That is why I have denied internet access for my robot vacuum cleaner. Xiaomi doesn’t need to know the blueprint of my house, and if it can’t connect to the internet, there’s no need for firmware updates.
I’ll start the thing by pressing the button at the top.
I’m unfamiliar with Xiaomi “smart” products, I assume there is an app to control the vacuum, if it does have an app does it still work for you strictly behind your LAN network?
I live in a prefabricated home that is a different color than my neighbor’s. Can I gift them one of these robots to get a blueprint of their house? It is already easily googled but I feel that making a robot do it keeps them lower on the food chain.
Am I too dumb to understand why sending cartographer data is wrong?
His model is iLife A11 that has Lidar. He probably has an app that is used to control robot and shows cleaning progression. Vac 100% Lidar’d his entire home and sent data to create map in the app.
How in the fuck he thinks it is getting that map? If his ass so smart to find a killswitch and reverse it, how come he doesn’t grasp that map data is sent to a server though which he ca use vac app? Like in what world is it not obvious?
Not even gonna discuss about TOS he signed, or that it is general cheap brand cheap but super smart model for it’s price.
Unless some FOSS firmware and software is installed, that thing most certainly will ping back home every chance it gets.
Sidenote: My TV now is offline cause when it kept calling home (ove 60% of my pi-holes querries of all time was TV), it would freeze due to pi-hole block. Once set offline - issue is gone. I also know my robo vac is pinging, but at the same time if I block it, I’ll lose app controls which I wont do. Sadly, my vac doesn’t support Valetudo.
I think yes, to your first question. Couldn’t it just crunch the lidardata locally to feed into cartographer, I don’t understand why you don’t understand that this is the issue.
Shit I’m scared of my home speakers echo locating my furniture and the size of my domicile
Well, yes, that’s what those cheap “smart” devices do. Or does anyone think cheap smart would fit into that device? Rule of thumb: if a device needs internet access, it is spying on you.
!homeassistant@lemmy.world on a isolated vLAN is my goal for “Smart” devices.
Yes, but some devices simply don’t work without calling home, or have 99% of their brain in a cloud. For those cases, the vLAN does not help.
I know very well why I installed valetudo before I even started my new vac for the first time 😁
I received a Tikom vacuum as a gift and was so sad to see I couldn’t installed Valetudo.
On the plus side, it works with no connection and so it’s only slightly less covenient to just…press the button on the vacuum itself when I take my dog for a walk. Gotta dump the tray from last time anyway
Yeah, I read about iRobot gathering and selling info about apartments like 10 years ago. People still alarmed by this are simply ignorant.
Ignorant of what?
Ignorant of how smart vacuums work and how all connected devices are used to gather personal information that can be sold for profit.
At first I thought ”Well, duh!”, but the manufacturer having a remote kill switch when he network blocked his vacuum from sharing his home map data with them, as well as unprotected root access when connecting to the vacuum… urgh.
The engineer says he stopped the device from broadcasting data, though kept the other network traffic — like firmware updates — running like usual. The vacuum kept cleaning for a few days after, until early one morning when it refused to boot up.
After reverse engineering the vacuum, a painstaking process which included reprinting the devices’ circuit boards and testing its sensors, he found something horrifying: Android Debug Bridge, a program for installing and debugging apps on devices, was “wide open” to the world. “In seconds, I had full root access. No hacks, no exploits. Just plug and play,” Narayanan said.
A few years ago I noticed an annoyance with a soundbar I had. After allowing it onto my WiFi network so we could stream music to it, it still broadcast the setup WiFi network.
While dorking around one day, I ran a port scan on my network and the soundbar reported port 22 (ssh) was open. I was able to log in as root and no password.
After a moment of “huh, that’s terrible security.” I connected to the (publicly open) setup network, ssh’d in, and copied the wpa_supplicant.conf file from the device to verify it had my WiFi info available to anyone with at least my mediocre skill level. I then factory reset the device, never to entrust it with any credentials again.All crappy IoT devices ever made. They aren’t used in bot nets all the time because hackers like the challenge of hacking them so much. Security simply isn’t a priority.
The ‘S’ on IoT stands for security!
There isn’t an s in IoT silly.
Woosh? Either Yours or mine :)
I keep seeing you everywhere and the only reason I won’t block you is because of your username brightening my day every time I see it. Curse you!
Is it just me, or is having ADB exposed physically not that big a deal?
Tend to agree, security is always the goal but if someone is in my house hacking my vacuum, I have bigger issues. The no-notice remote kill is the bigger issue to me.
