How Smart Appliances Could Expose You to Hacking Risks
Big appliances can last for years after software security updates have stopped
Have you bought a new refrigerator, oven, washing machine, or other big appliance in the past few years? If so, there’s a good chance it can connect to the internet through your WiFi network. There are hundreds of these smart appliances in CR’s product ratings, and more of them enter our labs every month. These products can be operated manually, as you’d expect, but they also let you do some things through a phone app, such as arranging to get pinged when a dishwasher cycle is done.
Smart features might seem appealing, but they come with some trade-offs. As I’ve reported before, manufacturers can use the data from smart appliances for R&D, marketing, or other purposes. Now, a new CR study indicates that smart appliances could also expose your home network to security vulnerabilities. That’s because you’ll probably own and use the product long after the company stops issuing software updates.
Few Appliance Companies Promise to Update Software
Earlier this year, Consumer Reports researched how long appliance companies like GE, LG, and Samsung tell their customers they’ll keep their appliances’ software updated. This is important because security experts are constantly finding and fixing vulnerabilities in software, along with supplying new features. That’s why your phone and laptop get regular updates for years after you buy them.
The CR researchers looked for this information on 19 major brands that make smart appliances, and found that only three of them—Fisher & Paykel, GE, and Vissani—tell their customers how long they’ll keep updating their products’ software. The rest of the brands either don’t promise to update their software at all or don’t say how long their software support will continue.
Fisher & Paykel and GE (both subsidiaries of Haier) offer the longest support timelines. Both say they will keep the software on smart appliances current for five years from the appliances’ launch date or two years from the date of purchase, whichever is longer. That’s better than what their competition does, but American consumers expect typical large appliances like refrigerators and dishwashers to last much longer. Americans who had purchased large appliances in the past two years expected them to last an average of 10 years, according to a nationally representative survey (PDF) of 2,160 U.S. adults who had made such purchases, conducted by CR in the summer of 2023.
It’s possible that some or all of the companies CR looked at really will supply security updates for years longer than they are saying, but there’s no way to know that. And for some perspective, this isn’t the way the world’s top tech companies operate. If you buy an iPhone 16 this fall, Apple says it will keep it supported with software updates until 2031. Google says its new Pixel 9 phone will be supported for the same length of time—seven years.
Now, does it really matter if your washing machine has a software vulnerability? According to CR’s security experts, the answer is yes. Steve Blair, CR’s privacy and security test program leader, has found vulnerabilities in a number of consumer products over the years. “The problem isn’t primarily that a criminal is going to harm your appliance. But once they’ve got control of the appliance, they can probe your WiFi network and attempt to infiltrate other, more sensitive devices in your home.” Your appliance could also, potentially, become part of a botnet used by criminals to launch attacks on other computer systems.
It’s easy to think this kind of attack won’t happen to you, but Blair says it’s more likely than you might think. “There are various actors basically waiting for vulnerable systems to be identified that they can exploit en masse,” he says.
“Negligence in addressing security vulnerabilities in software is bad practice, especially when you expect major appliances to work for 10 to 20 years,” says Justin Brookman, CR’s director of technology policy. “It exposes you, your devices, and your personal information to attack by malicious actors, and you shouldn’t have to take that risk.”
How to Stay Safer With Smart Appliances
Don’t connect a smart appliance to WiFi unless you really like the added features that you’ll get. One-fifth of Americans own a smart appliance, but only 7 percent of Americans own a large smart appliance and use its smart features, according to another nationally representative survey (PDF) by CR of 2,084 U.S. adults conducted in October 2022. That’s not to say no one should connect these products—getting alerts when your washer is done might be a feature you value, and one that’s worth the trade-off.
If you do connect smart appliances, put them on a different WiFi network from your computers, tablets, smartphones, etc. Even if the appliances’ network is compromised, criminals won’t be able to probe the devices on your more sensitive network. Many WiFi routers allow you to set up a secondary network, but you could also set up a second router in your home.
Not sure if you already have smart appliances on your WiFi network? The telltale sign is usually some button, such as “Smart Grid” on my smart refrigerator, that doubles as a WiFi button (shown below). But you have to notice the small “*WiFi” text underneath “Smart Grid,” and then press and hold the button for a couple of seconds to enable WiFi. If you discover an appliance has WiFi and weren’t aware of it, the appliance’s WiFi radio is likely off, but you can check by pressing the button to turn it on. If the WiFi turns on, simply press the button again to disable it.
Better Security Could Be Coming to Smart Devices
There is one change on the horizon from the federal government that could help solve the problem.
The Federal Communications Commission is trying to make the manufacturers of smart appliances and devices more transparent about their security practices and software support. To do this, the agency is creating the U.S. Cyber Trust Mark, which is essentially a digital nutrition label for connected devices that will disclose whether a product meets cybersecurity standards, and how long the manufacturer will support it. Similar to the Energy Star program, the mark is voluntary, and it doesn’t require manufacturers to disclose their support time frames. However, the hope is that manufacturers will adopt the mark and then disclose the information to differentiate their products. Consumers could then take software support into account when making purchasing decisions.
Consumer Reports has been a longtime supporter of the initiative and has proposed rules and designs for the mark.
If the Cyber Trust Mark is widely adopted, smart appliances could become more secure products that you can confidently connect to your home WiFi network. Until then, you might want to refrain from pressing that *WiFi button.