50 comments

[ 4.6 ms ] story [ 78.2 ms ] thread
[flagged]
> Why would they not be homogenous?

Why would a business have the power to decide what should and what shouldn't be homogeneous about the property of others? A transaction took place, property has legally changed hands and the former owner is exerting control over property that isn't theirs any more.

How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?

This is a cool article, and neat he got it working in the end.

One thing that is odd - if he blocked it calling home, it doesn't make sense that the kill code was issued remotely. It makes more sense that there is a line of code internally that kills the machine when it can't call home (which would be far less malicious).

> How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?

I've seen this movie. Only, the twist was that the home was built 100+ years ago and the builder long since dead. The family living in the home currently had to resort to an exorcist.

Edit to say that the sarcasm is direct rebuttal with the preposterous nature of the hypothetical.

> How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?

And if you complain he kicks you and your wife out of the house you bought. And if you dare to close off the backdoor he sends you to jail.

The owner did not hack the vacuum, he blocked the IP address on his network for the telemetry server. Same thing tons of people do with Pi-Hole DNS blocking, for example.

There's no sane world where it is defensible to remotely brick a device because it can't communicate with a telemetry server.

Not just devices. Same for apps. If you block the live monitoring features of some crash accumulators apps will not function. (Looking at you dexcom)
> There's no sane world where it is defensible to remotely brick a device because it can't communicate with a telemetry server.

Just today: Setting up an old smartphone: "Google assistant cannot work on this device." The only choice was "back". Had to search on the internet the solution: do not connect to wi-fi.

> As the business running the servers of smart vacuums, if I saw an atypical device reporting in, without context, I too would kill that device.

If you want to block a device from accessing your servers because it's behaving in an odd way, such as this one that was contacting the update server but not the telemetry server, that's not entirely unreasonable. Sending it a command to modify its software to stop it from operating entirely is outrageous.

Does low-effort rage-bait belong on HN? aka, are you f**ing kidding?
I wish I had the abilities of the engineer, plus the time he could devote to the problem.
There is a significantly easier option (although still more work than just buying a vacuum and using it as the manufacturer intended): get one of the Valetudo supported vacuums[0]. This firmware replacement blocks telemetry and allows for near complete feature parity with the original firmware, and flashing is (usually) relatively simple. Certainly much simpler than the process described here.

[0] https://valetudo.cloud/pages/general/supported-robots.html

Thankful for people like this - with kids and family and work I’d probably have had this sit bricked for a year in my garage before finding time to tinker with it. Now I can just never buy any iLife product ever.

We should probably update this story to link directly to the hackers blog, they deserve the credit! https://codetiger.github.io/blog/the-day-my-smart-vacuum-tur...

> I wish I had the abilities of the engineer, plus the time he could devote to the problem.

Ability is a matter of patience and persistence. And both are the results of motivation. Anyone can learn anything as long as they really want it. (barring disabilities like depression that destroy motivation. But some people use even that as an opportunity to learn new skills that in turn help them recover.) But Time is an entirely different matter. You can find time if you really want to, but life has other priorities too - including time doing nothing (rest). Finding the extra time in between all that will depend on your craftiness. That's the true skill here.

I block this nonsense before it gets to the cash register.
That's always a good idea, but how many people have the resources to research these details? First of all you have to be aware that this issue even exists. Then you have to scrape the corners of the internet for whether an appliance has any anti-features, because no manufacturer will ever write "collects unsolicited data about you, we will break the appliance if you refuse us your personal information" on the box. And finally you need to be able to afford the time and patience for the whole process.

I don't own a smart vacuum cleaner because the trouble is not worth it to me. However, I can see smart vacuum cleaners being very good for elderly or disabled people, or someone who has very limited free time and could let the robot clean the house on its own while the owner is out. It is really disgusting that scumbag manufacturers are exploiting those people.

I don't. I take it home, open the package and return it as defective.

You see the same everywhere. Lawnmowers even. A goat is more user friendly.

I suspect this is not the full story. Why would someone waste their time manually disabling a device? That makes me think that this device was doing something malicous to their servers, enough to trip an alert.
Might just be a "could not contact server for X days in a row" thing.
To "encourage" the owner to re-enable the connectivity. Google threatens to ban your Youtube account if you block ads. Companies will go out of their way to nudge, push, or force you to keep the data collection (or ads) gravy train going.
> Why would someone waste their time manually disabling a device?

What what makes you think it was manual?

> That makes me think that this device was doing something malicous to their servers, enough to trip an alert.

Sounds like a them problem, and not a problem that should affect the consumer (beyond losing functionality directly tied to the server, which bricking of any kind goes far beyond)

>What what makes you think it was manual?

The article said that someone from the company logged in to his device and edited a file on it to disable it. Even if it was automatic someone would manually have to write a script to login and edit a file.

"From there, he built a Raspberry Pi joystick to manually drive the vacuum, proving that there was nothing wrong with the hardware."

He should make these and sell them. It would be worth it to just drive it in "discovery" mode and give it the exact path to follow while cleaning. The constant inability to learn the floor plan is beyond annoying.

