Wait till you find out what your wifi can do.
Port Scanning blocker was eye opening to how many websites just wanted to check in on me.
Oh, damn! Thanks for reminding me to add that extension since I reinstalled my browser.
I remember about news of some Israeli intelligence operatives who jogged around their HQ only to be outed by their tracks on Strava.
I remember army officers and cia folks, specifically. It wouldn’t surprise me that israel got caught as well.
At this point, if you buy a smart thing you have to know it’s spyware.
True asf
It’s funny how these “smart” appliances are all addressing things radically important for households, but in a poisoned way from the beginning. As if those making them were just trying to get there first and win the bank.
There’s a problem of scale in industrial innovations, where bigger scale makes cost of production of something and cost for the consumer and network effect power better, meaning that there’s no market feedback to help those who came first get old and die to make space for those who come next.
I think this tendency is actually the solution - there is a feedback, it’s that lacking feedbacks on one level prohibits those undying monsters from being competitive on the next one. The niche of non-poisoned smart appliances won’t be filled by anything big, for example.
That’s also another funny moment - instead of dedicated appliances it makes it useful to have one universal one (basically a butler robot) that can be programmed. It’s an incentive in the direction of universal machines programmed by customers.
BTW, imagine a frame with various manipulators and sensors attached to an RPi via GPIO, where every manipulator/sensor can be whatever thing at all, just needs to have a manipulator/sensor description template. The OS of the RPi itself runs tasks of the “move those items of fragility categories such and such to such and such locations, remove dust and dirt from that surface, wash that window”, for which the existing set of manipulators/sensors and task sequence are optimized without user’s involvement (other than attaching them and providing the right description templates, though I suppose manipulator controllers can provide them too, and confirming the resulting jobs). That’s also where those LLMs etc are good enough, to interpret instructions and display the sequence of actions they are going to perform to get user’s confirmation. This way you won’t have to fear that you tell it something harmless and it starts a fire in the room.
Such a system needs a set of standard protocols for the sensors\manipulators, their description templates, and the representation of commands deciphered from human speech to a set of tasks, and the spaces and traits of objects. The programs visualizing the resulting offered set of tasks, deciphering the order, optimizing one set of tasks into a better one, and so on, should be pluggable. Suppose everything’s already made, just nobody really needs a thing that they can’t just buy and turn on.
OK, I like imagining, should work better instead and start my toy the weekends after the next ones (I suspect I won’t start it even by then, at least not in the initial ideologically good form ; nothing about robotics or home appliances). Spent these weekends on making a POV-Ray scene instead.
Why did I even write this.
ahh actions which would be considered “hackers stealing your personal info” twenty years ago is now something people (including me) pay money to be subjected to.
these “smart” appliances are all addressing things radically important for households
Are they, though?
Most of these “smart” functions are at best a slight convenience. And a lot of the “smart” functions in most of them don’t really add anything useful to the user experience.
On paper all of this stuff is a great idea that would make our appliances more functional.
In reality, the best case scenario is that it’s sold to our corporate overlords so they can slap an ad on your refrigerator and sell you more plastic waste.
Worst case, it’s sold to ICE or some other fascist regime.
Worst case, it’s sold to ICE or some other fascist regime.
Every single government that has a contract with Palantir for Gotham or even whatever the fuck they’re doing with the UK NHS data, is reason enough to know this kind of shit is a bad idea. The entire existence of Palantir makes this kind of shit a bad idea by default.
Even if they’re not using lavender or where’s daddy (yet), I do not want them to have a detailed layout of my home, in addition to all the other information already being collected.
If the day comes when any government needs to crush civil unrest, Palantir gives them an easy button to weaponize your data against you.
“Someone — or something — had remotely issued a kill command,” he wrote.
“I reversed the script change and rebooted the device,” he wrote. “It came back to life instantly. They hadn’t merely incorporated a remote control feature. They had used it to permanently disable my device.”
