Manufacturer Remotely Bricks Smart Vacuum After Its Owner Blocked It From Collecting Data (tomshardware.com)
- News link: https://yro.slashdot.org/story/25/11/02/2241201/manufacturer-remotely-bricks-smart-vacuum-after-its-owner-blocked-it-from-collecting-data
- Source link: https://www.tomshardware.com/tech-industry/big-tech/manufacturer-issues-remote-kill-command-to-nuke-smart-vacuum-after-engineer-blocks-it-from-collecting-data-user-revives-it-with-custom-hardware-and-python-scripts-to-run-offline
"That's when he noticed it was constantly sending logs and telemetry data to the manufacturer — something he hadn't consented to."
> The user, Harishankar, [2]decided to block the telemetry servers' IP addresses on his network, while keeping the firmware and OTA servers open. While his smart gadget worked for a while, it just refused to turn on soon after... He sent it to the service center multiple times, wherein the technicians would turn it on and see nothing wrong with the vacuum. When they returned it to him, it would work for a few days and then fail to boot again... [H]e decided to disassemble the thing to determine what killed it and to see if he could get it working again...
>
> [He discovered] a GD32F103 microcontroller to manage its plethora of sensors, including Lidar, gyroscopes, and encoders. He created PCB connectors and wrote Python scripts to control them with a computer, presumably to test each piece individually and identify what went wrong. From there, he built a Raspberry Pi joystick to manually drive the vacuum, proving that there was nothing wrong with the hardware. From this, he looked at its software and operating system, and that's where he discovered the dark truth: his smart vacuum was a security nightmare and a black hole for his personal data.
>
> First of all, its Android Debug Bridge, which gives him full root access to the vacuum, wasn't protected by any kind of password or encryption. The manufacturer added a makeshift security protocol by omitting a crucial file, which caused it to disconnect soon after booting, but Harishankar easily bypassed it. He then discovered that it used Google Cartographer to build a live 3D map of his home. This isn't unusual, by far. After all, it's a smart vacuum, and it needs that data to navigate around his home. However, the concerning thing is that it was sending off all this data to the manufacturer's server. It makes sense for the device to send this data to the manufacturer, as its onboard SoC is nowhere near powerful enough to process all that data. However, it seems that iLife did not clear this with its customers.
>
> Furthermore, the engineer made one disturbing discovery — deep in the logs of his non-functioning smart vacuum, he found a command with a timestamp that matched exactly the time the gadget stopped working. This was clearly a kill command, and after he reversed it and rebooted the appliance, it roared back to life.
Thanks to long-time Slashdot reader [3]registrations_suck for sharing the article.
[1] https://www.tomshardware.com/tech-industry/big-tech/manufacturer-issues-remote-kill-command-to-nuke-smart-vacuum-after-engineer-blocks-it-from-collecting-data-user-revives-it-with-custom-hardware-and-python-scripts-to-run-offline
[2] https://codetiger.github.io/blog/the-day-my-smart-vacuum-turned-against-me/
[3] https://www.slashdot.org/~registrations_suck
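The summary's key forensic step was matching a logged command's timestamp to the moment the device died. As an added example (not Harishankar's code or anything from the article), the script below shows that defender-side check: parse a device log, find entries within a window around the failure time, and flag those recording a remotely issued command. The log format, the `src=cloud` marker and the sample lines are all constructed for illustration.

```python
"""Correlate a device's own log with the moment it stopped working.

Added example, not from the article. Log format, 'src=cloud' marker and
sample lines are constructed; real device logs will look different.
"""
from datetime import datetime, timedelta

# Constructed sample log (UTC timestamps). "src=cloud" marks an instruction
# that arrived from the manufacturer's servers rather than local control.
SAMPLE_LOG = """\
2025-10-03T08:14:02Z INFO  nav     slam map saved locally (rooms=5)
2025-10-03T08:14:05Z WARN  net     telemetry upload failed: connect timeout
2025-10-03T08:19:05Z WARN  net     telemetry upload failed: connect timeout
2025-10-03T08:20:11Z INFO  ctrl    src=cloud cmd=set_state value=disabled
2025-10-03T08:20:12Z INFO  power   entering shutdown, reason=ctrl
2025-10-03T09:02:40Z INFO  boot    init complete
"""

def parse_ts(s):
    """Parse the constructed log's timestamp format into a datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    """Turn log text into (timestamp, level, component, message) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue  # skip malformed lines instead of aborting the analysis
        entries.append((parse_ts(parts[0]), parts[1], parts[2], parts[3]))
    return entries

def remote_commands_near(entries, failed_at, window_s=60):
    """Return remotely issued commands logged within window_s seconds of
    failed_at (a timestamp string in the log's format), closest first."""
    pivot = parse_ts(failed_at)
    window = timedelta(seconds=window_s)
    hits = [e for e in entries
            if abs(e[0] - pivot) <= window and "src=cloud" in e[3]]
    return sorted(hits, key=lambda e: abs(e[0] - pivot))

if __name__ == "__main__":
    # The owner knows roughly when the device went dead; the log pins it down.
    for ts, _, comp, msg in remote_commands_near(parse_log(SAMPLE_LOG),
                                                 "2025-10-03T08:20:12Z"):
        print(f"{ts.isoformat()}Z [{comp}] {msg}")
```

The same correlation works against any timestamped log once `parse_log` is adapted to its format; widening `window_s` trades precision for tolerance of clock skew between the device and the owner's notes.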
Tempest, meet teapot (Score:2)
After Alexa, anyone surprised by this?
I am waiting to see what happens when Optimus comes out. First, what they say it will do and then what it will actually do.
Re: (Score:3)
I'm surprised one would bury this much time debugging a piece of crap instead of cleaning house with a simple vacuum cleaner once every few days.
I have zero network-enabled, complex firmware-sporting vacuum cleaners and I've never seen them fail.
Even the old Eastern bloc piece of junk that my grandmother left when she passed away - I still use that one to scare the neighbour's cat when that pest climbs onto my balcony.
I've also very likely used a lot less time for cleaning than this guy for debugging, and w
Re: Tempest, meet teapot (Score:3, Informative)
He didn't waste time to fix the vacuum. He spent his time accomplishing a security related task. His goal seems to have been to figure out what the vacuum was sending home and how to keep it from doing so. When he stored it he then had to figure out how to make it work again while not adversely affecting his privacy and security. Now he's sharing his knowledge with all of us so that we don't have the same problem. We can even take these facts and apply them to the other devices we
Re: (Score:2)
> He didn't waste time to fix the vacuum. He spent his time accomplishing a security related task.
Same difference.
> Now he's sharing his knowledge with all of us so that we don't have the same problem.
There's an easier, less time-consuming way to avoid the problem - avoid buying "autonomous crap" that "phones home". It is a given it will stop working some day, there are almost zero counter-examples and all of the latter were very costly.
A better use of his and everyone's time would be helping to pass consumer protection laws that ensure this shit ain't happening.
Alas...
just reverse the kill command (Score:4, Funny)
"This was clearly a kill command, and after he reversed it and rebooted the appliance, it roared back to life."
oh yeah, just reverse the kill command!
Re: (Score:2)
> oh yeah, just reverse the kill command!
Easily done, that’s how they multiply.
And THEN what happened? (Score:2)
This is like a cop show video that stops in the middle.
How stupid... (Score:1)
He blocks ip addresses on his network, and the vacuum stops working, so he ("repeatedly") sends it in to the manufacturer, then he goes to all the trouble of building an RPi-based control panel to "prove" the hardware is fine?
WTF, open up the blocked IP addresses! The reason the repair center couldn't recreate his problem is because they didn't block the necessary servers.
The company's "crime"? They didn't tell the owner the reason they had to put their vacuum on their wifi was because it had an under-powere
Re: (Score:3)
Did you read the article?
It was creating and RETAINING maps of his house.
Seems like rather private data to me.
But the real crime was bricking his $300 device simply because it couldn't collect data that wasn't necessary to it functioning.
Re: How stupid... (Score:1)
Basically every house and property near me has walkthroughs on realty sites. The layout of the walls in no house here is private or secret.
Re: (Score:3)
Yes it has a camera, it makes 3D maps of the house. LIDAR might not technically be the type of camera you're talking about, but it's still used to create images of things. Just because those images aren't in color doesn't mean you can't call it a camera. For LIDAR, and thus this vacuum, if it looks at you with its lens it can trivially gather enough info to fake a 3D model of your face for facial id security systems. Chances are low that the company or hacker will do that to break into one of your acco
Re: (Score:2)
No, the problem was the vacuum worked just fine with those IP addresses blocked. It had the maps to his house locally stored and vacuumed just fine.
Except when the company found out it wasn't getting that data from the vacuum, it sent the command to disable the vacuum.
In other words, it's a device that would work fine offline, but the manufacturer put some extra telemetry code in that uploads who knows what to their servers. And when they stopped getting that data, the manufacturer disables the device.
It's
Amazon did the same thing because of bad reviews (Score:3)
I've bought some lemons on Amazon and I'm not shy about posting reviews saying things like "It didn't work out of the box. Sent it back." or the latest "Bought it 4 years ago (laptop fan) and it just stopped working. Don't buy this." Unfortunately, Amazon flagged my account to not allow reviews any longer, so this place is the only place that will see this review.
Bought a Dyson vacuum some 15 years ago. Its "power head" sweeper stopped working. There were no replacement parts for something this old available from Dyson or after-market. I'll never buy another Dyson product again. I expect a vacuum manufacturer to support their products for at least 20 years. Miele does. So does Electrolux.
Re:Amazon did the same thing because of bad review (Score:4, Interesting)
Funny you should mention Amazon reviews. I just posted a review where I point out that the set I was given and indeed nearly all the Star trek TNG box sets for sale on Amazon are counterfeit and buyers should beware. Amazon flagged it as not conforming to community guidelines. Anytime that might hamper business is apparently against their rules.
Re: Amazon did the same thing because of bad revie (Score:2)
15 years is a long time for a manufacturer to stock replacement parts. I understand auto manufacturers are supposed to stock repair parts for cars they sell for 10 years after they stop selling them.
I think dropping support after 15 years (or even 10 years) is fine. That other brands can offer support for longer periods is nice, but it likely speaks to their extensive re-use of standard parts in subsequent generations of their products.
Re: (Score:2)
BMW still make parts for motorcycles last sold in 1955, [1]apparently [bmwgroup-classic.com]
[1] https://www.bmwgroup-classic.com/en/services/spare-parts/bmw-motorcycle.html
Re: (Score:2)
So why didn't you buy a Miele or Electrolux?
In our experience, vacuum cleaners are disposable. If you get 2 years out of it, you're lucky.
Of course we only buy ones that are $300 or less.
Seems like wife is constantly buying a new vacuum cleaner.
Re: (Score:2)
Wow, not sure what you are doing to your vacuums, but I've had two that easily lasted over 10 years. My current one is 12 years old.
How nefarious! (Score:3, Interesting)
> Since he blocked the appliance's data collection capabilities, its maker decided to just kill it altogether. "Someone—or something—had remotely issued a kill command," says Harishankar. "Whether it was intentional punishment or automated enforcement of 'compliance,' the result was the same: a consumer device had turned on its owner."
The vacuum relied on telemetry servers, and after an extended period when the vacuum couldn't reach the servers, it issued a command to stop operating until it could access the servers.
That is such a non-issue. It's not uncommon for a device to stop trying to access a network resource after a defined period/number of tries, and since the service the servers provide serves some part of the proper operation of the vacuum, it stopped trying to work, it issued a "stop trying" command. Big whoop.
I bet, if he unblocked the telemetry server IP addresses and power-cycled the vacuum it would 'magically' start working again, thus proving the vacuum itself just stopped trying, that there wasn't some dark overlord issuing "kill" commands to "smart" vacuums...
Re: (Score:3)
RTFA. The device didn't notice a lack of telemetry and decide internally to stop. The shutdown was a remote command SENT to the device.
While this is certainly slimy (Score:2)
Anybody who is surprised by this is an idiot.
The 1st clue should have been: why is this online? (Score:3)
The man bought a vacuum cleaner that required an internet connection, and that didn't make him suspicious?
Not so clever I reckon...
Re: (Score:2)
Its Amazon page doesn't advertise that it requires an internet connection to function. It says you can control it from your phone. It doesn't say that's required nor that it'll stop working when your wide area network is down. Many phone controllable devices work fine when limited to your local network.
Oddly they promote their use of the SLAM algorithm, something that almost every customer has no clue about. They need better marketers.
One thing to keep in mind (Score:2, Interesting)
It’s designed to feed the company’s data systems first, and clean your floors second.
Re: (Score:2)
I don't care who or what the app or device is... YOU ARE ALWAYS THE PRODUCT!