Doctor, doctor, I feel like my IoT-enabled vacuum cleaner is spying on me

Vulnerabilities in a range of robot vacuum cleaners allow miscreants to access the gadgets' camera, and remote-control the gizmos. Security researchers at Positive Technologies (PT) this week disclosed that Dongguan Diqee 360 smart vacuum cleaners contain security flaws that hackers can exploit to snoop on people through the …

  1. Chronos Silver badge
    FAIL

    More unfortunate naming fails

    "Someone's spying on my diqee!"

    That'll teach you for sending dick pics via social media...

  2. whoseyourdaddy

    So...

    Android is the underlying OS?

    You didn't buy a Dyson? That sucks in so many ways...

  3. Paul Herber

    IoT

    Internet of Toasters.

    Toasters create crumbs, hence the vacuum cleaner.

    No buns, baps, bagels or baguettes, please.

  4. VinceH Silver badge

    Re: IoT

    Ah, so you're a waffle man!

  5. 2+2=5 Silver badge
    Happy

    Re: IoT

    > Ah, so you're a waffle man!

    Waffles are the same as pancakes but ribbed for added pleasure.

  6. Warm Braw Silver badge

    superuser rights on the vacuum

    I think that neatly encapsulates the full idiocy of the genre.

  7. DougS Silver badge

    Re: superuser rights on the vacuum

    All Unix OSes require root to do a lot of things, so avoiding the use of it isn't feasible. Perhaps they could have taken steps to minimize their use of root for network facing services, but the real problem was the same old story - not programming with security in mind. A shell script was able to be run with a %s argument supplied by the attacker.

    No doubt the argument they supply is something of the form "foo; <command of your choice>". Those ';' (or & or | or whatever) attacks are as old as Unix, and easy to leave in place if you hire someone on the cheap who does the minimum possible to make things work according to spec, and neither management nor the programmers give security a passing thought. After all, who would want to break in to a vacuum, right?
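    As an added illustration (not code from the article, the researchers, or the vendor), the Python below shows the defect DougS describes and the two defences that close it: pass user input to the program as an argv element instead of substituting it into a shell string, and whitelist the value before use. The `spotclean.sh` script name and the "room" values are assumptions made for the example; the metacharacter scan uses `shlex` with `punctuation_chars`, which is what a code reviewer or a log-based detector could use to flag inputs that would change the meaning of a command line.

```python
"""Command injection: the '%s into a shell string' defect and its fixes.

Added example; names such as spotclean.sh and the room values are
constructed for illustration and are not from the original page.
"""
import re
import shlex
import subprocess

# Whitelist for a single argument. Anything outside this set is refused
# before it gets anywhere near a command line.
SAFE_ARG = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_command_unsafe(template: str, user_value: str) -> str:
    """The vulnerable pattern: the attacker-controlled value is pasted into a
    shell command string, so ';', '&', '|' and friends are parsed by the shell.
    Kept here only to make the difference visible; never run its result."""
    return template % user_value


def shell_control_tokens(cmdline: str) -> list:
    """Detection helper: tokenise a command line the way a POSIX shell would
    and return every token that is purely shell punctuation (';', '&&', '|',
    '>', '(' ...). A non-empty result means the input would split or redirect
    the command rather than act as a plain argument."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return [tok for tok in lexer
            if tok and all(ch in lexer.punctuation_chars for ch in tok)]


def is_shell_safe(value: str) -> bool:
    """Positive validation: accept only values matching the whitelist."""
    return bool(SAFE_ARG.match(value))


def build_command_hardened(program: str, user_value: str) -> list:
    """The fixed pattern: validate, then build an argv list. The list form is
    handed to exec() directly, so no shell ever interprets the value."""
    if not is_shell_safe(user_value):
        raise ValueError("rejected argument: %r" % user_value)
    return [program, user_value]


def run_argv(program: str, arg: str) -> str:
    """Run program with arg as a single argv element (shell=False) and return
    its stdout. Even an unvalidated value containing ';' arrives at the
    program as one literal string, which is the point of the fix."""
    result = subprocess.run([program, arg], shell=False,
                            capture_output=True, text=True, check=False)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample values: a benign room name and an injection attempt.
    for value in ("room1", "room1; echo pwned"):
        print("input:          ", repr(value))
        print("  unsafe string:", repr(build_command_unsafe("spotclean.sh %s", value)))
        print("  control tokens:", shell_control_tokens("spotclean.sh %s" % value))
        print("  whitelist ok:  ", is_shell_safe(value))
        # With argv, echo receives the whole value as one argument.
        print("  via argv echo: ", repr(run_argv("echo", value)))
```

    Running it shows the unsafe string for the second input carrying a `;` token, the whitelist rejecting it, and `echo` invoked through an argv list printing the whole value verbatim rather than running a second command.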

  8. JohnFen Silver badge

    Re: superuser rights on the vacuum

    "Perhaps they could have taken steps to minimize their use of root for network facing services"

    Not perhaps. There is no reason for network facing services to have real root access.

  9. jake Silver badge

    Re: superuser rights on the vacuum

    Never mind network services having root access. Start from the beginning.

    There is no fucking reason, at all, for any fucking vacuum cleaner anyfuckingwhere, to run any variation of un*x. Period. What fucking moron decided this was a good idea? They should be put in the stocks in the marketplace and laughed at until they die of embarrassment. Morons.

    Now ... on to the OBVIOUSLY much needed cameras and microphones and Internet access on vacuum cleaners ... Geebus H. Christ on a pogo stick, what has the world come to?

  10. JohnFen Silver badge

    Re: superuser rights on the vacuum

    I disagree. There's nothing wrong with the choice of a Unix derivative as the base OS. The primary issues here (ignoring ancillary ones like why in the world is there a camera on this thing at all, let alone a night vision one?) are that the device has network connectivity at all, and that the network connectivity was poorly implemented.

  11. jake Silver badge

    Re: superuser rights on the vacuum

    JohnFen, have you never heard of the folly of swatting mosquitoes with a shotgun? There is overkill, and then there is really fucking stupid, over the top overkill. And a couple of orders of magnitude on the stupid scale beyond that is putting a general purpose, multiuser, multitasking operating system on a fucking vacuum cleaner.

  12. JohnFen Silver badge

    Re: superuser rights on the vacuum

    You are aware that there are numerous Unices that are intended for dedicated systems and are lean, not multiuser, and not even multitasking, right?

  13. jake Silver badge

    Re: superuser rights on the vacuum

    But JohnFen, we're not talking about one of those, now are we?

  14. Warm Braw Silver badge

    Re: superuser rights on the vacuum

    All Unix OSes require root to do a lot of things

    The chain of reasoning really needs to start before the point of assuming that a floor sweeper is in need of an OS of any kind.

  15. Teiwaz Silver badge

    Re: superuser rights on the vacuum

    There is no fucking reason, at all, for any fucking vacuum cleaner anyfuckingwhere, to run any variation of un*x

    Ah, of course, what could one be thinking, Windows is the perfect solution for Vacuum Cleaner O.S, it sucks too.

  16. Adam 1 Silver badge

    Re: superuser rights on the vacuum

    Shirley it should be an iOS derivative? Needs to have lots of shiny.

  17. jake Silver badge

    Re: superuser rights on the vacuum

    iOS is to all intents and purposes BSD in this discussion. Same issues, for the same reasons.

  18. JohnFen Silver badge

    Re: superuser rights on the vacuum

    I was.

  19. Nolveys Silver badge

    Re: superuser rights on the vacuum

    The chain of reasoning really needs to start before the point of assuming that a floor sweeper is in need of an OS of any kind.

    It's hard to have decent AI without an underlying operating system and without decent AI we will never be able to teach vacuum cleaners to drive cars.

  20. Anonymous Coward
    Alert

    Spy vs Spy

    When I said get the dirt on this guy, I didn't mean hack his vacuum but I guess that works.

  21. Kevin McMurtrie Silver badge

    Useless warranties

    There needs to be a global effort to categorize software bugs as manufacturing defects covered by warranty. Idiot of Things makers might take notice when their entire shipped inventory is returned as defective and all the money is gone.

    With a crap vac like this, you can literally see the looks on their faces when it's all returned.

  22. DougS Silver badge

    Re: Useless warranties

    Even if they did that, unless the law required MANDATORY returns, it wouldn't impact them much. Go tell your friends their Roomba is a security risk, watch them look at you funny and not care. If someone they knew had their Roomba compromised and it took pictures of them coming out of the shower (hey Roomba, what are you doing in the bathroom?) they'd have a different view but these attacks are too theoretical to care about.

    Very few would bother to return their Roomba for replacement, so Roomba still wouldn't have much incentive to invest in security. Though it sounds like they wouldn't have to actually return them, based on the security alert it sounds like the Roomba in question supports wifi. If so it should be able to receive software updates from home base, right?

  23. Doctor Syntax Silver badge

    Re: Useless warranties

    "you can literally see the looks on their faces"

    Unless I were present I literally couldn't.

  24. Nolveys Silver badge

    Re: Useless warranties

    Unless I were present I literally couldn't.

    Couldn't you use the cameras in the vacuum cleaners?

  25. spold Bronze badge

    A set of stairs should mitigate the risk to privacy

  26. John Brown (no body) Silver badge

    "A set of stairs should mitigate the risk to privacy"

    Until they independently invent anti-grav!

  27. DropBear Silver badge
    Joke

    That's what you thought would save you from Daleks too. How well did that work out...?

  28. Sureo

    password 88888888

    That's a refreshing change from 11111111.

  29. DougS Silver badge

    Re: password 88888888

    The world has advanced a lot since Donald Trump Dark Helmet used 12345 for his luggage combination.

  30. andy k O'Croydon

    Re: password 88888888

    It wasn't Dark Helmet who had that combination on his luggage, it was President Scroob!

  31. Anonymous Coward

    Of course it is snooping on you

    That is the nature of the shit that is IoT.

    If you assume that every 'gadget' is spying on you and phoning home your every move, you won't be far off the truth.

    I won't have any of this [redacted] [redacted] and [redacted] in my home.

    Call me a luddite but I don't want 'the man' and also every ad agency and worse knowing what I do at home.

    Posting AC but that won't stop them if they are really determined.

  32. Anonymous Coward

    "If you assume that every 'gadget' is spying on you and phoning home your every move"

    That sums it up right there.... Whether it's Reality 'Distortion-Field' economics or the Surveillance-Economy, not many of us want this. Yet our input is never listened to. From Silly 'con' Valley to South Korea, tech executives are deaf! With Android-slurp, Win10-slurp, SmartTV-slurp, Car-slurp, Hoover-slurp etc, CES should really be renamed 'Surveillance-World'! Plus, we're supposed to give thanks anyway, like dealing with God!

  33. Camilla Smythe Silver badge

    Perhaps Mr Chope...

    Was concerned that his new found Haxoring Skillz were about to get wasted.

  34. A. Coatsworth
    Mushroom

    Super User rights... SD Cards... Vacuums

    Why does this exist? In the name of everything that is holy, WHY?!

    Please, stop the World, I *need* to get out

  35. JohnFen Silver badge

    IoT foolishness

    I can't think of a good reason why your vacuum cleaner needs access to the internet at all. This is just more IoT madness.

  36. Remy Redert

    Re: IoT foolishness

    How else will it download updates over the air to protect it from hackers?

  37. Anomalous Cowturd
    Stop

    Re: IoT foolishness

    > I can't think of a good reason why your vacuum cleaner needs access to the internet at all. This is just more IoT madness.

    So you / I can control it from the comfort of $wherever you like$ without having to physically go and fetch it.

    If I drop crumbs on the floor, I can summon mine to the exact location for a spot clean, without leaving my chair. For us disabled folks, it's a marvel. I've ordered another one as a treat for my cleaner.

    Just because you personally don't see a reason for something, doesn't mean there isn't a very good one for someone else.

  38. John Smith 19 Gold badge
    Thumb Up

    can summon mine to..location for a spot clean, without..y chair. For us disabled folks,

    OMFG

    I believe you've found a genuine use case for this.

    F**k me sideways.

  39. jake Silver badge

    Re: can summon mine to..location for a spot clean, without..y chair. For us disabled folks,

    A use case for spot cleaning on demand, sure! But I still fail to see where having an internet connection, a camera, and a microphone make any sense. Shirley a localized means of control would be more logical? Unless you're planning on calling your vacuum to come to the rescue for a mess you made at your DearOldMum's house, clear across the country, I guess. What's the range of these things, anyway?

  40. Martin an gof Silver badge

    Re: IoT foolishness

    > I can't think of a good reason why your vacuum cleaner needs access to the internet at all. This is just more IoT madness.

    So you / I can control it from the comfort of $wherever you like$ without having to physically go and fetch it.

    But as has been pointed out here many, many times in the past, it doesn't need internet access for that.

    If there must be a smartphone app, then the thing can communicate across the home network. But why must there be a smartphone app? A very simple remote control is probably easier to carry with you (smaller, battery lasts months, not hours) and with a teensy bit of thought the crumb-collecting device could respond to any one of a couple of different remote button pushes to "start full clean routine now" or "clean dining room" or "stop cleaning and go home because the cat has just been sick".

    The key thing here, of course, is making sure that when the device leaves the factory it actually works and doesn't need to be updated at all.

    M.

  41. Doctor Syntax Silver badge

    Re: IoT foolishness

    "So you / I can control it from the comfort of $wherever you like$ without having to physically go and fetch it."

    But do you need to control it from wherever you like? If you drop crumbs on the floor within range of the cleaner you don't need to be able to control it from somewhere else. The control never needs to go outside your WiFi zone. Your use case is valid, it's the implementation that fails.

  42. Anomalous Cowturd
    Happy

    Re: IoT foolishness

    > Your use case is valid, it's the implementation that fails.

    It works fine as a vacuum cleaner without any network connection, but you lose the facility to program scheduled clean ups, or adjust the power settings, along with many other features.

    I agree with you that the external network access is not necessary for most use cases, but it does give you the option to trigger a cleanup from afar, or watch it fill in the map as it goes around. It uses LIDAR, not a camera.

    It cost far less than any Dyson cleaner, and you don't have to do the hoovering yourself.

    Xiaomi Mi robot vacuum version 1. Under £250 on GearBest. One of the best performing robo vacs on the market. It's my new best friend. ;o)

  43. Yet Another Anonymous coward Silver badge

    Re: IoT foolishness

    If I drop crumbs on the floor, I can summon mine to the exact location

    I've got a lab - the crumbs don't even reach the floor

  44. Wensleydale Cheese Silver badge

    Re: can summon mine to..location for a spot clean, without..y chair. For us disabled folks,

    "Shirley a localized means of control would be more logical?"

    The beauty of standards is that there are so many to choose from.

    The problem with a localized means of control is you end up with a different remote control for every device in the house. There's also a range problem, and wifi offers a single means of communication, i.e. a standard which can be used by all manufacturers.

    It's tricky. Leave manufacturers to devise their own solutions and it will arguably be a worse disaster.

  45. John Brown (no body) Silver badge

    Re: IoT foolishness

    "I can't think of a good reason why your vacuum cleaner needs access to the internet at all. This is just more IoT madness."

    ...and why does it need an SD card, which the article implies is removable?

  46. Martin
    FAIL

    Re: IoT foolishness

    So yes, you need your app and the vacuum cleaner to be on the same network, so they can talk to each other. That I get.

    But WHY do they then have to talk to the internet?

  47. DropBear Silver badge

    Re: IoT foolishness

    "why does it need an SD card, which the article implies is removable?"

    That's actually one of the sanest backup ways to deliver updates in an unbrickable and also user-friendly way, if an OTA update borks the device for some reason. Most users would manage to download a file to an SD card and stick it into the vacuum cleaner if it went TITSUP (Total Inability To SUck Properly). The devil is in the details (and the haxxors in all your base) of course...

  48. Joe Harrison Silver badge

    Re: IoT foolishness

    It needs the SD card in case it crashes into another robot vacuum cleaner and the video will show who was at fault.

  49. ShelLuser
    Joke

    IoT vacuum?

    So your vacuum cleaner is spying on you? Well, that sucks :P

  50. Anonymous Coward

    It's not the damn vacuum that I'm afraid of...

    I'm trying to figure out how to run a packet sniffer to see what's up with my microwave oven.

    https://gizmodo.com/kellyanne-conway-we-can-be-watched-by-microwaves-that-1793211493


Biting the hand that feeds IT © 1998–2018