[HN Gopher] ABC News hacks into popular robot vacuum, watches ow...
___________________________________________________________________
ABC News hacks into popular robot vacuum, watches owner through
camera
Author : puffl
Score : 186 points
Date : 2024-10-03 22:43 UTC (5 days ago)
(HTM) web link (www.abc.net.au)
(TXT) w3m dump (www.abc.net.au)
| elitistphoenix wrote:
| His homepage: https://dontvacuum.me/
| killingtime74 wrote:
| I specifically bought a robot vacuum with fewer sensors (no
| camera) for this reason. Why does it need a camera if bump sensors
| and Lidar already work? It's asking for trouble.
| dikkechill wrote:
| How did you do your research and which one did you eventually
| buy?
| iammiles wrote:
| This sounds like the Roborock S series. I went with lidar
| over camera because it can run in any lighting condition and
| I don't have a need for poop detection.
| Rebelgecko wrote:
| Not OP, but I'm a big fan of the Vacuum Wars YouTube channel
| (they have text summaries on their website too)
| MBCook wrote:
| Some manufacturers use cameras instead of LiDAR (iRobot, for
| example).
|
| Others use both. LiDAR for walls, cameras for object
| identification below the LiDAR plane, directly in front of the
| robot. That's how the fancy ones avoid socks or cables or other
| small things.
| supportengineer wrote:
| This might be OK for a vacuum cleaner, but nobody in their
| right mind would choose cameras over LiDAR for important
| applications.
| NRv9tR wrote:
| If I understand correctly, Tesla is/has removed LIDAR and
| uses computer vision for most/all of their self-driving.
|
| https://bdtechtalks.com/2021/06/28/tesla-computer-vision-
| aut...
| Alupis wrote:
| Yes, perhaps the single-most controversial decision Tesla
| has made regarding FSD.
|
| Everyone else uses LIDAR in some form. Tesla's cameras
| can and have been fooled on many occasions.
| bmicraft wrote:
| Yeah okay, but that doesn't mean _cameras_ are bad
| (which, to be fair, they are in Tesla's case), it means
| the algorithms feeding on them are.
| Alupis wrote:
| It means the cameras can be fooled by things LIDAR cannot
| be. Such as smoke, glare, reflections, optical
| illusions/mirage, etc.
|
| If the algorithms are fed with incorrect data, they will
| produce incorrect results - such as driving full-speed
| into a parked, white-colored semi-truck.
| nicce wrote:
| Yet they stockpile them:
|
| https://www.theverge.com/2024/5/7/24151497/tesla-lidar-
| lumin...
| Rebelgecko wrote:
| Lidar doesn't work for some things - my Roborock S7 has trouble
| if there's a USB cable on the ground or a lamp's power cord
| isn't tucked all the way up against the wall. Supposedly the
| camera models are better at avoiding certain obstacles, which
| is good if you have a pet or housemate who sometimes poops
| inside and you don't want that getting mopped all over the
| floor.
|
| That's a compelling use case for me but considering how many of
| these vacuums have had privacy issues, I stuck with Lidar
| (people cast aspersions on the Chinese companies but US
| manufacturers have track records that don't inspire confidence
| either - just ask the Roomba employees who got their naked pics
| leaked online)
| tzs wrote:
| In addition to what others have said, I believe some use an
| upward facing camera to help with mapping.
|
| Ceilings tend to be less cluttered than floors so it is easier
| to figure out the shapes of rooms and their relationships by
| looking at the ceiling than by looking at the floor.
| ncr100 wrote:
| Ecovacs notified in December 2023
|
| > "Ecovacs has always prioritised product and data security, as
| well as the protection of consumer privacy," they said in a
| statement.
|
| Still not fixed, today.
|
| Mobile Webcam exploit at 100 meters.
| ChrisArchitect wrote:
| ABC Australia
|
| Title: We hacked a robot vacuum -- and could watch live through
| its camera
| dikkechill wrote:
| I found the open source Valetudo
| (https://github.com/Hypfer/Valetudo) project quite interesting,
| as it sits between the vendor firmware and (cloud) connectivity.
| The project is made possible due to Dennis Giese's research.
|
| It currently supports Dreame, Xiaomi, Roborock and some others,
| but not Ecovacs. And I'm not sure it prevents this type of Bluetooth
| vulnerability.
| Tier3r wrote:
| No truck with this robot vacuum race because I don't own one, but
| what an incredible name.
| FloatArtifact wrote:
| I specifically shopped for a vacuum using that website and it
| wasn't too bad to set up.
| xkcd-sucks wrote:
| +1 for Valetudo. Not only does it work, but it is also
| maintained and keeps getting better. Moreover, old vacuums are
| still maintained as new ones are added.
| dugite-code wrote:
| Yup, my first-gen Roborock is still trundling along quite
| happily because of Valetudo. Would be nice if the base Ubuntu
| was updatable, but as it's offline except for a connection to
| a Home Assistant instance, it's probably safer than 99% of IoT
| devices.
| cassianoleal wrote:
| For (some) Ecovacs, there's Bumper [0]. Not exactly the same as
| Valetudo but serves a similar purpose.
|
| [0] https://github.com/bmartin5692/bumper
| FredFS456 wrote:
| Dennis works closely with the Valetudo developer. On one of the
| Valetudo Telegram channels, they announced the following:
|
| > As you might know, we looked into Ecovacs as an alternative
| for Dreame & Roborock. However, we found security and privacy
| to be completely broken. If you have an X2, a Goat lawnmower, or
| devices newer than 2023, you might want to turn them off for
| now. There is a BLE RCE that lets an unauthenticated attacker
| send a payload via Bluetooth that gets executed as root on the
| device. It does not appear that Ecovacs wants to fix that. More
| information:
| https://twitter.com/lorenzofb/status/1822002515279270079
| https://techcrunch.com/2024/08/09/ecovacs-home-robots-can-be...
| pj_mukh wrote:
| Wow.
|
| Can Valetudo provide artificially blocked cloud features? For
| example the Roborock S5 doesn't have persistent maps, though it
| would be trivial to just keep one loaded in the cloud, but
| Roborock would rather you upgrade to an S7.
|
| Would that work?
| darknavi wrote:
| I have two Roborock S5s running Valetudo with persistent
| maps. Works well and integrates into Home Assistant.
| XorNot wrote:
| Huh, I have an Ecovacs vacuum. I hope this leads to a cloud-cut
| exploit so I can run it locally.
|
| The biggest disappointment has been Tuya patched the exploits
| which let tuya-cloudcutter work without dismantling devices.
|
| I don't know how we do it, but I want a world where IoT is
| required to be independent of cloud and flashable.
| gosub100 wrote:
| Would there be a market for a VPN-style zeroconf networking
| "protocol" (that maybe sits on top of TCP) that would work with a
| yubikey and NFC? The effect would be that if you didn't, at some
| point, swipe the yubikey (or other token) on the IoS (internet of
| shit) device, and on the router/smart phone/PC, then you just get
| encrypted data.
|
| I think this would be intuitive to many people, physically
| touching the security wand on the devices you want to connect,
| and voila. Of course, this wouldn't work for the companies
| selling you this junk where they insert themselves and their
| paywall in between.
|
| I'm just wondering if TLS could be (ab)used for this use case.
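The pairing-by-touch scheme gosub100 sketches above, modelled as an added example (not code from the thread or from any vendor): a hardware token is physically tapped on both the device and the controlling phone, each side derives the same per-device key, and the device refuses any command that is not authenticated with that key. A party that never touched the token (a vendor cloud, another host on the LAN) gets nothing but refusals, and a captured request cannot be replayed because each challenge is single-use. The `Token`, `Device` and `Controller` classes, the `DEVICE_ID` value and the HMAC challenge-response are assumptions made for the illustration; a real deployment would feed the same shared key into TLS-PSK (the "(ab)used TLS" the comment wonders about) rather than hand-roll the channel.

```python
"""Pairing-by-touch model (added example): a token tapped on both endpoints
provisions a shared per-device key; the device refuses unauthenticated commands."""
import hashlib
import hmac
import secrets

DEVICE_ID = b"vacuum-01"  # constructed identifier for the sample device


class Token:
    """Hardware token (e.g. an NFC key). The master secret never leaves it;
    a tap exports only a key bound to one device id."""

    def __init__(self):
        self._master = secrets.token_bytes(32)

    def touch(self, device_id):
        # Per-device derivation: one device's key does not unlock another.
        return hmac.new(self._master, b"pair:" + device_id, hashlib.sha256).digest()


class Device:
    """The IoT device. It has a key only after a physical touch."""

    def __init__(self, device_id):
        self.device_id = device_id
        self._key = None        # set solely by Device.touch()
        self._pending = set()   # issued, not-yet-consumed challenges

    def touch(self, token):
        self._key = token.touch(self.device_id)

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def handle(self, nonce, command, tag):
        if self._key is None:
            return "refused: device not paired"
        if nonce not in self._pending:
            return "refused: unknown or replayed challenge"
        self._pending.discard(nonce)  # single use: a captured request cannot be replayed
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "refused: bad authenticator"
        return "ok: " + command.decode()


class Controller:
    """Phone/PC app. It holds a key for a device only if the token was tapped on it."""

    def __init__(self):
        self._keys = {}

    def touch(self, token, device_id):
        self._keys[device_id] = token.touch(device_id)

    def authenticate(self, device, command):
        nonce = device.challenge()
        key = self._keys.get(device.device_id, b"")  # no key: tag will not verify
        tag = hmac.new(key, nonce + command, hashlib.sha256).digest()
        return nonce, tag

    def send(self, device, command):
        nonce, tag = self.authenticate(device, command)
        return device.handle(nonce, command, tag)


def demo():
    """Walk through the states a practitioner would want to see refused or accepted."""
    token = Token()
    vac = Device(DEVICE_ID)
    phone = Controller()
    cloud = Controller()  # a party that never physically touched the token
    results = {}
    results["before_any_touch"] = phone.send(vac, b"start_clean")
    vac.touch(token)                       # tap on the device only
    results["device_only_touched"] = phone.send(vac, b"start_clean")
    phone.touch(token, DEVICE_ID)          # tap on the phone too
    results["both_touched"] = phone.send(vac, b"start_clean")
    results["untouched_party"] = cloud.send(vac, b"start_clean")
    nonce, tag = phone.authenticate(vac, b"start_clean")
    results["first_use"] = vac.handle(nonce, b"start_clean", tag)
    results["replay"] = vac.handle(nonce, b"start_clean", tag)  # same nonce again
    return results


if __name__ == "__main__":
    for state, outcome in demo().items():
        print(f"{state:>20}: {outcome}")
```

The point the model makes is that possession of the key, and therefore the physical touch, is the only credential the device honours; nothing the manufacturer ships in the app or the cloud can substitute for it, which is exactly why the comment expects vendors not to build it.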
| SoftTalker wrote:
| Reinforces my gut instinct that I don't want any of these "smart"
| devices in my home. Aside from being spies, it takes 10 minutes to
| vacuum the floor with a standard vacuum cleaner. I spent more
| time than that guiding the Roomba that we had, getting it unstuck
| from corners or wires, emptying its pitifully small dust cup,
| making sure all potential obstacles are picked up, etc. Chucked
| it in the trash after a month or so.
| WheatMillington wrote:
| I love our robot vac. Not because it's faster or better than
| me, but because it's labour-free, and I can run it every day
| after the kids go to bed and have nice clean floors.
|
| However I also agree about not putting smart spy devices in my
| home - mine is a very basic cheap model with no cameras or
| wireless connectivity. Absolutely INSANE to have any type of
| connected camera inside your home. Even baby monitor cameras,
| such a huge vulnerability for so little utility.
| Rebelgecko wrote:
| My Roborock is probably the best <$500 purchase I've ever
| made. I'm actually tempted to get a fancier one with auto
| emptying just to avoid having to dump the bin once or twice a
| week.
| blakes wrote:
| The auto-empty is absolutely worth it. If you want to be
| very thrifty, get an i7+ from eBay, or a refurbished J5/J7.
| Alupis wrote:
| A robot vacuum will literally change your life.
|
| It seems silly, because as the parent said, it doesn't take
| long to vacuum normally, but it's one chore struck off the
| list and becomes something you rarely have to think about
| anymore.
|
| Coming home to a freshly vacuumed house is a great feeling.
| With a robot vac, you get to have that feeling every single
| day.
|
| Robot vacuums aren't as effective at vacuuming as a human
| would be, but it also doesn't matter. Whatever it missed
| today, it'll get tomorrow.
|
| Yes, you need to adjust your living style somewhat. If you
| leave a lot of clothing on the floor, or have cables just
| lying about, the robot vac will find them and get stuck. You
| should clean those up anyway - but within the robot vac-owning
| community it's often a joke that you have to "roomba-proof"
| your house.
|
| The upsides outweigh the downsides by far.
| kardos wrote:
| > mine is a very basic cheap model with no cameras or
| wireless connectivity.
|
| What brand is it? So many these days have both cameras and
| wireless.
| stronglikedan wrote:
| > it takes 10 minutes to vacuum the floor with a standard
| vacuum cleaner.
|
| Sure, if you live in a studio, but a lot of people don't.
| BeetleB wrote:
| > Aside from being spies, it takes 10 minutes to vacuum the
| floor with a standard vacuum cleaner.
|
| Robot vacuums often pick up things I miss, because they tend to
| be more thorough.
|
| > getting it unstuck from corners or wires
|
| Yes, this is annoying. Not everyone has stuff that these
| vacuums will get stuck in.
|
| > making sure all potential obstacles are picked up,
|
| If you have small clutter on the floor, you probably need to
| pick it up anyway if you vacuum yourself.
|
| Robot vacuums are for people who have a track record of _not_
| vacuuming :-) If you have the discipline to vacuum on your own,
| then there's no need for a robot one.
| whywhywhywhy wrote:
| Think mine is one of my favorite purchases ever, turned
| something that used to take me close to two hours into
| something I don't even have to do.
|
| Bought a lidar one too (BotVac) so never had to worry about
| camera feeds and it's smart about navigating the rooms, not
| even connected to the net.
| ta1243 wrote:
| I don't do much "smart home" stuff, but could someone explain the
| value of allowing your vacuum cleaner to talk to the internet? Does
| it use cloud resources to process stuff remotely like I believe
| Alexa does?
| insane_dreamer wrote:
| I'm guessing it transmits telemetry to help the manufacturer
| improve the robot's spatial awareness algorithm (and images for
| the same reason), and users probably consent to this without
| realizing it when they "agree" to the 15-page TOS.
| ta1243 wrote:
| OK, I was going for value to the customer. Obviously selling
| your data to the highest bidder is a given nowadays.
| larrik wrote:
| To control it via app. Scheduling and such.
| ajsnigrutin wrote:
| Drives around, lidar draws a floor plan with all the obstacles,
| you can then mark zones (don't vacuum here, do extra vacuuming
| over there,...), set up schedules (vacuum the hallway daily,
| bedroom every two days, ...), etc.
|
| But lidar is not a camera and exposes much less than a video
| feed does... why does a vacuum need a camera is a different
| question.
| BeetleB wrote:
| I have an old school Roomba - no Internet/Wifi capability.
| None of what you said is that helpful.
|
| Obstacles: Not sure what kind...? It's either a large enough
| obstacle that it will bounce off and continue vacuuming, or
| small enough that you should probably pick up.
|
| Zones: Solved with the virtual walls that come with the old
| style Roombas.
|
| Schedules: My Roomba has it - no need for networking.
| bmicraft wrote:
| Obstacles: Mine always gets stuck under the toilet because
| it almost fits and it's a very oblique angle.
| BeetleB wrote:
| Ah - I don't consider them as "obstacles", but "traps".
| For me, it sometimes gets stuck under certain chairs.
| There is a path for it to "escape", but about 25% of the
| time it gives up. So when I do that room, I have to
| rearrange it so the chairs are not in the path. As a
| result, I rarely do that room.
|
| I doubt their "smartness" will figure out that it _may_
| get stuck under those chairs. But even if it did, I
| wouldn't allow it to communicate home.
| whywhywhywhy wrote:
| > why does a vacuum need a camera is a different question.
|
| Cheaper than a lidar, although I'd never buy a camera one.
| ta1243 wrote:
| So expose this on a webserver on the device itself,
| advertise it via mDNS, have the app talk to it directly from
| the same network, or via a custom IP for people with more
| complex needs.
| Jach wrote:
| Apparently some of them feature two-way communication so you
| can for example talk to your pets.
| RomanUhliar wrote:
| It's literally the perfect house surveillance device though.
| Camera on a moving robot which is connected to a network, ha
| brcmthrowaway wrote:
| This is naked Australian government propaganda to make people
| fear China
| yawnxyz wrote:
| Does this mean they found an exploit in the Bluetooth mechanism?
| How were they able to pair with any protected Bluetooth device?
| (Was hoping for more info on that.)
| FredFS456 wrote:
| Technical details here
| https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecova...
| LeoPanthera wrote:
| "popular robot vacuum" huh? I really hate clickbait headlines. I
| know about the HN rule to not change the title, but I really wish
| there was an exception for clickbait.
|
| It's an Ecovacs vacuum. Not an iRobot, as most people were
| probably thinking.
| tredre3 wrote:
| iRobot had the same kind of issues with leaked camera photos.
| Sure, the distinction might help. But Roombas are in no way
| more secure/less intrusive.
| andrensairr wrote:
| To be fair, the sharer may have just been quoting the ABC's own
| words. Clickbait is their MO of late, and their app is the
| worst for it. The website used to be better.
|
| EDIT: the link in the app phrases it "The world's largest home
| robotics company has a problem - its vacuum cleaners can be
| hacked from afar".
| JimTheMan wrote:
| As always, I am super proud of the Australian Broadcasting
| Corporation and their consistent balanced (for the most part)
| good work.
| FredFS456 wrote:
| Link to Dennis's website with slides for a talk he did on this
| topic:
|
| https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecova...
| textlapse wrote:
| Why is it that smart devices (robovacuum, proximity sensor,
| etc.) require the same technology as a streaming webcam?
|
| In other words, are there any HW-level privacy-preserving CCDs
| (for lack of a better word) that provide an image in a format
| that can't be snooped on? Like say, I need an 'image' that I use
| to detect certain objects - I don't really need a 1920x1080 24-bit
| RGB image @ 30Hz?
|
| In fact, with such a mechanism, certain other metrics
| (performance, better object detection) could also improve in
| addition to privacy?
| teruakohatu wrote:
| Some of them sell it as a feature and let you drive your
| robovac around like a FPV drone. Hardly worth the spying
| implications.
| gwbas1c wrote:
| > that provide an image in a format that can't be snooped in
|
| There's no way to make information that can only be used in the
| way you want it to.
|
| I would assume that the image is handled in software: i.e., the
| vacuum runs software that uses the image as one of its many
| inputs to decide where to steer the vacuum. Doing this as
| hardware-only is technically possible, but in practice, it's
| probably so difficult to implement it that way that it may be
| impractical. (For example, how can you remotely update the
| vacuum to fix a bug in the algorithm if it's burned into a
| chip?)
|
| Edit: I should point out that the vacuum is probably using a
| standard, off-the-shelf camera part. They could consider
| figuring out how to blur the image (by manipulating the lens
| during manufacturing), but I wouldn't make any assumptions
| about their algorithms to assert that this is practical.
| textlapse wrote:
| What I am talking about is a bit different: imagine if the
| CCD produced a non-MxN color image. Maybe think of it as
| scrambled data that has just the right level of detail for
| the machine to do its thing, but not something where you can
| get back the full color image via any means.
|
| I am not saying the actual CCD is different but it's
| something akin to a filter between the HW and the rest of the
| system to prevent full color image access.
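The data-minimising sensor front end textlapse describes, as an added example that is not from the thread or from any vendor: instead of handing the rest of the system a full-colour frame, the "filter" emits one bit per block of pixels saying whether that block stands out from the floor, which is all an obstacle-avoidance loop needs. The frame size, the constructed sample frames, the contrast threshold and the function names are assumptions for the illustration. The example also shows gwbas1c's caveat in miniature: a plain object and the same object carrying a fine printed pattern map to the identical grid, so that detail cannot be recovered downstream, yet the grid still reveals where something is, so the output is reduced, not information-free.

```python
"""Model of a privacy-preserving sensor front end (added example): downstream
code only ever sees a coarse occupancy grid, never the full-colour frame."""

WIDTH, HEIGHT = 160, 90   # constructed sample frame size; real sensors are larger
CELL = 10                 # one output bit per CELL x CELL block of pixels
FLOOR = (180, 180, 180)   # constructed background colour (grey floor)
OBJECT = (40, 30, 30)     # constructed obstacle colour (dark sock, cable, ...)


def make_frame(objects):
    """Construct a frame: uniform floor with dark rectangles at the given
    (x0, y0, x1, y1) pixel bounds. Returns rows of (r, g, b) tuples."""
    frame = [[FLOOR] * WIDTH for _ in range(HEIGHT)]
    for x0, y0, x1, y1 in objects:
        for y in range(y0, y1):
            for x in range(x0, x1):
                frame[y][x] = OBJECT
    return frame


def add_pattern(frame, rect):
    """Overlay a fine checkerboard (think: printed text on a label) inside rect,
    so this frame differs from the plain one at pixel level."""
    x0, y0, x1, y1 = rect
    for y in range(y0, y1):
        for x in range(x0, x1):
            if (x + y) % 2 == 0:
                frame[y][x] = (120, 120, 120)
    return frame


def luminance(pixel):
    r, g, b = pixel
    return 0.299 * r + 0.587 * g + 0.114 * b


def occupancy_grid(frame, cell=CELL, contrast=40.0):
    """The filter itself. Per cell, emit 1 if the cell's mean brightness differs
    from the frame's median brightness by more than `contrast`, else 0.
    Colour, texture and fine shape are discarded here and never leave the sensor."""
    h, w = len(frame), len(frame[0])
    lum = [[luminance(p) for p in row] for row in frame]
    median = sorted(v for row in lum for v in row)[(h * w) // 2]
    grid = []
    for gy in range(0, h, cell):
        row = []
        for gx in range(0, w, cell):
            block = [lum[y][x]
                     for y in range(gy, min(gy + cell, h))
                     for x in range(gx, min(gx + cell, w))]
            mean = sum(block) / len(block)
            row.append(1 if abs(mean - median) > contrast else 0)
        grid.append(row)
    return grid


def obstacle_cells(grid):
    """What the navigation code consumes: the occupied (gx, gy) cells."""
    return [(gx, gy) for gy, row in enumerate(grid) for gx, bit in enumerate(row) if bit]


def frame_bytes(frame):
    return len(frame) * len(frame[0]) * 3       # 24-bit RGB


def grid_bytes(grid):
    return (len(grid) * len(grid[0]) + 7) // 8  # one bit per cell, packed


def demo():
    sock = (20, 40, 50, 60)                      # constructed obstacle position
    plain = make_frame([sock])
    patterned = add_pattern(make_frame([sock]), sock)
    assert plain != patterned                    # the pixel-level difference is real
    g_plain, g_patterned = occupancy_grid(plain), occupancy_grid(patterned)
    return {
        "same_grid": g_plain == g_patterned,     # fine detail did not survive the filter
        "obstacles": obstacle_cells(g_plain),    # ...but position did (gwbas1c's point)
        "bytes_in": frame_bytes(plain),
        "bytes_out": grid_bytes(g_plain),
    }


if __name__ == "__main__":
    print(demo())
```

For the constructed 160x90 frame the filter turns 43,200 bytes of RGB into 18 bytes of grid, a many-to-one mapping that no downstream component, compromised or not, can invert back to the pattern inside the rectangle. Whether a vendor could ship this as silicon rather than firmware is the separate practicality question gwbas1c raises.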
| winrid wrote:
| Of course the researcher has to have htop open!
|
| Btw, has anyone done an analysis of Bobsweep (Canadian company)
| vacs? They kind of position themselves now as "privacy focused".
___________________________________________________________________
(page generated 2024-10-08 23:00 UTC)