- cross-posted to:
- hackernews@lemmy.bestiver.se
- technology@lemmy.zip
An engineer got curious about how his iLife A11 smart vacuum worked and monitored the network traffic coming from the device. That’s when he noticed it was constantly sending logs and telemetry data to the manufacturer — something he hadn’t consented to. The user, Harishankar, decided to block the telemetry servers’ IP addresses on his network, while keeping the firmware and OTA servers open. While his smart gadget worked for a while, it just refused to turn on soon after. After a lengthy investigation, he discovered that a remote kill command had been issued to his device.
Jesus christ, just vacuum your own house already. This is the largest tradeoff I have ever seen for the minor inconvenience of a single household chore.
This comment is fucking insane lol
I don’t even vacuum. I get on my knees and clean my floors by hand.
I am planning to make a list of devices I really do NOT want near me. Starting with this one.
This is every single ‘smart device’ out there. The way I was able to block everything in 2 Roborocks at home was by setting them up in Home Assistant over Matter, blocking everything and using it from HA only (us the schedules, those remain in the robots). It’s less than convenient allowing it access to the update servers once per month to see if there’s any and then blocking it again, but it’s something.
We’re preparing our ‘smart home’ for our new house that’s not finished yet by choosing only devices that are matter over wifi (not thread) so that I can set it all up to work locally over Home Assistant. That, in my opinion, is the best way to keep some convenience while shutting those assholes out.
Most of them, sure. Every single one until proven otherwise, yes. Every single one, no qualifiers? No.
Brands like Shelly allow you to completely disable the cloud, which AFAIK makes them stop phoning home completely except for update checks.
I think a lot of “Home Assistant certified” brands are good privacy-wise, as that means that they don’t care about pushing you onto their proprietary cloud.
I wish companies would at least offer a “no data collecting/selling” price option. Like, how much would they make from selling my data? Just give me the option to pay that extra amount so I can buy a vacuum without thinking about how it’s spying on me.
My concern is that they’ll include the equipment for spying on you, and just enable it later.
I bought a Hue because it said “no online account required!” Later they changed their mind.
I want the promise plus open standards and a base of libre software. I want them to tie themselves to the mast.
Do they not just have a cheaper version that could come without wifi or Bluetooth? I usually get that option where available for any products, because I’m a cheap ass.
There are older models you can get that work that way. They’re just less convenient in that you have to clean them out yourself. I had one for a long time, but I wanted one that is self-emptying.
Same story with this guy (in french)
https://www.youtube.com/watch?v=OGMRUiBOFj0
Highly recommend watching his stuff, might be very technical but also super methodical
How is this legal?
The fact that this isn’t considered outright fraud is disturbing. This person OWNS the device, yes? They’re not leasing it.
FFS, this should be illegal.
If it were illegal, that would be a huge infraction to FREEDOM®🦅🦅
I agree with you that this should be illegal. I expect this was in the terms of service, though. Since we have no laws restricting this kind of bullshit, the company can argue that they’re within their rights.
We need some real legislation around privacy. It’s never going to happen, but it needs to. We need a right to anonymity but that is too scary for advertisers and our police state.
How often are the terms of service evident at the time of purchase? It’s unreasonable to assume at the checkout that the price is only for a limited time of use. I doubt they put it on the box or on the Amazon page when you purchased stuff like this. Are you supposed to buy it and then return it after reading the fine print in the instruction booklet after opening it up?
Terms of service need to stop being treated like law.
They’re not law as long as you can afford the lawyers and legal costs to fight them. Which is, of course, the problem and the system working as designed.

I expect this was in the terms of service, though
While I expect the same, there’s also just a reasonability standard. If Meta and Google updated their TOS to say that users agreed to become human chattel slaves to mine cobalt and forfeit their rights, no court (…right, SCOTUS?..right?) would uphold that. A TOS is a contract, but it’s mostly for the protection of companies from liability. Taking active steps to brick someone’s device over the device not connecting to its C2 server (the company had zero evidence this was done intentionally and a router firewall misconfiguration could just as easily have done the same thing), is IMO something that should result in a lawsuit.
I agree with you. The problem is that lawsuits cost money. Fighting the company on this requires the right plaintiff who is willing to risk money on the problem.
Just because something’s written in the terms of service, doesn’t mean it’s legal.
And just because it’s legal doesn’t mean it’s ethical.
That’s why any good terms of service have clauses that say if any part of this is deemed unenforceable or not legal or whatever, the rest of the terms remain intact, as I guess at some point in time, people were getting entire documents thrown out based off 1 thing.
When an authoritarian country does it, everyone goes crazy
When a company does it to make more money and take more control, it’s just business as usual.
There needs to be a huge neon orange warning on the front of these products that explains, clearly, that you don’t own it, your privacy will be invaded and the company can disable it at any time. This will stop people from buying this garbage, and hopefully companies will stop if they want our money.
My life rule is, if it says Smart on it, it’s never going to be smart. It will always cause trouble.
IMO “Smart” refers to the lawyers that got paid to write a 900-page TOS that lets a company do whatever they want.
