Robot Vacuums May Do More Than They Claim


Internet of Things, Privacy

When it comes to privacy, it remains complicated and almost impossible for a consumer to make an informed decision.

DEF CON 31: Robot Vacuums May Do More Than They Claim

The presentation took place at DEF CON, at 10 a.m. on a Sunday morning in Las Vegas. I expected the turnout to be low – I couldn’t have been more wrong. A packed room welcomed Dennis Giese, a recognized expert in “hacking” robot vacuum cleaners. The topic of the presentation was how to prevent your robot vacuum from sending data back to the provider, a discussion based on privacy and security.

Last month, my colleague Roman Cuprik published an article on WeLiveSecurity detailing how these home vacuum cleaners can spy on their owners, so I won’t go into detail about potential spying issues here, but will instead discuss the standout parts of Dennis’ excellent presentation.

The research led by Dennis had a simple goal: could he root the target device without taking it apart? In simple terms, rooting the device means accessing the underlying software used to control the device and possibly modifying it. In this case, the aim is not to turn the device rogue, but rather to modify the software so that it does not share personal data and to return ultimate control to the owner.

A word game

I’m guessing that at this point, you’re either savvy enough to have read Roman’s article, or you’re familiar with privacy issues, such as robot vacuums equipped with cameras sending images back to the provider’s cloud servers, potentially identifying everything that you have in your house.

One of the issues Dennis highlights is that vendor claims may not match reality: for example, one company cited in the presentation claims that it does not send any data back to the cloud, that it never duplicates data and that the cameras of its devices are only there to protect the objects in your home from collisions. This seems doable, but another feature listed for the same device is that you can access the camera remotely and watch the device work. So how can they do this if the image or video stream isn’t shared through the company’s cloud servers that provide the functionality? Maybe there is real magic involved.

Another issue raised during the presentation was the wording companies use to describe product features and specifications. Due to the bad press in recent years regarding devices equipped with cameras, and especially the risk of abuse, some manufacturers have reportedly removed the cameras; their documentation instead states that their devices use “optical sensors”. It’s just a play on words: it was demonstrated during the presentation that these sensors are capable of capturing images, so they are of course cameras.

The presentation gave more details and equally shocking examples. Dennis also pointed out that many tested devices with privacy and security issues are certified by some renowned testing labs; examples of certification authorities cited were a respected German testing authority and, more broadly, European Union device certification.

Statements versus reality

In his blog, Roman recommends doing some investigation before purchasing the devices, which I would completely agree with in most cases if I hadn’t listened to this presentation at DEF CON. It is clear that although safety has improved in the firmware and operation of these dust collection devices, it remains complicated and almost impossible for a consumer to make an informed decision.

A device that claims to share no data with the cloud, has no onboard camera, and is certified for security and privacy by widely respected testing labs appears to meet all the requirements of a privacy-conscious consumer; but in reality, what’s happening under the hood can be completely different. The presentation did not focus on one manufacturer or model, but listed many instances of both. Until everything is clear, I’ll stick to pushing my hand vacuum around the house.

One final comment – a shout-out to Dennis Giese for giving such a great presentation on a Sunday morning in Vegas. But I urge you not to disclose these issues to the public and instead follow industry-coordinated disclosure standards. I’m sure robot vacuum manufacturers would appreciate this, as would most consumers. No one wants to own a device with a vulnerability that is unpatched due to disclosure that does not follow industry best practices.