This is why lidar based robot vacuums are superior over random walk vacuums.
That’s a fantastic idea. The blind bumbling has always irritated me too.
Never connected my Roomba to the internet and it has worked fine for the past several years. It insists that I should connect to it via the app to resolve the occasional minor issue, but I would always ignore those. It's starting to show its wear and it's probably time for a new vacuum. I'm not sure if I'll be able to bootstrap one without connectivity, nowadays. Any good recommendations out there?
Buy a used one the same as your current one. Find one with little use and you’ll be good for many more years.
Probably a felony under the DMCA.

I'm reminded of when AWS us-east-1 went down and all the beds made by EightSleep (business model: Juicero for beds) became disabled. EightSleep put all the significant control for their beds in the cloud, doubtless because they couldn't or didn't know how to hire embedded engineers, and the only devs they could find were node.js flunkies who only knew how to do cloud. Looks like the makers of this vacuum did the same thing; they didn't know how or didn't want to build just enough smarts to do the localization and mapping itself, and said "fuck it, we'll do it in the cloud".

A good time to point out https://github.com/Hypfer/Valetudo.

I haven't tried it personally because my particular model of vacuum has some complicated and potentially destructive procedure to get the required access, but there's quite a few models where it can be installed easily.

I have it on two of my Roborocks and it rocks.
> ... because my particular model of vacuum has some complicated and potentially destructive procedure to get the required access

This right there is the root of the entire problem. We had IBM PC clones that you could recover and keep running for decades by easily replacing expansion cards, HDDs, RAM sticks, peripherals and even circuit components like caps, ICs and batteries. We used to partition our 50 GB HDD into a dozen little partitions and multiboot every conceivable OS out there. Now we have an oligarchic dystopia where even RAMs and batteries are soldered on and bonded with single-use resins instead of age-old screws. Even if you get through, you can't salvage or swap ICs because they're paired individually at device level. You can't reach the boot partition without a Ph.D in RevEng and a risk of still bricking the device 3 out of 4 times. And that's all for technological progress and security, they say! Those claims have as much credibility as their claims to making an honest living. It's weasel-speak, not engineering insight.

Modifying the device that you paid for should never be this complicated. Those greedy corpos are usurping the consumer's rights and wealth, plain and simple.

From my understanding (I might be wrong) the images are pre-built by the owner of the project right? I remember there being a form you fill and you receive a download link.

If that's the case what guarantees do I have there's no "funny business" on the image?

It runs entirely on LAN, ie; you just go to the vacuums IP address in a browser to control it. So you can block internet access for it if you're worried with no negative effects.
I am super happy with Valetudo.

Since the robots got cameras and microphones, it's a no-go for me to have it in my home connected to some cloud.

It's little bit challenging to orient oneself in the project (tip: read a couple of the last release notes), but once you do, it's great.

I bought a new robot vacuum that was specifically recommended by the Valetudo project (Dreame L10s Pro Ultra Heat). The rooting was straightforward and non-destructive. The robot works great.

And the usage is much better even for non-developer people (i.e. my wife), as the UI is simple, not constantly changing under your hands, no ads, no upseling. It's a tool as it should be.

Whenever I read about robovac. I wonder gow good are these robot vacs really?

Maybe it is just me, but surely would be less effort to hire a cleaner and they can do more than just vacuuming.

Sure, but a cleaner coming twice is the same cost of a robot vacuum that will work for a couple of years, typically. They do an okay enough job, but they need to run daily, sometimes twice a day, to really keep up considering it's limitations.
When I bought my Roomba in 2013, it cost as much total as I pay my cleaning ladies to come once every two weeks. If your floors get dirty easily, it's not really going to get them spotless, but it'll get them far cleaner than they'd otherwise be.
I think it’s one of the most idiotic devices anyone could own. Buy a normal vacuum cleaner for half the price, spend 10 minutes a week vacuuming your apartment, and you won’t come home and find that your cleaning robot spent the afternoon choking on a shoelace.
(comment deleted)
IMO a company should lose all control over technology once you've purchased it. Doesn't matter if it's "smart" or not. If the company wants to do something like telemetry, they can buy a license from you for that data. See how they like it when the tables are flipped.
First of all, it's Android Debug Bridge, which gives him full root access to the vacuum, wasn't protected by any kind of password or encryption.

Good. You bought it, you own it.

(I have no skin in this game --- my vacuum is as dumb as they come, and can be fixed with basic machine shop tools.)

Sounds like the "remote kill switch" was probably "log buffer was full", given that it comes back to life when used on a different network.
Thanks for sharing. Removed this company from my list.
How did we let things get to this point? (A rhetorical question.)
When smart devices started becoming common I looked at them and made the decision that it was a hard no from me - I didn't trust that they'd secure the data properly, I didn't trust the privacy aspect and I really didn't trust that they'd continue to support the product for the life of the hardware.

Here we are 10-15 years later and I see no reason to change that view in the slightest.

It surprises the none-techies I know that I don't have any smart devices in my home because they assume I would been a computer geek but its because I'm a computer geek that I don't.

My hoover is a switch connected to an electric motor, I can service it with a phillips screwdriver.

Even my TV is just a fedora box connected to a regular Samsung TV (which has never been on the network and never will).

I wish every product like this had giant warnings on the box, in the online listing, etc.

I bought a robot vac (after owning an early roomba for some time) - Opened it up, ready to use it - instructions said download the app to make it work.

It's back in it's box somewhere around here and never used.