Mastodawn

spaghettiwestern

Manufacturer issues remote kill command to disable smart vacuum after engineer blocks it from collecting data — user revives it with custom hardware and Python scripts to run offline

https://sh.itjust.works/post/51015947

Manufacturer issues remote kill command to disable smart vacuum after engineer blocks it from collecting data — user revives it with custom hardware and Python scripts to run offline - sh.itjust.works

An engineer got curious about how his iLife A11 smart vacuum worked and monitored the network traffic coming from the device. That’s when he noticed it was constantly sending logs and telemetry data to the manufacturer — something he hadn’t consented to. The user, Harishankar, decided to block the telemetry servers’ IP addresses on his network, while keeping the firmware and OTA servers open. While his smart gadget worked for a while, it just refused to turn on soon after. After a lengthy investigation, he discovered that a remote kill command had been issued to his device.

spaghettiwestern Dec 5

My robot vac will only operate when connected to the Internet so it’s only allowed to communicate when actually in use. As soon as it returns to the charger Internet access is automatically blocked.

Unfortunately the manufacturer has deliberately made this as inconvenient as possible. If communication is blocked for more than a few hours the vacuum loses all maps and will no longer even load saved maps from the Tuya app. To use it the vac must be powered down and the app killed. Only then can a saved map be restored.

It’s too bad it’s so useful.

Name and shame.

FauxLiving Dec 5

from the Tuya app.

www.tuya.com/solution/hardware/robot-vacuum

Smart Cleaning Robot Solutions | Smart, convenient, and automated. A clean home starts here | Tuya Smart

Tuya's smart cleaning robot solutions cover nine application scenarios, including automatic cleaning, home map display, timing, remote control, voice control, automatic recharging, and video surveillance.

it’s only allowed to communicate when actually in use.

What’s the point? The manufacturer is interested in the map of your apartment and usage statistics. What do you think it’s sending when not in use? Does it have a microphone or something?

spaghettiwestern Dec 5

Since I haven’t pulled it apart or tried to decrypt the ssl traffic I have no idea whether it has “a microphone or something.” That’s the point.

🇦🇺𝕄𝕦𝕟𝕥𝕖𝕕𝕔𝕣𝕠𝕔𝕠𝕕𝕚𝕝𝕖 Dec 5

SSL bold of you to assume that

Keeping it offline some of the time isn’t effective against passive data collection unless you’re willing to take the inconvenient step of factory-resetting it each time you’re about to use it. Anything it collects it can just hold onto until it next gets the chance to upload.

FauxLiving Dec 5

SmartTVs will hold onto your data as long as they have storage, even through a factory reset. So if you sell it and the next person hooks it up to the Internet then the data is uploaded.

I know it can be done, so it wouldn’t shock me at all to find out that it does happen, but do you know of any manufacturers who have been proven to do this?

SaharaMaleikuhm Dec 5

Should have read up on it before buying this crap.

spaghettiwestern Dec 5

Lol. Read what? Does your TV manual or privacy policy tell you what’s being transmitted? Have you ever even bought a connected appliance?

No! And I never will.

spaghettiwestern Dec 6

So you’re just another Internet “expert”. Got it.

Check the usernames.

My robot vac will only operate when connected to the Internet

That would trigger me to return it to the store. “It doesn’t work”

GreenShimada Dec 5

The fact that this isn’t considered outright fraud is disturbing. This person OWNS the device, yes? They’re not leasing it.

FFS, this should be illegal.

I agree with you that this should be illegal. I expect this was in the terms of service, though. Since we have no laws restricting this kind of bullshit, the company can argue that they’re within their rights.

We need some real legislation around privacy. It’s never going to happen, but it needs to. We need a right to anonymity but that is too scary for advertisers and our police state.

FartMaster69 Dec 5

Terms of service need to stop being treated like law.

MalReynolds Dec 5

They’re not law as long as you can afford the lawyers and legal costs to fight them. Which is, of course, the problem and the system working as designed.

Just because something’s written in the terms of service, doesn’t mean it’s legal.

deathbird Dec 6

And just because it’s legal doesn’t mean it’s ethical.

GreenShimada Dec 5

I expect this was in the terms of service, though

While I expect the same, there’s also just a reasonablility standard. If Meta and Google updated their TOS to say that users agreed to become human chattle slaves to mine cobalt and forfeit their rights, no court (…right, SCOTUS?..right?) would uphold that. A TOS is a contract, but it’s mostly for the protection of companies from liability. Takign active steps to brick someone’s device over the device not connecting to it’s C2 server (the company had zero evidence this was done intentionally and a router firewall misconfiguration could just have easily done the same thing), is IMO something that should result in a lawsuit.

