At first I thought ”Well, duh!”, but the manufacturer having a remote kill switch when he network blocked his vacuum from sharing his home map data with them, as well as unprotected root access when connecting to the vacuum… urgh.
The engineer says he stopped the device from broadcasting data, though kept the other network traffic — like firmware updates — running like usual. The vacuum kept cleaning for a few days after, until early one morning when it refused to boot up.
After reverse engineering the vacuum, a painstaking process which included reprinting the devices’ circuit boards and testing its sensors, he found something horrifying: Android Debug Bridge, a program for installing and debugging apps on devices, was “wide open” to the world. “In seconds, I had full root access. No hacks, no exploits. Just plug and play,” Narayanan said.
All crappy IoT devices ever made. They aren’t used in bot nets all the time because hackers like the challenge of hacking them so much. Security simply isn’t a priority.
Is it just me, or is having ADB exposed physically not that big a deal?
It is not good. But in most cases just adb doesnt grand root access. That’s just bad.
NO! It’syour device, you should have root! The fact that the manufacturer gives their product owners root is a good thing, not bad!
I will die on this fucking hill.
I agree with you. But granting root straight from adb with 0 auth is not good.
But on this threat model? Why would it not be good?
It has to physically accessed on the PCB itself from what I gather.
There are 2 “threats” from what I see:
-
someone at the distribution facility pops it open and has the know how to install malware on it (very very unlikely)
-
someone breaks into your home unnoticed and has the time to carefully take apart your vacuum and upload pre-prepared malware instead of just sticking an IP camera somewhere. If this actually happens, the owner has much much bigger problems and the vacuum is the least of their worries.
The homeowner is the other person that can access it and it is a big feature in that case.
-
yes and no… i agree with the sentiment, but with root you can extract wifi credentials and various other secrets… you shouldn’t be able to get these things even when you have physical access to the device… the root access itself isn’t the problem
If I broke into your home, why TF would I carefully take apart your robot vacuum in order to copy your wifi credentials‽
Also, WTF other “secrets” are you storing on your robot vacuum‽
This is not a realistic attack scenario.
you’re on programming.dev so i assume you know that secrets is a generic term to cover things like your cloud account login (whatever form that may take - a password, token, api key, etc) for the robot vacuum service and you’re being intentionally obtuse
it’s a realistic attack scenario for some people - think celebrities etc, who might be being targeted… if someone knows what type of vacuum you have, it’s not “carefully take apart” - it’d take 30s, and then you have local network access which is an escalation that can lead to significantly more surveillance like security cameras, and devices with unsecured local access
just because it doesn’t apply to you doesn’t mean it doesn’t apply to anyone… unsecured or default password root access, even with physical access, is considered a security issue
Listen, if someone gets physical access to a device in your home that’s connected to your wifi all bets are off. Having a password to gain access via adb is irrelevant. The attack scenario you describe is absurd: If someone’s in a celebrity’s home they’re not going to go after the robot vacuum when the thermostat, tablets, computers, TV, router, access point, etc are right there.
If they’re physically in the home, they’ve already been compromised. The fact that the owner of a device can open it up and gain root is irrelevant.
Furthermore, since they have root they can add a password themselves! Something they can’t do with a lot of other things in their home that they supposedly “own” but don’t have that power (but I’m 100% certain have vulnerabilities).
Since I dont see it mentioned, the company is
iLife
iLife makes vacuums that map your house and can be remote controlled
Just so we are clear. You should all up your name and shame game.
o7 thank you for your service
All modern robot vacuums do this. Amazon and Zillow actually buy that data too.
Implying the vast majority of roombas aren’t doing this
There’s no safe “opt-out” for people who cannae be arsed to vacuum lol
Oh crap. I had one. It committed suicide off the stairs
Well, yes, that’s what those cheap “smart” devices do. Or does anyone think cheap smart would fit into that device? Rule of thumb: if a device needs internet access, it is spying on you.
!homeassistant@lemmy.world on a isolated vLAN is my goal for “Smart” devices.
Yes, but some devices simply don’t work without calling home, or have 99% of their brain in a cloud. For those cases, the vLAN does not help.
