My new washer-dryer (not as much fun as the telephone) has bluetooth ,and I can monitor and control it with an app ('Homewhiz')..
...that connects to a cloud server 'somewhere'.
...for which the app suppliers want: my location and access to my microphone, camera and contacts - and the app won't install or run if you start denying access.
Nope, not happening.
I wish I was more of a hacker/programmer because I'd like to do some protocol sniffing and create a connector for Node-Red so that I could link the appliance to my home automation system without becoming a personal data asset for the manufacturer.
Yep. My comment was more along the lines of 'connectivity can be fun/useful, but sometimes there's a privacy trade-off'.
I'd consider myself 'aware' rather than 'paranoid', but if we extrapolate for a minute....Some function or app on the phone (or distant cloud service) can recognise the MAC address of the Fisher price phone's bluetooth PHY and, coupled with GPS info, we have a location where there's possibly a young child (or an older one in their home office!). Maybe, worse case, your targeted ads contain more children's toys.
Regular apps can't typically access the MAC address of the connected device. Additionally, with BLE (& Bluetooth 5?) the MAC address is required to rotate regularly as part of the spec (IIRC even while connected but certainly the broadcast address).
BLE has a privacy feature that enables MAC address rotation, but it isn't a requirement. Apple products and Android phones use the privacy feature, but other than that most products don't. The possibility of tracking someone via the MAC address of their Bluetooth devices is very real.
But you are correct that regular apps can't address the MAC address of connected Bluetooth devices, so the tracking vulnerability that OP is suggesting isn't really possible.
Yeah, but someone in your home
might have a rogue phone app installed (or not even that, I bet companies like Xiaomi already so this with their smart home stuff) that scans bluetooth devices and sends the addresses so that they can be data mined.
The description seems to say that you can dial out on the toy, but it connects via Bluetooth to the mobile device to do so:
"Connects to your mobile device with Bluetooth® wireless technology to make and receive calls through your existing phone plan—no additional line required (Compatible with IOS and Android™ devices)"
Phones should have fake permissions for this kind of thing. Suuure you can read my SMS. Oh, I never get any SMS? Well that's how it is. Mine my contact info? Oh, look at that, I have no friends.
Assuming it's a built-in iOS/Android feature, hopefully app review would catch apps trying to circumvent the fake permissions, and the risk of blocking real users would probably discourage them (I almost never use SMS unless it's for a verification code, and I have no reason to keep those messages).
iOS has this with the photo album permission at least. You can select to only reveal a select subset of your photos to an app. I assume Android has something similar.
I would hope this is just using bluetooth headset profile, and doesn't require anything like that. It really doesn't need anything else with the feature set as described.
> I wish I was more of a hacker/programmer because I'd like to do some protocol sniffing and create a connector for Node-Red so that I could link the appliance to my home automation system without becoming a personal data asset for the manufacturer.
Without knowing the App, but the location permission could be required for Bluetooth 4.X LE to work. That still doesn't justify why a dryer needs your phonebook.
> for which the app suppliers want: my location and access to my microphone, camera and contacts - and the app won't install or run if you start denying access
Could these things be virtualized? And provide a fixed location, silent sound, and an empty contact list to whatever applications you don't trust?
Yes, if you run an android version with root there are frameworks for doing this. That said, some apps detect when things are too static and won't necessarily work even with these workarounds.
This should be built into the operating system. Didn't Android (or maybe it was iOS) add a feature recently where you can set your camera to be a black screen unless you explicitly give permission to the app even if you gave permission to the app earlier?
I agree, but I doubt it will happen. It was already a battle to get the permissions in android as fine-grained as they are. Even though they are fine-grained now, the permissions don't mean anything when every app demands that you give it everything it asks for (even though it clearly does not need them to work).
I haven't kept up with it, it needs a rooted phone and Xposed Framework, and some apps don't like that and stop working.
But in an older version of this app, you can set it to prompt you for any activity the app wants to do, e.g. read clipboard or phone status, where you can say "Allow/deny always, allow/deny for 10 minutes" etc.
Why did you buy that washer and dryer? Surely there were non-"appified" versions available? You appear to hate the idea, but you just told that manufacturer that that's what you wanted.
...that connects to a cloud server 'somewhere'.
...for which the app suppliers want: my location and access to my microphone, camera and contacts - and the app won't install or run if you start denying access.
Nope, not happening.
I wish I was more of a hacker/programmer because I'd like to do some protocol sniffing and create a connector for Node-Red so that I could link the appliance to my home automation system without becoming a personal data asset for the manufacturer.