Gizmodo has an article on a hacked coffee maker. It was hackable because it had a completely insecure method of getting firmware updates, and when not paired with a Wi-Fi network it broadcasts its own open network that anyone could join. What went wrong, and how do you protect yourself against such shit?
One response is to say, “don’t buy smart devices, and don’t connect devices to your internet.”
Or just …don’t connect your coffee maker to the internet — Adam Singer (@AdamSinger), September 28, 2020
That doesn’t work in this example. The coffee maker could be hacked precisely because it wasn’t connected to the internet: its default behavior when not connected was to broadcast an open network.
Staying offline is great advice for something like the Vizio TVs that tracked what you watched. But it isn’t a plan for all devices.
What can you do?
Only buy devices that work on LAN (the local area network inside your house) without internet access.
Consider only buying devices that don’t require signing up for accounts with the manufacturer of the device.
Consider using a router to block internet access to devices that work on LAN without internet access.
And as a matter of convenience, buy devices that work the way users expect. Smart lightbulbs require the smarts to be in the bulb, and the bulb stops being smart as soon as the wall switch is turned off. Putting the smarts in the wall switch is better, because the light works the way people expect, with the smart connection as an added benefit.
What does that actually mean? What devices can I use?
This is where it gets difficult. Amazon Alexa allows some control of devices from an Amazon Echo that is offline. Quoting from Amazon:
To manage the Local Voice Control setting in the Alexa app:
- Select the Devices icon.
- Navigate to your Echo device with a built-in smart home hub.
- Select Local Voice Control, and then toggle the switch to turn it On or Off.
Actions Available with Local Voice Control
If your Echo with a built-in smart home hub is not connected to the Internet, you can use your voice to:
- Control compatible smart home devices, including switches, lights, and plugs, that are connected directly to your Echo device.
- Ask for the time or date.
- Stop or cancel alarms, reminders, and timers that were set before your Echo device went offline.
- Control the device’s volume.
Alexa also responds to the inquiry, “What can you do offline?”
To confirm if your compatible smart home device is directly connected to your Echo device with a built-in smart home hub, go to the Alexa app:
- Select the Devices icon.
- Navigate to your smart home device.
- Select the settings icon, and then review the Connected Via information.
What are those local-only Amazon compatible devices?
They’re going to be devices connected directly to the Amazon Echo device. That means Zigbee-based switches, lights, and plugs that are paired with one of the following:
- Echo Plus (1st Generation)
- Echo Plus (2nd Generation)
- Echo Show (2nd Generation)
Google is much more difficult. None of your Google Home / Google Assistant smart home devices can function without internet.
Apple HomeKit is the name of the standard for iOS-compatible home automation devices. The app on iOS that most people use to add and control accessories is named Home.
A device that works with HomeKit requires its own app for firmware updates, but for just installing and initial configuration, many accessories can use Apple’s Home app and never need to download or create an account with a manufacturer.
How can a device not use the internet but still be accessible when you’re outside the home? Apple has a hub concept: if you have an Apple TV, HomePod, or iPad in the home, that device acts as a hub to make your LAN devices available when you’re not on your own Wi-Fi.
In order to use an Apple Home hub, you have to trust Apple. Which is okay, many people do. But what if you don’t trust your HomeKit accessories?
Like, what if you got a smart plug from some seller on AliExpress, and it works, but requires signing up for an account, and you just generally don’t trust it? You could unplug it and forget about it, but that would suck from a sunk-cost standpoint.
Or, you could firewall it so that it can’t get to the internet, and only works on your local network, using a HomeKit compatible router.
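Here is what “block internet access at the router” looks like in practice, for both the general advice above (block LAN-only devices from reaching the internet) and the untrusted-smart-plug case. This is an added example, not code from the original post or from Apple, and it assumes a Linux router running nftables that forwards traffic between the LAN and the WAN, with the IoT devices pinned to stable IPv4 addresses via static DHCP leases. The addresses below are constructed, and `gen_iot_ruleset` / `check_iot_ruleset` are names chosen for this example.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that confines the listed IoT
# devices to private address space. They can still reach the LAN (and a
# HomeKit hub or Echo on it), but anything they send toward the internet is
# logged and dropped. Assumes a Linux router with nftables; sample addresses
# are constructed.

# Emit the ruleset for the device IPv4 addresses given as arguments.
gen_iot_ruleset() {
    [ $# -gt 0 ] || { echo "usage: gen_iot_ruleset ADDR..." >&2; return 2; }
    devices=$(printf '%s, ' "$@")
    devices=${devices%, }
    cat <<EOF
table inet iot_filter {
    # Private address space: the only destinations the confined devices may reach.
    set private_v4 {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }
    # Devices to confine to the LAN (constructed sample addresses).
    set iot_devices {
        type ipv4_addr
        elements = { ${devices} }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Replies to connections that trusted LAN hosts opened to the devices.
        ct state established,related accept
        # Device-initiated traffic is allowed only toward private addresses.
        ip saddr @iot_devices ip daddr @private_v4 accept
        # Everything else the devices initiate (i.e. the internet) is logged
        # and discarded, so "phone home" attempts show up in the kernel log.
        ip saddr @iot_devices log prefix "iot-blocked: " drop
    }
}
EOF
}

# Syntax-check the generated ruleset with nft without loading it. Returns 0
# when nft is not installed so the generator can be exercised on any machine.
check_iot_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
    gen_iot_ruleset "$@" | nft -c -f -
}

# To load on the router (requires root):
#   gen_iot_ruleset 192.168.1.50 192.168.1.51 | nft -f -
```

After loading, watch the kernel log for lines prefixed `iot-blocked:`; a device that keeps trying to reach the internet will show up there, which is a useful tell about how chatty it is. Two caveats: the rules match IPv4 only, so either disable IPv6 router advertisements on the segment the IoT devices sit on or add equivalent `ip6` rules, and a device that can still resolve names through the router’s DNS forwarder can leak small amounts of data through DNS queries, so point the confined devices at a resolver on the LAN that does not forward to the internet if that matters to you.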
What if you’re a real geek?
It is possible to buy Sonoff devices that by default require an eWelink app and account to work with Google Home and Alexa, and reprogram them using open source firmware to work only with Apple HomeKit.
They don’t call home, and they work very reliably.
Conclusions: what should you do?
Ranked by how well the options protect your privacy and security while working without internet access:
If you have an iOS device, use HomeKit compatible devices. If the device doesn’t exist for what you want to control, you can make it with an ESP8266-based Sonoff device.
If you don’t have an iOS device (or if you do, but prefer Amazon Alexa for some reason) you can put an Amazon Echo+ into offline mode and use Zigbee-based devices that will pair directly with the Echo+. These are switches, outlets, door locks and a motion sensor.
If you have Google Assistant and Google Home, you’re out of luck.
Basically, the safest thing for smart devices is to use Apple HomeKit. The second safest thing is to use an Echo+ in offline mode with Zigbee accessories.