this post was submitted on 27 Oct 2025
855 points (98.5% liked)

Technology

75756 readers
3729 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
855
Man Alarmed to Discover His Smart Vacuum Was Broadcasting a Secret Map of His House (futurism.com)
submitted 4 days ago by themachinestops@lemmy.dbzer0.com to c/technology@lemmy.world
183 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] Regna@lemmy.world 289 points 4 days ago* (last edited 4 days ago) (4 children)

At first I thought ”Well, duh!”, but the manufacturer having a remote kill switch when he network blocked his vacuum from sharing his home map data with them, as well as unprotected root access when connecting to the vacuum… urgh.

The engineer says he stopped the device from broadcasting data, though kept the other network traffic — like firmware updates — running like usual. The vacuum kept cleaning for a few days after, until early one morning when it refused to boot up.

After reverse engineering the vacuum, a painstaking process which included reprinting the devices’ circuit boards and testing its sensors, he found something horrifying: Android Debug Bridge, a program for installing and debugging apps on devices, was “wide open” to the world. “In seconds, I had full root access. No hacks, no exploits. Just plug and play,” Narayanan said.

[–] justsomeguy@lemmy.world 150 points 4 days ago

All crappy IoT devices ever made. They aren't used in bot nets all the time because hackers like the challenge of hacking them so much. Security simply isn't a priority.

[–] pipe01@programming.dev 61 points 4 days ago (2 children)

Is it just me, or is having ADB exposed physically not that big a deal?

[–] KazuyaDarklight@lemmy.world 106 points 4 days ago (1 children)

Tend to agree, security is always the goal but if someone is in my house hacking my vacuum, I have bigger issues. The no-notice remote kill is the bigger issue to me.

[–] subignition@fedia.io 16 points 4 days ago (1 children)

The much bigger concern is that the pathway used to send the remote kill command could very easily be utilized by nefarious actors.

[–] krashmo@lemmy.world 15 points 4 days ago (3 children)

To do what, wear out one section of carpet faster than the rest of your house?

[–] subignition@fedia.io 11 points 4 days ago

If a hacker can get into the device remotely it can be an entry point to your home network.

[–] teft@piefed.social 10 points 4 days ago (1 children)

Remote “kill”

Where does it end? First it wears down your carpets and then we’re in Maximum Overdrive.

load more comments (1 replies)
load more comments (1 replies)
[–] kylian0087@lemmy.dbzer0.com 12 points 4 days ago (1 children)

It is not good. But in most cases just adb doesnt grand root access. That's just bad.

[–] riskable@programming.dev 48 points 4 days ago (9 children)

NO! It'syour device, you should have root! The fact that the manufacturer gives their product owners root is a good thing, not bad!

I will die on this fucking hill.

load more comments (9 replies)
[–] Monument@lemmy.sdf.org 50 points 4 days ago* (last edited 4 days ago) (1 children)

A few years ago I noticed an annoyance with a soundbar I had. After allowing it onto my WiFi network so we could stream music to it, it still broadcast the setup WiFi network.

While dorking around one day, I ran a port scan on my network and the soundbar reported port 22 (ssh) was open. I was able to log in as root and no password.
After a moment of “huh, that’s terrible security.” I connected to the (publicly open) setup network, ssh’d in, and copied the wpa_supplicant.conf file from the device to verify it had my WiFi info available to anyone with at least my mediocre skill level. I then factory reset the device, never to entrust it with any credentials again.

[–] billygoat@catata.fish 18 points 3 days ago (1 children)

Name and shame, what make and model was it?

[–] Monument@lemmy.sdf.org 13 points 3 days ago* (last edited 3 days ago) (1 children)

It was a TCL Alto 9+.

A quick internet search reveals that this issue was known about at least three years ago.

Another model, the 8i was reported to have a root password of “12345678” - which is partially how I got the idea to start seeing if I could gain root.

load more comments (1 replies)
load more comments (1 replies)
[–] 87Six@lemmy.world 160 points 3 days ago (6 children)

Since I dont see it mentioned, the company is

iLife

iLife makes vacuums that map your house and can be remote controlled

Just so we are clear. You should all up your name and shame game.

[–] eronth@lemmy.dbzer0.com 42 points 3 days ago (5 children)

For real. It's wild how often people don't just straight up call out bad corps.

load more comments (5 replies)
[–] AdolfSchmitler@lemmy.world 16 points 3 days ago

o7 thank you for your service

[–] muusemuuse@sh.itjust.works 12 points 3 days ago

All modern robot vacuums do this. Amazon and Zillow actually buy that data too.

load more comments (3 replies)
[–] fistac0rpse@fedia.io 80 points 4 days ago

iLife A11 smart vacuum

[–] bytesonbike@discuss.online 79 points 3 days ago (6 children)

In addition, Narayanan says he uncovered a suspicious line of code broadcasted from the company to the vacuum, timestamped to the exact moment it stopped working. “Someone — or something — had remotely issued a kill command,” he wrote.

