An engineer got curious about how his iLife A11 smart vacuum worked and monitored the network traffic coming from the device. That’s when he noticed it was constantly sending logs and telemetry data to the manufacturer — something he hadn’t consented to. The user, Harishankar, decided to block the telemetry servers’ IP addresses on his network, while keeping the firmware and OTA servers open. While his smart gadget worked for a while, it just refused to turn on soon after. After a lengthy investigation, he discovered that a remote kill command had been issued to his device.
The fact that this isn’t considered outright fraud is disturbing. This person OWNS the device, yes? They’re not leasing it.
FFS, this should be illegal.
I agree with you that this should be illegal. I expect this was in the terms of service, though. Since we have no laws restricting this kind of bullshit, the company can argue that they’re within their rights.
We need some real legislation around privacy. It’s never going to happen, but it needs to. We need a right to anonymity but that is too scary for advertisers and our police state.
Terms of service need to stop being treated like law.
They’re not law as long as you can afford the lawyers and legal costs to fight them. Which is, of course, the problem and the system working as designed.
I expect this was in the terms of service, though
While I expect the same, there’s also just a reasonablility standard. If Meta and Google updated their TOS to say that users agreed to become human chattle slaves to mine cobalt and forfeit their rights, no court (…right, SCOTUS?..right?) would uphold that. A TOS is a contract, but it’s mostly for the protection of companies from liability. Takign active steps to brick someone’s device over the device not connecting to it’s C2 server (the company had zero evidence this was done intentionally and a router firewall misconfiguration could just have easily done the same thing), is IMO something that should result in a lawsuit.
How often are the terms of service evident at the time of purchase? It’s unreasonable to assume at the checkout that the price is only for a limited time of use. I doubt the put it on the box or on the Amazon page when you purchased stuff like this. Are you supposed to buy it and then return it after reading the fine print in the instruction booklet after opening it up?
There needs to be a huge neon orange warning on the Front of these products that explains, clearly, that you don’t own it, your privacy will be invaded and the company can disable it at anytime. This will stop people from buying this garbage, and hopefully companies will stop if they want our money.
My life rule is, if it says Smart on it, it’s never going to be smart. It will always cause trouble.
IMO “Smart” refers to the lawyers that got paid to write a 900-page TOS that lets a company do whatever they want.
And, unfortunately, a 900 page TOS guarantees that the average consumer never reads it.
No they are sharts
No that’s called “smarmy”.
Unfortunately this is from a Chinese company and China will never make it illegal; hell they’re more likely to pass a law requiring ILIFE to share the personal data with the government than tell them not to collect them. This could be enforced for US based companies but as long as we buy luxury goods from China this is going to be a fact of life.
My robot vac will only operate when connected to the Internet so it’s only allowed to communicate when actually in use. As soon as it returns to the charger Internet access is automatically blocked.
Unfortunately the manufacturer has deliberately made this as inconvenient as possible. If communication is blocked for more than a few hours the vacuum loses all maps and will no longer even load saved maps from the Tuya app. To use it the vac must be powered down and the app killed. Only then can a saved map be restored.
It’s too bad it’s so useful.
Name and shame.
from the Tuya app.
My robot vac will only operate when connected to the Internet
That would trigger me to return it to the store. “It doesn’t work”
Should have read up on it before buying this crap.
Lol. Read what? Does your TV manual or privacy policy tell you what’s being transmitted? Have you ever even bought a connected appliance?
I have just purchased a Dreame L10s Ultra and have had the PCB for a breakout board made and components for setting it up ordered. In a few days I should get the last bits and I will be able to root the device and have it connect to Valetudo managed through Home Assistant. Fully local operation with basically the same features but none of the privacy issues. As soon as I can get it connected I will be able to use it just like a robot I actually own should without some random third party being involved in every single operation.
The mentioning of Valetudo should be more at the top to make people aware of the existing alternatives.
My aged Roborock S5 suddenly stopped working a year ago and only cleaned a very small segment making it effectively useless. Since I knew that data is exchanged with the manufacturer I suspected them to actively prevent the device from working properly to make me buy a new one. Thanks to Valetudo the device is working back again just fine. Meaning there never was a hardware (or software) failure, but a remote issue.
This is why free software is so important. The company can just lie to you about their product and for some reason it isn’t illegal. I really want to have a dishwasher and washing machine with an ESP32 controller and free software to control it, ideally with Home Assistant integration, but at this point I can’t find anything.
Just looked at the PCB board and man that guy is such a insufferable, gatekeeping twat.
I can see why you would feel that way but I came to a different conclusion. I agree with much of what he says given his position and circumstances.
The project is open source and anyone is welcome to fork it. He is not making something which will make money, provide a living, and secure his station as an open source guru. He is making something because he thinks it should exist and because he finds it interesting. He is not making something for end users, it isn’t for them, it is for people who have enough interest and knowledge to figure it out given the massive leg up he has provided already.