In short, he said, the company that made the device had “the power to remotely disable devices, and used it against me for blocking their data collection… Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”
Treasonous malware.
Since I dont see it mentioned, the company is
iLife
iLife makes vacuums that map your house and can be remote controlled
Just so we are clear. You should all up your name and shame game.
Implying the vast majority of roombas aren’t doing this
There’s no safe “opt-out” for people who cannae be arsed to vacuum lol
For real. It’s wild how often people don’t just straight up call out bad corps.
Could ya be sued, perhaps?
No
Just because it wouldn’t stick, doesn’t mean they can’t sue you and make your life more difficult. (Not saying you shouldn’t call out bad actors like that)
And when they sue its the time to come together and support the targets of their lawsuit to bring in the best of the best lawyers to take them down.
You always risk a punch in the face when standing up for yourself but that doesn’t mean you should just accept abuse.
All modern robot vacuums do this. Amazon and Zillow actually buy that data too.
o7 thank you for your service
Oh crap. I had one. It committed suicide off the stairs
Maybe for the best.
Yeah that issue has been around for at least a couple years now. Luckily my robovac doesn’t have WiFi or bluetooth
Same. I will service and repair my goddamn 880 until it is DUST, dammit.
It has a clock display for time?
Why would anyone need a moving clock?
To display time?
I used to be on a mailing list where American companies offered money to people in the third world for menial manual tasks. Like sending pictures of random crap from different angles and such. One time I got an email offering 4 of these things and $100 and all I had to do was put one of them in my home and use it for a week and give the other 3 away. Goes without saying they’re clearly a privacy nightmare.
In addition, Narayanan says he uncovered a suspicious line of code broadcasted from the company to the vacuum, timestamped to the exact moment it stopped working. “Someone — or something — had remotely issued a kill command,” he wrote.
“I reversed the script change and rebooted the device,” he wrote. “It came back to life instantly. They hadn’t merely incorporated a remote control feature. They had used it to permanently disable my device.”
In short, he said, the company that made the device had “the power to remotely disable devices, and used it against me for blocking their data collection… Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”
They kill switched it remotely. Yikes.
All IoT devices do this to keep you from blocking their data collection. They won’t work reliably without a regular ping home. They lock up if they can’t phone home frequently enough.
Tapo’s sockets don’t - in fact they explicitly have a ‘local only’ function. All you lose is control outside your home network.
Tuya on the other hand will start leeching off the fucking Bluetooth of your pairing device if you hobble them.
tapo cameras do. mine all went offline and factory reset themselves after not having internet access or even accounts for several months, all at the same time.
Haven’t experienced that one - but your statement was “all iot devices do that” (emphasis mine)
And i haven’t even touched on Zigbee…
More likely it killed itself after not being in contact with home base. Since it worked fine elsewhere
He’s going to have a heart attack to find out that the floor plan to most houses are available online and have been for a long time.
Yeah, but without the correlation that this particular fella is living there. That vacuum might’ve been the missing link in someone’s data collection.
With possibly objects in the house identified?
Sure. Including pictures of people shitting.
Sheeesh, his fucking mobile phone mapped and photographed his house long ago.
Do you have any source on this? I have never seen a similar article about phones sending a 3D map of your home to the manufacturer.
These arricles are meant to be rage bait for the techno-illiterate. As you said, cell phones mapped your house long ago as well as your smart TV, or any appliance that requires an internet connection.
People traded in their privacy for convenience.
Both can be true. Probably shouldn’t make a regular practice of numbing out to this sort of info with the platitude “Big deal, my phone and facebook already have my data anyway. Might as well give you my mother’s maiden name.”
Privacy is not worthless just being one bad actor took it. It still is worth pursuing in all layers where possible.
+1 Indeed!
I wasn’t aware about this with regards to mobile phone tbf. I know you are spied upon on your phone camera, but mapping the house with the phone? Do you mean like Dark Knight stuff?
Mapping like that is probably mostly done through bluetooth and wifi triangulation.
