Whoops: Your ‘Smart’ Vacuum May Be Broadcasting A 3D Map Of Your Home
from the smart-tech-is-dumb-tech dept
We’ve long established that modern “smart” devices aren’t always all that smart.
Whether it’s “smart” door locks that are easily hacked to gain entry, “smart” refrigerators that leak your Gmail credentials, or “smart” vehicles that sell data to insurance companies without your permission, the act of modernizing something with internet access and a CPU isn’t always a step forward.
The latest case in point: one owner of the $300 iLife A11 smart vacuum realized that the device wasn’t just cleaning his home, it was creating a map of his entire living space, and then openly broadcasting it to its parent company via the internet:
“I’m a bit paranoid — the good kind of paranoid,” he wrote. “So, I decided to monitor its network traffic, as I would with any so-called smart device.” Within minutes, he discovered a “steady stream” of data being sent to servers “halfway across the world.”
“My robot vacuum was constantly communicating with its manufacturer, transmitting logs and telemetry that I had never consented to share,” Narayanan wrote. “That’s when I made my first mistake: I decided to stop it.”
When he prevented the device from sending data back to the corporate mothership, the device refused to boot up. After several efforts to get it “repaired,” the device fell out of warranty and he was left with a $300 paperweight. At that point, he dug a bit more deeply into the device, and found it was using Google Cartographer to create 3D maps of his home that were being transmitted back to its parent company.
As with most data collection of this type (in a country with no modern privacy laws or functioning privacy regulators), the vacuum maker wasn’t informing customers of this data collection and transmission. Digging through the vacuum’s code, he says he found specific instructions to stop the vacuum from working if the data collection ceased:
In addition, Narayanan says he uncovered a suspicious line of code broadcasted from the company to the vacuum, timestamped to the exact moment it stopped working. “Someone — or something — had remotely issued a kill command,” he wrote.
“I reversed the script change and rebooted the device,” he wrote. “It came back to life instantly. They hadn’t merely incorporated a remote control feature. They had used it to permanently disable my device.”
This is just a vacuum. The same thing is happening with far more important devices, like your phone and vehicle. And again, we live in a country with a President (and corrupt court system) who is making it impossible to hold companies accountable for any of it.
Either by blocking regulatory oversight “legally” (see attempts to fine AT&T for location data collection), or by basically lobotomizing agencies like the FTC and FCC. U.S. privacy enforcement was already a sad joke; now it’s basically nonexistent. Surely that won’t be a problem longer term, right?



Comments on “Whoops: Your ‘Smart’ Vacuum May Be Broadcasting A 3D Map Of Your Home”
Must be Skynet still looking for Sarah Connor.
May be?
Oh Karl, you sweet summer child.
Never lose that innocence.
Re:
He can’t say with any certainty that other “smart” vacuums do the same.
Hence “may be”.
Re: Re: 3irobotix CRL-200S
It’s a standard hardware design that has been incorporated into several vendors’ products (original blog linked in URL).
But isn’t there one such law, the California Consumer Privacy Act? The company claims to have a warehouse and service center in Los Angeles, and to be in use by “100,000+Families”, thereby making them subject to the law. And unlike the linked story about ISPs, vacuum cleaner manufacturers are not regulated by a federal entity, which means the states retain jurisdiction.
That still leaves the question of whether there’s a functional privacy regulator to enforce the law. There’s a private right of action, but that only applies after a data breach (and only sometimes; it’s kind of weak).
Time to put aluminum foil hats on the devices to block the signals. <;p
I don't get the concern much
I realize it may be desirable to have a device that worked completely offline, but I don’t see any reason to care that the company knows that your living room is however many feet long as that thing drives back and forth between walls.
The company knows that somewhere out there, not even probably personally identifiable but just some random hardware ID, is traversing a space that is x by y. Or encountering obstacles at n frequency.
This doesn’t seem like private protected data is being leaked
Re:
Not living room, living space.
So you didn’t actually read what it is capable of? A quick question to get you on the right track, how do you think people control the device and what are the implications of that when combined with the data from the device?
How can you tell? What if the house has a secret panic room that suddenly becomes public knowledge? Does that count?