There needs to be a huge neon orange warning on the Front of these products that explains, clearly, that you don't own it, your privacy will be invaded and the company can disable it at anytime.
This will stop people from buying this garbage, and hopefully companies will stop if they want our money.

My life rule is, if it says Smart on it, it's never going to be smart. It will always cause trouble.

GreenShimada Dec 5

IMO “Smart” refers to the lawyers that got paid to write a 900-page TOS that lets a company do whatever they want.

No that's called "smarmy".

Socialism_Everyday Dec 6

If it were illegal, that would be a huge infraction to FREEDOM®🦅🦅

Too bad he’s an engineer and not a lawyer.

As useful a smart device are, it’s very annoying that the company behind it are always either: 1) a scumbag that will collect data and will lockdown the device if people doesn’t use it their way; 2)incompetent idiots that can’t make a good software to save their life. So by using these device you basically have to pick the thing that you’re willing to lose.

It’s really too bad because robovac save me a lot of time and mental exhaustion.

...when i 'buy' something, should i not own and be able to use it and all functions until the end of it's mechanical processes?..

I specifically got one which can run valetudo and it works great for over two years now. Without sending images of my flat to china or the us

rowinxavier Dec 5

I have just purchased a Dreame L10s Ultra and have had the PCB for a breakout board made and components for setting it up ordered. In a few days I should get the last bits and I will be able to root the device and have it connect to Valetudo managed through Home Assistant. Fully local operation with basically the same features but none of the privacy issues. As soon as I can get it connected I will be able to use it just like a robot I actually own should without some random third party being involved in every single operation.

illpillow Dec 6

The mentioning of Valetudo should be more at the top to make people aware of the existing alternatives.

My aged Roborock S5 suddenly stopped working a year ago and only cleaned a very small segment making it effectively useless. Since I knew that data is exchanged with the manufacturer I suspected them to actively prevent the device from working properly to make me buy a new one. Thanks to Valetudo the device is working back again just fine. Meaning there never was a hardware (or software) failure, but a remote issue.

rowinxavier Dec 7

This is why free software is so important. The company can just lie to you about their product and for some reason it isn’t illegal. I really want to have a dishwasher and washing machine with an ESP32 controller and free software to control it, ideally with Home Assistant integration, but at this point I can’t find anything.

I was thinking about getting one but I learned that they do require a lot of maintenance like cleaning the brushes and you have to change parts regularly. That sounds like more work they just sweeping from time to time. Also, broom has a lower carbon footprint.

spaghettiwestern Dec 5

Ours has needed very little maintenance and has quickly become a necessity because it gets the floors much cleaner that we ever did. An unexpected consequence is that the whole house stays cleaner because we still spend some of the time and energy we were spending on sweeping on other cleaning tasks.

As much as the thing irritates me you’d have to pry it from my cold, dead hands.

I guess it depends on your use case. I know people with pets love them because sweeping hair is a lot of work. Probably the same with kids. For us with no pets or kids there’s really not that much sweeping.

I bought one and was disappointed to realise that i still need to (manually!) tidy up the rooms (kids’ toys, cats’ toys etc) for it to have good effect. yes, i am not very smart.

Libre alternative?

notreallyhere Dec 5

while this is good, we really don’t need all these smart devices in the first place

GreyEyedGhost Dec 5

We could still live in caves, but most of us have chosen not to. I’m personally of the opinion that every advancement that gives you more time to do things that are important to you are worth it. This doesn’t mean inviting every piece of spyware some company tries to thrust upon me is acceptable, either.

notreallyhere Dec 6

people have less free time now, then any time since the labor movement.

tech hasn’t been the solution ; but tech companies have been the problem

There’s something not working in this article.

They say it “makes sense” for the device to basically send the plan of your home to some online server, because the vacuum is not powerful enough to process this data on its own. This is already a bit horrifying to me, but okay.

And then when that guy blocked it out, the vacuum “worked for a while” before something sent the kill command through an update.

How come is it still working at all if navigation requires that server?

It's not the navigation that requires the server but the processing of the mapping data.

Which in itself is BS because most of these vacuums come with hardware roughly equivalent of a top of the line smartphone from about 5-6 years ago. They can easily do the raw data to map conversion, even if it's a bit slow and takes 20-30 seconds.