No they are sharts
And, unfortunately, a 900 page TOS guarantees that the average consumer never reads it.
No that’s called “smarmy”.
This shit is two months old. How many times is it going to recirculate?
until something meaningful is done about it I hope
Stalkerware is criminal digital slavery. It is sale and ownership of a part of a person to manipulate and exploit them.
I think your comparison to slavery is a bit overblown and minimizes the tragedy of actual slavery. But I agree with the sentiment.
If I don’t own it 100% then reimburse me if you disable it.
For me the worst part is that someone developed the functionality to monitor and track, until the signal is lost, and if so, kill. It’s really crazy how daring this is.
My robot vac will only operate when connected to the Internet so it’s only allowed to communicate when actually in use. As soon as it returns to the charger Internet access is automatically blocked.
Unfortunately the manufacturer has deliberately made this as inconvenient as possible. If communication is blocked for more than a few hours the vacuum loses all maps and will no longer even load saved maps from the Tuya app. To use it the vac must be powered down and the app killed. Only then can a saved map be restored.
It’s too bad it’s so useful.
Name and shame.
from the Tuya app.
it’s only allowed to communicate when actually in use.
What’s the point? The manufacturer is interested in the map of your apartment and usage statistics. What do you think it’s sending when not in use? Does it have a microphone or something?
Since I haven’t pulled it apart or tried to decrypt the ssl traffic I have no idea whether it has “a microphone or something.” That’s the point.
Keeping it offline some of the time isn’t effective against passive data collection unless you’re willing to take the inconvenient step of factory-resetting it each time you’re about to use it. Anything it collects it can just hold onto until it next gets the chance to upload.
SmartTVs will hold onto your data as long as they have storage, even through a factory reset. So if you sell it and the next person hooks it up to the Internet then the data is uploaded.
I know it can be done, so it wouldn’t shock me at all to find out that it does happen, but do you know of any manufacturers who have been proven to do this?
SSL bold of you to assume that
My robot vac will only operate when connected to the Internet
That would trigger me to return it to the store. “It doesn’t work”
There’s something not working in this article.
They say it “makes sense” for the device to basically send the plan of your home to some online server, because the vacuum is not powerful enough to process this data on its own. This is already a bit horrifying to me, but okay.
And then when that guy blocked it out, the vacuum “worked for a while” before something sent the kill command through an update.
How come it is still working at all if navigation requires that server?
It is total BS. Offline vacuum cleaners do mapping and localisation just fine. It is just an excuse to spy on your home.
It’s not the navigation that requires the server but the processing of the mapping data.
Which in itself is BS because most of these vacuums come with hardware roughly equivalent of a top of the line smartphone from about 5-6 years ago. They can easily do the raw data to map conversion, even if it’s a bit slow and takes 20-30 seconds.
Also if you read the article it specifies that the damn thing is already running Google Cartographer which is a SLAM 3D map builder software - one of the better pro-grade mapping software suites, mind you. So the whole claim of cloud needed for processing is BS.
My VR headset can create pretty accurate 3D maps of my environment like nothing, and it only uses cameras to do so, so I can imagine it’s doable.
Then, yeah, it doesn’t “make sense” for that thing to externalize that.
It’s not that it’s impossible, but it requires effort, skill, and time. Instead of hiring a bunch of programmers who would make it run on the device locally, you can just throw the same amount of money at Amazon and it will run whatever unoptimised version of the renderer you stole on some random Chinese forum. As a bonus, you get to enrich a multibillionaire and make the world a slightly worse place, which is a second and third priority of every CEO after getting money.
They do process mapping locally, there’s no reason for a remote connection other than remote control outside your LAN and data collection.
My vacuum running Valetudo works fine with no internet connection, mapping and all.
I suspected it shouldn’t need the connection, but I’ve never had one of those, so, I didn’t know for sure.
It’s just that the article gets in a tangent about how the device might require offloading that to online servers… and then it’s obviously not the case since the guy made it work offline.
Having not read the article: “Let’s apply Hanlon’s Razor: Oh, probably it just collects the data locally and caches it until the vendor’s servers are reachable. After a while the data partition was full and it stopped working as this case was never deemed possible when this was developed.”
Having read that the kill command was logged and he found it in the logs: “ok, there are no technical details, so there might still be a misunderstanding, but that’s not what I expected!”
Why talk if you don’t know what you’re talking about? If you didn’t read the article whatever you say is irrelevant.
Why talk if you haven’t read the comment you replied to until the end?
As useful as smart devices are, it’s very annoying that the companies behind them are always either: 1) scumbags that will collect data and will lock down the device if people don’t use it their way; 2) incompetent idiots that can’t make good software to save their lives. So by using these devices you basically have to pick the thing that you’re willing to lose.
It’s really too bad because robovacs save me a lot of time and mental exhaustion.
Say it with me. If buying doesn’t mean 100% ownership…
… FUCK THE DMCA!
What did I win?
then they will buy it
















