Robot Phone Home…Or Else

We would have enjoyed [Harishankar’s] tear down of a robot vacuum cleaner, even if it didn’t have a savage twist at the end. Turns out, the company deliberately bricked his smart vacuum.

Like many of us, [Harishankar] is suspicious of devices beaming data back to their makers. He noted a new vacuum cleaner was pinging a few IP address, including one that was spitting out logging or telemetry data frequently. Of course, he had the ability to block the IP address which he did. End of story, right?

No. After a few days of working perfectly, the robot wouldn’t turn on. He returned it under warranty, but the company declared it worked fine. They returned it and, indeed, it was working. A few days later, it quit again. This started a cycle of returning the device where it would work, it would come home and work for a few days, then quit again.

You can probably guess where this is going, but to be fair, we gave you a big hint. The fact that it would work for days after blocking the IP address wouldn’t seem like a smoking gun in real time.

The turning point was when the company refused to have any further service on the unit. So it was time to pull out the screwdriver. Inside was a dual-CPU AllWinner SoC running Linux and a microcontroller to run the hardware. Of course, there were myriad sensors and motors, too. The same internals are used by several different brands of vacuum cleaners, so these internals aren’t just one brand.

Essentially, he wrote his own software to read all the sensors and drive all the motors using his own computers, bypassing the onboard CPU. But he found one thing interesting. The Android Debug Bridge was wide open on the Linux computer. Sort of.

The problem was, you could only get in a few seconds after booting up. After that, it would disconnect. A little more poking fixed that. The software stack was impressive, using Google Cartographer to map the house, for example.

But what wasn’t impressive was the reason for the repeated failures. A deliberate command was sent to kill the robot when it quit phoning home with telemetry. Of course, at the service center, it was able to report and so it worked fine.

The hardware and the software are impressive. The enforcement of unnecessary data collection is not. It does, however, make us want to buy one of these just for the development platform. [Harishankar] has already done the work to make it useful.

It isn’t just vacuums. Android phones spew a notorious amount of data. Even your smart matress — yes, there are smart matresses — can get into the act.

58 thoughts on “Robot Phone Home…Or Else

  1. In the linked article, he IDs the thing to be an iLife A11. Listed as “Currently unavailable” with very bad reviews on Amazon. A12 ($169.99) and A30 ($189.99) are still available and I have little doubt that they have the same “feature.”

    In other privacy news, Flock Safety, the AI aided license plate tracker system (which they also brag about being able to track cars without a needing a plate simply by other characteristics unique to a particular car) are teaming up with the Ring home security camera service.

    Go to Musk’s grok and request the following without the quotes: “Palantir + Flock Safety + Ring + Starlink + AI. Connect the dystopian dots in detail.”

  2. And this is why I’m on a wired network. I have a so-called “smart” tv, and I didn’t set up the wifi on it.
    I just watch my local news and weather. I don’t need wifi for that.

    1. I get my local news and weather by sitting down to my pc and calling up the local news website. Quick scan, Done. Don’t have to listen to talking heads. Weather is simple too with duck duck go. weather in search bar. Done. Less than a minute or two, I have the info I need for the day. My systems use wired networking as well. But do have Wifi available for company if needed.

      What I don’t understand, is I have to ‘login’ to my wifi router to use the internet. How does the vacuum do it with out someone ‘setting up’ the device in the first place to get access??? And if the box says you need internet/account to setup device, that is big warming bell in my mind to not buy. Like M$ does. Nope notta! Only local access wanted. There is a reason I have a local home network, and the internet network. Home automation devices only get access to home network.

      1. @rclark
        In front of my house I have a weather road. If the road is wet it is raining, if the road is white it is snowing etc,etc. I don’t watch tv news as it is usually too depressing.

    2. Smart TVs are super useful, especially if you blacklist them from getting traffic out of your network.

      Plenty of them can have useful apps sideloaded on them.

