> he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries.
This is extremely similar to what I accidentally discovered and disclosed about Mysa smart thermostats last year: the same credentials could be used to access, inspect, and control all of them, anywhere in the world.
See https://news.ycombinator.com/item?id=43392991
The ideal spy army. Nobody expects the Spanish Inquisition... I mean, being able to spy on households via cheap house-cleaning devices.
The "smart" thermostat stuff is scary. I have Haier minisplits in my house and they have some "smarts" built into each head unit. The way it works from the user's perspective is you connect to the device in the GE Home app via Bluetooth, enter your WiFi network's credentials, then the minisplit joins your WiFi network and phones home to GE Cloud. Then your GE Home app can monitor and control your minisplit via GE Cloud.
I haven't done anything to analyze it further, instead after trying that out once I promptly changed my WiFi password and never looked back. The long term solution will involve some ESP32s, AHT20 temp/humidity sensors, and IR rx/tx.
But it just occurred to me reading this that if there's a similar vulnerability in HVAC system controls an attacker could cause one hell of an unanticipated power demand spike.
This is honestly why it's important to insist on Z-wave or Zigbee if you don't have control over the device firmware and must have smart controls. Why people don't seem to understand now that if it's "WiFi" it's suspect at best, I'll never understand.
Edit: misread.
Is this cutting corners on manufacturing/assembly where they're skipping installing a unique set of keys on each device?
The vulnerability was in their backend cloud structure. The backend wasn't restricting access to only devices associated with your account.
> Out of sheer laziness, I connected to the Mysa MQTT server and subscribed to the match-everything wildcard topic, #. I was hoping I’d see messages from a few more MQTT topics, giving me more information about my Mysa devices.
> Instead, I started receiving a torrent of messages from every single Internet-connected production Mysa device in the whole world.
The devices had unique IDs, but they were all connected to one big MQTT pub/sub system that didn't even try to isolate anything.
It's lazy backend development. This happens often in IoT products where they hire some consultant or agency to develop a proof of concept, the agency makes a prototype without any security considerations, and then they call it done because it looks like it works. To an uninformed tester who only looks at the app it appears secure because they had to type in their password.
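The two comments above describe the failure precisely: every device was authenticated, but the broker applied no authorization, so a single client subscribing to the `#` wildcard received every device's messages. The following is an added example (not code from the original thread, from Mysa, or from any broker project) that models the broker's subscribe-time authorization hook as a plain Python function so the "it works" policy and a per-device isolation policy can be compared offline. The topic layout `devices/<device_id>/...`, the client and device identifiers, and the sample subscriptions are all constructed for the example.

```python
"""Per-device topic isolation at an MQTT broker, modelled offline.

Constructed example: the broker's subscribe-time authorization hook is a plain
function, and `deliver` fans a published message out to the subscriptions that
survived that hook. Nothing here talks to a real broker.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level, '#' matches
    the rest of the topic and is only valid as the last level."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1  # '#' anywhere else is an invalid filter
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


@dataclass(frozen=True)
class Client:
    client_id: str
    device_id: Optional[str]  # None would be a backend service; not modelled here


Policy = Callable[[Client, str], bool]


def authorize_weak(client: Client, topic_filter: str) -> bool:
    """The prototype policy: any authenticated client may subscribe to anything.
    This is exactly what lets a '#' subscription see the whole fleet."""
    return True


def authorize_isolated(client: Client, topic_filter: str) -> bool:
    """A device may only subscribe under devices/<its own id>/...; the second
    level must be its literal ID, so '+' and '#' cannot widen the scope."""
    if client.device_id is None:
        return False  # backend services need their own, separately scoped policy
    levels = topic_filter.split("/")
    return (
        len(levels) >= 3
        and levels[0] == "devices"
        and levels[1] == client.device_id
    )


def deliver(policy: Policy, subscriptions: List[Tuple[Client, str]], topic: str) -> List[str]:
    """Return the client IDs that receive a message published to `topic`, given
    that `policy` was applied when each subscription was requested."""
    return [
        client.client_id
        for client, topic_filter in subscriptions
        if policy(client, topic_filter) and topic_matches(topic_filter, topic)
    ]


# Constructed fleet: one well-behaved device and one that subscribes to '#'.
DEV_A = Client(client_id="thermostat-a", device_id="dev-0001")
DEV_B = Client(client_id="thermostat-b", device_id="dev-0002")
SAMPLE_SUBSCRIPTIONS = [
    (DEV_A, "devices/dev-0001/#"),   # its own subtree
    (DEV_B, "#"),                    # the match-everything wildcard from the thread
]
SAMPLE_TOPIC = "devices/dev-0001/telemetry"


if __name__ == "__main__":
    print("weak policy delivers to:    ", deliver(authorize_weak, SAMPLE_SUBSCRIPTIONS, SAMPLE_TOPIC))
    print("isolated policy delivers to:", deliver(authorize_isolated, SAMPLE_SUBSCRIPTIONS, SAMPLE_TOPIC))
```

Under the weak policy the telemetry for `dev-0001` reaches both clients; under the isolated policy the `#` subscription is refused at subscribe time and only `dev-0001` receives its own data. Real brokers express the same rule declaratively (Mosquitto's `acl_file` supports `pattern` entries with `%c` standing for the client ID), and the check that the app user is allowed to see a given device is a separate authorization step on the backend API, which the thread notes was also missing.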
> The vulnerability was in their backend cloud structure.
The vulnerability is in having a backend cloud structure.
(There are plenty of ways to provide remote access without that, and no other feature warrants it.)
I think it's about being a configuration management nightmare. If every device has a unique password, you need the decoder ring for serial number to password. However, not all processors have unique IDs. So you either need to find a way to reliably serialize each board during manufacturing and hope it stays (like a sticker/laser/printer/etc) or add a serial number chip which is cost and complexity. It's not impossible, it's just extra work that usually goes unrewarded.
> It's not impossible, it's just extra work that usually goes unrewarded.
That sounds like profit motivated negligence, and it sounds like a standard justification for why Europe is going to hold companies liable.
I'm a long way from embedded development. But I was under the impression a lot of microcontrollers these days have some ID capability built in, even some relatively low-end ones. This strikes me more as laziness than anything.
Moreover, on any device that is connected to the Internet you already have a unique MAC address on its Ethernet or WiFi interface.
You can hash this unique MAC address, together with other data that may be shared with the other devices of the same kind, to generate unique keys or other kinds of credentials.
This is true; for example, many STM32 series have a 96-bit unique ID which is derived from the lot number, wafer ID and position [1]. Even the low-cost STM32G0B1 series I am using has one, but it is missing from some older series.
[1] https://community.st.com/t5/stm32-mcus/how-to-obtain-and-use...
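The comments above make two points a provisioning design has to reconcile: a per-device password seems to require a serial-number-to-password "decoder ring", and the raw material for uniqueness (a MAC address or an MCU unique-ID register) is already on the board. The following added example (not code from the thread, from ST, or from any vendor) shows one way to get both: the per-device secret is derived with HMAC-SHA256 from the hardware unique ID under a factory-held key, so the backend recomputes it from the public device ID and never stores a table, and the device proves possession with a challenge-response instead of sending the secret. Keying the derivation with a factory secret, rather than hashing the MAC with shared data alone, is a deliberate choice here: a MAC is visible to anyone on the same network, so a credential computable from the MAC and public constants would be computable by them too. The factory secret, the two unique IDs, and the product-line label are all constructed placeholders.

```python
"""Per-device credentials derived from a hardware unique ID, with challenge-response login.

Constructed example. FACTORY_SECRET stands in for a key that lives in the
factory/backend HSM and is never written to any device; UID_A / UID_B stand in
for 96-bit MCU unique-ID register values.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

FACTORY_SECRET = bytes.fromhex("8f0c3d1e9a7b5c4d2e1f0a9b8c7d6e5f" * 2)  # constructed, 32 bytes
UID_A = bytes.fromhex("0021003a3438510d35383331")  # constructed 96-bit unique ID
UID_B = bytes.fromhex("0021003a3438510d35383332")  # constructed, differs in the last byte
PRODUCT_LINE = "robovac-v1"  # hypothetical product label used for domain separation


def derive_device_secret(factory_secret: bytes, unique_id: bytes, product_line: str) -> bytes:
    """HMAC-SHA256 over (product line || 0x00 || unique ID). Without the factory
    secret, knowing a unique ID (or a MAC) gives no way to compute the result."""
    message = product_line.encode("utf-8") + b"\x00" + unique_id
    return hmac.new(factory_secret, message, hashlib.sha256).digest()


def provision(factory_secret: bytes, unique_id: bytes, product_line: str) -> Tuple[str, bytes]:
    """Run once per unit on the production line. The public device ID is just the
    unique ID in hex; the secret is burned into the unit and stored nowhere else,
    because the backend can always recompute it."""
    return unique_id.hex(), derive_device_secret(factory_secret, unique_id, product_line)


def new_nonce() -> bytes:
    """Backend-side challenge; fresh per login attempt so responses cannot be replayed."""
    return secrets.token_bytes(32)


def device_respond(device_secret: bytes, nonce: bytes) -> bytes:
    """Device side: prove possession of the secret without transmitting it."""
    return hmac.new(device_secret, nonce, hashlib.sha256).digest()


def backend_authenticate(factory_secret: bytes, product_line: str,
                         device_id: str, nonce: bytes, response: bytes) -> bool:
    """Backend side: recompute the expected response from the public device ID.
    No serial-number-to-password table exists to leak or to mis-manage."""
    try:
        unique_id = bytes.fromhex(device_id)
    except ValueError:
        return False
    expected = device_respond(derive_device_secret(factory_secret, unique_id, product_line), nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    dev_id, dev_secret = provision(FACTORY_SECRET, UID_A, PRODUCT_LINE)
    challenge = new_nonce()
    print("device id:", dev_id)
    print("login ok: ", backend_authenticate(FACTORY_SECRET, PRODUCT_LINE, dev_id,
                                             challenge, device_respond(dev_secret, challenge)))
```

Authentication only establishes which device is talking; the backend still has to check that this device ID is bound to the requesting user's account before returning its data, which is the separate authorization step the thread identifies as missing. Where an MCU has no unique-ID register, the same derivation works from any identifier that is assigned once at manufacture and readable at boot.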
Surprisingly, it's not everywhere. I'm very much in embedded development and cannot count the number of times I have looked for "unique", "ID", etc. in a reference manual and come up short. It's certainly more common than not, but you often have to design systems for the lowest common denominator.
I have no knowledge of this kind of software dev/hw production, so can you please explain why the units can't just be born with a default password and then have the setup process (which is always there) force the owner to set a new password?
Knowledge or not, this...
> It's not impossible, it's just extra work that usually goes unrewarded.
... is just not an acceptable way for a business to think and operate in 2026, especially not when it comes to internet-connected, video-enabled devices.
I'll answer your question with a question: how often do you see people complaining about needing setup processes vs the old way of just plug and play? There's no perfect answer that placates all sides. Things can certainly be better, but when those people win and you no longer need to have a setup process, then what?
While true that in $current_year it would be nice if things were more secure, the sad truth is that most people don't care.
I am shocked, really. I think this is actual law in China.
This is just people working 24/7 for 50 dollars a month? Because we want cheap shit
Anyone who's somewhat technically inclined should, in my opinion, only be buying Valetudo [0] compatible vacuums and replacing the default software as soon as possible.
[0] https://valetudo.cloud/
I found the “Why Not Valetudo” page on that site extremely persuasive. I would consider myself technically inclined. I also own a robot vacuum so I can spend more time doing important things that leverage my skills. Valetudo does not serve this mission.
Very impressive, but I disagree that this is the clear best choice for anywhere close to anyone.
Also, the first line in "Why Valetudo?"
> First of all, please do not try to convince people to use Valetudo.
A good realist position for such a project to take.
That is very refreshing.
Many geek hobbies like 3D printing and home automation are becoming full of unnecessarily smug evangelization if you're not using hivemind approved software and tools, even if it requires a lot more work to do.
It's nice to see a project encourage their userbase to be realistic about what it is and refrain from trying to force it on everyone as the only acceptable way to use a robot vacuum.
The main value proposition is privacy and security. If you are content with the privacy and security of your existing vacuum, then yes, I'd agree it's not for you. That being said, your critique seems to imply that Valetudo will increase your overall time spent managing the vacuum, and this has not been my experience. There is the initial setup time which I'm sure varies by robot, but for me took (conservatively) an hour or two, and then I never think about it again, to the same degree that I would before. You still have schedules, etc. and all the same features that make a robot vacuum a time-saving item.
Companies this inept really need to get fined.
Like how many layers of people had to have OKed having the same password for all of them? It’s incompetence on an impressive scale.
Agreed, this sort of thing should at minimum be considered gross negligence at this point, but because regular consumers who buy these products rarely see and almost never understand these news articles it doesn't really impact sales so the company doesn't care.
If this discovery was guaranteed to result in meaningful fines companies would get their act together pretty quickly. 7000 counts of negligent exposure of private data (camera/mic feeds) should in a just world be millions of dollars in fines at the least and arguably criminal charges for management.
Exactly. If GDPR fines can be so high, then something like this that is pretty much intentionally leaking personal data should be in the same ballpark.
Just one underpaid dude.
> In order for the Romo, or really any modern autonomous vacuum, to function it needs to constantly collect visual data from the building it is operating in.
I specifically bought one without a camera or mic.
Are there any like that that would have automatic emptying?
Roborock Q Revo
I've got a Q Revo Pro, which can dry the mops.
Happy with it, but note that I don't have carpets; I guess for carpets you need something with more features.
The Q Revo series does have a camera and mic.
They don't; the camera-equipped ones are the MaxV series.
Q Revo has an IR sensor which doesn't transmit that data anywhere.
I had a Q Revo Edge that had a mic (it responded to "Hey Rocky" commands) and I could remotely view my house through the camera.
Are you thinking of the S8 line? That's the one with the MaxV model.
How do you know? For sure, I mean?
I wrapped mine in foil to be safe and now it's fabulous
I mean your coffee maker could be a one-off spy device with nation-state backing. But it seems unlikely.
if they can build an internet connected coffee maker with mic and camera for 60 bucks that's freakin' amazing!
I'm pretty sure they'd be happy to swallow the loss when building a one-off device to specifically target you.
defeated by walking into a random shop and picking one off the shelf
rather than buying it from scamazon
Undefeated when they break into your home
at that point the coffee machine is sort of redundant
Would it include a cell radio and SIM card? Or are they hoping for an open WiFi network in range?
Radiate the signal out through its power cord, silly.
If Google thought it was okay to hide a microphone, I'm sure less scrutinized companies try to get away with worse. https://www.bbc.com/news/technology-47303077
he did say he was trained at the Kremlin...
phew, yet another reason it pays off to not be a coffee drinker.
:) I'm sticking with my Aeropress
Does your smartphone have a mic?
You've brought up such a brilliantly useless point to this discussion. I'm really appreciative of your efforts
Smartphones at least have some semblance of security, whereas IoT devices are a free-for-all.
“Accidentally” is not accurate. He used AI to inspect the source and found credentials that work in all devices. He also never gained control of anyone else’s devices. He never used the exploit.
I didn't read the article but based on the title and subheading I assume they say "accidentally" because he was trying to reverse engineer the communication protocol to use his own device and he did not expect to find something as dumb as master credentials that would work on others' devices.
"Accidentally" as in his intent was to gain control of his own device but instead discovered what would in a just world be considered criminal levels of either incompetence or indifference to the most basic levels of security in the entire product line.
Original story: https://www.theverge.com/tech/879088/dji-romo-hack-vulnerabi...
Accompanying discussion on hn https://news.ycombinator.com/item?id=47047808
Well - imagine how many cat furs can be vacuumed with this!
Well it only took until the 2nd paragraph, and the words "DJI’s remote cloud servers" for me to be forehead-slappingly disgusted again.
Obviously proper diligence wasn't followed with this product, and obviously this is going to be something we've all heard before, but why does a vacuum need to talk to a server at all?
And also, to go even further back, is there anything more leopards-ate-my-face than a compromised robo-vacuum? I have never understood the appeal of these things. Except as satire. Pushing a vacuum around takes minutes, once a month, all the more so when you live in a 3m x 3m box with 12 roommates, and is badly needed exercise for a lot of pathetic little nerd noodle-arms.
> once a month
We vacuum and mop our kitchen and dining room daily. It gets dirty, especially when you have young kids.
"sneak peak"
Sigh
https://slate.com/culture/2012/01/stealth-mountain-the-twitt...
Surely this also requires reporting DJI to the authorities for gross negligence? This is not an oopsie, this is deploying a surveillance network without telling anyone.
It is gross negligence, but to which authorities are you reporting them to and which criminal violations are you claiming they broke?
This is a DJI company? Ouch. [edit] Ah, it is right in the title of the original article. Wow. Just wow. In China we just use a broom, so maybe it is an oversight (aka no one uses this overpriced crap).
> [...] the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio [...]
Sorry what? Why would a vacuum cleaner even need a microphone?
As an impractical idea, echo location popped into my head.
Control by voice? Not that absurd.
Audio and video surveillance via robot vacuum is a feature: you can control the vacuum, see and hear the world from its perspective, and spy on your cats. I wish I were kidding.
https://youtu.be/TltYXEDoong?t=412
Who is "you" in that sentence?
One.
Accidentally a god, a sucky kinda god, but a god nonetheless: "I command thee to make vanish the minor sins of this world, my minions"
His code sucks...
Tough crowd. Even the robots got the suction reference.