ABC News hacks into popular robot vacuum, watches owner through camera
puffl | 316 points | 8mon ago | www.abc.net.au
dikkechill|8mon ago
I found the open source Valetudo (https://github.com/Hypfer/Valetudo) project quite interesting, as it sits between the vendor firmware and (cloud) connectivity. The project is made possible due to Dennis Giese's research.
It currently supports Dreame, Xiaomi, Roborock and some others. But not Ecovacs. And I'm not sure it prevents this type of Bluetooth vulnerability.
FredFS456|8mon ago
Dennis works closely with the Valetudo developer. On one of the Valetudo Telegram channels, they announced the following:
> As you might know, we looked into Ecovacs as an alternative to Dreame & Roborock. However, we found security and privacy to be completely broken. If you have an X2, a Goat lawnmower, or devices newer than 2023, you might want to turn them off for now. There is a BLE RCE that lets an unauthenticated attacker send a payload via Bluetooth that gets executed as root on the device. It does not appear that Ecovacs wants to fix that. More information: https://twitter.com/lorenzofb/status/1822002515279270079 https://techcrunch.com/2024/08/09/ecovacs-home-robots-can-be...
FloatArtifact|8mon ago
I specifically shopped for a vacuum using that website, and it wasn't too bad to set up.
pkulak|8mon ago
Same. Had to spend a bunch of time on Telegram finding a breakout board in NA, but once I did that, it was just a matter of following directions. It’s my favorite piece of tech at the moment, and it cost me 180 bucks brand new.
matheusmoreira|8mon ago
The breakout board is the reason I haven't bought and hacked one of these robots yet. I have to source the PCB and then solder the components myself. I've never done this before and learning this is taking up significant amounts of my free time. Personally I would rather get a manufactured PCB that would no doubt be better built.
I respect their "learn to solder" stance but it's a fact that a lot more people would be involved in the project if it wasn't required.
xkcd-sucks|8mon ago
+1 for Valetudo. Not only does it work, but it is also maintained and keeps getting better. Moreover, old vacuums are still maintained as new ones are added.
dugite-code|8mon ago
Yup, my first-gen Roborock is still trundling along quite happily because of Valetudo. Would be nice if the base Ubuntu were updatable, but as it's offline except for a connection to a Home Assistant instance, it's probably safer than 99% of IoT devices.
pj_mukh|8mon ago
Wow.
Can Valetudo provide artificially blocked cloud features? For example, the Roborock S5 doesn't have persistent maps, though it would be trivial to just keep one loaded in the cloud, but Roborock would rather you upgrade to an S7.
Would that work?
darknavi|8mon ago
I have two Roborock S5s running Valetudo with persistent maps. Works well and integrates into Home Assistant.
jve|8mon ago
Someone, advertise to me why a vacuum cleaner needs the internet?
I have a Xiaomi unit and I haven't connected it to an app, so it has no connectivity. It does its job: it cleans the first floor of the house.
Is it useful to target specific places to clean? Ok, that is a feature that would be useful, but I can live without it.
Remotely starting? Fancy feature, not sure I need it; you can just as well start it when leaving the house. Maybe useful for some people when wanting to clean up remotely after guests, but then again, who knows what's been dropped on the floor there.
kaibee|8mon ago
> Someone, advertise to me why a vacuum cleaner needs the internet?
It doesn't. And it isn't like hosting a web portal is some kinda alien technology that can only be done in the cloud. There's absolutely no reason that a robot vacuum couldn't serve its own web interface.
pj_mukh|8mon ago
Amazing
Quail4056|8mon ago
Only v1 does not have persistent maps, as it is not supported by the firmware. Valetudo only supports whatever the firmware supports already.
hedora|8mon ago
I have some modern (mapping) Roombas lying around. Any idea what they could be useful for?
If it involves vacuuming, mopping, or returning to their docks, they are pretty useless.
Tier3r|8mon ago
No truck in this robot vacuum race because I don't own one, but what an incredible name.
cassianoleal|8mon ago
For (some) Ecovacs, there's Bumper [0]. Not exactly the same as Valetudo but serves a similar purpose.
ncr100|8mon ago
Ecovacs was notified in December 2023:
> “Ecovacs has always prioritised product and data security, as well as the protection of consumer privacy,” they said in a statement.
Still not fixed today.
Mobile Webcam exploit at 100 meters.