Your robot vacuum is secretly collecting your data! - SDN

ShiftDelete.net
FOLLOW US

Your robot vacuum is secretly collecting your data!

After an engineer prevented the iLife A11 robot vacuum from collecting unauthorized data, the manufacturer remotely locked the device.

Your robot vacuum is secretly collecting your data!

Curious about how his iLife A11 robot vacuum cleaner worked, an engineer named Harishankar began monitoring the network traffic from the device. He noticed that the vacuum cleaner was constantly sending logs and telemetry data to the manufacturer. The user had not previously consented to this data collection. The engineer decided to block the IP addresses of these telemetry servers on his network, but left the software update (OTA) servers open. The vacuum cleaner continued to operate normally for a while, but soon refused to turn on completely.

Robot vacuum scandal: The user’s device was remotely locked after blocking data collection!

After a lengthy investigation, Harishankar discovered that a remote “stop command” had been sent to his device. He sent the vacuum cleaner to authorized service several times. Interestingly, the technicians at the service center found no problems when they turned it on. When the vacuum cleaner returned to the engineer, it worked for a few days and then stopped turning on. After this situation repeated several times, the service center, likely tired of this situation, declared the device void of warranty and stopped accepting the vacuum.

robot süpürge, iLife A11, veri toplama, telemetri

Harishankar then decided to disassemble the vacuum cleaner to determine what was causing it malfunction and see if he could get it working again. The iLife A11 was a smart device containing an AllWinner A33 chipset, the TinaLinux operating system, and a microcontroller that managed sensors like Lidar. The engineer created custom PCB connectors and wrote Python scripts to control the components with a computer. He even built a Raspberry Pi joystick to manually control the vacuum cleaner, proving there were no hardware issues.

Confirming the hardware was intact, the engineer then examined the software and operating system. Here he encountered a dark truth: the robot vacuum cleaner was a security nightmare. The device’s Android Debug Bridge (ADB) granted full root access, and this access was not protected by any password. The manufacturer had added a temporary security measure by leaving out a critical file, but Harishankar easily bypassed it. He also discovered that the vacuum cleaner used Google Cartographer technology to create a live 3D map of his home.

While mapping for navigation is normal for robot vacuum cleaners, what’s concerning is that the device sends all this data to the manufacturer’s server. Since the device’s own chipset isn’t powerful enough to process this data, sending the data to the server may be technically necessary. However, iLife appears to have failed to obtain explicit permission from its customers for this data collection. The engineer found a command in the disabled vacuum cleaner’s log files with a timestamp that precisely matched the moment the device stopped working. This was clearly a stop command, and when he reversed the command, the device restarted.

So, why did the vacuum cleaner work at the service center but not at home? The technicians reset the vacuum cleaner’s software, thus removing the stop code. At the service center, the device worked normally because it was connected to an open network. However, when it connected to the engineer’s home network, where the telemetry servers were blocked, it remotely locked itself again because it couldn’t communicate with the manufacturer’s servers. Because the device’s data collection capabilities were blocked, the manufacturer resorted to shutting it down completely. Harishankar summarized the situation as follows: “Someone or something had remotely issued a stop command. Whether it was a deliberate punishment or an automatic enforcement of ‘compliance,’ the result was the same: a consumer device was defying its owner.”

Unfortunately, many other smart vacuum brands use similar hardware. Therefore, it’s quite likely they have a similar setup. This is especially true for cheaper devices, which lack sufficient processing power (e.g., edge computing) to process data and are forced to send it to remote servers for processing. When your information is sent to a server beyond your control, you have no idea what happens to that data, giving the manufacturer the freedom to use it as they please.

Ultimately, through extensive tweaking, the device owner was able to run their vacuum completely locally, without the manufacturer’s control. This allowed them to both regain control of their data and use their $300, software-locked device on their own terms.

His advice to other users was, “Never use your main WiFi network for IoT (Internet of Things) devices” and “Treat them like strangers in your home.” So, what are your thoughts on the security of smart devices in your home?

Robot vacuum

SDN Comments 0 Comments

Comment

HOW TOAll

Related News

Windows 11 offers a surprising innovation
Windows 11 offers a surprising innovation
Netflix Moves to Acquire Warner Bros
Netflix Moves to Acquire Warner Bros
SpaceX receives $2 billion for Golden Dome project
SpaceX receives $2 billion for Golden Dome project
A 21-year wait is coming to an end: Half-Life 3 coming!
A 21-year wait is coming to an end: Half-Life 3 coming!

SDN Network

Sihirli Elma Yeşil Robot Tech Inside Pembe Teknoloji Future Flow Life

SDN.net

1250 BORREGAS AVENUE, #40, SUNNYVALE, CA
94089 ShiftDelete.Net LLC

info@shiftdelete.net

Shiftdelete.Net is a member of the Association of Internet Media and IT Reporters.

Desteklio