      I have two spare Android TVs that have remote desktop clients on them and no access outside the LAN. They make great thin clients, since you can just plug a keyboard and mouse directly into them.

      The bedroom tvs also have no internet access, but we use the Jellyfin app to access my local media server with all the movies and t shows on it. I have 2 units that record broadcast tv dumping to the server too. The difference between broadcast 4k and the “4k” you get from a streaming service is astounding. That streaming garbage is so over compressed it’s a joke.

      My primary monitor is also a TV. Modern “gaming” TVs are better monitors than a corpo LCD.
      Less than $450 for a 55inch 4k, HDR, 144hz, freesync ‘display’ with multiple inputs and the ability to sideload Android apps on it while keeping it offline is insane.
      Plus it also has 4x picture-by-picture if I actually need to remote desktop into several servers at once.

      I’m not saying people should just buy and use one.
      But you CAN use their advantages without compromising security if you want.

  3. DuckDuckGo publish an app for Android that hooks into Android’s VPN system to block a lot of telemetry to known tracking companies. It allows you to see counts of what apps have been blocked and to which receivers.

  4. There are smart matresses? OMG! I’m just imagining how this probably gets used. Customer ‘had a good night’ last night. Customer is probably amenable to buying from this list of goods which studies show happy people buy. Customer hasn’t ‘had a good night’ in months. Customer might be amenable to buy from this other list.

    This is hell right? When did I die?

    1. Even more fun, when AWS went down a couple days ago, many of these “smart” mattresses ceased to respond to commands, leaving them in inclined positions or with the heat turned on, for example.

    2. Various algorithms and neural nets basically have a photograph of your soul on file from analyzing twenty years of your online life and they know you far better than you or your close friends and family know you.

      The machine knows if you’re getting any or not, they don’t need to bug your mattress

    3. It’s way worse.
      Sleeping patterns, temperature, nighttime movement, and sometimes even ‘wireless device awareness’ are used to extrapolate ‘medical’ information without having to deal with all that pesky HIPAA compliance.

      This is then sold to the usual aggregators, and used for all sorts of fun things from assessing the risk factor on car insurance to denying relatives medical coverage. (Our records indicate a family history of untreated sleep apnea. That’s going to be 10% extra on the premiums. And we don’t even have to tell them why!)

      It’s a bit sensationalist today, but already happening on the fringes.
      Grandma doesn’t realize or doesn’t care that the $3 she saves on prescriptions by giving that data away is going to cost the grandkids in the long run.

      People who give away data like this are directly effecting everyone they associate with.
      Literally.
      Association is a big indicator for these aggregators.

      Spend a lot of time around people who just had a baby? You are now going to get gt adds for baby products because you are in that bucket now.

    1. You are, of course, free to respect whom you will, but why have you drawn such an arbitrary line? If he had given the same description of the image he wanted to his friend to draw for him, would that cause him to lose your oh-so-important respect?
      AI is just a tool, like the computer you used to post your illogical comment.

      1. Generative ‘AI’ is not just a simple tool.
        It is ethically bankrupt theft.

        Every model in use today was built with, trained on, or distilled from datasets packed full of nonconsensual or downright stolen data. ‘Art’ datasets are some of the worst.

        Every time you use one you are not just condoning the theft and use of other artists work, you are doing the stealing again. Period.

        It is NOTHING like describing an idea to a human artist and having new art made for you.
        It is nothing like an artist learning a style and using it themselves.

        GenAI isn’t an artist.
        It is a search engine.
        A fancy search engine, sure, but a search engine nonetheless.
        It returns ‘features’, not full works.

        GenAI cannot create a new work. That is not what the tool does.

        GenAI is a tool for laundering the work of artists without having to credit them.
        It is NEVER okay to use GenAI.

    2. I’m wondering if that header image was a hand drawn cartoon, depicting the same scenario, if we would react as strongly. Or if it were an AI rendered, non-realistic cartoon. Is it an uncanny valley effect?

