Since I dont see it mentioned, the company is
iLife
iLife makes vacuums that map your house and can be remote controlled
Just so we are clear. You should all up your name and shame game.
Man Alarmed to Discover His Smart Vacuum Was Broadcasting a Secret Map of His House
Submitted 3 weeks ago by themachinestops@lemmy.dbzer0.com to technology@lemmy.world
https://futurism.com/robots-and-machines/robot-vacuum-broadcasting
Comments
87Six@lemmy.world 2 weeks ago
eronth@lemmy.dbzer0.com 2 weeks ago
For real. It’s wild how often people don’t just straight up call out bad corps.
AdolfSchmitler@lemmy.world 2 weeks ago
o7 thank you for your service
muusemuuse@sh.itjust.works 2 weeks ago
All modern robot vacuums do this. Amazon and Zillow actually buy that data too.
FosterMolasses@leminal.space 2 weeks ago
Implying the vast majority of roombas aren’t doing this
There’s no safe “opt-out” for people who cannae be arsed to vacuum lol
sommerset@thelemmy.club 2 weeks ago
Oh crap. I had one. It committed suicide off the stairs
Wiz@midwest.social 2 weeks ago
Maybe for the best.
fistac0rpse@fedia.io 3 weeks ago
iLife A11 smart vacuum
bytesonbike@discuss.online 2 weeks ago
In addition, Narayanan says he uncovered a suspicious line of code broadcasted from the company to the vacuum, timestamped to the exact moment it stopped working. “Someone — or something — had remotely issued a kill command,” he wrote.
“I reversed the script change and rebooted the device,” he wrote. “It came back to life instantly. They hadn’t merely incorporated a remote control feature. They had used it to permanently disable my device.”
In short, he said, the company that made the device had “the power to remotely disable devices, and used it against me for blocking their data collection… Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”
They kill switched it remotely. Yikes.
muusemuuse@sh.itjust.works 2 weeks ago
All IoT devices do this to keep you from blocking their data collection. They won’t work reliably without a regular ping home. They lock up if they can’t phone home frequently enough.
Auli@lemmy.ca 2 weeks ago
Haven’t had one yet. Block all IOT devices from internet all work fine.
Evotech@lemmy.world 2 weeks ago
More likely it killed itself after not being in contact with home base. Since it worked fine elsewhere
ExLisper@lemmy.curiana.net 3 weeks ago
Yeah, I read about iRobot gathering and selling info about apartments like 10 years ago. People still alarmed by this are simply ignorant.
Clanket@lemmy.world 2 weeks ago
Ignorant of what?
ExLisper@lemmy.curiana.net 2 weeks ago
Ignorant of how smart vacuums work and how all connected devices are used to gather personal information that can be sold for profit.
Treczoks@lemmy.world 3 weeks ago
Well, yes, that’s what those cheap “smart” devices do. Or does anyone think cheap smart would fit into that device? Rule of thumb: if a device needs internet access, it is spying on you.
Landless2029@lemmy.world 2 weeks ago
!homeassistant@lemmy.world on a isolated vLAN is my goal.
Treczoks@lemmy.world 2 weeks ago
Yes, but some devices simply don’t work without calling home, or have 99% of their brain in a cloud. For those cases, the vLAN does not help.
Zwuzelmaus@feddit.org 3 weeks ago
I know very well why I installed valetudo before I even started my new vac for the first time 😁
glimse@lemmy.world 2 weeks ago
I received a Tikom vacuum as a gift and was so sad to see I couldn’t installed Valetudo.
On the plus side, it works with no connection and so it’s only slightly less covenient to just…press the button on the vacuum itself when I take my dog for a walk. Gotta dump the tray from last time anyway
Ruthalas@infosec.pub 2 weeks ago
This is the way. It works great, I’ve been running it for years.
andrew0@lemmy.dbzer0.com 3 weeks ago
This article just screams ragebait. Not that I am against making people aware of this kind of privacy invasion, but the authors did not bother to do any fact checking.
Firstly, they mention that the vacuum was “transmitting logs and telemetry that [the guy] had never consented to share”. If you set up an app with the robot vacuum company, I’m pretty sure you’ll get a rather long terms and services document that you just skip past, because who bothers reading that?
Secondly, the ADB part is rather weird. The person probably tried to install Valetudo on it? Otherwise, I have no clue what they tried to say with “reprinting the devices’ circuit boards”. I doubt that this guy was able to reverse engineer an entire circuit board, but was surprised when seeing that ADB is enabled? This is what makes some devices rather straight forward to install custom firmware that block all the cloud shenanigans, so I’m not sure why they’re painting this as a horrifying thing. Of course, you’re broadcasting your map data to the manufacturer so that you can use their shitty app.
