• Washedupcynic@lemmy.ca
    2 hours ago

    So not only was the robot vacuum sending data without his permission, the moment he stopped that data from being sent to the company, the company remotely bricked his device.

    Seemingly more curious than ever, Narayanan now had no reason not to tear the thing apart looking for answers, which is exactly what he did. After reverse engineering the vacuum, a painstaking process which included reprinting the device’s circuit boards and testing its sensors, he found something horrifying: Android Debug Bridge, a program for installing and debugging apps on devices, was “wide open” to the world.

    “In seconds, I had full root access. No hacks, no exploits. Just plug and play,” Narayanan said.

    Through a process of trial and error, he was eventually able to connect to the vacuum’s system from his computer. That’s when he discovered a “bigger surprise.” The device was running Google Cartographer, an open-source program designed to create a 3D map of his home, data which the gadget was transmitting back to its parent company.

    In addition, Narayanan says he uncovered a suspicious line of code broadcasted from the company to the vacuum, timestamped to the exact moment it stopped working. “Someone — or something — had remotely issued a kill command,” he wrote.

    “I reversed the script change and rebooted the device,” he wrote. “It came back to life instantly. They hadn’t merely incorporated a remote control feature. They had used it to permanently disable my device.”

    In short, he said, the company that made the device had “the power to remotely disable devices, and used it against me for blocking their data collection… Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”

  • ΞVΞ🌸@evecodes.com
    4 hours ago

    This has been known for years ever since somebody stumbled upon pics of their home being sent back to the manufacturer. So anyone who doesn’t know by now just hasn’t been keeping up with the news.

    There was an instance years ago of iRobot smart vacs that took pics of a woman on her toilet, among other pics, and they ended up on forums and social media. Unfortunately, all smart devices communicate with their manufacturers on the cloud, which employees can get access to, so until all companies are forced to end-to-end encrypt all their data, we take a huge risk in trusting these employees to keep it safe. You’re always taking a chance.
    A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?