At first I thought ”Well, duh!”, but the manufacturer having a remote kill switch when he network blocked his vacuum from sharing his home map data with them, as well as unprotected root access when connecting to the vacuum… urgh.
The engineer says he stopped the device from broadcasting data, though kept the other network traffic — like firmware updates — running like usual. The vacuum kept cleaning for a few days after, until early one morning when it refused to boot up.
After reverse engineering the vacuum, a painstaking process which included reprinting the devices’ circuit boards and testing its sensors, he found something horrifying: Android Debug Bridge, a program for installing and debugging apps on devices, was “wide open” to the world. “In seconds, I had full root access. No hacks, no exploits. Just plug and play,” Narayanan said.
All crappy IoT devices ever made. They aren’t used in bot nets all the time because hackers like the challenge of hacking them so much. Security simply isn’t a priority.
Is it just me, or is having ADB exposed physically not that big a deal?
Tend to agree, security is always the goal but if someone is in my house hacking my vacuum, I have bigger issues. The no-notice remote kill is the bigger issue to me.
The much bigger concern is that the pathway used to send the remote kill command could very easily be utilized by nefarious actors.
To do what, wear out one section of carpet faster than the rest of your house?
If a hacker can get into the device remotely it can be an entry point to your home network.
Remote “kill”
Where does it end? First it wears down your carpets and then we’re in Maximum Overdrive.
It finds a sharp corner to rub against and hones itself into a stabby bot.
It could overcharge and overheat the battery, leading to explosion or at least fire.
It is not good. But in most cases just adb doesnt grand root access. That’s just bad.
A few years ago I noticed an annoyance with a soundbar I had. After allowing it onto my WiFi network so we could stream music to it, it still broadcast the setup WiFi network.
While dorking around one day, I ran a port scan on my network and the soundbar reported port 22 (ssh) was open. I was able to log in as root and no password.
After a moment of “huh, that’s terrible security.” I connected to the (publicly open) setup network, ssh’d in, and copied the wpa_supplicant.conf file from the device to verify it had my WiFi info available to anyone with at least my mediocre skill level. I then factory reset the device, never to entrust it with any credentials again.Name and shame, what make and model was it?
It was a TCL Alto 9+.
A quick internet search reveals that this issue was known about at least three years ago.
Another model, the 8i was reported to have a root password of “12345678” - which is partially how I got the idea to start seeing if I could gain root.
TCL
The Chinese company that steals corporate secrets (I kicked a bunch of their devs once when they were trying to take pictures of prototypes and copy source code on USB keys) and send everything to China? Who would have thought.
Since I dont see it mentioned, the company is
iLife
iLife makes vacuums that map your house and can be remote controlled
Just so we are clear. You should all up your name and shame game.
For real. It’s wild how often people don’t just straight up call out bad corps.
Could ya be sued, perhaps?
o7 thank you for your service
All modern robot vacuums do this. Amazon and Zillow actually buy that data too.
Implying the vast majority of roombas aren’t doing this
There’s no safe “opt-out” for people who cannae be arsed to vacuum lol
Oh crap. I had one. It committed suicide off the stairs
Maybe for the best.
iLife A11 smart vacuum
In addition, Narayanan says he uncovered a suspicious line of code broadcasted from the company to the vacuum, timestamped to the exact moment it stopped working. “Someone — or something — had remotely issued a kill command,” he wrote.
“I reversed the script change and rebooted the device,” he wrote. “It came back to life instantly. They hadn’t merely incorporated a remote control feature. They had used it to permanently disable my device.”
In short, he said, the company that made the device had “the power to remotely disable devices, and used it against me for blocking their data collection… Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”
They kill switched it remotely. Yikes.
All IoT devices do this to keep you from blocking their data collection. They won’t work reliably without a regular ping home. They lock up if they can’t phone home frequently enough.
Tapo’s sockets don’t - in fact they explicitly have a ‘local only’ function. All you lose is control outside your home network.
Tuya on the other hand will start leeching off the fucking Bluetooth of your pairing device if you hobble them.
tapo cameras do. mine all went offline and factory reset themselves after not having internet access or even accounts for several months, all at the same time.
Haven’t experienced that one - but your statement was “all iot devices do that” (emphasis mine)
And i haven’t even touched on Zigbee…
Haven’t had one yet. Block all IOT devices from internet all work fine.