I picture the phone doing it the way it was done in The Dark Knight. That scene when Lucius Fox was in China and had to volunteer a phone to security.
I mean, UCSC researchers used WiFi to detect a human heartbeat.
At first I thought ”Well, duh!”, but the manufacturer having a remote kill switch when he network blocked his vacuum from sharing his home map data with them, as well as unprotected root access when connecting to the vacuum… urgh.
The engineer says he stopped the device from broadcasting data, though kept the other network traffic — like firmware updates — running like usual. The vacuum kept cleaning for a few days after, until early one morning when it refused to boot up.
After reverse engineering the vacuum, a painstaking process which included reprinting the devices’ circuit boards and testing its sensors, he found something horrifying: Android Debug Bridge, a program for installing and debugging apps on devices, was “wide open” to the world. “In seconds, I had full root access. No hacks, no exploits. Just plug and play,” Narayanan said.
All crappy IoT devices ever made. They aren’t used in bot nets all the time because hackers like the challenge of hacking them so much. Security simply isn’t a priority.
The ‘S’ on IoT stands for security!
There isn’t an s in IoT silly.
Woosh? Either Yours or mine :)
I keep seeing you everywhere and the only reason I won’t block you is because of your username brightening my day every time I see it. Curse you!
When that is the light in your day…
A few years ago I noticed an annoyance with a soundbar I had. After allowing it onto my WiFi network so we could stream music to it, it still broadcast the setup WiFi network.
While dorking around one day, I ran a port scan on my network and the soundbar reported port 22 (ssh) was open. I was able to log in as root and no password.
After a moment of “huh, that’s terrible security.” I connected to the (publicly open) setup network, ssh’d in, and copied the wpa_supplicant.conf file from the device to verify it had my WiFi info available to anyone with at least my mediocre skill level. I then factory reset the device, never to entrust it with any credentials again.Name and shame, what make and model was it?
It was a TCL Alto 9+.
A quick internet search reveals that this issue was known about at least three years ago.
Another model, the 8i was reported to have a root password of “12345678” - which is partially how I got the idea to start seeing if I could gain root.
TCL
The Chinese company that steals corporate secrets (I kicked a bunch of their devs once when they were trying to take pictures of prototypes and copy source code on USB keys) and send everything to China? Who would have thought.
Is it just me, or is having ADB exposed physically not that big a deal?
Tend to agree, security is always the goal but if someone is in my house hacking my vacuum, I have bigger issues. The no-notice remote kill is the bigger issue to me.
The much bigger concern is that the pathway used to send the remote kill command could very easily be utilized by nefarious actors.
To do what, wear out one section of carpet faster than the rest of your house?
It could overcharge and overheat the battery, leading to explosion or at least fire.
If a hacker can get into the device remotely it can be an entry point to your home network.
Remote “kill”
Where does it end? First it wears down your carpets and then we’re in Maximum Overdrive.
It finds a sharp corner to rub against and hones itself into a stabby bot.
It is not good. But in most cases just adb doesnt grand root access. That’s just bad.
NO! It’syour device, you should have root! The fact that the manufacturer gives their product owners root is a good thing, not bad!
I will die on this fucking hill.
I agree with you. But granting root straight from adb with 0 auth is not good.
But on this threat model? Why would it not be good?
It has to physically accessed on the PCB itself from what I gather.
There are 2 “threats” from what I see:
-
someone at the distribution facility pops it open and has the know how to install malware on it (very very unlikely)
-
someone breaks into your home unnoticed and has the time to carefully take apart your vacuum and upload pre-prepared malware instead of just sticking an IP camera somewhere. If this actually happens, the owner has much much bigger problems and the vacuum is the least of their worries.
The homeowner is the other person that can access it and it is a big feature in that case.
-
yes and no… i agree with the sentiment, but with root you can extract wifi credentials and various other secrets… you shouldn’t be able to get these things even when you have physical access to the device… the root access itself isn’t the problem
At first I thought ”Well, duh!”
There was an ARS article years ago about it…