  5. I’m struck by the amount of compute power here and yet the support people somehow weren’t able to detect that the robot stopped working because it couldn’t phone home. I’d be surprised if that data wasn’t available in non-volatile storage on the device.

    1. yet the support people somehow weren’t able to detect that the robot stopped working because it couldn’t phone home

      Oh I expect most of them could, but they don’t care just follow the script. And no doubt step 1 of the script is connect it to the testing network and hit run… Which in this case would just magically have it work, no problem here return it.

  6. The real winning play is to send random map data to the company servers. Mansions, little shotgun shacks, House of Leaves nonsense, whatever, just a constant stream of trash data.

    1. Someone on Mastodon recently reported that their lidar robot vacuum had discovered a whole new section of their house that they didn’t know about because it got bad data back from a full length wall mirror and was convinced there was a hallway and a room back there. So they’ll generate their own house of leaves if you encourage them a little.

  7. Why would I pay for a data collection device to roam my home? It’s enough that I have a laptop on my desk. Athough it runs Linux, I keep an hatchet nearby if its proprietary UEFI code ever goes rouge and I need to disable it.

    Some time in 2010s EU decided to cuck corded vacuum cleaners by limiting their power which turned them from appliances into toys. In 2019 my 1200W pre-regulation vacuum died so… I went and bought a 1400W shop vac to use at home.

    It was such a great decision. Unlike consumer devices it sucks, it blows, it isn’t afraid of liquids, it has a large stainless steel bin that’s trivial to empty out and it will accept any 38 mm hose, pipe and brush. Since it doesn’t have to visually appeal to women with case that has pretty shapes and fancy colours, it’s also cheap.

    At my local DIY store a 1400W shop vac costs $60. Basic 650W Electrolux consumer unit starts at $120 while more advanced models (with less power, sic!) can reach prices of up to $350. This is nuts.

    The only “disadvantage” of a shop vac is that I have to put on Peltor earmuffs while using it – which is honestly not an issue at all.

    1. Since the 90s the vacuum cleaner manufacturers have kept on releasing new products that were more and more power hungry without any increase in suction power. The regulation was necessary. Now you can finally find vacuum cleaners that make much less noise, and the best part of it is that finally the suction power and efficiency is finally stated, which are much more relevant numbers rather than just power consumption on its own.

  8. You made what looks like a deliberate decision to leave out the fact that the vacuum was an ILIFE A11, from the scumbags at ILIFE in Guangdong.

    Unethical business, like ILIFE, that are actively hostile to their customers, need to be named and shamed, loudly. It should be impossible to search for names like “ILIFE”, or products like “ILIFE A11”, without finding the information about how fundamentally worthless products like the ILIFE A11 from shady companies like ILIFE have deliberately been crippled.

    Please do better.

      1. No, the fact is the brand he bought (and identifies) isn’t really the culprit. There is a single inside that is branded by bunches of companies (who he also identifies). So the real people getting your data are probably some company you’ve never heard of. It is sort of like when you bought a “Sears” TV. Sears never had anything to do with what was inside that TV, they just sold them.

  9. This is why I never upgraded my old Roomba – I don’t need devices mapping my house. It’s battery died again though and I’m not sure about sticking a home-built lithium in.

  10. Apparently there’s been no coverage of Valetudo https://valetudo.cloud/ here yet, since surely it would have been the attention-trap link at the end of the article. (Also, did not appear in a search.) It’s open source robot vacuum software that works entirely locally. It was enabled by jailbreaks from Dennis Giese https://dontvacuum.me/. Harishankar has certainly done enough work to be able to support it in Valetudo.

  11. So…. at what point setting up this vacuum did you not think “wait a minute why am I allowing a freaking vacuum to access my home wifi?”
    I have zero sympathy.
    This is in the same bin as buying a genuine Rolex from a dude on Canal Street for $100. But buying it using a photo of your credit card and giving him your social security number and home address
    I bought a bird feeder for my mom with a camera. She opened it on her birthday and when I tried to set it up, it required an app, an email login and account, etc. I apologized to her and returned it.
    I do love the hack though.

