I know people are going to be upset about the "can't upgrade the firmware" bit. But, where this story goes wrong is that a toothbrush has firmware to upgrade. Things like this are some of the reasons I avoid 'smart' devices (e.g. doorbells, toothbrushes), when lower tech ones work perfectly well. I cannot imagine needing an app for my toothbrush.
I guess I'm lucky. I've only had to reboot mine a couple times since I've owned it (over 2 years).
Incidentally, my TV is the only "smart" gadget I have beyond a phone, tablet, and some laptops. There's significant value in being able to run Netflix and other apps on the TV.
When toothbrushes start coming with LED screens, then maybe I'll upgrade. :P
I think a dumb TV and a small, physically connected network device is optimal. I mean, I just discovered that my TV phones home once a day for software updates, and this cannot be turned off! The tendency for these devices to include microphones, and phone home with information about what you're watching...not to mention that Roku's software has an indelible adspace on a device I paid for. It's all just really disgusting, and it is insane how quickly everyone has sold themselves out, and with such enthusiasm.
> it’s insane how quickly everyone has sold themselves out
I’m old enough to remember the culture of ‘90s internet. It was already clear that the original “anarchic” tendencies were on their way out, and mobile/IoT has been the nail in the coffin.
> I think a dumb TV and a small, physically connected network device is optimal.
I wish this would be a possible choice but I don't think anyone make dumb TVs anymore. I've searched recently to find a new 4k tv and couldn't find any. So I finally bought a smart one...
A lot of people are perfectly happy with their Firestick, Apple TV or Chromecast. It really felt like such a waste to have to buy a TV with software I will never use.
There are still some dumb TVs in the very low price segment, with questionable panels of course, or im the signage segment, very expensive, of course.
I recently bought a 2018 Samsung TV that I fully expected to use with some extra device, but it turns out the software isn't even that obnoxious (closest thing to an unremovable ad is the linear TV guide in the source selection). It has YouTube, Netflix (which can't play 4K on Linux), and can play modern formats reliably and quickly through DLNA/UpnP.
I do have my concerns about its security - maybe it's already part of a bot net. Feature updates are out of the question anyway, so let's see when I'll have to get a secondary device.
I don't know the others, but the Tizen platform seems relatively light weight. While other systems (Android in particular it seems) can take a long time to cold boot this one only needs a couple of seconds.
Some don't actually turn off, nor do they restart when you turn them on. You notice for the first time that they have never been actually off the first time you experience a bug and freezes and then you unplug it and after you turn it on you see that every app takes longer to start and look slightly different due to some unattended background upgrade.
Many TVs go into a power-saving mode when you press the "power" button now, rather than truly turning off. They usually require the plug itself to be pulled or a trip deep into the settings menu to find a "full restart" option in order to get it to truly power cycle.
Same here. I have a Vizio that was rock solid when I first got it - I don't use any of the TV's native apps/OS, but heavily leverage the built-in Chromecast and Airplay functionality.
It randomly updated the firmware at some point, and has been flaky ever since. At some point it'll (anywhere from a few days to a few weeks), it'll simply stop showing up on the network for both Chromecast and Airplay. And requires a hard restart to get working again.
How did you go about even initiating that? My bulbs are acting weirdly (don't remember the last light intensity, stuff like that) and I didn't even know updating them was a possibility
Parent was asking about lights from Phillips. The software update for that is initiated by the Phillips app one presumably has installed on their phone.
I feel like this video is an excellent example of why “dogfooding” can be so important. I’d bet that back at GE, the engineers had a programmable power supply, or some micro that automated this reset process. I’d also bet that on paper, the reset process looks pretty straightforward.
I’d love to have been in the room when they realized they needed to make a public facing video.
> I cannot imagine needing an app for my toothbrush.
The problem is if all toothbrushes become 'smart'. Then you won't have the choice of buying a simple toothbrush. Seems like the trend today is the put chips into everything. Toothbrushes, light bulbs, shoe laces and eventually humans.
It could be unrelated to a prior jailreak - I had installed the iOS 14 Beta and my banking software insisted my phone had been jailbroken. Fortunately it allowed me to 'Accept the risk' and continue.
I think the most likely scenario is that there is a third party library or service to detect jailbreaks and it is faulty.
