This is a valuable lesson for any manufacturer: never awaken the nerd sleeping inside your customer, because his wrath shall be terrible.

In this case the warning was quite literal.

The company annoyed a buyer enough to push him into full-blown nerd mode. He tore the product apart, reverse engineered every part, and then published a step-by-step guide showing exactly how to disable the "kill switch" that prevented the use of the product without the vendor spying on the user.

What started as a minor grievance became a public, technical exposé that left the maker exposed and embarrassed.

Moral of the story: underestimate your users at your own peril.

The Day My Smart Vacuum Turned Against Me

Update: This post seems to have struck a nerve and went very wide. As I will not be able to answer every comment, I want to add a few points:

  • The linked article was not written by me. It came to me on a different channel (Discord). I only wrote the post on Mastodon.
  • The top image in the article looks AI generated. It is not a good image, but in my view less irritating than an advertisement (which is far more common).
  • Some people suggest the article itself is AI generated. I don't think this is the case. I wouldn't rule out that the author wrote the text in a different language and used AI for translation assistance.
  • The claims in the article are not fully backed by the linked repo, but the general statement is correct and IMHO important.

Would you allow a stranger to drive a camera-equipped computer around your living room? You might have already done so without even realizing it. The Beginning: A Curious Experiment It all started innocently enough. I had recently bought an iLife A11 smart vacuum—a sleek, affordable, and technologically advanced robot

Small World
@masek My wife bought one of these smart vacuums and it didn't even make it out of the box. Nope. Nuh-uh. Had to put my foot down there. And my dog/CSO wasn't wild about it either.

@briankrebs @masek My vacuum cleaner is very dumb, but it still works. It was built around 1960, and I inherited it from my grandmother.

An Electrolux, if you want to know.

@c_merriweather @briankrebs @masek Mine is dumb too. A Hoover PAWS Wind tunnel purchased in 2008.

My parents gave us their off-brand Roomba thingy from 2018ish. No camera, and we can't get it to work right. It just goes back and forth in a weird diamond pattern and won't do anything else. 😆

@courtcan @briankrebs @masek I am surprised that someone has not put an RC controller on a "roomba" so it can be operated with a joystick.

Just sittin' there on the Lay-z-Boy, feet up, directing the vacuum cleaner around the room.

@c_merriweather @courtcan @briankrebs @masek I believe they intrinsically could be. Stories of people playing frogger with them are teasing at my memory. Yes they put it in a costume. My first one definitely had a remote. I suspect to get it out from under the bed.
@c_merriweather @briankrebs @masek My spouse knows electronics extremely well, and I am going to ask him if he can make this happen for me. It would increase my life satisfaction exponentially! 😄
@c_merriweather @courtcan @briankrebs @masek
I imagine throwing bits of puffy Cheetos on the floor and commanding the robot to sweep it up.🧹🍠

@c_merriweather @courtcan @briankrebs @masek

One of my favourite mods from long enough ago this thing could vote:
https://youtu.be/NqbcfSqPnLA

Wiimote+Roomba=Wiimba !

YouTube
@c_merriweather @courtcan @briankrebs @masek the perfect way to get the kids to do chores

@briankrebs My smart home is isolated from the Internet and when I test new devices the "Who do they talk to" is an important part of the evaluation.

But alas, the days have become dark and difficult. Everything wants to talk to the world.

@masek @briankrebs I had to revoke my thermostat's permission to access the internet after it wanted my name and address before it would let me connect it to an app. I will adjust it by hand twice a day instead, thanks.

@Lironah
Smart home tech (or any) shouldn’t require manufacturer apps, internet connection or accounts to work. If a product mandates anything like that, that’s just a hidden fee, paid with data. There are enough products using industry standards that work offline, across apps and hubs (if needed).

@masek @briankrebs

@Flo_Rian Yeah the company who put in the air conditioner wouldn't even give us the same brand of thermostat as the one we had downstairs for the furnace, so it's not like I had any say in the matter.

@Flo_Rian

I'm starting to play with HomeAssistant and smart devices that don't call home aren't that easy to find.

@Lironah @masek @briankrebs

@axnxcamr
Try devices that use either Zigbee or Matter over Thread. They will work offline, are interoperable between manufacturers and work with HomeAssistant.

Some might require an app and internet for firmware updates, but those are optional. No need to use them or even keep them installed in daily use.

Popular brands include IKEA Tradfri, Philips Hue, Eve Home, Sonoff, Aqara or Xiaomi, but there are a myriad of companies in this field.

@Lironah @masek @briankrebs

@Lironah @masek @briankrebs

Same with my new hot water heater.

@masek Yeah, my inclination is to say "no smart devices, period" but that's getting harder and harder.

You can't really get a decent TV that doesn't have "smart" features anymore. Mine isn't connected to my network, but from what I've heard the newer ones are increasingly difficult to use without an internet connection.

I'd rather not support these products at all, but if there are no alternatives, I'm glad there are people tearing them down and showing us how to hack them.

@masek @briankrebs

"I'm sorry Martin, that brand of bread is not authorised in this toaster. Would you like to upgrade your bread subscription details?"

@masek @briankrebs

And if you liked that, then you really should read Cory Doctorow's compilation called _Radicalized_. Four short-ish stories, and the very first one is called "Unauthorised Bread". And the third one is kind of predicting Luigi Mangioni, but on steroids.

Have a nice evening!

The brain is the biggest erogenous zone.

YouTube
@masek "I am nerd. FEAR MY WRATH."
@masek I intentionally bought a somewhat dumb smart vacuum and just live with the annoyance of it wedging itself under furniture occasionally because I have trust issues with a fully GPS powered unit. Good to know that people with much better tech knowledge than I are making a stand and fighting back.
@oreoteeth @masek
We bought one based on it having no connectivity at all. It can only be controlled with a remote. It's pretty darned dumb and we have to rescue it frequently.
And that's fine.
@masek how is this a lesson for the manufacturer? They are not gonna lose a significant amount of buyers from this.
If this story were to make it to mainstream media, they would at max need to rebrand this device another couple of times and that's it.
Stuff like this needs tough consumer-protection laws and enforcement.
@masek my comment sounds so negative. Thanks for sharing this interesting story. Also good warning for consumers. I just don't believe in companies being "embarrassed".
@tildeMtilde No offense taken... I am aware that I won't teach humanity through my Mastodon account.

@masek why use slop for illustration on a technical article?

Also I'm pretty sure this whole article is also slop.

@f4grx Don't ask me that..

@f4grx It is an absolute slop fest. Horribly obvious ChatGPT writing including the classic "This isn't X; it's Y" all over the place and a claim that ADB was open... on a Linux-based device?

It's a shame too because it's a genuinely interesting situation, but the AI slop writing is horrible to get through and makes the story look much more involved and long than it actually is.

@IvanDSM @f4grx he’s not outside the realm of possibility claiming adb. Just because the rest of user space is not Android, doesn’t mean that you cannot run adbd. It offers some very useful services, that are not Android-specific. In fact, my LTE modem runs adbd (with no other Android bits).
@RoganDawes @f4grx Huh, I had no idea! Thanks for letting me know! :)

@IvanDSM @RoganDawes @f4grx some of it is definitely LLM generated, like the header image.

It's also light enough on details to be suspicious.

@masek

I found logs, configurations, and even the unencrypted WiFi credentials that the device had sent to the manufacturer’s servers

😱

@masek BTW the main message for users is:

The Golden Rule:
Never use your primary WiFi network for IoT devices.
Treat them as strangers in your home.
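The two practical points raised in this thread, "who do they talk to" as part of evaluating a new device and keeping IoT devices off the primary network, can be checked from the router's own flow logs. The script below is an added example and is not code from the thread, from the article, or from any vendor. It assumes a constructed log format (`<timestamp> src=<ip> dst=<ip> dport=<port>` per new outbound flow), a primary LAN of 192.168.1.0/24, an IoT VLAN of 192.168.50.0/24, and an explicit allowlist of the only local services an IoT device may reach (here a hypothetical MQTT broker on 192.168.1.5:1883). Everything else the device reaches on the primary LAN is reported as an isolation violation, and every non-local destination is reported as an external endpoint to review.

```python
"""Egress audit for IoT devices from router flow logs (added example).

Assumptions (not from the thread): the router logs each new outbound flow as
"<timestamp> src=<ip> dst=<ip> dport=<port>"; the primary LAN and IoT VLAN
ranges below; and an allowlist of local services IoT devices may reach.
"""
import ipaddress
import re

# Constructed network layout for the example.
PRIMARY_LAN = ipaddress.ip_network("192.168.1.0/24")
IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")

# Hypothetical MQTT broker (e.g. a Home Assistant host) that IoT devices are
# explicitly allowed to reach on the primary LAN. Nothing else is allowed.
ALLOWED_LOCAL = frozenset({("192.168.1.5", 1883)})

# Constructed sample log: one vacuum on the IoT VLAN, two hosts on the LAN.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=192.168.50.12 dst=192.168.1.5 dport=1883
2024-01-01T10:00:02 src=192.168.50.12 dst=203.0.113.10 dport=443
2024-01-01T10:00:03 src=192.168.50.12 dst=203.0.113.10 dport=443
2024-01-01T10:00:04 src=192.168.50.12 dst=198.51.100.7 dport=8883
2024-01-01T10:00:05 src=192.168.1.20 dst=192.168.1.1 dport=53
2024-01-01T10:00:06 src=192.168.1.21 dst=203.0.113.10 dport=443
2024-01-01T10:00:07 src=192.168.50.12 dst=192.168.1.20 dport=22
this line is not a flow record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one flow record; return None for malformed lines or bad addresses."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return {
            "ts": m["ts"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        }
    except ValueError:
        return None


def audit_iot_egress(log_text, iot_vlan=IOT_VLAN, primary_lan=PRIMARY_LAN,
                     allowed_local=ALLOWED_LOCAL):
    """Per IoT device: flow count, external endpoints, and LAN isolation violations.

    Destinations are classified by membership in the two local ranges rather than
    by ipaddress's is_private/is_global, since on a home router anything outside
    the local ranges leaves via the WAN (and the documentation ranges used in the
    sample log are flagged as non-global by the stdlib).
    """
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in iot_vlan:
            continue  # only audit devices that live on the IoT VLAN
        dev = report.setdefault(
            str(rec["src"]), {"flows": 0, "external": set(), "violations": set()}
        )
        dev["flows"] += 1
        dst, port = rec["dst"], rec["dport"]
        if dst in primary_lan:
            # Crossing into the primary LAN is only acceptable if explicitly allowed.
            if (str(dst), port) not in allowed_local:
                dev["violations"].add((str(dst), port))
        elif dst in iot_vlan:
            continue  # intra-VLAN traffic is not an egress concern here
        else:
            dev["external"].add((str(dst), port))
    return report


def format_report(report):
    """Render the audit as plain text, one device per block."""
    out = []
    for device, info in sorted(report.items()):
        out.append(f"{device}: {info['flows']} outbound flows")
        for dst, port in sorted(info["external"]):
            out.append(f"  external  -> {dst}:{port}")
        for dst, port in sorted(info["violations"]):
            out.append(f"  VIOLATION -> {dst}:{port} (not in allowlist)")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(audit_iot_egress(SAMPLE_LOG)))
```

Run against real router logs, the external list is the answer to "who do they talk to" (pair it with DNS logs to name the hosts), and any entry under violations means the VLAN boundary or firewall policy is not actually enforcing the "strangers in your home" rule.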

@masek This sort of thing is EXTREMELY dangerous. Data from this sold on the open market can be purchased by ICE, the FBI, or local cops and used to pre-plan a raid on a house.

Burglars and organized crime can do the same.

@masek My vacuum is very dumb. I rebuilt a Rainbow D4 I found at thrift from memory. My grandaddy repaired them and I watched him for hours and hours every week as a child. I have a couple of spare D2s in storage as well. For parts and backup. :)

@masek On the unmodified device, if the kill switch requires a remote command to be sent, blocking ALL networking (no open wifi and not giving in the passphrase) should block the command from being received. This won't work if a timeout on communications with the robot's true master is also included.

I would expect most users who block networking to block ALL of it, especially given the long history of updates that are downgrades (such as new DRM antifeatures and lockouts) in commercial devices of all types.

ANY device you cut off from the vendor needs to be cut all the way off including firmware updates. Hard for a 3rd party to exploit an offline device, so should be safe to stay with a "known good snapshot" firmware.

@masek

When we were looking at vacuum robots I said I didn't want anything that needed to connect to WiFi to do its job because I remembered the baby monitors that used WiFi and griefers had "hacked" to terrify toddlers. So we got an Ecovacs Deebot and it'll go around in a frustratingly random way and not "see" things just next to it, but it gets the job done.

https://boingboing.net/2016/01/19/griefer-hacks-baby-monitor-te.html

Griefer hacks baby monitor, terrifies toddler with spooky voices

Remember how, back in September 2015, researchers revealed that virtually every "smart" baby-monitor they tested was riddled with security vulnerabilities that let strangers seize control over it, spying on you…

Boing Boing
@masek I've blocked my roomba's mac address on the router. It is operated by home assistant.
@masek egh, I thought this could be interesting but the first thing I saw was totally unnecessary slop, nevermind then
10M people watched a YouTuber shim a lock; the lock company sued him. Bad idea.

It’s still legal to pick locks, even when you swing your legs.

Ars Technica
@masek
By way of appetiser:
"It was a marvel of cheap engineering, but also a privacy nightmare waiting to happen. ... I discovered something shocking: Android Debug Bridge (ADB) was wide open — no password, no authentication. And it was running a version of Linux.
In seconds, I had full root access. No hacks, no exploits. Just plug and play...
The manufacturer had the power to remotely disable devices and used it against me for blocking their data collection"
@masek gonna use this post as a chance to give a shout out to Valetudo for anyone reading this who is thinking about a robot vacuum - https://valetudo.cloud/ it frees your robot vacuum from its manufacturer's cloud, and will forever run happily with its internet access disabled.
Valetudo

Cloud replacement for vacuum robots enabling local-only operation

@iMeddles @masek seconded! I bought a model of vacuum specifically for Valetudo compatibility, and I never even connected it to the manufacturer’s app. Now the only thing it talks to is Home Assistant via a MQTT broker.
@masek Never buy from China... the ccp actively works at stealing every single piece of data it can. And one day, that data will be linked to AI to create chaos in the rest of the world

@luupies I don’t think this to be a problem tied to Chinese products.

I am no fan of the CCP, but currently the Chinese government is one of the more rational parties in the political arena.

@masek the ccp is the cancer of the planet, pushing for the enslavement of humanity, financing all invasions and propping up more of its own ones while stealing our intellectual property... there's a reason all its neighbors have to have military alliances
@frenck another example of why we need more projects like Home Assistant!!!!
@Pierrodu21
It would be interesting to have a relatively dumb vacuum just with sensors and motors, and the bulk of the logic happens in a program that's attached to home assistant.
@eythian yes, totally 👍🏻
@masek I really want to give the content a go, but it’s all edited and riddled with that annoying GPT accent that instantly devalues the article in my own subjective experience. Too bad.

@masek It seems somehow unlikely to me that the manufacturer would intentionally trigger a kill switch in this scenario. Maybe if it triggered something user-visible demanding to re-enable network connectivity, but shadowbanning the device does nothing for them but inflate customer support costs. What justification would they have?

It seems more likely that a queue of 'work' to send to the mothership got full and that stalled further 'work', or something along those lines.

Not that depending on connectivity to the mothership is a good thing, especially in an asynchronous way, but I am not sure it makes sense to ascribe malice here.