This means he does not do a bunch of things that would pull beginner users in. For example, there is not a simple GUI installer for this. He doesn’t sell kits to root your device. He doesn’t sell little server boxes based on a raspberry pi. He doesn’t have an app for quick discovery and configuration. All of these things would entice beginners and therefore induce them to install unsupported firmware on their several hundred to over a thousand dollar robot vacuum.
This would be hell. Each user with a new and unique way of not understanding the instructions would come up with new failures in an area where bricking your very expensive machine is easy. Can you imagine how much of a dick he would have to be to say “Nah, this is super easy, come give it a go” when the outcome would definitely be causing at least some people to lose hundreds of dollars in a few minutes? That would be him acting like a dick.
What he is doing has a second function. I have just ordered my first custom PCB. I have some components on the way and will be doing my second major electronics project once the parts arrive. I am much more experienced on the software end of things so I get all of the basics around using a terminal etc but now I am learning about using the UART interface and while it is a little bit sink and swim I am at a level where I understand how far outside my knowledge base this is and can take a reasonably informed risk. I am learning and growing and I am actually really excited. If it doesn’t work I will know enough to be helped through by the community but my expectation is I will fail at first and maybe take a few weeks to figure it out. Because of that expectation I am not doing this after my last vacuum broke and now I just desperately need this to work, that would add so much stress, instead I am doing this in the least stressful and most enjoyable way possible.
If I had been correctly scared off early I wouldn’t have lost a bunch of photos accidentally wiping a drive while installing Linux for the first time, so I would have used virtual machines for longer, but I also would have eventually gotten there. I got there by losing some data, but if I had a community around me it would have been better. He actively encourages community building and sharing knowledge. I think that is cool and would be an awesome outcome. I know I will be posting about my spare adapters once I am done making them to see if anyone else wants to learn how to do it.
If I don’t own it 100% then reimburse me if you disable it.
For me the worst part is that someone developed the functionality to monitor and track, until the signal is lost, and if so, kill. It’s really crazy how daring this is.
I specifically got one which can run valetudo and it works great for over two years now. Without sending images of my flat to china or the us
I specifically got a Dreame L10s Pro Ultra so that I could use Valetudo on it. Got the needed adapter on eBay to do it but have had no time as of late to follow the steps as there are quite a few things needed to get it done.
The devs are very touchy, from what I understand, but I get it as the general public can be vexing to take questions/feedback from.
Having not read the article: “Let’s apply Hanlon’s Razor: Oh, probably it just collects the data locally and caches it until the vendor’s servers are reachable. After a while the data partition was full and it stopped working as this case was never deemed possible when this was developed.”
Having read that the kill command was logged and he found it in the logs: “ok, there are no technical details, so there might still be a misunderstanding, but that’s not what I expected!”
Why talk if you don’t know what you’re talking about? If you didn’t read the article whatever you say is irrelevant.
Why talk if you haven’t read the comment you replied to until the end?
I don’t think any compatible machines can be acquired in my region any more. The only one I saw semi recently had a revision a few years ago but no packaging or model change to match so you can’t verify if its the older model that works or the newer one that doesn’t.
How is this legal?
Shitty terms of service.
…when i ‘buy’ something, should i not own and be able to use it and all functions until the end of it’s mechanical processes?..
Had a kill command actually been sent, or does the device just not work without a remote server talking to it every so often?
Because the second one is probably worse from a “what if this company goes bust” standpoint.
Don’t worry, the quality of the modern hardware is so shitty, it will not outlive the company for long
Furthermore, the engineer made one disturbing discovery — deep in the logs of his non-functioning smart vacuum, he found a command with a timestamp that matched exactly the time the gadget stopped working. This was clearly a kill command, and after he reversed it and rebooted the appliance, it roared back to life.
Libre alternative?
A broom? /s, but not really
remote kill command had been issued to his device.
What the actual fuck?!
while this is good, we really don’t need all these smart devices in the first place
As a layman, can someone explain what the ramifications of smart devices sharing your data is. I know it’s bad, but I don’t understand why it’s bad and how it’s used against you.
The problem that is created by a person’s private data being collected against their will is primarily a philosophical one similar to the “principle of least privilege”, which you may be familiar with. The idea is that those collecting the data have no reasonable need for access to it in order to provide the services they’re providing, so their collection of that information can only be for something other than the user’s benefit, but the user gets nothing in exchange for it. The user is paying for the product/service they get, so the personal data is just a bonus freebie that the vendor is making off with. If the personal data is worthless, then there is no need to collect it, and if it does have worth, they are taking something of value without paying for it, which one might call stealing, or at least piracy. To many, this is already enough to cry foul, but we haven’t even gotten into the content and use of the collected data yet.