But it doesn’t have to be like this. Shoutout to the people working on the Valetudo project. If you’re interested in getting a privacy-friendly robot vacuum, have a look at their website. It requires some know-how, but once it’s done, you know for sure you don’t need to worry about a 3rd party spying on you.
Alphane_Moon@lemmy.world 3 weeks ago
I am assuming the individual described in the article is based in the US, but nevertheless, many countries do not allow spying, fraud and criminality as long as you have a TOS that says you are allowed to do so.
This is a very provincial manner of thinking and shows how deeply tolerance of corruption and criminality dominates the American mind.
Same with the kill switch, it is essentially a fraudulent scheme, a criminal activity.
BarneyPiccolo@lemmy.today 3 weeks ago
Americans are conditioned to do a lot of things without thinking about it, but if they ever really stopped to consider it, they’d be outraged.
For instance, those heart-tugging ads for St Jude’s Children’s Hospital. It’s a great thing they do, taking in cancer kids, and covering all the expenses, even housing and food. They show grateful parents crying, because their kids have a chance because of the charity of St Jude and the viewers, and viewers shed a tear and donate.
It never occurs to anyone that in almost every other country in the world, such a place wouldn’t be necessary. Their cancer kids would simply be taken care of. No pomp about it, no commercials begging for donations, curing cancer kids is just business as usual.
But in America, your kid will just DIE unless you’ve got good health insurance (which is about to get a LOT more expensive), a lot of money, or hit the charity lottery.
But that never occurs to Americans watching that ad. They will dig into their pockets to send money to St Jude, before they will give money to a progressive candidate to change our health care system so it doesn’t require tear-jerking marketing to operate.
MountingSuspicion@reddthat.com 3 weeks ago
Just checked out Valetudo. Gotta love the FOSS community. Can I ask if you’ve used it? If so, which vacuum did you set it up on?
andrew0@lemmy.dbzer0.com 2 weeks ago
I have a friend who set up a Dreame L10s Ultra. I helped them solder the breakout board, and was there when they flashed the new firmware. Relatively straight forward! Just follow the guide on the website and you should be good.
The robot is now accessible only on the local network, and they got it working in Home Assistant. The only feature that is missing now is direct camera view, which the original robot had. Basically, you could get a live feed of the robot at any time. Looked fun, but it was not necessary.
Monument@lemmy.sdf.org 3 weeks ago
I commented elsewhere, but I once had a soundbar that just had a no password ssh login. It was one of those ‘connect to your WiFi’ to stream music through models and for whatever reason, after connecting it to my WiFi, it continued to broadcast the publicly joinable setup network.
SSH was open to both the unsecured and secured networks, so anyone within WiFi distance of the device could have gained root control of it. Or if I had a sufficiently weak network setup, anyone online could have taken control of it.
ArchmageAzor@lemmy.world 2 weeks ago
At this point, if you buy a smart thing you have to know it’s spyware.
pir8t0x@ani.social 2 weeks ago
True asf
FosterMolasses@leminal.space 2 weeks ago
AcidiclyBasicGlitch@sh.itjust.works 2 weeks ago
“Someone — or something — had remotely issued a kill command,” he wrote.
“I reversed the script change and rebooted the device,” he wrote. “It came back to life instantly. They hadn’t merely incorporated a remote control feature. They had used it to permanently disable my device.”
In short, he said, the company that made the device had “the power to remotely disable devices, and used it against me for blocking their data collection… Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”
buttnugget@lemmy.world 2 weeks ago
Treasonous malware.
Auli@lemmy.ca 2 weeks ago
If he blocked the data collection how did it get the kill command?
REDACTED@infosec.pub 2 weeks ago
Outgoing vs Incoming
imetators@lemmy.dbzer0.com 2 weeks ago
Am I too dumb to understand why sending cartographer data is wrong?
His model is iLife A11 that has Lidar. He probably has an app that is used to control robot and shows cleaning progression. Vac 100% Lidar’d his entire home and sent data to create map in the app.
How in the fuck he thinks it is getting that map? If his ass so smart to find a killswitch and reverse it, how come he doesn’t grasp that map data is sent to a server though which he ca use vac app? Like in what world is it not obvious?
Not even gonna discuss about TOS he signed, or that it is general cheap brand cheap but super smart model for it’s price.
Unless some FOSS firmware and software is installed, that thing most certainly will ping back home every chance it gets.