Well, yes, that’s what those cheap “smart” devices do. Or does anyone think cheap smart would fit into that device? Rule of thumb: if a device needs internet access, it is spying on you.
!homeassistant@lemmy.world on a isolated vLAN is my goal for “Smart” devices.
Yes, but some devices simply don’t work without calling home, or have 99% of their brain in a cloud. For those cases, the vLAN does not help.
Then don’t buy those devices. If you have any excuse as to why you “can’t do that”, then there’s zero point in complaining. I’m not saying your complaints are invalid, and companies should be held accountable and criticised. But as long as people buy privacy violating products, companies will continue to violate privacy.
Very valid and true point, but that requires companies to openly admit that they’ve made their devices to not work if it can’t phone home, and no company is gonna do that. At best, they’ll tell you it needs internet access, but even then they’ll probably downplay it.
Either that or some poor sacrifice will have to be the guinea pig and buy the thing to test it and tell others. Ah, I guess Consumer Reports could do that at least.
valetudo.cloud/
Thankfully there are groups to replace boards or flash some devices. I need to keep better bookmarks to plug them.
There’s a version of every device that doesn’t phone home. I switched to HomeAssistant a couple years ago now, and I think all of my stuff is finally local as of a few months ago, including my robot vacuum.
Yeah, I read about iRobot gathering and selling info about apartments like 10 years ago. People still alarmed by this are simply ignorant.
Ignorant of what?
Ignorant of how smart vacuums work and how all connected devices are used to gather personal information that can be sold for profit.
I know very well why I installed valetudo before I even started my new vac for the first time 😁
This is the way. It works great, I’ve been running it for years.
This article just screams rage-bait. Not that I am against making people aware of this kind of privacy invasion, but the authors did not bother to do any fact checking.
Firstly, they mention that the vacuum was “transmitting logs and telemetry that [the guy] had never consented to share”. If you set up an app with the robot vacuum company, I’m pretty sure you’ll get a rather long terms and services document that you just skip past, because who bothers reading that?
Secondly, the ADB part is rather weird. The person probably tried to install Valetudo on it? Otherwise, I have no clue what they tried to say with “reprinting the devices’ circuit boards”. I doubt that this guy was able to reverse engineer an entire circuit board, but was surprised when seeing that ADB is enabled? This is what makes some devices rather straight forward to install custom firmware that block all the cloud shenanigans, so I’m not sure why they’re painting this as a horrifying thing. Of course, you’re broadcasting your map data to the manufacturer so that you can use their shitty app.
The part saying that it had full root access and a kill-switch is a bit worse, but still… It doesn’t have to be like this. Shout-out to the people working on the Valetudo project. If you’re interested in getting a privacy-friendly robot vacuum, have a look at their website. It requires some know-how, but once it’s done, you know for sure you don’t need to worry about a 3rd party spying on you.
Just checked out Valetudo. Gotta love the FOSS community. Can I ask if you’ve used it? If so, which vacuum did you set it up on?
I have a friend who set up a Dreame L10s Ultra. I helped them solder the breakout board, and was there when they flashed the new firmware. Relatively straight forward! Just follow the guide on the website and you should be good.
The robot is now accessible only on the local network, and they got it working in Home Assistant. The only feature that is missing now is direct camera view, which the original robot had. Basically, you could get a live feed of the robot’s camers at any time. Looked fun, but it was not necessary.
Thank you for the information!
I commented elsewhere, but I once had a soundbar that just had a no password ssh login. It was one of those ‘connect to your WiFi’ to stream music through models and for whatever reason, after connecting it to my WiFi, it continued to broadcast the publicly joinable setup network.
SSH was open to both the unsecured and secured networks, so anyone within WiFi distance of the device could have gained root control of it. Or if I had a sufficiently weak network setup, anyone online could have taken control of it.
At this point, if you buy a smart thing you have to know it’s spyware.
My home assistant isn’t spying on me. My Zwave devices are not spying.
I wish I was so naïve
Home Assistant is open source and self-hosted and doesn’t require internet to operate. The z-wave devices connect directly to the device running Home Assistant. If you want Home Assistant to be private it absolutely can be.
True asf
“Someone — or something — had remotely issued a kill command,” he wrote.
“I reversed the script change and rebooted the device,” he wrote. “It came back to life instantly. They hadn’t merely incorporated a remote control feature. They had used it to permanently disable my device.”
