THE INTERNET OF THINGS SUCKS: How I upgraded my water heater and discovered how bad smart home security can be.

Being a home automation nerd, and thereby a Home Assistant enthusiast, I searched for a better way. I found an unofficial Rinnai component and installed it, and then I had real control. I could set recirculation to run on whatever schedule I wanted, triggered by anything, at any temperature. If I wanted to start hot water flowing on winter mornings as soon as the bedroom lights came on, but only if the moon was in Aquarius, I could do that (and I am not joking). The future felt warm, but not too warm, and on-demand. . . .

The calls Control-R made to Rinnai’s servers were “very basic,” Barbour said. Digging into the undocumented API calls, Barbour saw something he didn’t think was real: You needed only a registered email address to retrieve information, or change settings, on a connected water heater.

“I thought this was crazy until another GitHub user reached out and we started collaborating and came to the same conclusion. You could control any Rinnai water heater that was connected, as long as you knew the registered account’s email address,” Barbour wrote me.

Bottom line: “Knowing only your email address, I can set your water heater’s temperature to very cold or scaldingly hot. I can put it into recirculation mode continuously so that it uses lots of gas… I can see your home street address that you have entered into the Control-R app when you registered your water heater.”

No thank you. And this kind of thing is, sadly, typical for “connected devices.”
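To make the flaw Barbour describes concrete, here is an added illustration (not Rinnai's code, not Barbour's component, and not based on the actual Control-R API) of the two patterns side by side: a handler that treats a caller-supplied email address as proof of identity, and a hardened handler that takes identity from an authenticated session, checks that the session's user owns the device, and bounds the setpoint. The class names, device ids, email addresses and the 98–140 °F range are all constructed for the example.

```python
"""Added example: a caller-supplied email is not an identity.

Shows the authorization gap described in the article (any caller who knows an
account's email can change that account's device) next to a hardened handler
that binds requests to a session and enforces ownership. All names and data
are constructed for this illustration; nothing here is vendor code."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Heater:
    device_id: str
    owner_email: str
    setpoint_f: int
    recirculation: bool = False


@dataclass
class Service:
    heaters: dict = field(default_factory=dict)   # device_id -> Heater
    sessions: dict = field(default_factory=dict)  # session token -> email

    # Constructed policy bound for the example (inclusive 98..140 F).
    SAFE_RANGE = range(98, 141)

    def login(self, email: str) -> str:
        """Issue an unguessable session token (assumes credentials were checked)."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    # --- weak pattern: identity is whatever the caller claims -------------
    def set_setpoint_weak(self, claimed_email: str, setpoint_f: int) -> Heater:
        """Mirrors the described flaw: the email in the request is never
        verified, so anyone who knows it can change the owner's device."""
        for heater in self.heaters.values():
            if heater.owner_email == claimed_email:
                heater.setpoint_f = setpoint_f
                return heater
        raise KeyError("no heater registered to that email")

    # --- hardened pattern: identity from session, ownership enforced ------
    def set_setpoint(self, token: str, device_id: str, setpoint_f: int) -> Heater:
        email = self.sessions.get(token)
        if email is None:
            raise PermissionError("not authenticated")
        heater = self.heaters.get(device_id)
        # One response for "no such device" and "not your device" so the API
        # does not confirm which device ids exist to other accounts.
        if heater is None or heater.owner_email != email:
            raise PermissionError("device not found or not owned by caller")
        if setpoint_f not in self.SAFE_RANGE:
            raise ValueError("setpoint outside permitted range")
        heater.setpoint_f = setpoint_f
        return heater


def demo():
    """Run both handlers against one constructed heater and report outcomes."""
    svc = Service()
    svc.heaters["wh-1"] = Heater("wh-1", "owner@example.com", 120)

    # Weak endpoint: a stranger who only knows the owner's email succeeds.
    weak_result = svc.set_setpoint_weak("owner@example.com", 140).setpoint_f

    # Hardened endpoint: the stranger's own session does not own wh-1.
    stranger = svc.login("stranger@example.com")
    try:
        svc.set_setpoint(stranger, "wh-1", 140)
        cross_account_blocked = False
    except PermissionError:
        cross_account_blocked = True

    # The real owner, authenticated, can still change their own device.
    owner = svc.login("owner@example.com")
    own_result = svc.set_setpoint(owner, "wh-1", 110).setpoint_f
    return weak_result, cross_account_blocked, own_result


if __name__ == "__main__":
    print(demo())
```

The point of the hardened handler is that the email address never travels in the request at all: the server derives who is calling from a token it issued, then asks whether that caller owns the specific device id being addressed. Any server-side lookup keyed on a value the client supplies, whether an email, a serial number or a customer id, needs that same ownership check before it reads or writes anything.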