan your network to catalog other devices, track your physical address, clock everything you watch on your TV, or track viewers’ presence in or around the TV set. They certainly don’t need to hook into social media, advertising, or data broker services to build a more fully-fledged profile of you as a consumer (derogatory). Think this sounds bad? It is, and it’s exactly what Roku streaming boxes and smart TVs do. Smart speakers are just as bad.

What a friendly-looking TV that’s also sending a ton of data about you back to its mothership. Source: Roku
And that’s without getting into the data tied to ultrasonic and short-range radar presence detection or devices that use inaudible ultrasonic waves to communicate with each other, even across air gaps. There are even some advanced/hypothetical hacks that can jump between devices using ultrasonic comms.
There isn’t an easy way to scan your home network for offenders, unfortunately. The tools you use to find out when a badly behaved device is snooping on your network are designed for people with a deep understanding of how networks work. That means the easiest way to check in on your stuff is to look it up on a privacy watchdog’s site. I like the Mozilla Foundation’s privacy reports for devices. They tend to do a good job breaking down the actual problems with specific products without sensationalizing non-issues and with a no-nonsense analysis of what the vendor’s privacy policy allows them to do with your data. I also really like that they pair the data the vendors are allowed to collect with the worst that can happen if you or that vendor get hacked. My only complaint with the Mozilla offering is that they update infrequently, and tend to hit only the most popular products.

Apple’s Homepod products generally get decent marks for privacy because they don’t call back to the Internet for every single user interaction. Source: Apple
There are a handful of vendors that aren’t harvesting every speck of data that they’re able to at every opportunity. Mozilla generally recommends Apple hardware as safe, with positive looks at the Apple TV and HomePod Mini.
4. Is It Easily Repairable?
Part of making things that serve users means making them repairable. That means replacing the hardware that is likely to fail over a reasonable lifespan, which usually means that you need to be able to replace the battery for any battery-powered devices.
I love the iFixit Repairability Index for computers, phones, tablets, and other devices. While they don’t specifically list a top-level category for home automation stuff, they do include repair guides for a large number of smart speakers, screens, and other IoT stuff. You just have to search for them.

iFixit is a great resource for finding products that you’ll be able to do both simple and advanced repairs on.
5. Does it create a potential privacy nightmare for you?
There’s a whole category of devices that can be fine if used properly and a nightmare if used carelessly.
The classic example of this is the smart lock. Sure, anyone who has locked themselves out of their house at 2AM and had to wait an hour for a locksmith to show up, open the door, and charge them a few hundred bucks can see the obvious benefit of a lock that you can open without a key. But if you pair a smart lock with a voice assistant that’s placed too close to the front door or window, you can end up in a situation where a random stranger can unlock your house by yelling “Alexa, unlock the front door” at a bedroom window.
Using Internet-connected cameras inside the house is also a big no-no for me. I have a few cameras set up around the perimeter of my house, to help deter porch pirates and catch video of the critters that love to dig up my backyard, but none of those cameras face private areas, windows, or places people would have a reasonable expectation of privacy. (If a malicious actor got access to videos of the skunks and gophers in my backyard, it wouldn’t cause me any problems.)
There are two reasons for this. The first is that video that isn’t available outside my LAN is much less subject to leaks. While I know Google is going to use whatever data I grant them access to in order to sell me stuff, they have a pretty good track record with leaks of users’ personal data, unlike Amazon, which has had a series of problems, including one where contractors passed customers’ video around on an open network share inside their office.
When you’re adding new tech to your home, it’s worth taking a few minutes and thinking about the potential threats that whatever you’re adding will expose you to. How can you ameliorate that threat? In my Smart Lock example, you could just disallow access to locks from your voice assistant (this is the default for most smart locks I’ve tested now). If you add presence sensors that track your movement inside your home, how could a malicious user who gains access to your HA install use that info? Too much paranoia is bad, but too little is worse.
What’s Next?
For next week, I’ve been thinking about the default settings quite a bit. I’ve had to use a few fresh Windows installs lately, and the difference between my cleaned up version of Windows and the new out of the box Windows is grim. I think about the data that shows that something like 90% of users never change default settings, and I wonder if there’s anything we can do to help those folks out. If you have ideas, please smash reply and let me know!
This week’s recommendation is Doc Burford’s kick ass game design blog. Doc’s one of the most thoughtful people writing about games today, and every time I read one of his posts, I come away with a brain full of fresh ideas.
¹ To come up with this list, I researched dozens of high profile IoT failures over the last decade or so. This was a very hot topic at the dawn of the Internet of Things, but it’s cooled in the intervening years, so I also dug through the Twitter archives for the Internet of Shit account, which provided a constantly updated list of thousands of failures. I pulled the failures that seemed to indicate systemic or common problems and slotted them into appropriate categories or added new categories as needed.