In short, he said, the company that made the device had “the power to remotely disable devices, and used it against me for blocking their data collection… Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”
Treasonous malware.
If he blocked the data collection how did it get the kill command?
Outgoing vs Incoming
Am I too dumb to understand why sending cartographer data is wrong?
His model is iLife A11 that has Lidar. He probably has an app that is used to control robot and shows cleaning progression. Vac 100% Lidar’d his entire home and sent data to create map in the app.
How in the fuck he thinks it is getting that map? If his ass so smart to find a killswitch and reverse it, how come he doesn’t grasp that map data is sent to a server though which he ca use vac app? Like in what world is it not obvious?
Not even gonna discuss about TOS he signed, or that it is general cheap brand cheap but super smart model for it’s price.
Unless some FOSS firmware and software is installed, that thing most certainly will ping back home every chance it gets.
Sidenote: My TV now is offline cause when it kept calling home (ove 60% of my pi-holes querries of all time was TV), it would freeze due to pi-hole block. Once set offline - issue is gone. I also know my robo vac is pinging, but at the same time if I block it, I’ll lose app controls which I wont do. Sadly, my vac doesn’t support Valetudo.
I think yes, to your first question. Couldn’t it just crunch the lidardata locally to feed into cartographer, I don’t understand why you don’t understand that this is the issue.
afaik the lidar data is crunched locally, then sent to the remote server for easy consumption
when those vacuums are flashed with valetudo, they can still make the map with lidar without internet connection
Exactly. So it’s pure surreptitious data exfiltration. They only reason they send the data back is because they can, and there is value for them.
On paper all of this stuff is a great idea that would make our appliances more functional.
In reality, the best case scenario is that it’s sold to our corporate overlords so they can slap an ad on your refrigerator and sell you more plastic waste.
Worst case, it’s sold to ICE or some other fascist regime.
Worst case, it’s sold to ICE or some other fascist regime.
Every single government that has a contract with Palantir for Gotham or even whatever the fuck they’re doing with the UK NHS data, is reason enough to know this kind of shit is a bad idea. The entire existence of Palantir makes this kind of shit a bad idea by default.
Even if they’re not using lavender or where’s daddy (yet), I do not want them to have a detailed layout of my home, in addition to all the other information already being collected.
If the day comes when any government needs to crush civil unrest, Palantir gives them an easy button to weaponize your data against you.
Wait till you find out what your wifi can do.
Port Scanning blocker was eye opening to how many websites just wanted to check in on me.
Oh, damn! Thanks for reminding me to add that extension since I reinstalled my browser.
So how are they port scanning yiubif your behind a firewall.
Your browser is the trojan here. Install the plugin ‘Port Authority’. Then browse to ebay or IMDB for a demo.
aw he got in my head
Sure “can” do but isn’t.
Was referring to this sort of bullshit. https://www.xfinity.com/hub/smart-home/wifi-motion
That is why I have denied internet access for my robot vacuum cleaner. Xiaomi doesn’t need to know the blueprint of my house, and if it can’t connect to the internet, there’s no need for firmware updates.
I’ll start the thing by pressing the button at the top.
I’m unfamiliar with Xiaomi “smart” products, I assume there is an app to control the vacuum, if it does have an app does it still work for you strictly behind your LAN network?
It does have an app, but I’m not using it. It also doesn’t work, because it can’t find the vacuum on the network.
The device has 2 buttons: “turn on/off” and “find home”, those are the only two I need.
A vacuum doesn’t need internet access.
Did a little digging, not sure if you’re someone who self hosts (or owns Homekit enabled devices) but Homebridge appears to offer plugins for Xiaomi smart vacuums this will give you more “smart” functionality without the cost of exposing it to the internet.
Shame they don’t offer that flexibility natively.
It would be nice if it had Bluetooth or something to control from the app. There’s no reason I’d want to run the vacuum outside a defined schedule when not at home, so the only useful feature of an app is local config.
The app talks to the servers, the servers talk to the robot
It’s Xiaomi, of course the app will not work without internet access
Talkie Toaster is here. “Howdy-doodly-do, how’s it going?”
readies my fourteen-pound lump hammer
“Never sit down to program without a crowbar close at hand.” -Stanislaw Lem
Does anyone want any toast?
Download the toaster app so you can make toast from anywhere!
