Robot Phone Home…Or Else

We would have enjoyed [Harishankar’s] teardown of a robot vacuum cleaner, even if it didn’t have a savage twist at the end. Turns out, the company deliberately bricked his smart vacuum.

Like many of us, [Harishankar] is suspicious of devices beaming data back to their makers. He noted a new vacuum cleaner was pinging a few IP addresses, including one that was spitting out logging or telemetry data frequently. Of course, he had the ability to block the IP address, which he did. End of story, right?

No. After a few days of working perfectly, the robot wouldn’t turn on. He returned it under warranty, but the company declared it worked fine. They returned it and, indeed, it was working. A few days later, it quit again. This started a cycle: the device would work at the service center, come home and work for a few days, then quit again.

You can probably guess where this is going, but to be fair, we gave you a big hint. The fact that it would work for days after blocking the IP address wouldn’t seem like a smoking gun in real time.

The turning point was when the company refused to perform any further service on the unit. So it was time to pull out the screwdriver. Inside was a dual-CPU AllWinner SoC running Linux and a microcontroller to run the hardware. Of course, there were myriad sensors and motors, too. The same internals are used by several different brands of vacuum cleaners, so this isn’t limited to one brand.

Essentially, he wrote his own software to read all the sensors and drive all the motors using his own computers, bypassing the onboard CPU. But he found one thing interesting. The Android Debug Bridge was wide open on the Linux computer. Sort of.

The problem was, you could only get in a few seconds after booting up. After that, it would disconnect. A little more poking fixed that. The software stack was impressive, using Google Cartographer to map the house, for example.

But what wasn’t impressive was the reason for the repeated failures. A deliberate command was sent to kill the robot when it quit phoning home with telemetry. Of course, at the service center, it was able to report and so it worked fine.

The hardware and the software are impressive. The enforcement of unnecessary data collection is not. It does, however, make us want to buy one of these just for the development platform. [Harishankar] has already done the work to make it useful.

It isn’t just vacuums. Android phones spew a notorious amount of data. Even your smart mattress — yes, there are smart mattresses — can get into the act.

31 thoughts on “Robot Phone Home…Or Else”

  1. In the linked article, he IDs the thing to be an iLife A11. Listed as “Currently unavailable” with very bad reviews on Amazon. A12 ($169.99) and A30 ($189.99) are still available and I have little doubt that they have the same “feature.”

    In other privacy news, Flock Safety, the AI aided license plate tracker system (which they also brag about being able to track cars without needing a plate simply by other characteristics unique to a particular car) are teaming up with the Ring home security camera service.

    Go to Musk’s grok and request the following without the quotes: “Palantir + Flock Safety + Ring + Starlink + AI. Connect the dystopian dots in detail.”

  2. And this is why I’m on a wired network. I have a so-called “smart” tv, and I didn’t set up the wifi on it.
    I just watch my local news and weather. I don’t need wifi for that.

    1. I get my local news and weather by sitting down to my pc and calling up the local news website. Quick scan, Done. Don’t have to listen to talking heads. Weather is simple too with duck duck go. weather in search bar. Done. Less than a minute or two, I have the info I need for the day. My systems use wired networking as well. But do have Wifi available for company if needed.

      What I don’t understand, is I have to ‘login’ to my wifi router to use the internet. How does the vacuum do it without someone ‘setting up’ the device in the first place to get access??? And if the box says you need internet/account to setup device, that is big warning bell in my mind to not buy. Like M$ does. Nope notta! Only local access wanted. There is a reason I have a local home network, and the internet network. Home automation devices only get access to home network.

  3. DuckDuckGo publish an app for Android that hooks into Android’s VPN system to block a lot of telemetry to known tracking companies. It allows you to see counts of what apps have been blocked and to which receivers.

  4. There are smart mattresses? OMG! I’m just imagining how this probably gets used. Customer ‘had a good night’ last night. Customer is probably amenable to buying from this list of goods which studies show happy people buy. Customer hasn’t ‘had a good night’ in months. Customer might be amenable to buy from this other list.