Ten bucks says that by you 'accepting the risk' your accounts are now flagged as not be covered for any losses that the bank 'says' are due to hacking as per some legalese in one of their 100 page agreements.
Just saying this sounds tinfoil hat to me, but I would seriously consider changing banks. I would not want to hold any account, especially credit cards, for a bank that has allowed me to opt to ignore a security risk
Oh, my bank did this as well (maybe even the same bank). I didn't think anything of it except I chuckled a little bit and felt sorry for them that it looked like a significant amount of people suddenly got jailbroken phones.
There is speculation in the replies to this tweet that the stronger sandboxing could be triggering something. It could also be leftover jailbreak files as he didn't do a full restore (or used backups from when it was jailbroken).
Out of curiosity are you with BoA? That was the bank mentioned in the thread w/ a similar detection after the 14 upgrade.
From the HN headline, "I can’t upgrade the firmware of my toothbrush because I once did jailbreak" I thought he had done a jailbrake on his toothbrush, which, honestly, I was much more interested in hearing about.
Turns out he needs to use his phone to update his toothbrush, and being such a security sensitive device as a toothbrush is, Philips won't allow that update to be done on jailbroken devices.
Then let me get ahead of it for you: the future from now is going to be even stupider. I know that hardly seems possible, but trust me, it's even worse than you imagine.
The problem is Philips have been burned by all the stunt hacking done on their bulbs and IOT in general. They're damned if they do and damned if they don't.
If they _do_ all the stupid security things they get this.
If they _don't_ do all the stupid security things they get sensational headlines where stunt hackers use drones to infect all the lights in an office building.
Philips had a security assessment on their app for all the obvious reasons. [I am simplifying, it may be part of their standard development process at this point to add these things].
That assessment came back with (among others) the findings:
xyz.124: No app obfuscation: our testers were able to reverse engineer the app and...
xyz.125: No jailbreak detection. During the assessment...
I've seen apps that _really_ don't need these things come back with these findings in reports from supposedly big, reputable security firms. That is partly because the findings are _right there_ in the methodology and pre-written, and it's low effort for the tester to paste them in and pad out their report. There is also the argument that its better to tell the customer they don't have those things and let them decide whether to accept the risk.
If you don't have engineers who can push back on "not applicable" security findings (or you have a team priority to reduce risk at any cost) then this is what happens.
It is also remotely possible that the app "needs" these things because the firmware is unsigned and they are concerned about stunt hackers posting on twitter about the funny or mildly nefarious things they can do with the brushes.
Jailbreak detection is not an exact science so you will inevitably get outcomes like this.
I get your point about preventing low level hacks, but isn't
> If they _don't_ do all the stupid security things they get sensational headlines where stunt hackers use drones to infect all the lights in an office building
Kind of beside the point? If you do the right security things you can ensure only the right person gets acceses, i.e. the owner of the device.
SDLCs in huge corporates tend to produce slightly crazy outcomes.
There are 3 reasons I know of to implement jailbreak detection. Two "real" ones and one process related.
The first is that you have implemented security controls "on the client" somewhere. In which case you need to take some control away from the user to avoid circumvention.
The second is that you cannot really tell the difference between compromise and jailbreak; that is, you are less confident that actions on the device reflect the true intent of the owner. This is why, for example, banking apps can be touchy about jailbreaks.
The third is what I believe is happening here: You got burned at some point for the other 2 reasons, it's now part of your corporate IOT security standard to add it to every app.
Sadly the cognitive cost of deciding the "perfect" set of security controls for your toothbrush app is higher (and riskier project-wise) than just following the corporate standard. So team implements feature.
43 comments
[ 0.19 ms ] story [ 103 ms ] threadIncidentally, my TV is the only "smart" gadget I have beyond a phone, tablet, and some laptops. There's significant value in being able to run Netflix and other apps on the TV.
When toothbrushes start coming with LED screens, then maybe I'll upgrade. :P
I’m old enough to remember the culture of ‘90s internet. It was already clear that the original “anarchic” tendencies were on their way out, and mobile/IoT has been the nail in the coffin.
I wish this would be a possible choice but I don't think anyone make dumb TVs anymore. I've searched recently to find a new 4k tv and couldn't find any. So I finally bought a smart one...
