Forget your phone spying on you — maybe it’s your vacuum you should really be worried about.
In a post on his blog Small World, the computer programmer and electronics enthusiast Harishankar Narayanan detailed a startling find he made about his $300 smart vacuum: it was transmitting intimate data out of his home.
Narayanan had been letting his iLife A11 smart vacuum — a popular gadget that’s gained mainstream media coverage — do its thing for about a year, before he became curious about its inner workings.
“I’m a bit paranoid — the good kind of paranoid,” he wrote. “So, I decided to monitor its network traffic, as I would with any so-called smart device.” Within minutes, he discovered a “steady stream” of data being sent to servers “halfway across the world.”
“My robot vacuum was constantly communicating with its manufacturer, transmitting logs and telemetry that I had never consented to share,” Narayanan wrote. “That’s when I made my first mistake: I decided to stop it.”
The engineer says he stopped the device from broadcasting data, though he kept the other network traffic — like firmware updates — running as usual. The vacuum kept cleaning for a few days after, until early one morning when it refused to boot up.
“I sent it for repair. The service center assured me, ‘It works perfectly here, sir,’” he wrote. “They sent it back, and — miraculously — it worked again for a few days. Then, it died once more.” Narayanan would repeat this process several times, until eventually the service center refused any more work, saying the device was no longer in warranty.
“Just like that, my $300 smart vacuum transformed into a mere paperweight,” the techie wrote.
Seemingly more curious than ever, Narayanan now had no reason not to tear the thing apart looking for answers, which is exactly what he did. After reverse engineering the vacuum, a painstaking process which included reprinting the device’s circuit boards and testing its sensors, he found something horrifying: Android Debug Bridge, a program for installing and debugging apps on devices, was “wide open” to the world.
“In seconds, I had full root access. No hacks, no exploits. Just plug and play,” Narayanan said.