    1. I can see why you would put it on the network – how else do you schedule it, feed it no go zones or receive the ‘I need more cleaning fluid’ or ‘I’m stuck’ type message should it go wrong? You are not going to get most folks hauling it to their computer (if they have one) for programming directly and it is afterall a pretty capable robot but not sentient enough to know everything it needs to do or when – it needs to be given a rulebook to play to.

      I can understand the question of why would you, as I’d not want to do so either, but there is a reasonable functionality argument.

      1. My original roomba had none of that and worked “fine.” it also had a couple invisible wall things you just set by the doorframe or top of stairs or whatever and it would stay where you wanted.
        If one insists on all that extra stuff despite, then a reasonable app without internet connectivity requirement, let alone location services, that pairs strictly with bluetooth from an iPhone or device without need for an account, login, and cloud support would also be fine. There is no need for wifi nor connectivity to the internet for a vacuum.
        There is no (to me) reasonable functionality argument and, as stated, any request by a manufacturer to have a device that does any of that can and should be seen as an attempt to do….exactly what this article is saying happens.

        I mean, it is sinister but kinda funny- getting the consumer to pay the manufacturer to give the mfgr your data is next-level and everyone just goes along with it and acts surprised too. Incredible.

        1. If one insists on all that extra stuff despite, then a reasonable app without internet connectivity requirement, let alone location services, that pairs strictly with bluetooth from an iPhone or device without need for an account, login, and cloud support would also be fine.

          That could be fine, but WiFi has longer range and better penetration of walls so if you have a larger floorplan, perhaps even with only a modest total house size like the average Brick/Concrete Bungalow in the UK Bluetooth is quite possibly not sufficient practically – I know at my Nan’s place BT can’t even get through one thickness of the internal walls, where their WiFi signal actually covers the whole garden effectively enough for this at least.

          I agree it shouldn’t NEED the internet or the cloud type stuff, though I’m sure some folks would argue being able to manually get the vacuum going now from half way across town is somehow vitally important (though I struggle to think of why – I guess maybe trying to impress somebody that your place is actually vaguely clean)… But if it is going to have those useful features beyond the basic rather dumb ‘robot’ vacuum being on a WiFi network is going to be much more reliable than Bluetooth from the connectively standpoint, and is a system almost everyone has unlike some of the other RF options – it just needs to connect into your Home Assistant install or something similarly local to post those messages and receive instructions itself, not the bleeding cloud!

    1. It’s no hidden. It’s in the 3rd line of the article: iLife A11 . But don’t hold your breath yet, the same PCB is used in many many brand so it doesn’t make sense to only put the shame on iLife, you need to account the other. To cite the article:

      This wasn’t just one rogue brand. The same hardware, the 3irobotix CRL-200S, powers devices from Xiaomi, Wyze, Viomi, and Proscenic.

      In other words, before buying any IoT, you MUST check if an open source firmware or hack exists for the gizmo. In general, you’ll find one gizmo that was freed. For vacuum cleaner, have a look to Valetudo for supported models. For camera, you’d be better using Sonoff or Ankke. And so on… This also implies you’ve some work to do at home to free the device, and fortunately, it’s not too hard for most of them.

  12. To my yet-under-coffeed mind this looks like a ripe opportunity for general extensive shenanigans and hilarity. Wouldn’t it be a lot more fun to sniff the actual data from your vacuum/TV/coffeemaker/poop scanner* and substitute your own? I should think that certain parties would love to know that my front hallway is the size of a zeppelin hangar and that I live at Point Nemo, or that my device has been running without a recharge for the last six months, sending the same data over and over…..

    *I couldn’t make this up: https://interestingengineering.com/innovation/ai-toilet-health-monitor-launch

Leave a Reply to ThinkererCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.