Also if you read the article it specifies that the damn thing is already running Google Cartographer which is a SLAM 3D map builder software - one of the better pro-grade mapping software suites, mind you. So the whole claim of cloud needed for processing is BS.

My VR headset can create pretty accurate 3D maps of my environment like nothing, and it only uses cameras to do so, so I can imagine it’s doable.

Then, yeah, it doesn’t “make sense” for that thing to externalize that.

It’s not that it’s impossible, but it requires effort, skill, and time. Instead of hiring a bunch of programmers who would make it run on the device locally, you can just throw the same amount of money at Amazon and it will run whatever unoptimised version of the renderer you stole on some random Chinese forum. As a bonus, you got to enrich a multibillionaire and make a world slightly worse place, which is a second and third priority of every CEO after getting money.

Valetudo

I don’t think any compatible machines can be acquired in my region any more. The only one I saw semi recently had a revision a few years ago but no packaging or model change to match so you can’t verify if its the older model that works or the newer one that doesn’t.

FelixCress Dec 5

remote kill command had been issued to his device.

What the actual fuck?!

√𝛂𝛋𝛆 Dec 5

Stalkerware is criminal digital slavery. It is sale and ownership of a part of a person to manipulate and exploit them.

DeckPacker Dec 5

I think your comparison to slavery is a bit overblown and minimizes the tragedy of actual slavery. But I agree with the sentiment.

FlyingCircus Dec 5

But someone making money off of me without my consent is literally slavery. No one is saying that this form of slavery is equivalent to chattel slavery, so I don’t understand how this minimizes that? Do you also think that wage slavery or forced prison labor are not slavery?

Schwim Dandy Dec 6

As soon as you’re forced to buy that vacuum, sure, your analogy is rock solid and it’s like actual slavery.

Blackmist Dec 5

Had a kill command actually been sent, or does the device just not work without a remote server talking to it every so often?

Because the second one is probably worse from a “what if this company goes bust” standpoint.

Don’t worry, the quality of the modern hardware is so shitty, it will not outlive the company for long

Man itd be great if there was an answer to this. Maybe in an article somewhere. Guess we’ll never know.

Not to fear! Here is the relevant part so the next person coming by doesn’t have to read the article:

deep in the logs of his non-functioning smart vacuum, he found a command with a timestamp that matched exactly the time the gadget stopped working. This was clearly a kill command, and after he reversed it and rebooted the appliance, it roared back to life.

(Image credit: Harishankar)

So, why did the A11 work at the service center but refuse to run in his home? The technicians would reset the firmware on the smart vacuum, thus removing the kill code, and then connect it to an open network, making it run normally. But once it connected again to the network that had its telemetry servers blocked, it was bricked remotely because it couldn’t communicate with the manufacturer’s servers. Since he blocked the appliance’s data collection capabilities, its maker decided to just kill it altogether. "Someone—or something—had remotely issued a kill command,” says Harishankar. “Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”

( ͡° ͜ʖ ͡°)

Furthermore, the engineer made one disturbing discovery — deep in the logs of his non-functioning smart vacuum, he found a command with a timestamp that matched exactly the time the gadget stopped working. This was clearly a kill command, and after he reversed it and rebooted the appliance, it roared back to life.

imetators Dec 5

That’s like a month old news article

No one should be outraged. That is how all robovacs are working - use LIDAR to map area -> send back to server -> server calculates optimal cleaning route -> sends back info to vac -> vac cleans. Vac cant ping back to server - server thinks vac is dead. No killswitch is needed.

Also, app is not a necessity except we are forced to use it. But many would not like to lose an ability to track progress or start and stop cleaning from their phone outside of the home network. For these features, app and external server is a must.

The only real issue with robo vacs is that it is an IoT device. We should make manufacturers and brands to let us choose if we want to selfhost their software. But that would never happen.

This article IMO is full of bs and ragebait.

What I don’t understand is why the person that owns the device wrote the following in their blog post:

How could a simple IP block disable a vacuum cleaner that is supposed to work offline as well? - Source

This seems like that device was sold to him as “offline” capable. Where does that claim even come from? From a cursory glance I don’t see that product advertised that way anywhere.

Now, I’d be totally in favor that such devices working offline should be the norm, but then again, the person writing the blog should know how these devices currently work.

The Day My Smart Vacuum Turned Against Me

Would you allow a stranger to drive a camera-equipped computer around your living room? You might have already done so without even realizing it. The Beginning: A Curious Experiment It all started innocently enough. I had recently bought an iLife A11 smart vacuum—a sleek, affordable, and technologically advanced robot

Small World