Re: Re: That spying vacuum cleaner
As a seasoned practitioner of criminal law and its denizens, I ask y’all to please contemplate how a 3D map of a space could facilitate a “home invasion” for purposes of theft, murder, kidnapping, bug plants and the like.
Old News.
Just
Say
No
Re: Re: Re:
Exactly, just because random person A thinks random information B is useless doesn’t mean random criminal C won’t find it extremely useful in their criminal pursuits.
Re:
The limitations of any individual’s imagination should not be the standard by which we determine good practices or human rights. Someone cleverer than you will have thoughts on how valuable this information can be and someone will have an opportunity to exploit that. And it may not be with this particular device, but choosing to let your guard down with this one might make you not think twice about the next or make false assumptions about how benign the next one is such that you give away more and more of your privacy and feel comfortable in naivety and ignorance until it comes back to bite you later.
It’s a hell of a lot easier if a vacuum just doesn’t get programmed to broadcast unnecessary data.
Re:
The thing is, is one day someone is going to get that info, and the rest of your info.
They will know your driving habits, work schedule, and where you and your family are expected to be.
One day some politician, or worse yet military member, is going to find out that this information they didn’t know was being collected was hacked and it will be used violently against them.
Re:
Idiots like you are part of the problem, thanks.
Go post all your PII to Facebook and then tell everyone when you’ll be on vacation.
you know it’s a problem when your neighbor texts you and says, you missed some carpet in the middle of your living room.
The kill command seems like it would violate laws.
But maybe not. In the US, you can rape and kill children and it’s government approved, so who cares about bricking the devices and stealing money from the slaves.
Re:
Now prove it in court, since U.S. prosecutors are unlikely to do so unless this Shenzhen company (although with offices in the U.S.) pisses off Trump.
It’s more likely that local law enforcement departments will be dealing with them to request detailed maps of people’s houses. Can lidar detect how Mexican someone looks?
Wouldn’t it be a 2d map?
I guess if it traveled on an elevator or you carried it downstairs it could suck in that extra dimension but doesn’t the darn thing just sniff around in 2d?
Re:
Depends on the sensors. You can use stuff like lidar to map out the entire room, not just the floor. This specific one uses CV-SLAM (Ceiling Vision Simultaneous Localization and Mapping), which is pointed upwards.
(And yes, it is advertised to be able to map multiple floors. You have to carry it up/down)
Speaking only on the home’s “geometry” (the least significant item in the article), other entities who already have this info: your home’s builder et al, local real estate authority, previous owners, agents, etc. and neighbors in your development/building. None of it was ever private info (building codes being what they are). Some data that so many people like to think of as “private” has never been private; at best it’s been obscured due to lack of interest.
I mean, probably not a 3D map, unless this is one of those flying vacuums.
Re:
Maybe Musk is getting into the cleaning device market?
Re: Re:
Flying vacuums do seem like the sort of “Why hasn’t anyone done this obviously dumb thing before?” question a Tesla engineer would ask.
Re: Re: Re:
Does hovering count as flying? The Hoover Constellation was doing that in the 1950s. And, speaking of dumb things, it seems this vacuum blew dirt all over the place when used on hard floors, as one might expect; and that it also didn’t work well on thick carpet.
A quick search shows at least two modern imitators (aiRider and ZeroG).
Re: Utah maybe
maybe he’s in Utah, where pi equals 3 and lakes are forbidden to flood the landscape?
smart devices
We have an oven (!) that showed up on our wi-fi and I couldn’t figure out why. So I did some research on how to turn it off. It wasn’t easy!
Before you buy any house appliance, make sure it is not set up for wi-fi by the installer or set up controls on your phone with an app. If you are comfortable with being spied on, don’t bother. But do think about who is watching you and why.
We need a way to remotely brick companies arbitrarily, at will.
Storm Shadow is rather too costly.
As far as your car transmitting your driving data, that can be solved with a jammer that jams that frequency it uses.
It will likely be using 3g, 4g, or 5g internet which can be jammed without jamming voice calls because those use different frequency bands.
Is that how warranty works? “You reported the problem in time, but since we didn’t fix it in time we’re off the hook”?
Also, intentionally sending a kill command to a device without the permission of the device owner should be treated, legally, as vandalism.