- cross-posted to:
- privacy@programming.dev
- technology@lemmy.zip
An engineer got curious about how his iLife A11 smart vacuum worked and monitored the network traffic coming from the device. That’s when he noticed it was constantly sending logs and telemetry data to the manufacturer — something he hadn’t consented to. The user, Harishankar, decided to block the telemetry servers’ IP addresses on his network, while keeping the firmware and OTA servers open. While his smart gadget worked for a while, it just refused to turn on soon after. After a lengthy investigation, he discovered that a remote kill command had been issued to his device.
Yeah, mine has it. I have to go into the app once a week and manually delete it.
I am planning to make a list of devices I really do NOT want near me. Starting with this one.
Gonna be a long list…
Time to run off into the forest I suppose
Network segmentation.
But yea, you don’t want a moving cam/mic device reporting home…
This is every single ‘smart device’ out there. The way I was able to block everything in 2 Roborocks at home was by setting them up in Home Assistant over Matter, blocking everything and using it from HA only (use the schedules, those remain in the robots). It’s less than convenient allowing it access to the update servers once per month to see if there’s any and then blocking it again, but it’s something.
We’re preparing our ‘smart home’ for our new house that’s not finished yet by choosing only devices that are matter over wifi (not thread) so that I can set it all up to work locally over Home Assistant. That, in my opinion, is the best way to keep some convenience while shutting those assholes out.
Most of them, sure. Every single one until proven otherwise, yes. Every single one, no qualifiers? No.
Brands like Shelly allow you to completely disable the cloud, which AFAIK makes them stop phoning home completely except for update checks.
I think a lot of “Home Assistant certified” brands are good privacy-wise, as that means that they don’t care about pushing you onto their proprietary cloud.
Old news that’s been posted several times in the last weeks
Reject bottom feeder, Embrace Rigid vacuum.
broom chads stay winning
Jesus christ, just vacuum your own house already. This is the largest tradeoff I have ever seen for the minor inconvenience of a single household chore.
This comment is fucking insane lol
I don’t even vacuum. I get on my knees and clean my floors by hand.
I can’t do that, I have bone spurs (actually though)
That’s why this invasive tech is criminal. Just plain criminal.
Louis Rossman should do a segment on them.
He did. Where he said the article looked AI generated and so he wasn’t going to waste any time with it.
That’s like a month old news article
No one should be outraged. That is how all robovacs are working - use LIDAR to map area -> send back to server -> server calculates optimal cleaning route -> sends back info to vac -> vac cleans. Vac can’t ping back to server - server thinks vac is dead. No killswitch is needed.
Also, app is not a necessity except we are forced to use it. But many would not like to lose an ability to track progress or start and stop cleaning from their phone outside of the home network. For these features, app and external server is a must.
The only real issue with robo vacs is that it is an IoT device. We should make manufacturers and brands let us choose if we want to selfhost their software. But that would never happen.
This article IMO is full of bs and ragebait.
What I don’t understand is why the person that owns the device wrote the following in their blog post:
How could a simple IP block disable a vacuum cleaner that is supposed to work offline as well? - Source
This seems like that device was sold to him as “offline” capable. Where does that claim even come from? From a cursory glance I don’t see that product advertised that way anywhere.
Now, I’d be totally in favor that such devices working offline should be the norm, but then again, the person writing the blog should know how these devices currently work.
Say, if he got it because it was advertised as an offline device then why would he connect it to wifi anyway? The more I read this article, the more questionable this so called “IT specialist” is.
This is how it has been for a long time - robovacs do talk to a server. Should it? Not necessary. But they undeniably do.
Pretty much everything you said is incorrect, except for the article age. Valetudo literally wrote software that does this on multiple models locally, including mapping. The response of the manufacturers whose models were capable of this was to release new versions where this wasn’t an option. As for servers and local control, there are a number of solutions for those with the knowledge and hardware to set it up, and the only thing stopping robovac companies from supporting this is (less) money.
My robot vac will only operate when connected to the Internet so it’s only allowed to communicate when actually in use. As soon as it returns to the charger Internet access is automatically blocked.
Unfortunately the manufacturer has deliberately made this as inconvenient as possible. If communication is blocked for more than a few hours the vacuum loses all maps and will no longer even load saved maps from the Tuya app. To use it the vac must be powered down and the app killed. Only then can a saved map be restored.
It’s too bad it’s so useful.
it’s only allowed to communicate when actually in use.
What’s the point? The manufacturer is interested in the map of your apartment and usage statistics. What do you think it’s sending when not in use? Does it have a microphone or something?
Since I haven’t pulled it apart or tried to decrypt the ssl traffic I have no idea whether it has “a microphone or something.” That’s the point.
Keeping it offline some of the time isn’t effective against passive data collection unless you’re willing to take the inconvenient step of factory-resetting it each time you’re about to use it. Anything it collects it can just hold onto until it next gets the chance to upload.
SmartTVs will hold onto your data as long as they have storage, even through a factory reset. So if you sell it and the next person hooks it up to the Internet then the data is uploaded.
I know it can be done, so it wouldn’t shock me at all to find out that it does happen, but do you know of any manufacturers who have been proven to do this?
SSL
bold of you to assume that
Name and shame.
from the Tuya app.
My robot vac will only operate when connected to the Internet
That would trigger me to return it to the store. “It doesn’t work”
Had a kill command actually been sent, or does the device just not work without a remote server talking to it every so often?
Because the second one is probably worse from a “what if this company goes bust” standpoint.
Man it’d be great if there was an answer to this. Maybe in an article somewhere. Guess we’ll never know.
Not to fear! Here is the relevant part so the next person coming by doesn’t have to read the article:
deep in the logs of his non-functioning smart vacuum, he found a command with a timestamp that matched exactly the time the gadget stopped working. This was clearly a kill command, and after he reversed it and rebooted the appliance, it roared back to life.

So, why did the A11 work at the service center but refuse to run in his home? The technicians would reset the firmware on the smart vacuum, thus removing the kill code, and then connect it to an open network, making it run normally. But once it connected again to the network that had its telemetry servers blocked, it was bricked remotely because it couldn’t communicate with the manufacturer’s servers. Since he blocked the appliance’s data collection capabilities, its maker decided to just kill it altogether. "Someone—or something—had remotely issued a kill command,” says Harishankar. “Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”
( ͡° ͜ʖ ͡°)
it was bricked remotely because it couldn’t communicate with the manufacturer’s servers.
That bit seems inaccurate… if it couldn’t communicate it wasn’t bricked remotely… it was more like digital seppuku.
Earlier in the article he says that he only disabled some of the network connections but he left open the ones for firmware updates and stuff so to me it’s not impossible that it was able to receive remote commands although I would certainly want to see more technical details to satisfy my curiosity.
The article says in words that it was a remote command. But again, we don’t have any details supporting that description. So maybe the journalist got it wrong.
I would certainly want to see more technical details
Certainly. By default most home networks block incoming traffic but then again if he’s the tinkerer type his network will most likely not be default.
This is something I’ve never understood about firewalls. If the vacuum cleaner is uploading and downloading stuff from https://somecorpo.net/, what stops it from listening for remote commands on that same connection?
Or the kill command could have been a response to a request made by the vacuum.
Vacuum #2566247: checking in for firmware updates
Server response: it’s been 3 months since we received any telemetry data from vacuum #2566247 – Execute Order 66
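Added example, not part of the thread or the article: a small model of a stateful firewall, showing why a device that only makes outbound connections can still receive a command in the reply to its own check-in, and how that differs from an isolated segment with no egress. The addresses, ports and payload strings are constructed, and the firewall class is a simplification, not any router's real code.

```python
from dataclasses import dataclass, field

# Constructed addresses from documentation ranges; none come from the article.
VACUUM, TELEMETRY, OTA = "192.168.1.50", "203.0.113.10", "203.0.113.20"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""

@dataclass
class StatefulFirewall:
    egress_blocklist: set = field(default_factory=set)  # destinations the owner blocked
    egress_default_allow: bool = True                    # typical home-router default
    conntrack: set = field(default_factory=set)          # flows opened from the LAN side

    def outbound(self, p: Packet) -> bool:
        """LAN -> WAN. Permitted flows are remembered so replies can return."""
        if p.dst in self.egress_blocklist or not self.egress_default_allow:
            return False
        self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p: Packet) -> bool:
        """WAN -> LAN. Only replies to a tracked flow pass; payload is not inspected."""
        return (p.dst, p.dport, p.src, p.sport) in self.conntrack

def simulate(fw: StatefulFirewall) -> dict:
    """Replay the thread's scenario: telemetry blocked, update server left reachable."""
    results = {}
    # Server tries to open a connection to the vacuum on its own: no tracked flow.
    results["unsolicited_inbound"] = fw.inbound(Packet(OTA, 443, VACUUM, 8080, "command"))
    # Vacuum tries to upload telemetry to the blocked address.
    results["telemetry_upload"] = fw.outbound(Packet(VACUUM, 40001, TELEMETRY, 443, "logs"))
    # Vacuum polls the update server, which the owner left open.
    results["update_check"] = fw.outbound(Packet(VACUUM, 40002, OTA, 443, "check-in"))
    # The reply rides the flow the vacuum opened; it can carry anything, including a command.
    results["reply_with_command"] = fw.inbound(Packet(OTA, 443, VACUUM, 40002, "command"))
    return results

blocklist_only = simulate(StatefulFirewall(egress_blocklist={TELEMETRY}))
isolated_vlan = simulate(StatefulFirewall(egress_default_allow=False))
```

With only the telemetry address blocked, the update check and its reply both pass; with egress denied for the whole segment, nothing does.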
Don’t worry, the quality of the modern hardware is so shitty, it will not outlive the company for long
Furthermore, the engineer made one disturbing discovery — deep in the logs of his non-functioning smart vacuum, he found a command with a timestamp that matched exactly the time the gadget stopped working. This was clearly a kill command, and after he reversed it and rebooted the appliance, it roared back to life.
Stalkerware is criminal digital slavery. It is sale and ownership of a part of a person to manipulate and exploit them.
I think your comparison to slavery is a bit overblown and minimizes the tragedy of actual slavery. But I agree with the sentiment.
There are other types of slavery besides American chattel slavery.
But someone making money off of me without my consent is literally slavery. No one is saying that this form of slavery is equivalent to chattel slavery, so I don’t understand how this minimizes that? Do you also think that wage slavery or forced prison labor are not slavery?
As soon as you’re forced to buy that vacuum, sure, your analogy is rock solid and it’s like actual slavery.
No, I don’t think it does that at all. People need to be able to see the world in more than just binary choices, “it is, or it isn’t”. I reject the premise that things can’t be in between, that it can’t be a little bit of slavery, while still understanding that plantations were a whole lot of slavery. Comparing the similar aspects of things and discussing the things they have in common is not the same as equating them and we can have better discussions if we resist the assumptions that drive us to that conclusion.
I think we also need to keep in mind what slavery actually is, the actual concept of slavery not just the most extensively taught and politically important implementation of it which people tend to confuse and conflate with the concept itself. What happened with the trans-atlantic slave trade is just one example of slavery, it’s not the definition, and as a result we need to be clear which concept of slavery we’re talking about here.
Slavery is fundamentally about depriving people of their right to choose for themselves. The sadistic violence and cruelty of the slave trade and plantations are the emblematic and possibly inevitable results of that, but it’s not what actually defines it. A slave would still technically be a slave even if all the choices being made for them were to make them comfortable and protected while they live in luxury. If they are not allowed to choose anything different for themselves and do not have any personal autonomy to make the choices they want to make, they are a slave to someone or to something. Even kings have sometimes been described as slaves to their position and that is actually true in some ways. That is not “minimizing” slavery, that’s simply describing what being a slave is. It’s not having the right to choose for yourself.
If modern technology and digital rights management controls are depriving people of their rights to choose for themselves in important ways, then it’s totally fair to call it digital slavery.
No. This robot vacuum situation is basically the Holocaust, and if you can’t see that then you are complicit. /s
Yeah down with the oppressors! Robot vacuums are also people!
remote kill command had been issued to his device.
What the actual fuck?!
I don’t think any compatible machines can be acquired in my region any more. The only one I saw semi recently had a revision a few years ago but no packaging or model change to match so you can’t verify if it’s the older model that works or the newer one that doesn’t.
while this is good, we really don’t need all these smart devices in the first place
We could still live in caves, but most of us have chosen not to. I’m personally of the opinion that every advancement that gives you more time to do things that are important to you are worth it. This doesn’t mean inviting every piece of spyware some company tries to thrust upon me is acceptable, either.
people have less free time now, than any time since the labor movement.
tech hasn’t been the solution; but tech companies have been the problem
Libre alternative?
A broom? /s, but not really















