We Asked Appliance Manufacturers How Long They’ll Keep Connected Devices Secure. Many Couldn’t Tell Us.

Connected appliances—such as voice-controlled microwaves, refrigerators with touchscreens and online ordering, or Wi-Fi–connected washing machines—are growing in popularity. But unlike with smartphones or computers, we’ve seen little precedent when it comes to expectations for support and updates to such devices. Plus, appliances are expected to last for at least a decade, and they’re a pain to replace. Committing to security updates is the least a company can do, so we reached out to every major appliance company to see how long they planned to issue updates for their smart appliances.

Over the years, we’ve seen a handful of small-time hacks on connected appliances. LG had a vulnerability that allowed hackers to gain access to devices using fake accounts, a refrigerator was hacked to send out spam emails, and a different fridge, from Samsung, left Gmail credentials open to attack. Once, The Atlantic built a fake web-connected toaster just to see how long it would take before someone tried to hack the thing (less than an hour).

Smart appliances have possibly been used as part of a botnet to send out spam emails and run distributed denial of service (DDoS) attacks. It’s not difficult to take things a step further and picture a flashy worst-case scenario with an oven turning on in the middle of the night or a fridge’s temperature being cranked up to spoil food. But less-conspicuous threats are more worrisome, especially when you consider that appliances might have the credentials for your private accounts, from Google Calendar to your Wi-Fi password. As companies add more smart features, it’s increasingly important that they make sure their smart appliances stay secure.

We don’t currently recommend any appliances because they have smart features, but we do have some picks we recommend despite them. For example, our current favorite washing machine (the LG WM3900H) suffers from inconsistent Wi-Fi connectivity, but the washing machine is great without it. Overall, the iffy user experience these appliances provide doesn’t breed confidence in the security practices their makers have implemented for them.

According to Wirecutter senior staff writer Liam McCabe, who has covered appliances since 2011, “Appliance brands tend to design the mechanical and electronic components inside their appliances to last for 10 years of average use,” but companies rarely list how long they’ll provide software support for a connected appliance. Just like your smartphone, these devices need updates over time to address potential security issues, ensure compatibility, and add features. A connected fridge isn’t worth spending extra money on if its operating system isn’t receiving updates, and it’s certainly not worth that investment if it ends up leaking your Google account details.

We asked each of the major appliance companies how long they guaranteed security updates for their connected devices. GE (and its various brands), Samsung, Bosch, and Electrolux seem on board for long-term support, but several other companies didn’t want to go on the record with any commitment, and others never replied to our emails. The following update and support policies should be an important part of your buying decision when it comes to any smart appliance. Take them under as much consideration as you would a warranty or customer support.

• GE/Café/Haier/Hotpoint/Monogram: “We started using WiFi in our appliances in earnest in 2012. We have the ability and infrastructure to update those units from a security perspective. We plan to have security updates for units up to 10 years with high confidence. As our owner’s demands change, so will we and our flexible update system gives us the ability to meet those needs and support longer time periods as requested. We place a high priority on security in our system and in the development process. Our processes are centered around security by default, security by design, yearly third party penetration tests and transparency. Earlier this year, we were the first household appliance brand to achieve Gold level IOT security verification from UL.”
• Samsung: “Samsung takes the security of its products very seriously, and our products and services are designed with security in mind. Security updates for Samsung Smart Appliances are available to all customers in the U.S. for the warranty period, and even beyond the warranty period for critical security vulnerabilities.”
• Dacor: “All of Dacor’s smart devices are Wi-Fi-connected, which allows for OTA updates as necessary. Due to this feature, regardless of the specific warranty period for a specific customer, if the product platform has further security updates, it will be automatically pushed to them via Wi-Fi.” (Dacor also noted that its software runs on the Samsung platform and should receive the same updates as any Samsung appliance.)
• Electrolux/Frigidaire: “Electrolux intends to make every reasonable effort to provide support and security updates for connected products for the duration of the product’s life, subject to evolving best practices, and adoption of new technology and standards.” (Electrolux told us that “product life is longer than the warranty period for all of our products.”)
• Bosch: "Security is a top priority at Home Connect and BSH Home Appliances. The technical implementation of Home Connect is constantly reviewed and kept up-to-date. Whenever necessary, security updates are promptly provided free of charge by the Home Connect service. Consumers can find details on this subject in the terms of use of the Home Connect app."
• KitchenAid: “Unable to provide a response at this time.”
• JennAir: “Unable to provide a response to your question at this time.”
• Whirlpool/Maytag: Did not respond.
• Miele: Did not respond.
• LG: Did not respond.

Even if a company is good about issuing security updates, you should do a few simple things to protect your appliances. We’ve walked through how to lock down your home’s smart devices before, and those tips remain useful here:

• Properly set up your Wi-Fi network (better still, use a guest network for your connected devices).
• Change the default password for the device (and use a password manager).
• Enable automatic updates on any appliances connected to the internet.

In addition to security issues, there are privacy concerns to consider. Connected appliances can collect a variety of data about you. For example, GE’s privacy policy notes that its SmartHQ platform collects names, location, sensory data, and more. Some of that makes sense, as in using water sensors to make sure a washing machine is operating properly, but unless you take the time to read a company’s privacy policy, you may not realize how much data these appliances collect. Companies can turn that data into a customer profile for internal or external marketing. Then they sell the profile off or trade it to third parties for a range of uses, including for the purposes of selling you extended service contracts.

This is a level of data collection and data transfer that we usually see with free web services or accounts—think weather apps or free-to-play games—and aside from the data that’s required for smart devices to function, it’s more data collection than you might expect from appliances that cost hundreds of dollars. GE is not the only data-hungry company: Samsung, Electrolux, and others all seem to collect similar amounts of information. If you’re not comfortable with that, don’t connect your smart appliances to the internet.

By never connecting your smart appliance, you will likely sacrifice some features—such as push notifications that alert you when a laundry cycle finishes, voice commands on cooking appliances that help you avoid getting your chicken-slime-covered hands all over the touchpad, or maintenance reminders that help you keep your appliances running smoothly—but if you don’t find those features useful, it’s a safer bet to ignore them.

As it becomes harder for shoppers to avoid appliances that don’t have some sort of “smart” feature jammed into them, companies should better outline their plans for supporting them. Until they do, consider skipping those extra features unless you’re willing to take it upon yourself to lock down your home network as best as possible and then remain vigilant about the security of your appliances.