We all do it blindly… thinking only about the benefits and conveniences that come with connecting all of our things to our networks and devices. From Alexa and Siri to our dishwashers and refrigerators and watches and phones. Get home, connect to our secure Wi-Fi with it's complex password and yay, away we go!

We fully expect these things to do what they're supposed to do. We expect Siri and Alexa and "Okay Google" to respond to our requests (generally with Wikipedia excerpts) and if we're lucky actually manage our devices or perform other tasks. We expect our watches to tell the time and track all of our bodily functions. We expect our dishwasher to notify us when it's time to *sigh* put the dishes away. This is why we purchased these items. This is what we expect of them, and in general, they deliver.

Our firewalls and Wi-Fi passwords protect the edges of our networks. They (hopefully) prevent unauthorized access from the ooey gooey inside of our networks, and we expect those protections to be effective (hopefully). But once something is inside of our network it's a free-for-all. For the most part (there are exceptions), everything can talk to everything… everything can see everything… everything knows everything that's happening. Once something is in, it's in and for most of us, that's just how it is. We protect the edge, but nothing is held back once you're inside.

And so we buy our neat little gadget and we grant it complete access to our private, protected little world so that it can do what we expect it to do.

But is that all it's doing? Remember… your dishwasher now has access to your entire network. Sure, it does it's job of connecting to your nifty app and singing to you when the dishes are done… but how do you know that's all it's doing? How do you know it's not doing more than advertised? Remember: In today's world, YOU are the product. We have seen manufacturers go to extreme lengths to sell "you" to analytics companies and marketers. To some degree we accept this. Maybe we assume these devices take advantage of us by capturing how we use them or what we explicitly grant them access to… but we don't seem to think about what we're implicitly granting them access to when we connect them to our network.

Most, but not all, resources that we access today use encryption to protect what we do with those services. For example, your bank (for all that is holy, please) takes huge steps to ensure your connection is secure. Even today's search engines protect your searches from spying eyes. This protection only applies after your connection to that resource has been established.

There is much, much more to see on your network:

• Your other devices - In many cases we expect devices to find out about each other. This is especially true for things like home automation tools. If they can't see each other and they can't talk, they couldn't do their jobs. Remember however… Once inside, everything can see everything. The dishwasher can see your TV, your remotely controlled fan, your light switch, your automatic window blinds, everything. Once inside, it's trivial for these devices to not only see that each other exists, but what their capabilities are, the manufacturer and model, and potentially even what commands or actions are being sent between them. This may seem innocuous… but to a product manufacturer or marketer, knowing what other devices you're using can be invaluable.

• Your internet requests - Yes, in most cases the information you exchange with a service is encrypted… but that is only after you have established a connection that that service. The simple fact that you are connecting to that service is frequently plainly visible. Before your computer can secure it's connection with google.com, it has to find out where the heck google.com is to begin with. The simple act of your computer asking the internet "Hey, where is google.com" can frequently captured. Even if your computer or application uses newer, more secure methods of doing these lookups, the actual address itself simply cannot be obscured. The underlying address that "google.com" points to is always plainly visible and that process of turning the address into the name is trivial. Again, what marketer or manufacturer wouldn't absolutely love to have this information?

• Your Wi-Fi information- The simple act of connecting a device to your Wi-Fi network provides the device the name of your network, and this information can be used for anything. Mobile devices are notorious for capturing your Wi-Fi network name and associating it with a location… but most also capture and send all of the other network names it can see near you, whether you've connected to them or not. The simple fact that your mobile device can even see the names of your neighbor's Wi-Fi network is sent off to your service provider or phone manufacturer.

…and we have no idea where any of this information may be going. Most of our home network gateways have few limitations on what these devices inside of our network can talk to outside of our network. The wireless gateway provided by your internet service provider likely prevents things from getting into your network, but has almost no limits on what can get out. The wireless mesh system we've purchased online is generally the same: Block anything from getting in, but allow anything to get out.

Your dishwasher, refrigerator, home automation device, television, smart speakers, could be talking to… anything, anywhere, owned by anyone. These devices could be capturing all of this information, and there are no limits to where this information could be going and what could be being done with it or by whom. Somehow, we believe but we don't know… and this belief… this trust… is completely unfounded. In fact, this trust has been frequently violated, and yet we continue as though these behaviors have never happened.

There are ways to decrease this, but no way to block it. More advanced network firewalls such as pfSense/OPNsense can significantly reduce the amount of information being sent beyond your network (and I am definitely a fan). These tools can block specific devices, specific services, and specific geographic regions. I see NO justification for any of my devices to talk to Russia or China regardless of their functionality. These firewalls also frequently have additional plug-ins that can prevent specific types of communication as well. For example, ZenArmor is available as a plug-in for OPNsense and can manage the types of traffic and services being communicated with. MaxMind GeoIP is enables these devices to understand geographic regions and control access to specific nations or locations. Suricata is also integrated into these platforms and can detect invalid or potentially nefarious communication and block those behaviors. Note that I am not advocating/advertising these services, I'm simply saying they exist. There may be others that are better for you or better in general. Caveat emptor.

Even the best of these tools can only do so much. Once a device or a path or a region has been allowed and a device connects to a remote resource, it can send any information it wants. Remember that once a connection has been established, it is frequently encrypted. Although there are ways to observe and respond to this traffic, they are rarely used and can potentially cause problems in their own right.

Look… I'm not saying don't use these things. They are useful, valuable, cool, fun, whatever. What I am saying is that we shouldn't blindly trust these devices to be limited in what they do. We have to acknowledge the truth that they can be doing anything… and should perhaps take reasonable actions to limit that possibility. If you don't care, cool… You're allowed to make that decision.

But we can at least think about it.