The Day My Smart Vacuum Turned Against Me
8 days ago
- #Smart Devices
- #Privacy
- #Reverse Engineering
- The author's smart vacuum (iLife A11) was found to be sending data to remote servers without consent.
- Blocking the vacuum's data logging IP caused it to malfunction, leading to a cycle of repairs and failures.
- Reverse engineering revealed the vacuum was a sophisticated device running Linux and Google Cartographer for 3D mapping.
- The vacuum had an open Android Debug Bridge (ADB) allowing root access without authentication.
- A remote kill command was discovered in the startup scripts; when triggered, it intentionally disables the device.
- The manufacturer used rtty software for remote root access, enabling them to control or disable the device.
- The service center revived the vacuum by connecting it to an open network, but it failed again when returned to the author's firewall.
- The same hardware (3irobotix CRL-200S) is used by multiple brands, raising concerns about widespread vulnerabilities.
- The author regained control by running the vacuum offline, blocking manufacturer access, and documenting findings.
- Key lessons: 'smart' devices often lack user control, cheap devices compromise security, and IoT devices should be isolated on a separate network.
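The last two points (running the device offline, blocking manufacturer access, and isolating IoT devices on their own network) amount to an egress policy for the vacuum's VLAN. The following is an added example, not code from the original post or from any vendor: it parses a few constructed firewall connection-log lines for a device on an isolated IoT subnet, reports any outbound flow that is neither local traffic nor an explicitly allowed destination, and renders the same policy as an nftables forward-chain snippet. The log format, the device address, and the remote addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Egress policy check for an isolated IoT device (added example).

Two things a defender wants after isolating a device on its own subnet:
1. a way to see whether it still tries to phone home, and
2. firewall rules that only let through what was deliberately allowed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in a conntrack-like format exported from the router.
# 192.168.50.20 is the (hypothetical) vacuum; 203.0.113.7 and 198.51.100.42
# stand in for remote endpoints it tries to reach.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=192.168.50.20 dst=192.168.50.1 proto=udp dport=53
2024-05-01T10:00:02 src=192.168.50.20 dst=192.168.50.10 proto=tcp dport=8883
2024-05-01T10:00:05 src=192.168.50.20 dst=203.0.113.7 proto=tcp dport=443
2024-05-01T10:00:09 src=192.168.50.20 dst=198.51.100.42 proto=tcp dport=5912
2024-05-01T10:00:12 src=192.168.50.21 dst=192.0.2.9 proto=tcp dport=443
2024-05-01T10:00:15 src=192.168.50.20 dst=192.168.50.1 proto=udp dport=123
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class DevicePolicy:
    device_ip: ipaddress.IPv4Address
    local_net: ipaddress.IPv4Network
    # (destination ip, protocol, port) tuples that are deliberately permitted;
    # empty means "local network only", i.e. the device runs fully offline.
    allowed_remote: frozenset


def parse_log(text: str) -> list:
    """Parse log lines into Flow records; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(m["ts"], ipaddress.ip_address(m["src"]),
                          ipaddress.ip_address(m["dst"]), m["proto"],
                          int(m["dport"])))
    return flows


def violations(flows: list, policy: DevicePolicy) -> list:
    """Return the device's outbound flows that the policy does not permit."""
    bad = []
    for f in flows:
        if f.src != policy.device_ip:
            continue                      # traffic from some other host
        if f.dst in policy.local_net:
            continue                      # local-only traffic is always fine
        if (str(f.dst), f.proto, f.dport) in policy.allowed_remote:
            continue                      # explicitly allowed remote endpoint
        bad.append(f)
    return bad


def nft_rules(policy: DevicePolicy, table: str = "iot_egress") -> str:
    """Render the policy as an nftables forward chain (default: drop)."""
    dev = policy.device_ip
    lines = [f"table inet {table} {{", "  chain forward {",
             "    type filter hook forward priority 0; policy accept;",
             f"    ip saddr {dev} ip daddr {policy.local_net} accept"]
    for ip, proto, port in sorted(policy.allowed_remote):
        lines.append(f"    ip saddr {dev} ip daddr {ip} {proto} dport {port} accept")
    lines += [f"    ip saddr {dev} drop", "  }", "}"]
    return "\n".join(lines)


# Offline policy: the vacuum may talk only to the local subnet.
OFFLINE_POLICY = DevicePolicy(ipaddress.ip_address("192.168.50.20"),
                              ipaddress.ip_network("192.168.50.0/24"),
                              frozenset())

if __name__ == "__main__":
    for v in violations(parse_log(SAMPLE_LOG), OFFLINE_POLICY):
        print(f"{v.ts} phone-home attempt to {v.dst}:{v.dport}/{v.proto}")
    print(nft_rules(OFFLINE_POLICY))
```

Under the offline policy the two flows to non-local addresses are reported; adding a `("203.0.113.7", "tcp", 443)` entry to `allowed_remote` would permit that one endpoint while still dropping everything else, which is the shape of policy a firewall in front of an IoT VLAN should enforce.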