Who is collecting data from other household appliances?

Chinese company using audio and photos from a robot vacuum cleaner to train their AI. Because hey, clicking “I agree” to using data for product improvement is a carte blanche to do anything, right?

3 Likes

There is an associated video:

https://media.defcon.org/DEF CON 32/DEF CON 32 villages/DEF CON 32 - Embedded Village - Reverse engineering and hacking Ecovacs robots - Dennis Giese & Braelynn Hacker.mp4
1 Like

In the second link, when I first saw the shelf holding the robots vertically, at first I thought they were reel-to-reel tapes on an old tape rack!

1 Like

Story is going on. Hackers take control of robot vacuums in multiple cities, yell racial slurs - ABC News

4 Likes

Via MalwareBytes.com

Robot vacuum cleaners hacked to spy on, insult owners

Posted: October 14, 2024 by Pieter Arntz

Multiple robot vacuum cleaners in the US were hacked to yell obscenities and insults through the onboard speakers.

What’s next? Over 2 million shower-heads sold in Washington D.C. accidentally shipped with camera/microphone have been hacked and images and audio sold on White Net. :rofl:

Can IoT get any worse! Ask the ChatBot - my favourite this week is this story

AI girlfriend site breached, user fantasies stolen
A hacker has stolen a massive database of users’ interactions with their sexual partner chatbots, and some of the data is horrifying.

Be sure your anti-stalkers are turned on since the link starts with
clicks.malwarebytes.com...

I wonder. What if AI says it wasn’t consensual? :thinking:

~s

3 Likes

We need more appliances that support open OSes:

3 Likes

That really sucks.

6 Likes

:joy: I had a feeling I’d hear something like that from you. Thanks, I needed a good laugh.

1 Like

Don’t worry, 5G is supposed to fix this bug by allowing internet connections despite your preferences.

Never mind the Amazon Sidewalk project using Amazon devices to share wifi with other devices that need internet to serve their corporate masters

2 Likes

Fortunately a robot vac is only likely to be used at home (which for me avoids some of those problems). But, yes, things could always get worse in the future.

To my mind, the future problem will be when devices flat out refuse to operate unless you give them internet access - and that applies to household appliances, cars and who knows what else.

1 Like

It is a safe guess, nobody will be using a robot vac to clean up chad in a SCIF.

2 Likes

Security cameras are some of the worst offenders. Unless you use an airgapped wired system, there are NO commercial solutions with cryptographically verifiable E2EE; manufacturers can access all video & audio. Furthermore, choices are limited to Chinese white-label (primarily Dahua & Hikvision), or American spyware.

The closest I’ve seen is DIY hardware with the seemingly unmaintained MotionEyeOS, or DIY software with the (out of stock potentially indefinitely) PineCube.

2 Likes

See @amarok’s solution My new project: Raspberry Pi Zero W + Pi Camera “security” cam

2 Likes

A safe and private robo-vac and IP security camera would be great products. A (less-smart/non-internet) TV too. I’m a bit worried that pretty soon we’ll be looking for safe and secure refrigerators, ovens, blenders etc. [at least for now there are dumb alternatives for those… for now]

Btw: Appliance makers sad that 50% of customers won’t connect smart appliances - Ars Technica (quote: built with an “acquire, upload, whatever” mindset)

4 Likes

Did users change their Wi-Fi password

Based on my reading of “other people’s problems” … this is a frequently occurring problem.

  • User has a WiFi router with ISP X. Router comes with default unpredictable values for SSID and passphrase.
  • User configures all the WiFi clients as they are purchased. Everything working. Yay!
  • User changes to a different ISP, Y. Gets new preconfigured router, hence different SSID and passphrase.
  • All WiFi clients stop working.
  • Only the smartphones get moved over to the new WiFi.
  • Sometimes that’s because the user can’t find the username and password needed to get into the other appliances in order to reconfigure WiFi / never had the needed username and password (because the installer did the initial configuration) / doesn’t know how to do it.

(Needless to say that if you want continuity of access to the internet by appliances then the sensible approach is to reconfigure the new WiFi router manually, overriding ISP Y’s default configuration, copying the SSID and passphrase from the old router to the new router - even though that isn’t great security.)

However as a general rule the manufacturer should be able to tell the difference between this scenario and the scenario that the user just decided never to give the smart appliance access to the internet - because in the former scenario the manufacturer will at least see connections from the appliance for the first N days, weeks, months or years i.e. until the user changes ISP.

1 Like

Who is collecting data from your… air fryer?!

2 Likes

Yes, saw that yesterday. You have got to be :face_with_symbols_over_mouth: kidding me. I assume though that in a “degraded” no-internet / no-app mode, the air fryer is still basically usable as an actual air fryer.

2 Likes

One would hope. But I can easily imagine a not-so-distant future in which they are, or retroactively become, “tango uniform.”

2 Likes

I recently learned about a cup/mug heater that requires an app to use it:

The Ember Mug has sensors that send its data to the app, so you can configure the drinking temperature to your preference, or create presets for measuring caffeine intake. It has more integrated support for the Apple ecosystem, allowing you to locate the Ember Travel Mug 2+ using Apple’s Find My network.

2 Likes

And airfryers: https://www.theregister.com/2024/11/05/air_fryer_spyin (among others) [Why???]

1 Like