Sidenote: My TV now is offline cause when it kept calling home (ove 60% of my pi-holes querries of all time was TV), it would freeze due to pi-hole block. Once set offline - issue is gone. I also know my robo vac is pinging, but at the same time if I block it, I’ll lose app controls which I wont do. Sadly, my vac doesn’t support Valetudo.
Reginald_T_Biter@lemmy.world 2 weeks ago
I think yes, to your first question. Couldn’t it just crunch the lidardata locally to feed into cartographer, I don’t understand why you don’t understand that this is the issue.
Wispy2891@lemmy.world 2 weeks ago
afaik the lidar data is crunched locally, then sent to the remote server for easy consumption
when those vacuums are flashed with valetudo, they can still make the map with lidar without internet connection
W3dd1e@lemmy.zip 2 weeks ago
On paper all of this stuff is a great idea that would make our appliances more functional.
In reality, this is sold to our corporate overlords so they can slap an ad on your refrigerator and sell you more plastic waste.
AcidiclyBasicGlitch@sh.itjust.works 2 weeks ago
Worst case, it’s sold to ICE or some other fascist regime.
Every single government that has a contract with Palantir for Gotham or even the UK NHS data is reason enough to know this kind of shit is a bad idea. The entire existence of Palantir makes this kind of shit a bad idea by default.
Even if they’re not using lavender or where’s daddy (yet), I do not want them to have a detailed layout of my home, in addition to all the other information already being collected.
If the day comes when any government needs to crush civil unrest, Palantir gives them an easy button to weaponize your data against you.
Alenalda@lemmy.world 2 weeks ago
Wait till you find out what your wifi can do.
ILikeBoobies@lemmy.ca 2 weeks ago
Port Scanning blocker was eye opening to how many websites just wanted to check in on me.
burntbacon@discuss.tchncs.de 2 weeks ago
Oh, damn! Thanks for reminding me to add that extension since I reinstalled my browser.
Auli@lemmy.ca 2 weeks ago
So how are they port scanning yiubif your behind a firewall.
UnderpantsWeevil@lemmy.world 2 weeks ago
Sundiata@lemmy.world 2 weeks ago
aw he got in my head
Alenalda@lemmy.world 2 weeks ago
Was referring to this sort of bullshit. www.xfinity.com/hub/smart-home/wifi-motion
Auli@lemmy.ca 2 weeks ago
Sure “can” do but isn’t.
madjo@feddit.nl 2 weeks ago
That is why I have denied internet access for my robot vacuum cleaner. Xiaomi doesn’t need to know the blueprint of my house, and if it can’t connect to the internet, there’s no need for firmware updates.
I’ll start the thing by pressing the button at the top.
ohshit604@sh.itjust.works 2 weeks ago
I’m unfamiliar with Xiaomi “smart” products, I assume there is an app to control the vacuum, if it does have an app does it still work for you strictly behind your LAN network?
madjo@feddit.nl 2 weeks ago
It does have an app, but I’m not using it. It also doesn’t work, because it can’t find the vacuum on the network.
The device has 2 buttons: “turn on/off” and “find home”, those are the only two I need.
A vacuum doesn’t need internet access.
smeenz@lemmy.nz 2 weeks ago
The app talks to the servers, the servers talk to the robot
ICastFist@programming.dev 2 weeks ago
It’s Xiaomi, of course the app will not work without internet access
Gammelfisch@lemmy.world 2 weeks ago
Sheeesh, his fucking mobile phone mapped and photographed his house long ago.
DNS@discuss.online 2 weeks ago
These arricles are meant to be rage bait for the techno-illiterate. As you said, cell phones mapped your house long ago as well as your smart TV, or any appliance that requires an internet connection.
People traded in their privacy for convenience.
FosterMolasses@leminal.space 2 weeks ago
Both can be true. Probably shouldn’t make a regular practice of numbing out to this sort of info with the platitude “Big deal, my phone and facebook already have my data anyway. Might as well give you my mother’s maiden name.”
Netrunner@programming.dev 2 weeks ago
Privacy is not worthless just being one bad actor took it. It still is worth pursuing in all layers where possible.
elephantium@lemmy.world 2 weeks ago
Privacy may be dead as you suggest, but that doesn’t compel me to dance on its grave.
Auli@lemmy.ca 2 weeks ago
Phones have never mapped your house and how would they do that? Tvs don’t think it would map but yes they watch you.
