I found the open source Valetudo (https://github.com/Hypfer/Valetudo) project quite interesting, as it sits between the vendor firmware and (cloud) connectivity. The project is made possible due to Dennis Giese's research.
It currently supports Dreame, Xiaomi, Roborock and some others. But not Ecovacs. And not sure it prevents this type of Bluetooth vulnerability.
Dennis works closely with the Valetudo developer. On one of the Valetudo Telegram channels, they announced the following:
> As you might know, we looked into Ecovacs as an alternative for Dreame&Roborock. However, we found security and privacy being completely broken. If you have a X2, a Goat lawnmower, or newer than 2023 devices, you might want to turn them off for now. There is a BLE RCE, that lets an unauthenticated attacker send a payload via Bluetooth, that gets executed as root on the device. It does not appear that Ecovacs wants to fix that. More information: https://twitter.com/lorenzofb/status/1822002515279270079 https://techcrunch.com/2024/08/09/ecovacs-home-robots-can-be...
I specifically shopped for a vacuum using that website and it wasn't too bad to set up.
Same. Had to spend a bunch of time on Telegram finding a breakout board in NA, but once I did that, it was just a matter of following directions. It’s my favorite piece of tech at the moment, and it cost me 180 bucks brand new.
The breakout board is the reason I haven't bought and hacked one of these robots yet. I have to source the PCB and then solder the components myself. I've never done this before and learning this is taking up significant amounts of my free time. Personally I would rather get a manufactured PCB that would no doubt be better built.
I respect their "learn to solder" stance but it's a fact that a lot more people would be involved in the project if it wasn't required.
+1 for Valetudo, not only does it work, but it is also maintained and keeps getting better. Moreover, old vacuums are still maintained as new ones are added.
Yup, my first gen Roborock is still trundling along quite happily because of Valetudo. Would be nice if the base Ubuntu was updatable, but as it's offline except for a connection to a Home Assistant instance it's probably safer than 99% of IoT devices.
Wow.
Can Valetudo provide artificially blocked cloud features? For example the Roborock S5 doesn't have persistent maps, though it would be trivial to just keep one loaded in the cloud, but Roborock would rather you upgrade to an S7.
Would that work?
I have two Roborock S5s running Valetudo with persistent maps. Works well and integrates into Home Assistant.
Someone advertise me why a vacuum cleaner needs internet?
I have a Xiaomi unit and I haven't connected it to an app, so it has no connectivity. It does its job - cleans the house's 1st floor.
Is it useful to target specific places to clean? Ok, that is a feature that would be useful, but I can live without it.
Remotely starting? Fancy feature, not sure I need it - you can as well start it when leaving the house. Maybe useful for some people when wanting to clean up after guests remotely, but then again who knows what's dropped on the floor there.
> Someone advertise me why a vacuum cleaner needs internet?
It doesn't. And it isn't like hosting a web-portal is some kinda alien technology that can only be done in the cloud. There's absolutely no reason that a robot vacuum couldn't serve its own web interface.
Amazing
Only v1 does not have persistent maps, as it is not supported by the firmware. Valetudo only supports whatever the firmware supports already.
I have some modern (mapping) roombas laying around. Any idea what they could be useful for?
If it involves vacuuming, mopping, or returning to their docks, they are pretty useless.
No truck on this robot vacuum race because I don't own one, but one an incredible name.
For (some) Ecovacs, there's Bumper [0]. Not exactly the same as Valetudo but serves a similar purpose.
Ecovacs notified in December 2023
> “Ecovacs has always prioritised product and data security, as well as the protection of consumer privacy,” they said in a statement.
Still not fixed, today.
Mobile Webcam exploit at 100 meters.
Reinforces my gut instinct that I don't want any of these "smart" devices in my home. Aside from being spies, it takes 10 minutes to vacuum the floor with a standard vacuum cleaner. I spent more time than that guiding the Roomba that we had, getting it unstuck from corners or wires, emptying its pitifully small dust cup, making sure all potential obstacles are picked up, etc. Chucked it in the trash after a month or so.
I love our robot vac. Not because it's faster or better than me, but because it's labour-free, and I can run it every day after the kids go to bed and have nice clean floors.
However I also agree about not putting smart spy devices in my home - mine is a very basic cheap model with no cameras or wireless connectivity. Absolutely INSANE to have any type of connected camera inside your home. Even baby monitor cameras, such a huge vulnerability for so little utility.
A robot vacuum will literally change your life.
It seems silly, because as the parent said, it doesn't take long to vacuum normally, but it's one chore struck off the list and becomes something you rarely have to think about anymore.
Coming home to a freshly vacuumed house is a great feeling. With a robot vac, you get to have that feeling every single day.
Robot vacuums aren't as effective at vacuuming as a human would be, but it also doesn't matter. Whatever it missed today, it'll get tomorrow.
Yes, you need to adjust somewhat your living style. If you leave a lot of clothing on the floor, or have cables just laying about, the robot vac will find them and get stuck. You should clean those up anyway - but within the robot vac-owning community it's often a joke that you have to "roomba-proof" your house.
The upsides outweigh the downsides by far.
> A robot vacuum will literally change your life.
For me at least, my robot vac stops well short of that.
But the feeling of smugness I get while I sit on the couch doomscrolling or watching Netflix, while being able to tell myself "Look at me, I'm an adult! I'm doing the chores!!!" as my extremely dumb non-wifi robot randomly bumps around my lounge room is priceless. Totally worth the couple of hundred bucks I paid for it, and the minor rearranging I had to do to make my apartment suitable for it to roam around.
Having some discipline is a tremendous advantage in both personal and professional life, a much better life success multiplier than e.g. just raw intelligence. I guess we all have seen it many times around us. In the sea of kids having 9 seconds attention span due to parents giving up on screen time, the ones with just a bit of discipline or focus will get much further in life, in whatever direction they decide to pursue. And this is one way to get and maintain it, another may be cleaning dishes preemptively (well maybe not if you have a family with 2+ small kids). There are many more.
Not taking away from the benefits of automation and getting a bit of extra free time (nobody is thinking how cool it is to handwash all our clothes all the time, are we), but if you would say that instead you could do 10-15 mins of meditation, learn something new or have a longer run outside, now that would be an improvement. Those passive activities you mention are among the worst ways to spend the extra gained time (albeit very popular due to easy access and addictiveness).
Just my take on some chores, I honestly believe making the life too easy has some negative consequences later and that's how I raise my kids, contrary to many other parents.
> while I sit on the couch doomscrolling or watching Netflix
I'd say that's a tangible improvement to your life. Less mundane chores, more leisure time to unwind after a long day.
Permanently removing something from the "todo" list is always a significant positive.
Oh yeah, definitely a life improvement, but it's not an "OMG! You won't believe this life hack! It's totally changed my life!!! Don't forget to like and subscribe, smash that bell to be sure to see my next amazing video!"(tm) kind of life changing event.
But also, this for me is way more than just "one more thing off the todo list", it's the smugness of "That todo list item is being handled WHILE I'M SITTING ON THE COUCH STUFFING AROUND! HOW GOOD AM I???" :-)
(I acknowledge this is a fairly childish reaction, I'm sure I'll grow up and get over it one day, I'm only 57 after all...)
Sadly, because of two medium hair cats (and carpets), all the robots I’ve had required brush maintenance after every single run, ruining that “coming to a freshly vacuumed house” feeling. Maybe someone knows a robot vacuum that somehow solved it and doesn’t need daily maintenance for pet hair?
This is the same story for anyone with pets. You need to keep at it. Eventually the robot is "caught up" with the hair and then everything is fine.
Run the robot daily (while you're at work or something).
My Roborock is probably the best <$500 purchase I've ever made. I'm actually tempted to get a fancier one with auto emptying just to avoid having to dump the bin once or twice a week
The auto-empty is absolutely worth it. If you want to be very thrifty, get an i7+ from eBay, or a refurbished J5/J7.
It’s also indispensable if you have pets. Cat and dog hair fills the robot up fast.
My old Pethair Plus would find fists of hair in a day or two.
Made me realize the importance of defining your use case as narrowly as possible, when buying home appliances.
> mine is a very basic cheap model with no cameras or wireless connectivity.
What brand is it? So many these days have both cameras and wireless
If (like me) you're okay with connectivity but not cameras, there are quite a few choices out there. The Roborock Q Revo is basically brand new, has just about everything you'd ever want in terms of features / performance but uses lidar for navigation.
If a network connection is a non-starter, your choices are way more limited. It looks like the eufy 11s doesn't have any sort of app / wi-fi support.
I got the Roborock Q Revo a little under a year ago, as an upgrade to a Neato Botvac 80 that had just broken down. Robot vacuums have come so far in ~8 years they're very nearly an entirely different product.
I think OP's issue with Roomba is simply that it was a Roomba (depending on when they tried it); I did a lot of searching before deciding on the Q Revo, and it seems like iRobot had been relying on the Roomba brand name for some time and until very recently was still playing catch-up. Not sure they have caught up when it comes to navigation and the control app.
Also a happy Q Revo Pro customer. No mic/camera, but with the lidar the auto location and pathing is shockingly efficient. And vacuuming might be easy, but mopping is a pain that I never have to deal with anymore. The difference between a pure vacuum and a vacuum plus mop on hardwood floors is night and day, especially with two pets.
After initial setup the Q Revo does not need internet connectivity. So you can set it up using an ephemeral hotspot and afterwards control it exclusively with the buttons on the top of the unit. Any errors are spoken by the device.
> Absolutely INSANE to have any type of connected camera inside your home
so no smartphones for you?
> Aside from being spies, it takes 10 minutes to vacuum the floor with a standard vacuum cleaner.
Robot vacuums often pick up things I miss, because they tend to be more thorough.
> getting it unstuck from corners or wires
Yes, this is annoying. Not everyone has stuff that these vacuums will get stuck in.
> making sure all potential obstacles are picked up,
If you have small clutter on the floor, you probably need to pick it up anyway if you vacuum yourself.
Robot vacuums are for people who have a track record of not vacuuming :-) If you have the discipline to vacuum on your own, then there's no need for a robot one.
Think mine is one of my favorite purchases ever, turned something that used to take me close to two hours into something I don’t even have to do.
Bought a lidar one too (BotVac) so never had to worry about camera feeds and it’s smart about navigating the rooms, not even connected to the net.
I get a lot of value out of my Roomba. It takes me quite a bit longer than 10 minutes to vacuum manually. Whenever I want the Roomba to do its thing, I spend 5 minutes picking things up off the floor (mostly cat toys that I'd have to pick up anyway if I were vacuuming manually) that would trip it up, and then I start it up and ignore it. Sure, it takes longer to vacuum than I would, but aside from the initial 5 minutes of effort, I don't have to do anything. I do also have the model that goes back to the base station to empty its own bin; not having that would be annoying.
Even my sister ended up buying one after I talked about it with her. She was looking for a way to make her daily nighttime kid cleanup ritual less work. Same deal with her: it takes longer for it to do its job than if she were doing it herself, but while it's vacuuming she can clean something else, and be ready for bed earlier than she'd otherwise be.
> it takes 10 minutes to vacuum the floor with a standard vacuum cleaner.
Sure, if you live in a studio, but a lot of people don't.
My space is a bit larger, I hate vacuuming and have never had a manual vacuum I don't find too loud, too inefficient and too large.
I run the robot when I’m outside and have it do two passes which results in very good results. I get tremendous enjoyment from knowing a machine is doing the work I absolutely hate, with quality results. Would absolutely buy again.
> Aside from being spies,
This isn't a problem if you use open-source replacement firmware like Valetudo (https://valetudo.cloud/).
Agree on smart devices, but I also have 3 kids and just want to have clean floors every day.
Also, Roomba is absolute trash compared to any other brand. Replaced my Roomba with a different brand a few months ago and it's a totally different experience.
I specifically bought a robot vacuum with fewer sensors (no camera) for this reason. Why does it need a camera if bump sensors and lidar already work? It's asking for trouble.
Lidar doesn't work for some things: my Roborock S7 has trouble if there's a USB cable on the ground or a lamp's power cord isn't tucked all the way up against the wall. Supposedly the camera models are better at avoiding certain obstacles, which is good if you have a pet or housemate who sometimes poops inside and you don't want that getting mopped all over the floor.
That's a compelling use case for me but considering how many of these vacuums have had privacy issues, I stuck with Lidar (people cast aspersions on the Chinese companies but US manufacturers have track records that don't inspire confidence either - just ask the Roomba employees who got their naked pics leaked online)
"good if you have a pet or housemate who sometimes poops inside"
I have a pet (cat) that unfortunately poops just outside her box most of the time, despite a lot of different ideas and approaches with the help of our vet. She's old and has lower back pain issues. It ends up on a litter mat or the wooden floor, so it's not that hard to clean up.
If I had a housemate that pooped inside not in the toilet, they would need to be even less able to manage their shit, so to speak, and more loved than our cat, or they would be out of here very fast.
just wrap your cables in retroreflective tape?
this is a joke… right?
It’d be ugly but should make them really pop on the lidar, no?
In addition to what others have said, I believe some use an upward facing camera to help with mapping.
Ceilings tend to be less cluttered than floors so it is easier to figure out the shapes of rooms and their relationships by looking at the ceiling than by looking at the floor.
Some manufacturers use cameras instead of LiDAR (iRobot, for example).
Others use both. LiDAR for walls, cameras for object identification below the LiDAR plane, directly in front of the robot. That’s how the fancy ones avoid socks or cables or other small things.
This might be OK for a vacuum cleaner, but nobody in their right mind would choose cameras over LiDAR for important applications.
If I understand correctly Tesla is/has removed LIDAR and uses computer vision for most/all of their self driving.
https://bdtechtalks.com/2021/06/28/tesla-computer-vision-aut...
Yes, perhaps the single-most controversial decision Tesla has made regarding FSD.
Everyone else uses LIDAR in some form. Tesla's cameras can and have been fooled on many occasions.
Yet they stockpile them:
https://www.theverge.com/2024/5/7/24151497/tesla-lidar-lumin...
To be fair, $2MM of LIDAR units seems more like an R&D purchase than a stockpile.
$2.1m?! They must have bought two!
2,100 - according to article
Yeah okay, but that doesn't mean _cameras_ are bad (which, to be fair, they are in Teslas case), it means the algorithms feeding on them are.
It means the cameras can be fooled by things LIDAR cannot be. Such as smoke, glare, reflections, optical illusions/mirage, etc.
If the algorithms are fed with incorrect data, they will produce incorrect results - such as driving full-speed into a parked, white colored, semi-truck.
And lidar can't tell the difference between a plastic bag and a rock, what's your point?
One can (and has been) fooled into thinking there is no object in the path - the other might be extra sensitive to any object in its path.
I'll let you stew on that one for a minute...
> I'll let you stew on that one for a minute...
Then that means the vision processing isn't far along yet to be viable for a car. There is no fundamental reason why it couldn't work though. With either stereoscopic vision or more temporal processing you could obviously detect when things are only painted on a wall surface, with both there really is no excuse to still fail except limited processing power.
I don't think Tesla ever used LIDAR and the article confirms they don't think they will need to. I believe they removed ultrasonic sensors though, maybe that's what you're thinking of.
And this is likely why Tesla's FSD is... not very good.
How did you do your research and which one did you eventually buy?
Not OP, but I'm a big fan of the Vacuum Wars YouTube channel (they have text summaries on their website too)
This sounds like the Roborock S series. I went with lidar over camera because it can run in any lighting condition and I don’t have a need for poop detection.
As a refresher...
These exploits promise to be the rule, not the exception -- and not (just) because this company might have to comply with its national imperatives.
Assuming companies get paid for deploying hackable devices, it gives them an unfair competitive advantage relative to ethical companies (who would have higher prices).
Given the information asymmetry (promoting the devices as simply reliable vs the difficulty and complexity of hacking them), this advantage is protectable.
Thus if, or since, the market gives enduring advantages to this kind of exploitation, we can expect exploitation to be the rule, and product/technical leaders will be selected who comply.
A key aspect (noted in the article) is the capture of technical standards organizations by the companies they monitor. Usually this is good (keeping standards more realistic, timely, and relevant). But that means one can't rely on those organizations to protect end users (whether business or consumer).
The alternative of government politicized regulators would kill technology advancement, leading to a race to less-regulated jurisdictions (protected by fair-trade rules). The same is true of product liability schemes.
So exploitation is the rule, and technology can't regulate itself or be regulated.
Meanwhile, technology reaches into every aspect of work and play.
Entrepreneurs who solve this problem would create tremendous value (yes, some of which could be captured).
I don't do much "smart home" stuff, but could someone explain the value of allowing your vacuum cleaner talk to the internet? Does it use cloud resources to process stuff remotely like I believe Alexa does?
Most of them don't allow any amount of app control whatsoever unless they have an internet connection. LAN-only app interaction is apparently basically non-existent in this market, for some reason. You can usually use them without giving a wifi connection, but then you can do nothing more than "push a button on the robot to start cleaning the house" and it just runs an automatic/default scheme -- no customization.
Basically the reality is that you're held hostage by the very few manufacturers making these, who also gate most functionality behind "let us surveil your entire home permanently".
Almost all modern devices use internet access for one thing: Because, in the modern internet, it's basically impossible to reliably initiate a p2p connection.
I'm guessing it transmits telemetry to help the manufacturer improve the robot's spatial awareness algorithm (and images for the same reason), and users probably consent to this without realizing it when they "agree" to the 15-page TOS
OK, I was going for value to the customer. Obviously selling your data to the highest bidder is a given nowadays.
Drives around, lidar draws a floor plan with all the obstacles, you can then mark zones (don't vacuum here, do extra vacuuming over there,...), set up schedules (vacuum the hallway daily, bedroom every two days, ...), etc.
But lidar is not a camera and exposes much less than a video feed does... why does a vacuum need a camera is a different question.
So expose this on a webserver on the device itself, advertise it via mDNS, have the app talk to it directly from the same network, or via a custom IP for people with more complex needs.
So how will I turn it on from work?
>why does a vacuum need a camera is a different question.
Cheaper than a lidar, although I’d never buy a camera one.
I have an old school Roomba - no Internet/Wifi capability. None of what you said is that helpful.
Obstacles: Not sure what kind...? It's either a large enough obstacle that it will bounce off and continue vacuuming, or small enough that you should probably pick up.
Zones: Solved with the virtual walls that come with the old style Roombas.
Schedules: My Roomba has it - no need for networking.
Obstacles: Mine always get stuck under the toilet because it almost fits and it's a very oblique angle
Ah - I don't consider them as "obstacles", but "traps". For me, it sometimes gets stuck under certain chairs. There is a path for it to "escape", but about 25% of the time it gives up. So when I do that room, I have to rearrange it so the chairs are not in the path. As a result, I rarely do that room.
I doubt their "smartness" will figure out that it may get stuck under those chairs. But even if it did, I wouldn't allow it to communicate home.
To control it via app. Scheduling and such.
Perhaps.
But it has its own little robot brain, and I have a pocket supercomputer along with a LAN to connect betwixt these two things.
I know that realtime clock modules are useful for scheduling and are not free, but that doesn't mean that a device needs to call home in order to start sweeping the floor at a particular time.
Honestly I think you're overestimating most people.
The concept of a LAN is a non-starter for many folks. My measure is my in-laws. They like technology but don't understand it. My mother-in-law does not know what LAN means or how to access it.
These things phone home for the apps that let normal people like that run them.
Your in-laws are smart enough to understand that they can't use their robo-vac without having "the wiffies" turned on.
Your in-laws can presumably print from their phone, using mDNS to find local printers, and sending the traffic direct to the printer. They can presumably also do AirPlay operating in exactly the same way.
They don't need to know terms like LAN or mDNS or Bonjour or whatever.
It can talk to the NTP server the network DHCP server gives out. If DHCP doesn't give an NTP server then sure, try to talk to one (which should be configurable from the onboard webserver).
Or it can set the clock locally from the particular app instance used for the initial setup.
If that's not accurate enough due to drift, then it can also rejigger the clock during subsequent runs of the app.
And that's probably good enough.
It's just a robo-vac -- nobody is going to be late for work or even annoyed if it drifts a bit and a sequence starts at 7:02:37 instead of 7:00:00.
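As an added illustration of the LAN-only time source discussed in the two comments above (not code from the thread or from any vendor): a device can read the NTP servers its DHCP lease advertises (option 42) and only fall back to a locally configured server when the lease names none. The lease bytes below are constructed for the example.

```python
"""Added example: pick an NTP server from the DHCP lease instead of phoning home.

The DHCP option bytes here are constructed sample data; a real device would take
them from its DHCP client's lease.
"""
from ipaddress import IPv4Address

DHCP_OPT_PAD = 0            # single-byte padding, no length field
DHCP_OPT_NTP_SERVERS = 42   # RFC 2132 8.3: list of IPv4 addresses
DHCP_OPT_END = 255          # terminates the option area


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV option area of a DHCP message (the part after the magic cookie)."""
    parsed = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == DHCP_OPT_PAD:
            i += 1
            continue
        if code == DHCP_OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        parsed[code] = value
        i += 2 + length
    return parsed


def ntp_servers_from_lease(options: bytes) -> list:
    """Return the option 42 servers as dotted strings, in the order the server listed them."""
    raw = parse_dhcp_options(options).get(DHCP_OPT_NTP_SERVERS, b"")
    if len(raw) % 4 != 0:
        raise ValueError("option 42 length must be a multiple of 4")
    return [str(IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def choose_time_source(options: bytes, fallback_ntp: str) -> tuple:
    """('dhcp', server) when the lease names one, else ('configured', fallback_ntp)."""
    servers = ntp_servers_from_lease(options)
    if servers:
        return ("dhcp", servers[0])
    return ("configured", fallback_ntp)


# Constructed lease: router (3) = 192.168.1.1, a pad byte, then
# NTP servers (42) = 192.168.1.1 and 192.168.1.2, then END.
SAMPLE_OPTIONS = (
    bytes([3, 4]) + IPv4Address("192.168.1.1").packed
    + bytes([DHCP_OPT_PAD])
    + bytes([42, 8])
    + IPv4Address("192.168.1.1").packed
    + IPv4Address("192.168.1.2").packed
    + bytes([DHCP_OPT_END])
)

# Constructed lease with no option 42 at all.
NO_NTP_OPTIONS = bytes([3, 4]) + IPv4Address("192.168.1.1").packed + bytes([DHCP_OPT_END])

if __name__ == "__main__":
    print(choose_time_source(SAMPLE_OPTIONS, "pool.ntp.org"))
    print(choose_time_source(NO_NTP_OPTIONS, "pool.ntp.org"))
```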
Apparently some of them feature two-way communication so you can for example talk to your pets.
That seems like a really good way to get my dog to absolutely savage a smart speaker.
I'm looking for one that barks to non-pets
It's literally the perfect house surveillance device though. Camera on a moving robot which is connected to a network, ha
Or a thing to get triggered whenever there's a suspected burglar. Doesn't even need to get it right all the time, just can't get it wrong. Nobody ever suspects the vacuum cleaner!
Does anyone sell one that barks? Or makes it sound like 2-3 angry people are having a conversation about guns from different points of a room?
Why is it that a smart device (robovacuum or proximity sensor, etc.) requires the same technology as a streaming webcam?
In other words, are there any HW-level privacy-preserving CCDs (for lack of a better word) that provide an image in a format that can't be snooped in? Like say, I need an 'image' that I use to detect certain objects - I don't really need a 1920x1080 24bit RGB image @ 30Hz?
In fact, with such a mechanism, certain other metrics (performance, better object detection) could also improve in addition to privacy?
> that provide an image in a format that can't be snooped in
There's no way to make information that can only be used in the way you want it to.
I would assume that the image is handled in software: i.e., the vacuum runs software that uses the image as one of its many inputs to decide where to steer the vacuum. Doing this as hardware-only is technically possible, but in practice, it's probably so difficult to implement it that way that it may be impractical. (For example, how can you remotely update the vacuum to fix a bug in the algorithm if it's burned into a chip?)
Edit: I should point out that the vacuum is probably using a standard, off-the-shelf, camera part. They could consider figuring out how to blur the image (by manipulating the lens during manufacturing,) but I wouldn't make any assumptions about their algorithms to assert that this is practical.
> I would assume that the image is handled in software: i.e., the vacuum runs software that uses the image as one of its many inputs to decide where to steer the vacuum.
They mainly use lidar for navigating the room, the front camera is to help identify obstacles so they're not run over. They also advertise using the camera and a two-way microphone with remote control through the app, so you can look around your home or talk to your pets while you're away.
What I am talking about is a bit different: imagine if the CCD produced a non-MxN color image. Maybe think of it as scrambled data that has just the right level of detail for the machine to do its thing but not something where you can get back the full color image via any means.
I am not saying the actual CCD is different but it’s something akin to a filter between the HW and the rest of the system to prevent full color image access.
> Maybe think of it as scrambled data that has just the right level of detail for the machine to do its thing but not something where you can get back the full color image via any means.
Information theory says this is impossible. https://anishathalye.com/inverting-photodna/
I could imagine an IR or LiDAR like image that is still useful to detect objects or humans but is otherwise indecipherable by a human…
Really I think I am imagining homomorphic encryption style techniques.
The resulting image would be basically useless for navigation. If a human can't make stuff out in the image, a computer definitely won't.
Why would that be true? You can do facial recognition on very low resolution photographs that wouldn't be easily recognisable to a human: https://www.sciencedirect.com/science/article/abs/pii/S02628...
That can be achieved by manipulating the lens to blur the image. A blurry high resolution image is generally equivalent to a low resolution image.
I was thinking more of an equivalent of XOR-ing the image direct from the CCD then using a TPM to do the image processing (edge detection, or whatever). You could deobfuscate by inspecting an individual CCD, but all images passed around would be essentially white-noise?
You trust the company to do all this complicated obfuscation, but don't trust them to not spy on you?
All of the HW components are commoditized and horizontally integrated anyway. It's easy to verify and build components with strong guarantees that ensure the integrator can't work around them (and why would they?)
I do worry that companies essentially use the webcam as their main profit margin (sell ads!) with a rubbish trash compactor added as a mere ‘free service’.
You can over emphasize a detail / feature of a design at the expense of other more important features.
Honestly, it just makes more sense to follow good security practices. Protecting the Bluetooth interface is much more practical than what you propose.
FWIW: Military jets encrypt transmission on the wire between chips and components. But, they have to worry about a lot more than casual Bluetooth snooping.
I am not worried about the attack vector mentioned in the article - but that’s definitely a concern and a nice buzzworthy headline.
I am more worried about the robovac companies really being an ad supported spying company with robovac as a mere shipping vehicle.
Back when I was playing with DIY Drones, there were a bunch of projects using optical mouse sensors to do visual position hold at low altitudes. There was a fairly well known way to swap out the lens, then you'd get a 16x16 or 32x32 pixel "image" stream, which was good enough to do feature detection and at the same time made that feature detection way less computationally expensive than hi resolution video feeds.
I strongly suspect anything a robot vac does with cameras could easily be done with super low resolution sensors. Even if you needed to put 2 of them in stereo to get depth perception that maybe you could compute from HD video.
Some of them sell it as a feature and let you drive your robovac around like a FPV drone. Hardly worth the spying implications.
You could try smearing Vaseline on the lens.
As always, I am super proud of the Australian Broadcasting Corporation and their consistent balanced (for the most part) good work.
A national treasure, but I've stopped reading their news in the last year due to the clickbait headlines.
His homepage: https://dontvacuum.me/
Link to Dennis's website with slides for a talk he did on this topic:
https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecova...
ABC Australia
Title: We hacked a robot vacuum — and could watch live through its camera
I would love to upgrade my ten year old Roborock running Valetudo. But I'm not sure they've been able to figure out a way to root the new machines.
I point blank refuse to have a computer on wheels with cameras and microphones roaming my house with a direct connection to China. It really blows my mind that the majority of people seem to think that's fine.
Huh, I have an Ecovacs vacuum. I hope this leads to a cloud cut exploit so I can run it locally.
The biggest disappointment has been Tuya patched the exploits which let tuya-cloudcutter work without dismantling devices.
I don't know how we do it, but I want a world where IoT is required to be independent of cloud and flashable.
You can check here: https://valetudo.cloud/pages/general/supported-robots.html
Uhhh, actually, I guess there aren't any Ecovacs models yet supported by Valetudo, unfortunately :\
Of course the researcher has to have htop open!
Btw has anyone done an analysis of Bobsweep (Canadian company) vacs? They kind of position themselves now as "privacy focused".
Does this mean they found an exploit in the Bluetooth mechanism? How were they able to pair with any protected Bluetooth device? (Was hoping for more info on that.)
Technical details here: https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecova...
Based on the slides, any device can pair with the robot. They implemented the security based on the payload, not the BLE protocol.
That... sounds like a really terrible idea?! Even my JBL refuses to connect half the time.
Would there be a market for a VPN-style zeroconf networking "protocol" (that maybe sits on top of TCP) that would work with a yubikey and NFC? The effect would be that if you didn't, at some point, swipe the yubikey (or other token) on the IoS (internet of shit) device, and on the router/smart phone/PC, then you just get encrypted data.
I think this would be intuitive to many people, physically touching the security wand on the devices you want to connect, and voila. Of course, this wouldn't work for the companies selling you this junk where they insert themselves and their paywall in between.
I'm just wondering if TLS could be (ab)used for this use case.
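The touch-to-pair idea in this comment, as an added example that is not part of the thread: a token's secret is only released by a physical tap, both ends derive keys from it, and anyone who never tapped the token sees only ciphertext and cannot forge or replay commands. `HardwareToken`, `Peer` and the message format are assumptions for illustration; the encrypt-then-MAC construction built from HMAC-SHA256 is a stand-in so that the example runs with the Python standard library alone.

```python
"""Out-of-band (touch) key provisioning plus authenticated encryption (added example)."""
import hashlib
import hmac
import secrets
import struct


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    # HKDF (RFC 5869) extract-then-expand: derives independent per-purpose keys
    # from the token secret so the encryption and MAC keys are never the same bytes.
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class HardwareToken:
    """Hypothetical NFC token: its secret leaves the token only on a physical tap."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)

    def tap(self) -> bytes:
        return self._secret


class Peer:
    """A device or controller; un-provisioned peers hold no keys at all."""

    NONCE_LEN, TAG_LEN = 12, 32

    def __init__(self, name: str) -> None:
        self.name = name
        self.enc_key = self.mac_key = None
        self.seen_nonces = set()  # replay protection

    def provision(self, token: HardwareToken) -> None:
        # The tap is the whole "pairing ceremony": no secret crosses the network.
        secret = token.tap()
        self.enc_key = hkdf_sha256(secret, b"iot-pair enc v1")
        self.mac_key = hkdf_sha256(secret, b"iot-pair mac v1")

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Toy stream cipher (HMAC-SHA256 in counter mode), illustrative only;
        # a real deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305.
        out = b""
        for i in range((length + 31) // 32):
            out += hmac.new(self.enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        return out[:length]

    def seal(self, plaintext: bytes) -> bytes:
        if self.enc_key is None:
            raise PermissionError(f"{self.name} was never provisioned")
        nonce = secrets.token_bytes(self.NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, message: bytes) -> bytes:
        if self.mac_key is None:
            raise PermissionError(f"{self.name} was never provisioned")
        if len(message) < self.NONCE_LEN + self.TAG_LEN:
            raise ValueError("authentication failed")
        nonce, ct, tag = message[:12], message[12:-32], message[-32:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # verify before decrypting
            raise ValueError("authentication failed")
        if nonce in self.seen_nonces:
            raise ValueError("replay rejected")
        self.seen_nonces.add(nonce)
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def demo() -> dict:
    # Constructed scenario: phone and vacuum tapped the same token; a stranger tapped another.
    token, vacuum, phone, stranger = HardwareToken(), Peer("vacuum"), Peer("phone"), Peer("stranger")
    vacuum.provision(token)
    phone.provision(token)
    stranger.provision(HardwareToken())
    msg = phone.seal(b"start-clean room=kitchen")
    result = {"vacuum_reads": vacuum.open(msg)}
    for label, target, data in (
        ("stranger", stranger, msg),                               # wrong key
        ("replay", vacuum, msg),                                   # same nonce twice
        ("tampered", vacuum, msg[:12] + bytes([msg[12] ^ 1]) + msg[13:]),
    ):
        try:
            target.open(data)
            result[label] = "accepted"
        except ValueError as exc:
            result[label] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

On the TLS question: the tapped secret is exactly the kind of pre-shared key a TLS-PSK session or a mutually authenticated TLS setup can be bootstrapped from, so TLS is not so much abused as given a sensible enrollment story; the hand-rolled construction above only exists to keep the example dependency-free.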
Why does a vacuum need a microphone?
Why is the device connected to the Internet? And why does it have a camera?
I have a different model, but:
Control of the device requires an iOS/Android app and communication takes place via the internet.
My model has a camera in order to map its surroundings.
The app makes a map of the space, separated into rooms, making it possible to request or schedule the cleanup of a specific room or zone. I often start the cleaning process while not at home.
Because the morons making the product think you need to use it while away from home, which is also conveniently allowing them to send data to their servers all the time. I personally never do, so a bluetooth connection would be sufficient, but they don't give you a choice.
"popular robot vacuum" huh? I really hate clickbait headlines. I know about the HN rule to not change the title, but I really wish there was an exception for clickbait.
It's an Ecovacs vacuum. Not an irobot, as most people were probably thinking.
iRobot is since COVID not the market leader anymore. After Amazon did not buy them, they might disappear at some point. If you look at their products, they did not really release anything innovative recently. Based on the numbers, Ecovacs might have a bigger market share than iRobot.
Could also be a Shark or a Roborock - both brands are also pretty popular
Maybe it's just me, but when I hear "popular X" rather than a brand name or "the most popular X" I generally skip past the number one most likely option in my mind
To be fair, the sharer may have just been quoting the ABC's own words. Clickbait is their MO of late, and their app is the worst for it. The website used to be better.
EDIT: the link in the app phrases it "The world's largest home robotics company has a problem - its vacuum cleaners can be hacked from afar".
The ABC News website (the Australian one) has been doing A/B testing on headlines for years. It's super common to see two or three different versions of the headline in the first hour or so after an article's publication, and then settle onto the presumably best click thru one. It used to show up pretty obviously when the url didn't match the headline, but I'm not sure if that's still true after their recent (awful) website redesign.
iRobot had the same kind of issues with leaked camera photos. Sure, the distinction might help. But Roombas are in no way more secure/less intrusive.
There should definitely be a clickbait exception to that. Sure, "YOU WON'T BELIEVE what robot vacuum ABC hacked" might work better if you want an unaltered title, but it's objectively worse in every way.
[flagged]
Have you looked at the privacy record of some of the large US tech companies? Not exactly confidence inspiring. But carry on with the casual racism.
Not everything is racism. This is xenophobia. Using words incorrectly takes away their meaning.
This is naked Australian government propaganda to make people fear China