A lot of people are perfectly happy with their Firestick, Apple TV or Chromecast. It really felt like such a waste to have to buy a TV with software I will never use.
I recently bought a 2018 Samsung TV that I fully expected to use with some extra device, but it turns out the software isn't even that obnoxious (closest thing to an unremovable ad is the linear TV guide in the source selection). It has YouTube, Netflix (which can't play 4K on Linux), and can play modern formats reliably and quickly through DLNA/UpnP.
I do have my concerns about its security - maybe it's already part of a bot net. Feature updates are out of the question anyway, so let's see when I'll have to get a secondary device.
I don't know the others, but the Tizen platform seems relatively light weight. While other systems (Android in particular it seems) can take a long time to cold boot this one only needs a couple of seconds.
It randomly updated the firmware at some point, and has been flaky ever since. At some point it'll (anywhere from a few days to a few weeks), it'll simply stop showing up on the network for both Chromecast and Airplay. And requires a hard restart to get working again.
I'm terrified of the day we figure out energy storage to just have like 30 years built in energy store in these devices.
This video about reseting a GE bulb shows how you reset a device with "one" button. I love it.
https://www.youtube.com/watch?v=1BB6wj6RyKo
I’d love to have been in the room when they realized they needed to make a public facing video.
The problem is if all toothbrushes become 'smart'. Then you won't have the choice of buying a simple toothbrush. Seems like the trend today is the put chips into everything. Toothbrushes, light bulbs, shoe laces and eventually humans.
I think the most likely scenario is that there is a third party library or service to detect jailbreaks and it is faulty.
Just saying this sounds tinfoil hat to me, but I would seriously consider changing banks. I would not want to hold any account, especially credit cards, for a bank that has allowed me to opt to ignore a security risk
Out of curiosity are you with BoA? That was the bank mentioned in the thread w/ a similar detection after the 14 upgrade.
Turns out he needs to use his phone to update his toothbrush, and being such a security sensitive device as a toothbrush is, Philips won't allow that update to be done on jailbroken devices.
But also, why the heck does the toothbrush care whether my phone is Jailbroken in the first place?
If they _do_ all the stupid security things they get this.
If they _don't_ do all the stupid security things they get sensational headlines where stunt hackers use drones to infect all the lights in an office building.
Philips had a security assessment on their app for all the obvious reasons. [I am simplifying, it may be part of their standard development process at this point to add these things].
That assessment came back with (among others) the findings:
xyz.124: No app obfuscation: our testers were able to reverse engineer the app and...
xyz.125: No jailbreak detection. During the assessment...
I've seen apps that _really_ don't need these things come back with these findings in reports from supposedly big, reputable security firms. That is partly because the findings are _right there_ in the methodology and pre-written, and it's low effort for the tester to paste them in and pad out their report. There is also the argument that its better to tell the customer they don't have those things and let them decide whether to accept the risk.
If you don't have engineers who can push back on "not applicable" security findings (or you have a team priority to reduce risk at any cost) then this is what happens.
It is also remotely possible that the app "needs" these things because the firmware is unsigned and they are concerned about stunt hackers posting on twitter about the funny or mildly nefarious things they can do with the brushes.
Jailbreak detection is not an exact science so you will inevitably get outcomes like this.
> If they _don't_ do all the stupid security things they get sensational headlines where stunt hackers use drones to infect all the lights in an office building
Kind of beside the point? If you do the right security things you can ensure only the right person gets acceses, i.e. the owner of the device.
There are 3 reasons I know of to implement jailbreak detection. Two "real" ones and one process related.
The first is that you have implemented security controls "on the client" somewhere. In which case you need to take some control away from the user to avoid circumvention.
The second is that you cannot really tell the difference between compromise and jailbreak; that is, you are less confident that actions on the device reflect the true intent of the owner. This is why, for example, banking apps can be touchy about jailbreaks.
The third is what I believe is happening here: You got burned at some point for the other 2 reasons, it's now part of your corporate IOT security standard to add it to every app.
Sadly the cognitive cost of deciding the "perfect" set of security controls for your toothbrush app is higher (and riskier project-wise) than just following the corporate standard. So team implements feature.