Man accidentally gains control of 7k robot vacuums

(popsci.com)

82 points by Brajeshwar3 hours ago

9 comments

dlenski53 minutes ago
> he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries.This is extremely similar to what I accidentally discovered and disclosed about Mysa smart thermostats last year: the same credentials could be used to access, inspect, and control all of them, anywhere in the world.See <a href="https://news.ycombinator.com/item?id=43392991">https://news.ycombinator.com/item?id=43392991</a>
- morkalork38 minutes ago
 Is this cutting corners on manufacturing/assembly where they're skipping installing a unique set of keys on each device?
 - Neywiny22 minutes ago
 I think it's about being a configuration management nightmare. If every device has a unique password, you need the decoder ring for serial number to password. However, not all processors have unique IDs. So you either need to find a way to reliably serialize each board during manufacturing and hope it stays (like a sticker/laser/printer/etc) or add a serial number chip which is cost and complexity. It's not impossible, it's just extra work that usually goes unrewarded.
 - HFguy18 minutes ago
 I'm a long way from embedded development. But I was under the impression a lot of microcontrollers these days have some ID capability built in, even some relatively low-end ones. This strikes me more as laziness than anything.
MostlyStable1 hour ago
Anyone who's somewhat technically inclined should, in my opinion, only be buying valetudo [0] compatible vacuums and replacing the default software as soon as possible.[0] <a href="https://valetudo.cloud/" rel="nofollow">https://valetudo.cloud/</a>
- ericpauley1 hour ago
 I found the “Why Not Valetudo” page on that site extremely persuasive. I would consider myself technically inclined. I also own a robot vacuum so I can spend more time doing important things that leverage my skills. Valetudo does not serve this mission.Very impressive, but I disagree that this is the clear best choice for anywhere close to anyone.
 - misnome1 hour ago
 Also, the first line in "Why Valetudo?"> First of all, please do not try to convince people to use Valetudo.A good realist position for such a project to take.
RHSeeger2 hours ago
> In order for the Romo, or really any modern autonomous vacuum, to function it needs to constantly collect visual data from the building it is operating in.I specifically bought one without a camera or mic.
- tgsovlerkhgsel2 hours ago
 Are there any like that that would have automatic emptying?
 - valicord1 hour ago
 Roborock q revo
 - arein344 minutes ago
 Ive got a q revo pro, which can dry the mops.Happy with it but note that I dont have carpets, I guess for carpets you need something with more features.
 - bdcravens1 hour ago
 The Q Revo series does have a camera and mic.
 - izacus1 hour ago
 They don't, the camera equipped ones are the maxV series.Q Revo has an IR sensor which doesn't transmit that data anywhere.
 bdcravens1 hour ago
 I had a Q Revo Edge that had a mic (it responded to "Hey Rocky" commands) and I could remotely view my house through the camera.Are you thinking of the S8 line? That's the one with the MaxV model.
- sverhagen2 hours ago
 How do you know? For sure, I mean?
 - soopypoos1 hour ago
 I wrapped mine in foil to be safe and now it's fabulous
 - brookst1 hour ago
 I mean your coffee maker could be a one-off spy device with nation-state backing. But it seems unlikely.
 - skeeter20201 hour ago
 if they can build an internet connected coffee maker with mic and camera for 60 bucks that's freakin' amazing!
 - misnome1 hour ago
 I'm pretty sure they'd be happy to swallow the loss when building a one-off device to specifically target you.
 blibble59 minutes ago
 defeated by walking into a random shop and picking one off the shelfrather than buying it from scamazon
 - doubled1121 hour ago
 Would it include a cell radio and SIM card? Or are they hoping for an open WiFi network in range?
 - soopypoos48 minutes ago
 he did say he was trained at the kremlin...
 - jlarocco1 hour ago
 If Google thought it was okay to hide a microphone, I'm sure less scrutinized companies try to get away with worse. <a href="https://www.bbc.com/news/technology-47303077" rel="nofollow">https://www.bbc.com/news/technology-47303077</a>
 - dylan6041 hour ago
 phew, yet another reason it pays off to not be a coffee drinker.
 - Tempest19811 hour ago
 :) I'm sticking with my Aeropress
- amelius1 hour ago
 Does your smartphone have a mic?
 - dylan6041 hour ago
 You've brought up such a brilliantly useless point to this discussion. I'm really appreciative of your efforts
 - codeulike1 hour ago
 Smartphones at least have some semblance of security, whereas iot devices are a free for all
jonplackett2 hours ago
Companies this inept really need to get fined.Like how many layers of people had to have OKed having the same password for all of them? It’s incompetence on an impressive scale.
- wolrah1 hour ago
 Agreed, this sort of thing should at minimum be considered gross negligence at this point, but because regular consumers who buy these products rarely see and almost never understand these news articles it doesn't really impact sales so the company doesn't care.If this discovery was guaranteed to result in meaningful fines companies would get their act together pretty quickly. 7000 counts of negligent exposure of private data (camera/mic feeds) should in a just world be millions of dollars in fines at the least and arguably criminal charges for management.
 - jonplackett1 hour ago
 Exactly. If GDPR fines can be so high, then something like this that is pretty much intentionally leaking personal data should be in the same ballpark.
exegete2 hours ago
“Accidentally” is not accurate. He used AI to inspect the source and found credentials that work in all devices. He also never gained control of anyone else’s devices. He never used the exploit.
- 555551 hour ago
  I didn't read the article but based on the title and subheading I assume they say "accidentally" because he was trying to reverse engineer the communication protocol to use his own device and he did not expect to find something as dumb as master credentials that would work on others' devices.
- wolrah1 hour ago
  "Accidentally" as in his intent was to gain control of his own device but instead discovered what would in a just world be considered criminal levels of either incompetence or indifference to the most basic levels of security in the entire product line.
charles_f1 hour ago
Original story: <a href="https://www.theverge.com/tech/879088/dji-romo-hack-vulnerability-remote-control-camera-access-mqtt" rel="nofollow">https://www.theverge.com/tech/879088/dji-romo-hack-vulnerabi...</a>Accompanying discussion on hn <a href="https://news.ycombinator.com/item?id=47047808">https://news.ycombinator.com/item?id=47047808</a>
ghgr2 hours ago
> [...] the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio [...]Sorry what? Why would a vacuum cleaner even need a microphone?
- onli2 hours ago
 Control by voice? Not that absurd.
 - Telemakhos2 hours ago
 Audio and video surveillance via robot vacuum is a feature: you can control the vacuum, see and hear the world from its perspective, and spy on your cats. I wish I were kidding.<a href="https://youtu.be/TltYXEDoong?t=412" rel="nofollow">https://youtu.be/TltYXEDoong?t=412</a>
metalman2 hours ago
accidentaly a god, a sucky kinda god, but a god none the less " I command thee to make vanish the minor sins of this world my minions"
Betelbuddy1 hour ago
His code sucks...