There is a vibrant marketplace among those in the advertising business for this personal data. There are brokers and aggregators of this data with the goal of correlating every data point they have gotten from every device and app they can find with a specific person. Even if no one individual detail or set of details presents a risk or identifies who the specific person is, they use computer algorithms to analyze all the data, narrowing it down to exactly one individual, similar to the way the game “20 questions” works to guess what object the player is thinking of–they can pick literally any object or concept in the whole world, and in 20 questions or less, the other player can often guess it. If you imagine the advertisers doing this, imagine how successful they would be at guessing who a person is if they can ask unlimited questions forever until there can be no doubt; that is exactly what the algorithm reading the collected data can do.
There was an infamous example of Target (the retailer) determining a young girl was pregnant before she told anyone or even knew herself, and created a disastrous home situation for her by sending her targeted maternity marketing materials to her house, which was seen by her abusive family.
These companies build what many find to be disturbingly invasive dossiers on individuals, including their private health information, intimacy preferences, and private personal habits, among other things. The EFF did a write-up many years ago with creepy examples of basic metadata collection that I found helpful to my understanding of the problem here:
https://www.eff.org/deeplinks/2013/06/why-metadata-matters?rss=1
Companies have little to no obligation to treat you fairly or even do business with, allowing them to potentially create a downright exile situation for you if they have decided you belong on some “naughty list” because of an indicator given to them by an algorithm that analyzed your info. They can also take advantage of widely known weaknesses in human psychology to influence you in ways that you don’t even realize, but are undeniably unethical and coercive. Also, it creates loopholes for bad actors in government to exploit. For example, in my country (USA), the police are forbidden from investigating me if I am not suspected of a crime, but they can pay a data broker $30 for a breakdown of everything I like, everything I do, and everywhere I’ve been. If it was sound government policy to allow arbitrary investigation of anyone regardless of suspicion, then ask yourself why every non-authoritarian government forbids it.
I know that’s a lot; it is a complicated topic that is hard to understand the implications of. Unfortunately, everyone that could most effectively work to educate everyone on those risks is instead exploiting their ignorance for a wide variety of purposes. Some of those purposes are innocuous, but others are ethically dubious, and many more are just objectively nefarious. To be clear, the reason for the laws against blanket investigations was to prevent the dubious and nefarious uses, because once that data is collected, it isn’t feasible to ensure it will stay in the right hands. The determination was that potential net good of this kind of data collection is far outweighed by the potential net negatives.
I hope that helps!
This guy fucks!
That’s an interesting article. The biggest insight is that it can go around hippa for example.
A detailed room-mapping scan is basically a wealth report disguised as vacuum telemetry: square footage, room count, layout complexity, “bonus” spaces like offices or nurserie; all of it feeds straight into socioeconomic profiling. And once companies have that floor plan, they’re not just storing it; they’re monetizing it, feeding it into ad networks, data brokers, and pricing algorithms that adjust what you see (=and what you pay) based on the shape of your living space.
And a mapped floor plan also quietly exposes who lives in the home, how they move, and what can be inferred from that.
Isn’t this information already available? Like if I’m house shopping I know how many rooms the house has and the area of the house.
You know rough dimensions you don’t have a robot going through and literally mapping every item on the floor, high traffic areas , details about amount of people that live there, possible pets, and then tying it to your IP and then selling that to advertisers.
The crazy thing isn’t that they do that it’s that you have to pay money for an item that then does that without your permission and if you attempt to stop it they brick your item that you paid hundreds of dollars for
I don’t know for certain if they sell your data (but they probably do) but you can use a wifi router and how it reflects in a room you can fully map a room with enough accuracy that you can tell what a person is typing on a keyboard which is kind of terrifying if you think about it
How is that information used?
They sell it, some of it is sold to advertisers but recently companies like palantir have been buying these large collections of data, de anonymizing it and then they can use it to develop profiles about people which they can then sell to the government
And that’s what they admit to doing
Once your data is out there it’s essentially impossible to get it back
You might get some snarky comments, but the way I envision it is that the fuller of a picture companies can get of you (when you’re running a vacuum, when you’re driving, when your lights are on and off, etc.) the more data they have to try and run predictive analytics on your behavior and that can be used in a variety of ways that may or may not benefit you. At this point it’s mostly just to get you to buy things they think you’ll buy, but what happens when your profile starts to match up with someone who commits crimes? Maybe you get harassed by the authorities a little more often? Generally the lack of consent around how the data is collected and how it’s used is the problem most people have.
what happens when your profile starts to match up with someone who commits crimes?
I’d dismiss this as fanciful ten years ago. But we’ve got ICE agents staking out grocery stores and flea markets looking for anyone passably “illegal”. Palantir seems to have made a trillion dollar business model out of promising an idiot president the ability to Minority Report crime. And then you’ve got the Israeli’s Lavendar AI and “Where’s Daddy” programs, intended to facilitate murdering suspects by bombing the households of relatives.
I guess it wouldn’t hurt to be a little bit more paranoid.
If they brick your device for wanting privacy, why should you trust them?
Email me the blueprints to your house, your address, name, and your favorite hobbies and I will tell you the answer.
The answer to all your questions is “fried green tomatoes”
Reject bottom feeder, Embrace Rigid vacuum.
broom chads stay winning