Then don’t buy those devices. If you have any excuse as to why you “can’t do that”, then there’s zero point in complaining. I’m not saying your complaints are invalid, and companies should be held accountable and criticised. But as long as people buy privacy violating products, companies will continue to violate privacy.
Very valid and true point, but that requires companies to openly admit that they’ve made their devices to not work if it can’t phone home, and no company is gonna do that. At best, they’ll tell you it needs internet access, but even then they’ll probably downplay it.
Either that or some poor sacrifice will have to be the guinea pig and buy the thing to test it and tell others. Ah, I guess Consumer Reports could do that at least.
Thankfully there are groups to replace boards or flash some devices. I need to keep better bookmarks to plug them.
Yeah, I read about iRobot gathering and selling info about apartments like 10 years ago. People still alarmed by this are simply ignorant.
Ignorant of what?
Ignorant of how smart vacuums work and how all connected devices are used to gather personal information that can be sold for profit.
At this point, if you buy a smart thing you have to know it’s spyware.
My home assistant isn’t spying on me. My Zwave devices are not spying.
I wish I was so naïve
Home Assistant is open source and self-hosted and doesn’t require internet to operate. The z-wave devices connect directly to the device running Home Assistant. If you want Home Assistant to be private it absolutely can be.
True asf
On paper all of this stuff is a great idea that would make our appliances more functional.
In reality, the best case scenario is that it’s sold to our corporate overlords so they can slap an ad on your refrigerator and sell you more plastic waste.
Worst case, it’s sold to ICE or some other fascist regime.
deleted by creator
readies my fourteen-pound lump hammer
“Never sit down to program without a crowbar close at hand.” -Stanislaw Lem
Wait till you find out what your wifi can do.
Sure “can” do but isn’t.
aw he got in my head
Was referring to this sort of bullshit. https://www.xfinity.com/hub/smart-home/wifi-motion
I used to be on a mailing list where American companies offered money to people in the third world for menial manual tasks. Like sending pictures of random crap from different angles and such. One time I got an email offering 4 of these things and $100 and all I had to do was put one of them in my home and use it for a week and give the other 3 away. Goes without saying they’re clearly a privacy nightmare.
Yeah that issue has been around for at least a couple years now. Luckily my robovac doesn’t have WiFi or bluetooth
It has a clock display for time?
Why would anyone need a moving clock?
I meant on the station to schedule cleanups, e.g. recurring ones. Useful if the noise distracts you and you want it done when you’re not home kinda thing
That makes more sense.
To display time?
Nope. Just blacknwhite bezel face cover with a start button
I live in a prefabricated home that is a different color than my neighbor’s. Can I gift them one of these robots to get a blueprint of their house? It is already easily googled but I feel that making a robot do it keeps them lower on the food chain.
He’s going to have a heart attack to find out that the floor plan to most houses are available online and have been for a long time.
With possibly objects in the house identified?
Sure. Including pictures of people shitting.
Yeah, but without the correlation that this particular fella is living there. That vacuum might’ve been the missing link in someone’s data collection.
Houses renovate doesn’t mean it’s accurate.
Sheeesh, his fucking mobile phone mapped and photographed his house long ago.
I wasn’t aware about this with regards to mobile phone tbf. I know you are spied upon on your phone camera, but mapping the house with the phone? Do you mean like Dark Knight stuff?
Your phone camera is not spying on you.I mean this stuff is not hard to prove why doesn’t one of these people who think this prove it.
Mapping like that is probably mostly done through bluetooth and wifi triangulation.
So my Bluetooth is triangulation with what. The signal bouncing around.
Other bluetooth devices in your area
Do you have any source on this? I have never seen a similar article about phones sending a 3D map of your home to the manufacturer.
In case anyone’s interested, there’s actually open-source self-hosted robot vacuum firmware for select models
This is great, but outside the security aspects of things. What else can this firmware do that I can’t with say, the roborock? Am I giving up functions?
Unfortunately you’ll have to do your own research, I only know this exists and have never used it because my vacuum is incompatible.
I mean, UCSC researchers used WiFi to detect a human heartbeat.
Yes and who’s doing that with your wifi. They had to set it up.
