Man accidentally gains control of 7k robot vacuums

159 points by Brajeshwar today at 2:44 PM | 102 comments

Comments

dlenski today at 4:52 PM

> he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries.

This is extremely similar to what I accidentally discovered and disclosed about Mysa smart thermostats last year: the same credentials could be used to access, inspect, and control all of them, anywhere in the world.

See https://news.ycombinator.com/item?id=43392991

MostlyStable today at 4:02 PM

Anyone who's somewhat technically inclined should, in my opinion, only be buying valetudo [0] compatible vacuums and replacing the default software as soon as possible.

[0] https://valetudo.cloud/

jonplackett today at 3:22 PM

Companies this inept really need to get fined.

Like how many layers of people had to have OKed having the same password for all of them? It’s incompetence on an impressive scale.

dep_b today at 7:33 PM

Internet connections on devices are an anti-feature to me. I need something to work reliably without internet. And then maybe add some extras through internet access through open and secure protocols, so I can always write my own implementation.

jrochkind1 today at 8:56 PM

I don't knowingly have any live cameras or microphones in my home other than my laptop and phone (I know those are big "buts", but still), and I plan to keep it that way.

I remind myself of this no matter how much convenience I may be missing out on. (Getting a TV without em is kinda hard!)

Planning in advance, same for any AR stuff, not in my life, I'm sticking to it.

RHSeeger today at 3:34 PM

> In order for the Romo, or really any modern autonomous vacuum, to function it needs to constantly collect visual data from the building it is operating in.

I specifically bought one without a camera or mic.

exegete today at 3:45 PM

“Accidentally” is not accurate. He used AI to inspect the source and found credentials that work in all devices. He also never gained control of anyone else’s devices. He never used the exploit.

Nevermark today at 8:30 PM

How long before there is a claw controlled network of robot/device spies and soldiers?

kderbyma today at 8:01 PM

He could've cleaned up....

shevy-java today at 6:25 PM

Well - imagine how many cat furs can be vacuumed with this!

ghgr today at 3:20 PM

> [...] the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio [...]

Sorry what? Why would a vacuum cleaner even need a microphone?

TheRealPomax today at 6:08 PM

Surely this also requires reporting DJI to the authorities for gross negligence? This is not an oopsie, this is deploying a surveillance network without telling anyone.

rdiddly today at 6:43 PM

Well it only took until the 2nd paragraph, and the words "DJI’s remote cloud servers" for me to be forehead-slappingly disgusted again.

Obviously proper diligence wasn't followed with this product, and obviously this is going to be something we've all heard before, but why does a vacuum need to talk to a server at all?

And also, to go even further back, is there anything more leopards-ate-my-face than a compromised robo-vacuum? I have never understood the appeal of these things. Except as satire. Pushing a vacuum around takes minutes, once a month, all the more so when you live in a 3m x 3m box with 12 roommates, and is badly needed exercise for a lot of pathetic little nerd noodle-arms.

Ylpertnodi today at 7:23 PM

Terrible writing in the article.

> It retails for around $2,000 and is roughly the size of a large terrier or a small fridge when docked at its base station.

So, large terriers, and small [presumably 'smart'] fridges can have docking stations?

metalman today at 3:15 PM

accidentally a god, a sucky kinda god, but a god nonetheless "I command thee to make vanish the minor sins of this world my minions"

Betelbuddy today at 4:28 PM

His code sucks...