Amazon and Google Now Require Continuous Data From Other Smarthome Devices (cnet.com) 67
An anonymous reader quotes CNET:
For years, smart speakers from Amazon, Google and Apple have traded data back and forth with other devices in the home. This is how their voice assistants turn on the smart lights. But in early 2019, something changed: Amazon and Google began requiring continuous status-change updates from devices -- requiring, for instance, partnered smart bulbs to send data to Amazon or Google any time they are turned on or off... Before automatic status updates, if you asked your voice assistant to turn on the lights, Alexa or Google Assistant had to ping the smart bulbs to check whether they were already on, receive the status, then send the appropriate command. With status updates in place, the first two steps of that process were excised...
It was a seemingly small change and one that received modest media coverage, but some smart home developers are increasingly uncomfortable with the change... After probing further, it appears that not only do status updates make users and their data more vulnerable to attack, but it also gives these tech giants access to more home occupancy data than ever before. Despite the discomfort of numerous partners, Google and Amazon have shown no willingness to alter course... "[Status update] data gives platforms [like Google and Amazon] a privileged position that no one manufacturer enjoys," said Brad Russell, the Research Director of smart home devices at research firm Parks Associates Inc. While Amazon says it doesn't sell the data it gathers to third parties or use it for targeted advertising, that data is still of tremendous value to the company. In much the same way it can tell how many times per year Alexa users ask for the time, then create a product based on that data, Amazon can now tell where you spend your time in your house, when you're awake and when you're sleeping and countless other life patterns you're only vaguely aware of yourself.
Google, too, profits from this data, though it seems more reluctant to admit it.
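An added illustration, not part of the CNET article or the Slashdot summary: the Python sketch below takes one constructed day of light-switch events and compares what an assistant platform can infer under the older poll-on-command flow and under continuous status updates. The event log, room names and the `source` field are assumptions made for the example.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample: (time, room, new_state, source). "manual" = wall switch
# or vendor app; "voice" = command issued through the assistant platform.
EVENTS = [
    ("2019-07-01 06:42", "bedroom", "on", "manual"),
    ("2019-07-01 06:50", "bathroom", "on", "manual"),
    ("2019-07-01 07:05", "bathroom", "off", "manual"),
    ("2019-07-01 07:06", "kitchen", "on", "voice"),
    ("2019-07-01 07:40", "kitchen", "off", "manual"),
    ("2019-07-01 07:41", "bedroom", "off", "manual"),
    ("2019-07-01 18:15", "kitchen", "on", "manual"),
    ("2019-07-01 19:30", "kitchen", "off", "manual"),
    ("2019-07-01 19:31", "living", "on", "voice"),
    ("2019-07-01 23:10", "living", "off", "manual"),
    ("2019-07-01 23:12", "bedroom", "on", "manual"),
    ("2019-07-01 23:48", "bedroom", "off", "manual"),
]

def platform_view(events, model):
    """Events the assistant platform receives under each reporting model."""
    if model == "push":   # continuous status updates: every state change
        return list(events)
    if model == "poll":   # older flow: state is seen only around a voice command
        return [e for e in events if e[3] == "voice"]
    raise ValueError(f"unknown model: {model}")

def profile(visible):
    """Summarise what the visible events reveal about the household."""
    on_since, minutes_on, times = {}, {}, []
    for stamp, room, state, _source in sorted(visible):
        t = datetime.strptime(stamp, FMT)
        times.append(t)
        if state == "on":
            on_since.setdefault(room, t)
        elif room in on_since:   # an "off" after a known "on" yields a dwell time
            mins = int((t - on_since.pop(room)).total_seconds() // 60)
            minutes_on[room] = minutes_on.get(room, 0) + mins
    # Longest silence between events: a candidate "asleep or away" window.
    gaps = [(b - a, a, b) for a, b in zip(times, times[1:])]
    quiet = max(gaps, default=None)
    hhmm = lambda t: t.strftime("%H:%M")
    return {
        "events": len(times),
        "minutes_on": minutes_on,
        "first_activity": hhmm(times[0]) if times else None,
        "last_activity": hhmm(times[-1]) if times else None,
        "longest_quiet": (hhmm(quiet[1]), hhmm(quiet[2])) if quiet else None,
    }

if __name__ == "__main__":
    for model in ("poll", "push"):
        print(model, profile(platform_view(EVENTS, model)))
```

With the poll model the platform sees two events and no dwell times; with push it sees per-room durations, the first and last activity of the day, and the daytime gap when nobody touched a switch.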
So if your network is down then what? (Score:5, Interesting)
So if your network is down then what?
Can they get stuck on or off?
Re:So if your network is down then what? (Score:5, Interesting)
At least some of them. My son got a cool light strip and I was very surprised that there were no manual controls at all. Had to use an app to do anything.
Re:So if your network is down then what? (Score:5, Interesting)
I once bought a Tzumi "smart" Bluetooth padlock because I found it on sale at a local shop. It turned out that in order to use it, you had to install an app, grant it network and GPS permissions, create a remote account and have a constant connection to the manufacturer's server. Every time you unlocked it, the app would supposedly phone home letting the manufacturer know the time and location of activation. I say supposedly because I never even got as far as installing their app. As soon as I found out that was a requirement, I smashed the lock with a hammer (so that nobody else could use it) and tossed it in the trash.
Razer pulls this kind of spying shit for ALL of their products, regardless of whether it's a keyboard, mouse, phone or laptop, they want to spy on you.
Re: (Score:2)
And Tzumi were probably cheering because they made the sale AND then didn't have the ongoing bandwidth costs to support it. Win/win for them :)
Re: (Score:3)
Even that seems ridiculous. Instead of just turning things off you have to find your cell phone, find the right app, and from there turn off the lamp you've been standing next to all this time. What if your battery died?
remote/cloud is not our friend (Score:2)
The only responsible way to create a smart on/off device, and similar, is to have it communicate ONLY on the LAN / bluetooth.
The whole "but you can manage (device) from anywhere if you have a cloud based system" is a benefit that comes with entirely too many downsides.
When you had old school lights and thermostats, in-home-only was fine. No reason it can't still be fine, but with the added convenience of managing from anywhere in the home, just not anywhere in the world and via multiple third parties, comm
Re: (Score:2)
While pretty much all (AFAIK) commercial home automation hubs "call home", which is indeed a major security issue, there are lots of alternatives today.
If you don't mind diving into a little bit of DIY, there are many privacy-centered options today for your local network only. Like Home Assistant [home-assistant.io] and OpenHAB [openhab.org].
Sure, they take more work to set up, but you get the comfort of knowing that nobody at Google or Amazon knows exactly when you turn on or off your vibrator or wha
Re: (Score:1)
"At least some of them. My son got a cool light strip and I was very surprised that there were no manual controls at all. Had to use an app to do anything."
Send it back and tell them it is defective. Which is the truth.
I wonder when the Telemetry Bubble will pop just like the DotCom bubble did 20 years ago?
Re:So if your network is down then what? (Score:5, Interesting)
Why not just use good old fashioned switches
One reason: Wasted electricity.
My AC shuts off if an open-window sensor is triggered.
When my kids go to the kitchen, they leave the lights on. So my smart hub turns them off when there is no motion detected for five minutes.
They also forget to turn the hot tub off after they use it. Sometimes they have left it running for a week for no reason - with a four-kilowatt heater. So my smart hub checks at midnight and if it is on, turns it off.
None of this is done with Amazon Alexa or Google Home. In fact, the last time I checked, neither device is even capable of this sort of "smartness". They are actually rather stupid devices, with no exposed API. Instead, I use a Python script on a Raspberry Pi that talks directly to the switches.
Re:So if your network is down then what? (Score:4, Interesting)
I've been looking at building something like this but using a Raspberry Pi Zero W to do presence detection with Bluetooth. The down side is you need your phone's Bluetooth turned on all the time, the upside is that it works where IR doesn't e.g. the hot tub or kitchen.
You can also connect those wireless window sensors and the like to a Pi using RTLSDR to receive the signals. I might try to use a dedicated 433MHz receiver though because the RTLSDR solution is quite high power and those cheap dongles aren't amazingly reliable. If you go that route either find some sensors that have already been reverse engineered or expect to do a little bit of detective work.
Re: (Score:1)
I was looking at some commercial wifi switches that you can load open source firmware on to. I forget the name now, can dig out some notes later.
Re: (Score:2)
If you're really interested in saving power, look into the ASHRAE requirements. Lutron has a bunch of stuff that works with this.
Basically all lights are LED (not retrofit bulbs, but native LED fixtures), everything is on an occupancy sensor, if you have lots of windows there's a daylight sensor to allow daylight harvesting, and in some areas half the receptacles shut off when the occ sensor detects the room is empty for 30 minutes. There are other requirements for HVAC, but you likely won't be able to take
Re: (Score:2)
Thanks, I will have a look at that, it sounds interesting.
Re: (Score:2)
you don't tell your kids to make sure the lights off
Have you ever interacted with any real children?
Guess what? They often don't do what they are told.
I am sure if I beat them often and severely, they would eventually learn to turn off the kitchen light.
But to be honest, I prefer to spend $30 on the Raspberry Pi.
Re: (Score:2)
A common expression here to get people to remember to close the door after them is, "Were you born on a train?"
The ONLY thing you're teaching your kids is to never pay attention to what they're doing because The Cloud will pick up after them.
Re: (Score:1)
Why not just use good old fashioned switches
One reason: Wasted electricity.
My AC shuts off if an open-window sensor is triggered.
When my kids go to the kitchen, they leave the lights on. So my smart hub turns them off when there is no motion detected for five minutes.
They also forget to turn the hot tub off after they use it. ...
They make switches to do this. My house already had sensor switches in a number of places, such as bathrooms and closets. You can manually turn the light on and off but if there's no motion after a while it will turn the light off anyway. There's no need for internet/intranet connected devices to do this.
Re: (Score:2)
My system does not rely on the external internet. The only reason my internal intranet would go down is if the power goes out, in which case the switches aren't going to work anyway.
So the only practical difference between my system and yours is that yours is more expensive and less flexible.
Re: (Score:1)
You're right. There's nothing smart in your house.
Then you get off your fat backside.... (Score:1)
... bin the internet of shit bulbs and go buy some normal ones, then make the effort to use a switch to turn them on and off.
This stuff really should operate locally... (Score:5, Insightful)
The fact that we have to send data back and forth across vast geographical distances to offsite servers to make our smart home stuff work is absurd. All this should be operating purely on the local subnet with the Internet only required to control your devices from outside your home.
This whole needing the Internet and company's servers to work thing is what has kept me away from deploying more smart devices in my home. So far I only have Philips Hue lighting, which operates locally.
Re: (Score:2, Interesting)
So far I only have Philips Hue lighting, which operates locally.
Does it? Have you confirmed that the Hue bridge (which connects Zigbee to Wifi) doesn't require an internet connection itself through your router? i.e.: will it still work when connected to just a private Wifi network with no external access?
Re:This stuff really should operate locally... (Score:5, Informative)
Local connectivity should be your number 1 consideration when you buy any piece of smart home equipment. And even if a device does offer remote access, I prefer to disable it, firewall the device, and have my hub handle that.
Re: This stuff really should operate locally... (Score:2)
Apple's HomeKit is Local, too. The only exception is HomeKit video; which is (free) iCloud-based, and end to end encrypted, with Apple not having the key.
Re: (Score:2)
Zigbee generally doesn't need an internet connection and AFAIR it is even possible to connect the switches directly to the bulbs bypassing the hub altogether.
Re:This stuff really should operate locally... (Score:4, Insightful)
Naa, if this was all local, how would a) black-hats ever hack you and b) Amazon and Google ever profile your life?
In other news, the more tightly coupled a system is, the less reliable and secure. Any good engineer hence avoids doing that.
Re:This stuff really should operate locally... (Score:5, Insightful)
So it simply needs a law. Does it need to send data to the people who sold it, to provide a benefit to the customer, no, then ban it. Simply start issuing bans on server connections on devices that should be only locally controlled and locally updated and only expressly with the owner's permission.
Re: (Score:2)
That solution of yours is a bit at odds with your sig.
Correction, it's completely at odds with your sig.
Re: (Score:3)
How else can the likes of Google and Amazon keep tabs on the validity of the various subscriptions they'll clearly be selling very soon for this 'tat'?
It needs to phone home and if you have not paid your subscription the device in question is disabled. Don't pay for a month and it gets bricked.
That is clearly the sort of society these companies want us to accept soon (there is no later for them)
Pay $$$ for the device
Pay $$$ each month to keep it active.
Result is one happy Google or Amazon. They have you by
Clown World (Score:1)
Seeing this idiocy played out makes me feel like the world is just one big cartoon. Not a very funny one at that.
Re: (Score:2)
Oh, yes. The problem is, ultimately, the customer.
Re: (Score:2)
Nothing simple here. Credibly faking a "benefit to the customer" is very easy. This is not something a law can solve.
Re: (Score:2)
Why do you think people buy these things? They like being able to control their home remotely, even when far away.
It's the same reason I like cars with connected services. I like being able to see the status of the car, enable the AC or unlock the doors remotely. Those are all useful services to me.
Of course I'm aware that there are security issues to consider. But so far they seem manageable. With the home stuff I have a separate network for that gear and the firewall only allows outgoing connections to sp
Re: (Score:2)
Well, the main problem with IoT is insecurity. It is still far too easy to build a bot-net from cheap IoT things.
Incidentally, without explicit opt-in and default-off, this behavior is already illegal in the EU due to the GDPR.
Re: (Score:2)
Re: (Score:3)
And this is why I keep to normal physical breakers on the wall. Only when there's a hard to locate power outlet that I sometimes have to cycle because I have to reboot a device I have a radio-controlled switch on it, but it's still local. Of course a neighbor might be able to hack it, but the worst thing that will happen is that I will have to unplug the switch and deal with crawling on the floor each time I need to restart that device, which only happens a few times per year.
Re: (Score:1)
And this is rapidly getting more prevalent and absurd. And this is already pissing people off.
Either I have full local control of the device (without using an "app"), or they can go fuck themselves.
Re: (Score:1)
Re: (Score:2)
Even the Philips Hue is going too far. I'm sticking with my Philips SceneSwitch [techhive.com].
Santa Claus has nothing on Amazon and Google (Score:2, Funny)
This is just a huge (Score:5, Insightful)
I fail to see why anyone would have one of those devices in their homes. They are just there to route money to the big players.
The big players are monopolies and will need to be dealt with.
Just my 2 cents
Re: (Score:2)
Just my 2 cents
Re: (Score:3)
Your devices should just talk with your base server(whatever)(which is under your control)(encrypted by you) and the base is the dissemination point.
The concept of installing an untrusted app (others' apps) on your device (is a security breach) and then sending all your data through said untrusted app (any you do not control) is a foolish design in the real world. The whole
Re: (Score:2)
Seems like there would be a decent market for something like that if it existed. The problem seems to be that any new local protocol won't be well supported by device manufacturers.
Maybe someone could build a router with this functionality that did a MITM attack on the connections to the cloud. It depends if the device manufacturers' security is decent enough to notice that kind of thing happening.
I suppose the alternative is to make the devices as well, but it's hard to win when you don't offer consumers mu
Patent encumbered until recently (Score:5, Interesting)
That "something changed in early 2019" was the expiry of a patent held by Lutron Electronics for "Instant Update": 5,905,442 titled "METHOD AND APPARATUS FOR CONTROLLING AND DETERMINING THE STATUS OF ELECTRICAL DEVICES FROM REMOTE LOCATIONS"
Basically it covered the status update where a smart device could send the status back to a controller, rather than it have to be polled. This held back its adoption by the Z-Wave community for years.
So Google and Amazon *couldn't* implement these automatic status updates because it was too costly to build into the devices themselves. However, now that the patent has expired, it seems like these giants are going for the data jugular!
Re: (Score:2, Funny)
Re: (Score:1)
For fucks sake stop spamming this drivel.
Not a smart device (Score:5, Insightful)
Needing a computer 1,000 km away, to switch-on a light hanging 5 metres away, is far from smart.
Is a Clown device (Score:1)
"Needing a computer 1,000 km away, to switch-on a light hanging 5 metres away, is far from smart."
Think about this for a second....this fits perfectly well in a comedy routine!
Libre Home zero information leak (Score:5, Interesting)
Re: (Score:1)
A fool and his privacy are soon parted (Score:2)
If you let (sorry, PAY) Google or Amazon or some other data warehousing megacorp. to be a man in the middle between you and turning your lights on, or opening your front door - you need your bloody head examined.
5G Warfare Enabled (Score:1)
no smart stuff (Score:2)
always listening (Score:2)
it's already established that these devices are always listening and continuously sending audio back to HQ, how does this additional bit of data come as a surprise to anyone?
people pay willingly for a continuous spying device, collecting data (even when not interacting with it), providing immense value for the data gathering companies, all with very little benefit to the user. you must admit that is pretty amazing to accomplish.
luckily nobody is forcing you (yet) to actually buy and use these devices.
Another reason NOT to use this crap (Score:2)
Just another reason NOT to use Alexa, Google Home, or any of this crap.
If you need a wifi connection, an app, and a user account with a corporation to turn a light on and off, you done fucked up.
And remember kids, "patch your lightbulbs [slashdot.org]".
You were all warned (Score:2)
There's still time: e-waste all of it and take back some of your privacy.
Re: (Score:2)
You are just shouting into the wind. You really underestimate how ignorant the average consumer is.