Man Accidentally Gains Control of 7,000 Robot Vacuums (popsci.com)
- Reference: 0180841372
- News link: https://hardware.slashdot.org/story/26/02/22/0510212/man-accidentally-gains-control-of-7000-robot-vacuums
- Source link: https://www.popsci.com/technology/robot-vacuum-army/
> While building his own remote-control app, Sammy Azdoufal reportedly used an AI coding assistant to help reverse-engineer how the robot communicated with DJI's remote cloud servers. But he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries.
>
> The backend security bug effectively exposed an army of internet-connected robots that, in the wrong hands, could have turned into surveillance tools, all without their owners ever knowing. Luckily, Azdoufal chose not to exploit that. Instead, he [2] shared his findings with The Verge, which quickly contacted DJI to report the flaw... He also claims he could compile 2D floor plans of the homes the robots were operating in. A quick look at the robots' IP addresses also revealed their approximate locations.
DJI told Popular Science the issue was addressed "through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10."
[1] https://www.popsci.com/technology/robot-vacuum-army/
[2] https://www.theverge.com/tech/879088/dji-romo-hack-vulnerability-remote-control-camera-access-mqtt
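The bug class in the summary is authentication without per-device authorization: a credential that is valid for one robot is honored for any robot's topics. Below is an added illustration (not DJI's code, not from the article) of the weak check beside a hardened one. It assumes an MQTT-style backend, as the Verge URL slug suggests, and a hypothetical topic layout `devices/<device_id>/<channel>`; the device ids and channel names are constructed for the example.

```python
"""Per-device topic authorization for an IoT command/telemetry broker.

Added example, not DJI's code. Assumes an MQTT-style backend and a
hypothetical topic layout ``devices/<device_id>/<channel>``. The point:
a credential must be bound to one device identity, and every publish
and subscribe must be checked against that identity, so owning one
robot never grants reads on another robot's camera, audio or map topics.
"""
from dataclasses import dataclass

# Hypothetical channels a robot exposes. "control" is written by the app;
# everything else is read-only telemetry published by the robot.
READ_CHANNELS = {"camera", "audio", "map", "status"}
WRITE_CHANNELS = {"control"}


@dataclass(frozen=True)
class Session:
    device_id: str  # the single device this credential was issued for


def _split_topic(topic):
    """Return (device_id, channel), or None if the topic is malformed."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "devices":
        return None
    return parts[1], parts[2]


def authorize_authenticated_only(session, action, topic):
    """The flawed pattern: any valid credential may touch any device topic.

    The session is checked for existence only; its device binding is ignored.
    This is the class of bug the article describes, where one owner's
    credentials reached roughly 7,000 other robots.
    """
    return session is not None and _split_topic(topic) is not None


def authorize(session, action, topic):
    """Hardened check: the topic must belong to the session's own device,
    and the action must fit the channel (read telemetry, write control).

    Wildcards ('#', '+') are rejected outright: a wildcard subscription is
    exactly how a single-tenant credential turns into a fleet-wide feed.
    """
    if session is None or "#" in topic or "+" in topic:
        return False
    parsed = _split_topic(topic)
    if parsed is None:
        return False
    device_id, channel = parsed
    if device_id != session.device_id:
        return False
    if action == "subscribe":
        return channel in READ_CHANNELS
    if action == "publish":
        return channel in WRITE_CHANNELS
    return False


def demo():
    """Constructed sample decisions for a session bound to robot 'r-0001'."""
    s = Session(device_id="r-0001")
    return {
        "own camera": authorize(s, "subscribe", "devices/r-0001/camera"),
        "own control": authorize(s, "publish", "devices/r-0001/control"),
        "other camera": authorize(s, "subscribe", "devices/r-6999/camera"),
        "fleet wildcard": authorize(s, "subscribe", "devices/#"),
        "single-level wildcard": authorize(s, "subscribe", "devices/+/map"),
        "write telemetry": authorize(s, "publish", "devices/r-0001/status"),
        # the weak check lets the same session read another robot's camera
        "other camera (weak check)": authorize_authenticated_only(
            s, "subscribe", "devices/r-6999/camera"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26} -> {'allow' if allowed else 'deny'}")
```

Running it shows the hardened `authorize` denying the cross-device read and both wildcard subscriptions while the weak check allows the cross-device read. The design choice worth noting is that the device identity comes from the session (set server-side when the credential is issued), never from anything the client sends in the topic string.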
A white hat hacker did the same thing with Teslas (Score:2)
He managed to order one to drive someplace. Only thing he needed was the VIN.
I'm always a bit surprised that the right wing doesn't have more online chatter about how self-driving cars can be remotely controlled. We learn from a Google deposition that they're being piloted remotely rather than self-driven. Elon Musk volunteered that information after Google was forced to admit it.
It's funny cuz they had a panic attack about walkable cities and how the government could control where you could go and
Opportunity missed! (Score:2)
> Man Finds Out He Sucks 7000 Times More Than Other People
This could have been your headline, Slashdot, but you let it get away!
Grandma's IPO story. With milk and cookies. (Score:2)
> The backend security bug effectively exposed an army of internet-connected robots that, in the wrong hands, could have turned into surveillance tools...
Or one might argue that a 7,000-strong node comprised of all manner of deep-seated surveillance hardware was purpose-built to be a surveillance tool.
(I mean for shits sake how often do we accidentally stumble across a network like that? Even PRISM is turned on right now.)
The answer is obvious (Score:2)
Robot vacuums do NOT need to communicate with a cloud server
The cloud is a trap
Run away
multi layered scam (Score:2)
Why wrestle with connecting your phone directly to your home devices through some ad hoc networking, when you can simply attach everything to a [highly insecure] central server and have a simple app that basically amounts to little more than an HTTP request.
Plus when you shut down your back end services, all your old customers are fucked and have to buy new products.
Re: (Score:2)
That's the consumer point of view.
From the vendor, cloud requirements ensure control and access to data they can mine or sell for additional profit.
That ought to be illegal, but consumer protection laws haven't really caught on with such things yet. Techies have been screaming about it for decades, but it seems that we've gone from being seen as whackjobs to simply being ignored.
Personally, I have a robot vacuum and I block it from Internet access - which means it doesn't do floor mapping and the vendor lo