DEF CON 31 - Vacuum Robot Security & Privacy Prevent yr Robot from Sucking Your Data - Dennis Giese

Published 2023-09-15
Exactly 5 years ago we were presenting ways to hack and root vacuum robots. Since then, many things have changed. Back then we were looking into ways to use the robots' "dumb" sensors to spy on the user (e.g. by using the ultrasonic sensor). But all our predictions were exceeded by the reality: today's robots bring multiple cameras and microphones with them. AI is used to detect objects and rooms. But can it be trusted? Where will pictures of your cat end up?

In this talk we will look at the security and privacy of current devices. We will show that their flaws pose a huge privacy risk and that certification of devices cannot be trusted. Not to worry, though - we will also show you how to protect yourself (and your data) from your robot friends.

You will learn how you can get root access to current flagship models of 4 different vendors. Come with us on a journey of having fun hacking interesting devices while preventing them from breaching your privacy. We will also discuss the risks of used devices, for both old and new users.

Finally, we will talk about the challenges of documenting vacuum robots and developing custom software for them. While our primary goal is to disconnect the robots from the cloud, it is also to let users repair their devices - pwning to own in a wholesome way.

All Comments (21)
  • @tin2001
    My mother started buying old model iRobot Roombas off eBay years ago. She has a fleet of about 6 of them... The beauty of these old models is they literally do have just optical sensors, switch based sensors and a very low power microcontroller with no internet access at all. Some of them are now well over 10 years old, and still work great (new battery packs every few years of course).
  • @ImARichard
    If I can't have full control of a network connected camera optical sensor, then that camera optical sensor can't be on my network. Sheesh these products definitely shouldn't exist. Great talk!
  • @wendysofficial
    The formatting on YouTube mobile cut off “data” at the end of the title, turning it into “Prevent yr Robot Vacuum From Sucking Your…”, leading me to speculate that this video was gonna go in a wildly different direction.
  • @calebjpryor
    I have benefited greatly from your work and am a huuuuuuge fan of Valetudo! Please keep up the good work.
  • @sygad1
    I only want 2 things, STOP phoning home and easy/full integration into Home Assistant. Sell me that product and I wouldn't need to hack anything.
  • @_Mackan
    Moral of the story: Hackers will always get into physical devices
  • @bastian9872
    Huge thanks for your great work and the super interesting talk! It’s a pity cloud access and giving a lot of (private) data away is basically mandatory if you want to use a stock cleaning robot. Really, really awesome that you and Hypfer provide a well documented workaround. The Telegram support is also very helpful, although the tone is sometimes a bit rough there. Please keep up your amazing work!
  • @kaotiskhund
    Great talk. The way he talked really kept me watching. Cool stuff there.
  • Damn you guys are persistent 😀 I really enjoyed watching this. Good stuff guys. Thanks to your hard work these companies have to make their stuff secure.
  • @Notaustieg
    "companies can say a lot of things if the day is long" hahahaha now I'm 100% he's German.
  • @-r-495
    Oh, that’s the answer to many questions of mine concerning embedded devices. This may well work on NAS and also some routers 🧐
  • @illens08
    great talk. thanks for all your research, tho I know you must also love doing it!
  • @user-qi2ml3pl2e
    Admirable work! I hope you get some honor and reward for it!
  • @justinclark9258
    Thanks for single-handedly doubling the cost of a robot vacuum
  • @gwalther00
    Man, I wish he were devoting even 1% of this awesome energy into hacking Litter Robots. They're locked down now and don't work with HomeKit anymore.
  • @DelticEngine
    A 'white hat' take on this would be using a vacuum robot instead of a radio-controlled drone or car and run around the house with it having fun while doing something genuinely useful at the same time. A stereoscopic vacuum robot and VR glasses would also provide an interesting view of the world. If there are pets, and they are used to such a device, then with the vacuum motor off one of these could be used to quietly check up on a pet or even a child without arousing suspicion from the owner or parent. There are positive and helpful uses of such a modified device. Using a modified robot vacuum as a security robot (possibly as well as a vacuum) could also be very helpful. It could be programmed to quietly conduct surveillance of a room or even an entire floor. This could be tied in to an advanced security system with the 'robot vacuum' sent to 'investigate' a detection by the main security system.