Gammelfisch@lemmy.world 2 weeks ago
+1 Indeed!
stevedice@sh.itjust.works 2 weeks ago
I used to be on a mailing list where American companies offered money to people in the third world for menial manual tasks. Like sending pictures of random crap from different angles and such. One time I got an email offering 4 of these things and $100 and all I had to do was put one of them in my home and use it for a week and give the other 3 away. Goes without saying they’re clearly a privacy nightmare.
Boozilla@lemmy.world 3 weeks ago
Talkie Toaster is here. “Howdy-doodly-do, how’s it going?”
Sam_Bass@lemmy.world 2 weeks ago
Yeah that issue has been around for at least a couple years now. Luckily my robovac doesn’t have WiFi or bluetooth
MourningDove@lemmy.zip 2 weeks ago
He’s going to have a heart attack to find out that the floor plan to most houses are available online and have been for a long time.
rumba@lemmy.zip 2 weeks ago
I don’t care if they map my house, just give me raw access to the data. Them having access to the speaker and mic, i’m more concerned about.
lechekaflan@lemmy.world 2 weeks ago
I remember about news of some Israeli intelligence operatives who jogged around their HQ only to be outed by their tracks on Strava.
Widdershins@lemmy.world 2 weeks ago
I live in a prefabricated home that is a different color than my neighbor’s. Can I gift them one of these robots to get a blueprint of their house? It is already easily googled but I feel that making a robot do it keeps them lower on the food chain.
FosterMolasses@leminal.space 2 weeks ago
dan69@lemmy.world 2 weeks ago
Shit I’m scared of my home speakers echo locating my furniture and the size of my domicile
misteloct@lemmy.dbzer0.com 2 weeks ago
I mean, UCSC researchers used WiFi to detect a human heartbeat.
papertowels@mander.xyz 2 weeks ago
In case anyone’s interested, there’s actually open-source self-hosted robot vacuum firmware for select models
HugeNerd@lemmy.ca 2 weeks ago
“secret”. Sweet summer child, you’ve been mapped down to your quarks for decades, and building plans have been at Town Hall since… Louis XIV?
1985MustangCobra@lemmy.ca 2 weeks ago
or…just buy a vacuum cleaner and vacuum your house? you don’t need smart devices for everything.
zalgotext@sh.itjust.works 2 weeks ago
If you have a robot vacuum, and the robot vacuum makes a persistent map (as opposed to the older “dumber” models that just bounce around randomly), they all send that map back to some remote server. In fact, most of those robots won’t even enable the mapping feature unless they’re connected to the Internet (which is absolute bullshit considering most of those robots generate, process, and store that map locally, so there’s literally no reason to send it off somewhere).
So your options are to just use the robot without ever connecting it to the Internet and be happy with the reduced featureset, root the robot and install Valetudo on it, or just vacuum manually. But until manufacturers are forced to let us actually own the smart devices they sell is, under no circumstances should you ever let one touch the Internet.
sem@lemmy.blahaj.zone 2 weeks ago
Such a boring dystopia :/
Regna@lemmy.world 3 weeks ago
At first I thought ”Well, duh!”, but the manufacturer having a remote kill switch when he network blocked his vacuum from sharing his home map data with them, as well as unprotected root access when connecting to the vacuum… urgh.
justsomeguy@lemmy.world 3 weeks ago
All crappy IoT devices ever made. They aren’t used in bot nets all the time because hackers like the challenge of hacking them so much. Security simply isn’t a priority.
Xerxos@lemmy.ml 3 weeks ago
The ‘S’ on IoT stands for security!
pipe01@programming.dev 3 weeks ago
Is it just me, or is having ADB exposed physically not that big a deal?
KazuyaDarklight@lemmy.world 3 weeks ago
Tend to agree, security is always the goal but if someone is in my house hacking my vacuum, I have bigger issues. The no-notice remote kill is the bigger issue to me.
kylian0087@lemmy.dbzer0.com 3 weeks ago
It is not good. But in most cases just adb doesnt grand root access. That’s just bad.
Monument@lemmy.sdf.org 3 weeks ago
A few years ago I noticed an annoyance with a soundbar I had. After allowing it onto my WiFi network so we could stream music to it, it still broadcast the setup WiFi network.
While dorking around one day, I ran a port scan on my network the soundbar reported the port was open. I was able to log in as root and no password.
After a moment of “huh, that’s terrible security.” I connected to the (publicly open) setup network and successfully logged into ssh and copied the wpa_supplicant.conf file from the device and verified it had my WiFi info available to anyone with at least my mediocre skill level, and factory reset the device, never to entrust it with credentials again.
givesomefucks@lemmy.world 3 weeks ago
There was an ARS article years ago about it…