    This is hell right? When did I die?

    1. Even more fun, when AWS went down a couple days ago, many of these “smart” mattresses ceased to respond to commands, leaving them in inclined positions or with the heat turned on, for example.

  5. I’m struck by the amount of compute power here and yet the support people somehow weren’t able to detect that the robot stopped working because it couldn’t phone home. I’d be surprised if that data wasn’t available in non-volatile storage on the device.

    1. yet the support people somehow weren’t able to detect that the robot stopped working because it couldn’t phone home

      Oh I expect most of them could, but they don’t care just follow the script. And no doubt step 1 of the script is connect it to the testing network and hit run… Which in this case would just magically have it work, no problem here return it.

  6. The real winning play is to send random map data to the company servers. Mansions, little shotgun shacks, House of Leaves nonsense, whatever, just a constant stream of trash data.

    1. Someone on Mastodon recently reported that their lidar robot vacuum had discovered a whole new section of their house that they didn’t know about because it got bad data back from a full length wall mirror and was convinced there was a hallway and a room back there. So they’ll generate their own house of leaves if you encourage them a little.

  7. Why would I pay for a data collection device to roam my home? It’s enough that I have a laptop on my desk. Although it runs Linux, I keep a hatchet nearby if its proprietary UEFI code ever goes rogue and I need to disable it.

    Some time in 2010s EU decided to cuck corded vacuum cleaners by limiting their power which turned them from appliances into toys. In 2019 my 1200W pre-regulation vacuum died so… I went and bought a 1400W shop vac to use at home.

    It was such a great decision. Unlike consumer devices it sucks, it blows, it isn’t afraid of liquids, it has a large stainless steel bin that’s trivial to empty out and it will accept any 38 mm hose, pipe and brush. Since it doesn’t have to visually appeal to women with case that has pretty shapes and fancy colours, it’s also cheap.

    At my local DIY store a 1400W shop vac costs $60. Basic 650W Electrolux consumer unit starts at $120 while more advanced models (with less power, sic!) can reach prices of up to $350. This is nuts.

    The only “disadvantage” of a shop vac is that I have to put on Peltor earmuffs while using it – which is honestly not an issue at all.

    1. Since the 90s the vacuum cleaner manufacturers have kept on releasing new products that were more and more power hungry without any increase in suction power. The regulation was necessary. Now you can finally find vacuum cleaners that make much less noise, and the best part of it is that finally the suction power and efficiency is finally stated, which are much more relevant numbers rather than just power consumption on its own.

  8. You made what looks like a deliberate decision to leave out the fact that the vacuum was an ILIFE A11, from the scumbags at ILIFE in Guangdong.

    Unethical businesses, like ILIFE, that are actively hostile to their customers, need to be named and shamed, loudly. It should be impossible to search for names like “ILIFE”, or products like “ILIFE A11”, without finding the information about how fundamentally worthless products like the ILIFE A11 from shady companies like ILIFE have deliberately been crippled.

    Please do better.

  9. This is why I never upgraded my old Roomba – I don’t need devices mapping my house. Its battery died again though and I’m not sure about sticking a home-built lithium in.

  10. Apparently there’s been no coverage of Valetudo https://valetudo.cloud/ here yet, since surely it would have been the attention-trap link at the end of the article. (Also, did not appear in a search.) It’s open source robot vacuum software that works entirely locally. It was enabled by jailbreaks from Dennis Giese https://dontvacuum.me/. Harishankar has certainly done enough work to be able to support it in Valetudo.

  11. So…. at what point setting up this vacuum did you not think “wait a minute why am I allowing a freaking vacuum to access my home wifi?”
    I have zero sympathy.
    This is in the same bin as buying a genuine Rolex from a dude on Canal Street for $100. But buying it using a photo of your credit card and giving him your social security number and home address.
    I bought a bird feeder for my mom with a camera. She opened it on her birthday and when I tried to set it up, it required an app, an email login and account, etc. I apologized to her and returned it.
    I do love the hack though.
