An engineer got curious about how his iLife A11 smart vacuum worked and monitored the network traffic coming from the device. That’s when he noticed it was constantly sending logs and telemetry data to the manufacturer — something he hadn’t consented to. The user, Harishankar, decided to block the telemetry servers’ IP addresses on his network, while keeping the firmware and OTA servers open. While his smart gadget worked for a while, it just refused to turn on soon after. After a lengthy investigation, he discovered that a remote kill command had been issued to his device.
One aspect to consider is exactly what data these devices are exfiltrating from your network. You usually can’t see the contents of the telemetry sent, but given that a LOT of smart devices have cameras and/or microphones, do you really trust that your IoT devices are not sending back audio and or video recordings of the inside of your house?
I’m sure theres more than a few programmers here that secretly work on crap like this at work.