“I reversed the script change and rebooted the device,” he wrote. “It came back to life instantly. They hadn’t merely incorporated a remote control feature. They had used it to permanently disable my device.”

In short, he said, the company that made the device had “the power to remotely disable devices, and used it against me for blocking their data collection… Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”

They kill switched it remotely. Yikes.

load more comments (6 replies)
[–] ExLisper@lemmy.curiana.net 56 points 4 days ago (2 children)

Yeah, I read about iRobot gathering and selling info about apartments like 10 years ago. People still alarmed by this are simply ignorant.

load more comments (2 replies)
[–] Treczoks@lemmy.world 54 points 4 days ago (1 children)

Well, yes, that's what those cheap "smart" devices do. Or does anyone think cheap smart would fit into that device? Rule of thumb: if a device needs internet access, it is spying on you.

[–] Landless2029@lemmy.world 22 points 4 days ago* (last edited 4 days ago) (6 children)

!homeassistant@lemmy.world on a isolated vLAN is my goal for "Smart" devices.

load more comments (6 replies)
[–] Zwuzelmaus@feddit.org 52 points 4 days ago (2 children)

I know very well why I installed valetudo before I even started my new vac for the first time 😁

https://valetudo.cloud/

load more comments (2 replies)
[–] ArchmageAzor@lemmy.world 40 points 3 days ago (5 children)

At this point, if you buy a smart thing you have to know it's spyware.

load more comments (5 replies)
[–] AcidiclyBasicGlitch@sh.itjust.works 38 points 3 days ago (3 children)

“Someone — or something — had remotely issued a kill command,” he wrote.

“I reversed the script change and rebooted the device,” he wrote. “It came back to life instantly. They hadn’t merely incorporated a remote control feature. They had used it to permanently disable my device.”

In short, he said, the company that made the device had “the power to remotely disable devices, and used it against me for blocking their data collection… Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”

collapsed inline media

load more comments (3 replies)
[–] andrew0@lemmy.dbzer0.com 32 points 4 days ago* (last edited 4 days ago) (3 children)

This article just screams rage-bait. Not that I am against making people aware of this kind of privacy invasion, but the authors did not bother to do any fact checking.

Firstly, they mention that the vacuum was "transmitting logs and telemetry that [the guy] had never consented to share". If you set up an app with the robot vacuum company, I'm pretty sure you'll get a rather long terms and services document that you just skip past, because who bothers reading that?

Secondly, the ADB part is rather weird. The person probably tried to install Valetudo on it? Otherwise, I have no clue what they tried to say with "reprinting the devices’ circuit boards". I doubt that this guy was able to reverse engineer an entire circuit board, but was surprised when seeing that ADB is enabled? This is what makes some devices rather straight forward to install custom firmware that block all the cloud shenanigans, so I'm not sure why they're painting this as a horrifying thing. Of course, you're broadcasting your map data to the manufacturer so that you can use their shitty app.

The part saying that it had full root access and a kill-switch is a bit worse, but still... It doesn't have to be like this. Shout-out to the people working on the Valetudo project. If you're interested in getting a privacy-friendly robot vacuum, have a look at their website. It requires some know-how, but once it's done, you know for sure you don't need to worry about a 3rd party spying on you.

[–] Alphane_Moon@lemmy.world 34 points 4 days ago (1 children)

I am assuming the individual described in the article is based in the US, but nevertheless, many countries do not allow spying, fraud and criminality as long as you have a TOS that says you are allowed to do so.

This is a very provincial manner of thinking and shows how deeply tolerance of corruption and criminality dominates the American mind.

Same with the kill switch, it is essentially a fraudulent scheme, a criminal activity.

[–] BarneyPiccolo@lemmy.today 23 points 4 days ago (4 children)

Americans are conditioned to do a lot of things without thinking about it, but if they ever really stopped to consider it, they'd be outraged.

For instance, those heart-tugging ads for St Jude's Children's Hospital. It's a great thing they do, taking in cancer kids, and covering all the expenses, even housing and food. They show grateful parents crying, because their kids have a chance because of the charity of St Jude and the viewers, and viewers shed a tear and donate.

It never occurs to anyone that in almost every other country in the world, such a place wouldn't be necessary. Their cancer kids would simply be taken care of. No pomp about it, no commercials begging for donations, curing cancer kids is just business as usual.

But in America, your kid will just DIE unless you've got good health insurance (which is about to get a LOT more expensive), a lot of money, or hit the charity lottery.

But that never occurs to Americans watching that ad. They will dig into their pockets to send money to St Jude, before they will give money to a progressive candidate to change our health care system so it doesn't require tear-jerking marketing to operate.

[–] Manjushri@piefed.social 21 points 4 days ago

It never occurs to anyone that in almost every other country in the world, such a place wouldn’t be necessary.

Yep. It reminds me of this .

