Smart Appliances Could Expose Your WiFi to Hacking Risks

Earlier this year, Consumer Reports researched how long appliance companies like GE, LG, and Samsung tell their customers they’ll keep their appliances’ software updated. This is important because security experts are constantly finding and fixing vulnerabilities in software—along with supplying new features—that’s why your phone and laptop get regular updates for years after you buy them.

The CR researchers looked for this information on 19 major brands that make smart appliances, and found that only three of them—Fisher & Paykel, GE, and Vissani—tell their customers how long they’ll keep updating their products’ software. The rest of the brands either don’t promise to update their software at all or don’t say how long their software support will continue.

Fisher & Paykel and GE (both subsidiaries of Haier) offer the longest support timelines. Both say they will keep the software on smart appliances current for five years from the appliances’ launch date or two years from the date of purchase, whichever is longer. That’s better than what their competition does, but American consumers expect typical large appliances like refrigerators and dishwashers to last much longer. Americans who had purchased large appliances in the past two years expected them to last an average of 10 years, according to a nationally representative survey (PDF) of 2,160 U.S. adults who had made such purchases, conducted by CR in the summer of 2023.

It’s possible that some or all of the companies CR looked at really will supply security updates for years longer than they are saying, but there’s no way to know that. And for some perspective, this isn’t the way the world’s top tech companies operate. If you buy an iPhone 16 this fall, Apple says it will keep it supported with software updates until 2031. Google says its new Pixel 9 phone will be supported for the same length of time—seven years.

Now, does it really matter if your washing machine has a software vulnerability? According to CR’s security experts, the answer is yes. Steve Blair, CR’s privacy and security test program leader, has found vulnerabilities in a number of consumer products over the years. “The problem isn’t primarily that a criminal is going to harm your appliance. But once they’ve got control of the appliance, they can probe your WiFi network and attempt to infiltrate other, more sensitive devices in your home.” Your appliance could also, potentially, become part of a botnet used by criminals to launch attacks on other computer systems.

It’s easy to think this kind of attack won’t happen to you, but Blair says it’s more likely than you might think. “There are various actors basically waiting for vulnerable systems to be identified that they can exploit en masse,” he says.

“Negligence in addressing security vulnerabilities in software is bad practice, especially when you expect major appliances to work for 10 to 20 years,” says Justin Brookman, CR’s director of technology policy. “It exposes you, your devices, and your personal information to attack by malicious actors, and you shouldn’t have to take that risk.”