The much bigger concern is that the pathway used to send the remote kill command could very easily be utilized by nefarious actors.
To do what, wear out one section of carpet faster than the rest of your house?
Remote “kill”
Where does it end? First it wears down your carpets and then we’re in Maximum Overdrive.
It finds a sharp corner to rub against and hones itself into a stabby bot.
It is not good. But in most cases just adb doesnt grand root access. That’s just bad.
NO! It’syour device, you should have root! The fact that the manufacturer gives their product owners root is a good thing, not bad!
I will die on this fucking hill.
I agree with you. But granting root straight from adb with 0 auth is not good.
yes and no… i agree with the sentiment, but with root you can extract wifi credentials and various other secrets… you shouldn’t be able to get these things even when you have physical access to the device… the root access itself isn’t the problem
At first I thought ”Well, duh!”
There was an ARS article years ago about it…
iLife A11 smart vacuum
This article just screams rage-bait. Not that I am against making people aware of this kind of privacy invasion, but the authors did not bother to do any fact checking.
Firstly, they mention that the vacuum was “transmitting logs and telemetry that [the guy] had never consented to share”. If you set up an app with the robot vacuum company, I’m pretty sure you’ll get a rather long terms and services document that you just skip past, because who bothers reading that?
Secondly, the ADB part is rather weird. The person probably tried to install Valetudo on it? Otherwise, I have no clue what they tried to say with “reprinting the devices’ circuit boards”. I doubt that this guy was able to reverse engineer an entire circuit board, but was surprised when seeing that ADB is enabled? This is what makes some devices rather straight forward to install custom firmware that block all the cloud shenanigans, so I’m not sure why they’re painting this as a horrifying thing. Of course, you’re broadcasting your map data to the manufacturer so that you can use their shitty app.
The part saying that it had full root access and a kill-switch is a bit worse, but still… It doesn’t have to be like this. Shout-out to the people working on the Valetudo project. If you’re interested in getting a privacy-friendly robot vacuum, have a look at their website. It requires some know-how, but once it’s done, you know for sure you don’t need to worry about a 3rd party spying on you.
I am assuming the individual described in the article is based in the US, but nevertheless, many countries do not allow spying, fraud and criminality as long as you have a TOS that says you are allowed to do so.
This is a very provincial manner of thinking and shows how deeply tolerance of corruption and criminality dominates the American mind.
Same with the kill switch, it is essentially a fraudulent scheme, a criminal activity.
Americans are conditioned to do a lot of things without thinking about it, but if they ever really stopped to consider it, they’d be outraged.
For instance, those heart-tugging ads for St Jude’s Children’s Hospital. It’s a great thing they do, taking in cancer kids, and covering all the expenses, even housing and food. They show grateful parents crying, because their kids have a chance because of the charity of St Jude and the viewers, and viewers shed a tear and donate.
It never occurs to anyone that in almost every other country in the world, such a place wouldn’t be necessary. Their cancer kids would simply be taken care of. No pomp about it, no commercials begging for donations, curing cancer kids is just business as usual.
But in America, your kid will just DIE unless you’ve got good health insurance (which is about to get a LOT more expensive), a lot of money, or hit the charity lottery.
But that never occurs to Americans watching that ad. They will dig into their pockets to send money to St Jude, before they will give money to a progressive candidate to change our health care system so it doesn’t require tear-jerking marketing to operate.
It never occurs to anyone that in almost every other country in the world, such a place wouldn’t be necessary.
Yep. It reminds me of this .
Every heartwarming human interest story in America is like “he raised $20,000 to keep 200 orphans from being crushed in the orphan-crushing machine” and then never asks why an orphan-crushing machine exists or why you’d need to pay to prevent it from being used.
I would say this is true of most (all?) countries/cultures.
My issue with this thread’s OP was the portrayal of some US TOS scheme as having legitimatcy. It does not, it’s just a local criminal/corruption scheme (every country has them to one degree or another).
Just checked out Valetudo. Gotta love the FOSS community. Can I ask if you’ve used it? If so, which vacuum did you set it up on?
I commented elsewhere, but I once had a soundbar that just had a no password ssh login. It was one of those ‘connect to your WiFi’ to stream music through models and for whatever reason, after connecting it to my WiFi, it continued to broadcast the publicly joinable setup network.
SSH was open to both the unsecured and secured networks, so anyone within WiFi distance of the device could have gained root control of it. Or if I had a sufficiently weak network setup, anyone online could have taken control of it.
Talkie Toaster is here. “Howdy-doodly-do, how’s it going?”
Does anyone want any toast?
readies my fourteen-pound lump hammer
