resipsaloquiturMan accidentally gains control of 7,000 robot vacuums
Carlos SolísLong story short: he was trying to find the password for his own vacuum (yeah that already sounds ridiculous) so he could control it with a game controller, and found that the same exact credentials worked for an estimated 7000 other vacuums that need to call home to process visual data in the cloud. Hidden behind the lede: DJI automated vacuums require constantly sending their footage abroad to even work in the first place
∟⊔⊤∦∣≶But he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries. The backend security bug
I feel like “bug” is doing a looot of heavy lifting here.
It also illustrates how a security vulnerability is simply a bug, albeit a dangerous one.
Is it a bug though in this case? To me a bug is when a program behaves in a way that’s not intended. This might very well be a case of the program behaving exactly as intended, except the intentions of the people who made it were wrong.
An online service is a program (or a bunch of program).
Giving access when it’s not supposed to falls into behaving in a way that’s not intended.
Therefore, an online service giving access when it’s not supposed to can be classified as a program behaving in a way that’s not intended.
Thus, this case fits into your very definition.
Giving access when it’s not supposed too
Not sure I’d agree with that statement. Personally I see it as the correct credentials were provided, and thus access was granted; ergo, the app performed as intended, and there is no bug.
The error here seems to be around the lack of concern for security; nobody considered that using the same credentials for their fleet of robots could pose a threat if discovered. It’s no different to someone using the same email and password for everything, and then wondering why their facebook has been hacked after their Reddit account leaked. The problem isn’t a bug in code, it’s just poor cybersecurity hygiene; what we see here is the same just on a commercial level.
The error here seems to be around the lack of concern for security
I feel like this is extremely generous, but I’m a bit of a cynic.
I don’t see an error at all. All I see is Upskirt Robot working as intended
Sheridan
Bot R1
SundrayThis honestly sucks
This is fine🔥🐶☕🔥Great tagline for a vacuum advert.
[the robot vacuum] retails for around $2,000 and is roughly the size of a large terrier or a small fridge
Doing everyhing possible to avoid actual dimensions as always.
What size is a ‘small fridge’ anyway??
Good time to shamelessly plug valetudo, if your vacuum robot is supported.
With this, it does not access the public internet, and still functions the same as without rooting it. You just can’t manage it if you’re not home, unless you have some VPN set up or home assistant integration. But I don’t know when I ever wanted to manage/watch my vacuum robot when I’m not home. Some sort of offline mode should be legally required for these kinds of devices that don’t really need it. “Does not need an app to work” has become a major selling point for me for things, alongside “has physical buttons”.
Also drop me a message if you’re in switzerland and need an unsoldered valetudo breakout board, I still have around 5 left.
GreatWhiteBuffalo41Damn, not supported. Bookmarked though for when I need a new one at some point
🇰 🌀 🇱 🇦 🇳 🇦 🇰 🇮 World’s suckiest army.