Every heartwarming human interest story in America is like "he raised $20,000 to keep 200 orphans from being crushed in the orphan-crushing machine" and then never asks why an orphan-crushing machine exists or why you'd need to pay to prevent it from being used.

load more comments (3 replies)
[–] MountingSuspicion@reddthat.com 10 points 4 days ago (2 children)

Just checked out Valetudo. Gotta love the FOSS community. Can I ask if you've used it? If so, which vacuum did you set it up on?

load more comments (2 replies)
load more comments (1 replies)
[–] W3dd1e@lemmy.zip 32 points 3 days ago* (last edited 3 days ago) (1 children)

On paper all of this stuff is a great idea that would make our appliances more functional.

In reality, the best case scenario is that it’s sold to our corporate overlords so they can slap an ad on your refrigerator and sell you more plastic waste.

Worst case, it’s sold to ICE or some other fascist regime.

https://arstechnica.com/gadgets/2025/10/ring-cameras-are-about-to-get-increasingly-chummy-with-law-enforcement/

load more comments (1 replies)
[–] Alenalda@lemmy.world 26 points 3 days ago (5 children)

Wait till you find out what your wifi can do.

[–] ILikeBoobies@lemmy.ca 16 points 3 days ago (3 children)

Port Scanning blocker was eye opening to how many websites just wanted to check in on me.

load more comments (3 replies)
load more comments (4 replies)
[–] madjo@feddit.nl 23 points 4 days ago (6 children)

That is why I have denied internet access for my robot vacuum cleaner. Xiaomi doesn't need to know the blueprint of my house, and if it can't connect to the internet, there's no need for firmware updates.

I'll start the thing by pressing the button at the top.

load more comments (6 replies)
[–] Boozilla@lemmy.world 21 points 4 days ago (2 children)

Talkie Toaster is here. "Howdy-doodly-do, how's it going?"

[–] the_riviera_kid@lemmy.world 11 points 4 days ago

readies my fourteen-pound lump hammer

[–] db2@lemmy.world 10 points 4 days ago (1 children)

Does anyone want any toast?

load more comments (1 replies)
[–] stevedice@sh.itjust.works 19 points 3 days ago

I used to be on a mailing list where American companies offered money to people in the third world for menial manual tasks. Like sending pictures of random crap from different angles and such. One time I got an email offering 4 of these things and $100 and all I had to do was put one of them in my home and use it for a week and give the other 3 away. Goes without saying they're clearly a privacy nightmare.

[–] imetators@lemmy.dbzer0.com 15 points 4 days ago (1 children)

Am I too dumb to understand why sending cartographer data is wrong?

His model is iLife A11 that has Lidar. He probably has an app that is used to control robot and shows cleaning progression. Vac 100% Lidar'd his entire home and sent data to create map in the app.

How in the fuck he thinks it is getting that map? If his ass so smart to find a killswitch and reverse it, how come he doesn't grasp that map data is sent to a server though which he ca use vac app? Like in what world is it not obvious?

Not even gonna discuss about TOS he signed, or that it is general cheap brand cheap but super smart model for it's price.

Unless some FOSS firmware and software is installed, that thing most certainly will ping back home every chance it gets.

Sidenote: My TV now is offline cause when it kept calling home (ove 60% of my pi-holes querries of all time was TV), it would freeze due to pi-hole block. Once set offline - issue is gone. I also know my robo vac is pinging, but at the same time if I block it, I'll lose app controls which I wont do. Sadly, my vac doesn't support Valetudo.

[–] Reginald_T_Biter@lemmy.world 12 points 4 days ago (2 children)

I think yes, to your first question. Couldn't it just crunch the lidardata locally to feed into cartographer, I don't understand why you don't understand that this is the issue.

load more comments (2 replies)
[–] Gammelfisch@lemmy.world 15 points 3 days ago (4 children)

Sheeesh, his fucking mobile phone mapped and photographed his house long ago.

[–] DNS@discuss.online 13 points 3 days ago (5 children)

These arricles are meant to be rage bait for the techno-illiterate. As you said, cell phones mapped your house long ago as well as your smart TV, or any appliance that requires an internet connection.

People traded in their privacy for convenience.

load more comments (5 replies)
load more comments (3 replies)
[–] Sam_Bass@lemmy.world 14 points 3 days ago (7 children)

Yeah that issue has been around for at least a couple years now. Luckily my robovac doesn't have WiFi or bluetooth

load more comments (7 replies)
[–] MourningDove@lemmy.zip 12 points 3 days ago (3 children)

He’s going to have a heart attack to find out that the floor plan to most houses are available online and have been for a long time.

load more comments (3 replies)
[–] rumba@lemmy.zip 12 points 3 days ago

I don't care if they map my house, just give me raw access to the data. Them having access to the speaker and mic, i'm more concerned about.

[–] dan69@lemmy.world 10 points 4 days ago

Shit I’m scared of my home speakers echo locating my furniture and the size of my domicile

load more comments
view more: next ›