0

I am increasingly buying IoT aka smart devices for my household.

All these devices need to be connected to WLAN and a proprietary app (via Bluetooth on iPhone). I do this initial step, but then block the internet access for the IoT device in the OpenWrt router.

I can then control the device on the local network via the app on the iPhone, but hopefully avoid the device calling home and providing personal data to the manufacturer.

My iPhone has an internet connection and a Bluetooth connection to the IoT device.

Could the device theoretically send personal data to the manufacturer via iPhone/Bluetooth? Is this done in practice? Are there any manufacturers that are able to outsmart a blocked internet connection?

Sybil
  • 3
    um, the app on the phone would be the main concern .... the devices don't need to be clever since the app exists ... – schroeder Aug 23 '22 at 07:18
  • 1
    Many devices can be controlled directly from the Home app, and then you can skip the step of having untrusted 3rd-party apps installed (except for the occasional firmware update or other special operation). – pseudon Aug 24 '22 at 02:50

1 Answer

1

Could the device theoretically send personal data to the manufacturer via iPhone/Bluetooth?

Well, if the device sends data to your app, and your phone is connected to the internet (and doesn't restrict the app by other means), I don't see why they could not simply relay this data to their servers.

Whether it is actually done in practice will very much depend on your actual device.

On the question of "outsmarting" a blocked internet connection, you can see that it can be done if you leave some holes in it.

If you have a firewall, bypassing it would not be considered as trivial - if configured properly. An idea would be to tunnel the traffic by piggybacking it on another legitimate one (for instance, funny ideas like using DNS requests that are not blocked, or even ICMP packets to smuggle data). But for a company to rely on such techniques would most likely have non-negligible drawbacks on their reputation.

Another thing, even if you decide to use the app whilst disabling internet on your phone, the app could potentially perform some uploading in the background once the connection is restored.

Shireheart
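
A defensive check for the DNS case mentioned in the answer, as an added example that is not part of the original post: it scans dnsmasq query-log lines (dnsmasq is OpenWrt's default resolver; query logging must be enabled) for a watched device sending several distinct long, high-entropy names under one parent domain. The IP addresses, domain names, thresholds and log lines are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# dnsmasq "log-queries" line format: "... query[TYPE] name from client-ip"
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")

def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def suspicious_label(name, min_len=24, min_entropy=3.5):
    """True if everything left of the last two labels looks like encoded data."""
    labels = name.rstrip(".").split(".")
    sub = "".join(labels[:-2])  # naive parent-domain split (assumption)
    return len(sub) >= min_len and entropy(sub) >= min_entropy

def find_tunnel_candidates(lines, watched_ips, min_unique=3):
    """Map (client, parent domain) -> number of distinct suspicious names."""
    seen = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        _qtype, name, client = m.groups()
        if client in watched_ips and suspicious_label(name):
            parent = ".".join(name.rstrip(".").split(".")[-2:])
            seen[(client, parent)].add(name)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}

# Constructed sample log: 192.168.1.50 is a hypothetical IoT device,
# 192.168.1.20 the phone; all domain names are made up.
SAMPLE_LOG = """\
Aug 23 07:18:01 dnsmasq[1234]: query[A] time.example.org from 192.168.1.50
Aug 23 07:18:02 dnsmasq[1234]: query[TXT] mzxw6ytboi2dgnrqgeytemzuhe3tqmjs.vendor-telemetry.example from 192.168.1.50
Aug 23 07:18:03 dnsmasq[1234]: query[TXT] sjmqt3ehuzmetyegqrngd2iobty6wxzm.vendor-telemetry.example from 192.168.1.50
Aug 23 07:18:04 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
Aug 23 07:18:05 dnsmasq[1234]: query[TXT] geytemzuhe3tqmjsmzxw6ytboi2dgnrq.vendor-telemetry.example from 192.168.1.50
"""

if __name__ == "__main__":
    hits = find_tunnel_candidates(SAMPLE_LOG.splitlines(), {"192.168.1.50"})
    for (client, parent), n in hits.items():
        print(f"{client}: {n} encoded-looking names under {parent}")
```

A hit is a reason to inspect the device's DNS traffic, not proof of exfiltration: CDN and tracking hostnames can also be long and random-looking, so tune the thresholds against your own baseline.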