Doctor, doctor, I feel like my IoT-enabled vacuum cleaner is spying on me

Vulnerabilities in a range of robot vacuum cleaners allow miscreants to access the gadgets' camera, and remote-control the gizmos. Security researchers at Positive Technologies (PT) this week disclosed that Dongguan Diqee 360 smart vacuum cleaners contain security flaws that hackers can exploit to snoop on people through the …

  1. Chronos
    FAIL

    More unfortunate naming fails

    "Someone's spying on my diqee!"

    That'll teach you for sending dick pics via social media...

  2. whoseyourdaddy

    So...

    Android is the underlying OS?

    You didn't buy a Dyson? That sucks in so many ways...

  3. Paul Herber Silver badge

    IoT

    Internet of Toasters.

    Toasters create crumbs, hence the vacuum cleaner.

    No buns, baps, bagels or baguettes, please.

    1. VinceH

      Re: IoT

      Ah, so you're a waffle man!

      1. Anonymous Coward
        Happy

        Re: IoT

        > Ah, so you're a waffle man!

        Waffles are the same as pancakes but ribbed for added pleasure.

  4. Warm Braw

    superuser rights on the vacuum

    I think that neatly encapsulates the full idiocy of the genre.

    1. Anonymous Coward
      Anonymous Coward

      Re: superuser rights on the vacuum

      All Unix OSes require root to do a lot of things, so avoiding the use of it isn't feasible. Perhaps they could have taken steps to minimize their use of root for network facing services, but the real problem was the same old story - not programming with security in mind. A shell script was able to be run with a %s argument supplied by the attacker.

      No doubt the argument they supply is something of the form "foo; <command of your choice>". Those ';' (or & or | or whatever) attacks are as old as Unix, and easy to leave in place if you hire someone on the cheap who does the minimum possible to make things work according to spec, and neither management nor the programmers give security a passing thought. After all, who would want to break in to a vacuum, right?
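The pattern the comment above describes, as an added example that is not part of the thread or the vendor's firmware: untrusted text formatted into a shell command line via `%s`, beside a version that validates the value against an allow-list and executes the helper without a shell. The `HELPER` path, the function names and the sample inputs are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper binary, a stand-in for the device's script. */
#define HELPER "/bin/echo"

/* Vulnerable pattern: untrusted text formatted into a shell command line.
 * Passing the result to system() lets ';', '&' or '|' start a second command. */
int build_shell_cmd(char *out, size_t n, const char *arg) {
    return snprintf(out, n, HELPER " %s", arg);
}

/* Allow-list check: 1..64 chars from [A-Za-z0-9._-], no leading '-'
 * (so the value cannot be read as an option by the helper). */
int arg_is_safe(const char *arg) {
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789._-";
    size_t len = strlen(arg);
    if (len == 0 || len > 64 || arg[0] == '-') return 0;
    return strspn(arg, ok) == len;
}

/* Hardened pattern: validate, then exec the helper directly with the value
 * as one argv element. No shell ever parses it.
 * Returns the helper's exit status, or -1 on rejection or failure. */
int run_helper(const char *arg) {
    if (!arg_is_safe(arg)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)HELPER, (char *)arg, NULL };
        execv(HELPER, argv);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[128];
    const char *hostile = "foo; echo injected";   /* constructed input */
    build_shell_cmd(cmd, sizeof cmd, hostile);
    printf("shell would parse: %s\n", cmd);
    printf("hardened path on hostile input: %d\n", run_helper(hostile));
    printf("hardened path on fw_1.2.bin: %d\n", run_helper("fw_1.2.bin"));
    return 0;
}
```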

      1. JohnFen

        Re: superuser rights on the vacuum

        "Perhaps they could have taken steps to minimize their use of root for network facing services"

        Not perhaps. There is no reason for network facing services to have real root access.

        1. jake Silver badge

          Re: superuser rights on the vacuum

          Never mind network services having root access. Start from the beginning.

          There is no fucking reason, at all, for any fucking vacuum cleaner anyfuckingwhere, to run any variation of un*x. Period. What fucking moron decided this was a good idea? They should be put in the stocks in the marketplace and laughed at until they die of embarrassment. Morons.

          Now ... on to the OBVIOUSLY much needed cameras and microphones and Internet access on vacuum cleaners ... Geebus H. Christ on a pogo stick, what has the world come to?

          1. JohnFen

            Re: superuser rights on the vacuum

            I disagree. There's nothing wrong with the choice of a Unix derivative as the base OS. The primary issues here (ignoring ancillary ones like why in the world is there a camera on this thing at all, let alone a night vision one?) are that the device has network connectivity at all, and that the network connectivity was poorly implemented.

            1. jake Silver badge

              Re: superuser rights on the vacuum

              JohnFen, have you never heard of the folly of swatting mosquitoes with a shotgun? There is overkill, and then there is really fucking stupid, over the top overkill. And a couple of orders of magnitude on the stupid scale beyond that is putting a general purpose, multiuser, multitasking operating system on a fucking vacuum cleaner.

              1. JohnFen

                Re: superuser rights on the vacuum

                You are aware that there are numerous Unices that are intended for dedicated systems and are lean, not multiuser, and not even multitasking, right?

                1. jake Silver badge

                  Re: superuser rights on the vacuum

                  But JohnFen, we're not talking about one of those, now are we?

                  1. JohnFen

                    Re: superuser rights on the vacuum

                    I was.

          2. Teiwaz

            Re: superuser rights on the vacuum

            There is no fucking reason, at all, for any fucking vacuum cleaner anyfuckingwhere, to run any variation of un*x

            Ah, of course, what could one be thinking, Windows is the perfect solution for Vacuum Cleaner O.S, it sucks too.

            1. Adam 1

              Re: superuser rights on the vacuum

              Shirley it should be an iOS derivative? Needs to have lots of shiny.

              1. jake Silver badge

                Re: superuser rights on the vacuum

                iOS is to all intents and purposes BSD in this discussion. Same issues, for the same reasons.

      2. Warm Braw

        Re: superuser rights on the vacuum

        All Unix OSes require root to do a lot of things

        The chain of reasoning really needs to start before the point of assuming that a floor sweeper is in need of an OS of any kind.

        1. Nolveys

          Re: superuser rights on the vacuum

          The chain of reasoning really needs to start before the point of assuming that a floor sweeper is in need of an OS of any kind.

          It's hard to have decent AI without an underlying operating system and without decent AI we will never be able to teach vacuum cleaners to drive cars.

  5. Anonymous Coward
    Alert

    Spy vs Spy

    When I said get the dirt on this guy, I didn't mean hack his vacuum but I guess that works.

  6. Kevin McMurtrie Silver badge

    Useless warranties

    There needs to be a global effort to categorize software bugs as manufacturing defects covered by warranty. Idiot of Things makers might take notice when their entire shipped inventory is returned as defective and all the money is gone.

    With a crap vac like this, you can literally see the looks on their faces when it's all returned.

    1. Anonymous Coward
      Anonymous Coward

      Re: Useless warranties

      Even if they did that, unless the law required MANDATORY returns, it wouldn't impact them much. Go tell your friends their Roomba is a security risk, watch them look at you funny and not care. If someone they knew had their Roomba compromised and it took pictures of them coming out of the shower (hey Roomba, what are you doing in the bathroom?) they'd have a different view but these attacks are too theoretical to care about.

      Very few would bother to return their Roomba for replacement, so Roomba still wouldn't have much incentive to invest in security. Though it sounds like they wouldn't have to actually return them, based on the security alert it sounds like the Roomba in question supports wifi. If so it should be able to receive software updates from home base, right?

    2. Doctor Syntax Silver badge

      Re: Useless warranties

      "you can literally see the looks on their faces"

      Unless I were present I literally couldn't.

      1. Nolveys

        Re: Useless warranties

        Unless I were present I literally couldn't.

        Couldn't you use the cameras in the vacuum cleaners?

  7. spold Silver badge

    A set of stairs should mitigate the risk to privacy

    1. John Brown (no body) Silver badge

      "A set of stairs should mitigate the risk to privacy"

      Until they independently invent anti-grav!

    2. DropBear
      Joke

      That's what you thought would save you from Daleks too. How well did that work out...?

  8. Sureo

    password 88888888

    That's a refreshing change from 11111111.

    1. Anonymous Coward
      Anonymous Coward

      Re: password 88888888

      The world has advanced a lot since Donald Trump Dark Helmet used 12345 for his luggage combination.

      1. andy k O'Croydon

        Re: password 88888888

        It wasn't Dark Helmet who had that combination on his luggage, it was President Skroob!

  9. Anonymous Coward
    Anonymous Coward

    Of course it is snooping on you

    That is the nature of the shit that is IoT.

    If you assume that every 'gadget' is spying on you and phoning home your every move, you won't be far off the truth.

    I won't have any of this [redacted] [redacted] and [redacted] in my home.

    Call me a luddite but I don't want 'the man' and also every ad agency and worse knowing what I do at home.

    Posting AC but that won't stop them if they are really determined.

    1. Anonymous Coward
      Anonymous Coward

      "If you assume that every 'gadget' is spying on you and phoning home your every move"

      That sums it up right there.... Whether it's Reality 'Distortion-Field' economics or the Surveillance-Economy, not many of us want this. Yet our input is never listened to. From Silly 'con' Valley to South Korea, tech executives are deaf! With Android-slurp, Win10-slurp, SmartTV-slurp, Car-slurp, Hoover-slurp etc, CES should really be renamed 'Surveillance-World'! Plus, we're supposed to give thanks anyway, like dealing with God!

  10. Camilla Smythe

    Perhaps Mr Chope...

    Was concerned that his new found Haxoring Skillz were about to get wasted.

  11. A. Coatsworth Silver badge
    Mushroom

    Super User rights... SD Cards... Vacuums

    Why does this exist? In the name of everything that is holy, WHY?!

    Please, stop the World, I *need* to get out

  12. JohnFen

    IoT foolishness

    I can't think of a good reason why your vacuum cleaner needs access to the internet at all. This is just more IoT madness.

    1. Remy Redert

      Re: IoT foolishness

      How else will it download updates over the air to protect it from hackers?

    2. Anomalous Cowturd
      Stop

      Re: IoT foolishness

      > I can't think of a good reason why your vacuum cleaner needs access to the internet at all. This is just more IoT madness.

      So you / I can control it from the comfort of $wherever you like$ without having to physically go and fetch it.

      If I drop crumbs on the floor, I can summon mine to the exact location for a spot clean, without leaving my chair. For us disabled folks, it's a marvel. I've ordered another one as a treat for my cleaner.

      Just because you personally don't see a reason for something, doesn't mean there isn't a very good one for someone else.

      1. John Smith 19 Gold badge
        Thumb Up

        can summon mine to..location for a spot clean, without..y chair. For us disabled folks,

        OMFG

        I believe you've found a genuine use case for this.

        F**k me sideways.

        1. jake Silver badge

          Re: can summon mine to..location for a spot clean, without..y chair. For us disabled folks,

          A use case for spot cleaning on demand, sure! But I still fail to see where having an internet connection, a camera, and a microphone make any sense. Shirley a localized means of control would be more logical? Unless you're planning on calling your vacuum to come to the rescue for a mess you made at your DearOldMum's house, clear across the country, I guess. What's the range of these things, anyway?

          1. Wensleydale Cheese

            Re: can summon mine to..location for a spot clean, without..y chair. For us disabled folks,

            "Shirley a localized means of control would be more logical?"

            The beauty of standards is that there are so many to choose from.

            The problem with a localized means of control is you end up with a different remote control for every device in the house. There's also a range problem, and wifi offers a single means of communication, i.e. a standard which can be used by all manufacturers.

            It's tricky. Leave manufacturers to devise their own solutions and it will arguably be a worse disaster.

      2. Martin an gof Silver badge

        Re: IoT foolishness

        > I can't think of a good reason why your vacuum cleaner needs access to the internet at all. This is just more IoT madness.

        So you / I can control it from the comfort of $wherever you like$ without having to physically go and fetch it.

        But as has been pointed out here many, many times in the past, it doesn't need internet access for that.

        If there must be a smartphone app, then the thing can communicate across the home network. But why must there be a smartphone app? A very simple remote control is probably easier to carry with you (smaller, battery lasts months, not hours) and with a teensy bit of thought the crumb-collecting device could respond to any one of a couple of different remote button pushes to "start full clean routine now" or "clean dining room" or "stop cleaning and go home because the cat has just been sick".

        The key thing here, of course, is making sure that when the device leaves the factory it actually works and doesn't need to be updated at all.

        M.

      3. Doctor Syntax Silver badge

        Re: IoT foolishness

        "So you / I can control it from the comfort of $wherever you like$ without having to physically go and fetch it."

        But do you need to control it from wherever you like? If you drop crumbs on the floor within range of the cleaner you don't need to be able to control it from somewhere else. The control never needs to go outside your WiFi zone. Your use case is valid, it's the implementation that fails.

        1. Anomalous Cowturd
          Happy

          Re: IoT foolishness

          > Your use case is valid, it's the implementation that fails.

          It works fine as a vacuum cleaner without any network connection, but you lose the facility to program scheduled clean ups, or adjust the power settings, along with many other features.

          I agree with you that the external network access is not necessary for most use cases, but it does give you the option to trigger a cleanup from afar, or watch it fill in the map as it goes around. It uses LIDAR, not a camera.

          It cost far less than any Dyson cleaner, and you don't have to do the hoovering yourself.

          Xiaomi Mi robot vacuum version 1. Under £250 on GearBest. One of the best performing robo vacs on the market. It's my new best friend. ;o)

      4. Yet Another Anonymous coward Silver badge

        Re: IoT foolishness

        If I drop crumbs on the floor, I can summon mine to the exact location

        I've got a lab - the crumbs don't even reach the floor

      5. Martin
        FAIL

        Re: IoT foolishness

        So yes, you need your app and the vacuum cleaner to be on the same network, so they can talk to each other. That I get.

        But WHY do they then have to talk to the internet?

    3. John Brown (no body) Silver badge

      Re: IoT foolishness

      "I can't think of a good reason why your vacuum cleaner needs access to the internet at all. This is just more IoT madness."

      ...and why does it need an SD card, which the article implies is removable?

      1. DropBear

        Re: IoT foolishness

        "why does it need an SD card, which the article implies is removable?"

        That's actually one of the sanest backup ways to deliver updates in an unbrickable and also user-friendly way, if an OTA update borks the device for some reason. Most users would manage to download a file to an SD card and stick it into the vacuum cleaner if it went TITSUP (Total Inability To SUck Properly). The devil is in the details (and the haxxors in all your base) of course...

      2. Joe Harrison

        Re: IoT foolishness

        It needs the SD card in case it crashes into another robot vacuum cleaner and the video will show who was at fault.

  13. Anonymous Coward
    Joke

    IoT vacuum?

    So your vacuum cleaner is spying on you? Well, that sucks :P

  14. Anonymous Coward
    Anonymous Coward

    It's not the damn vacuum that I'm afraid of...

    I'm trying to figure out how to run a packet sniffer to see what's up with my microwave oven.

    https://gizmodo.com/kellyanne-conway-we-can-be-watched-by-microwaves-that-1793211493

  15. John Smith 19 Gold badge
    Unhappy

    So it's a mobile camera/network sniffer which happens to clean floors as well.

    IOW a remotely ownable surveillance drone you pay but may not be able to fully control.

    A fine contraption to separate the mostly clueless from their money and the clueful to explore an ever wider area for new and interesting images and networks to invade.

    Yeay.

  16. Anonymous Coward
    Anonymous Coward

    Hollywood

    I'm guessing this will be in at least the next Bond film and probably a few other action / spy films. When I was a kid they chased people on train roofs, can't wait to watch someone remotely clean someone else's carpet! (But only if it's a John Williams soundtrack).

    1. John Brown (no body) Silver badge

      Re: Hollywood

      "I'm guessing this will be in at least the next Bond film and probably a few other action / spy films. "

      Nah, truth is stranger than fiction!

    2. Stoneshop

      Re: Hollywood

      When I was a kid they chased people on train roofs, can't wait to watch someone remotely clean someone else's carpet!

      Nah, we can have a live view every day of a US president being controlled from Moscow.

  17. Anonymous Coward
    Anonymous Coward

    Our Man in Havana

    Sequel where he peddles vacuum cleaners that are REAL spy equipment!

  18. GnuTzu
    Trollface

    Voyeur Cam, Self Propelled, Buy One For The Object of Your Affection

    Wouldn't that be some marketing campaign, to the delight of stalkers everywhere.

  19. tea junkie

    Just wait until Hoi Hoi San starts shipping https://youtu.be/A6jJ9sV52l4

  20. adam 40 Silver badge
    Paris Hilton

    Unix - or VMS?

    I just saw this advert for the new Vax Blade 2 Max:

    https://www.vax.co.uk/blade2max

    now, when I were a lad, a "Vax Core Processor" meant something completely different!

    <Paris>Because it's a woman's job.</Paris>

  21. samithjhon

    vacuum cleaner

    good to see this discussion! it is really helpful for me.

  22. Ace864

    I don't mind if my vacuum spies on me unless it's cleaning the house

  23. StanHansen

    Ahaha, I'm pretty sure that this robot is spying on you. Machines will rule this world very soon, lol!
