
posted by jelizondo on Wednesday November 05, @12:22AM
from the no-snoop-no-service dept.

Tom's Hardware published an interesting story about a company using a remote kill command to disable a robo vacuum:

Manufacturer issues remote kill command to disable smart vacuum after engineer blocks it from collecting data — user revives it with custom hardware and Python scripts to run offline

An engineer got curious about how his iLife A11 smart vacuum worked and monitored the network traffic coming from the device. That's when he noticed it was constantly sending logs and telemetry data to the manufacturer — something he hadn't consented to. The user, Harishankar, decided to block the telemetry servers' IP addresses on his network, while keeping the firmware and OTA servers open. While his smart gadget worked for a while, it just refused to turn on soon after. After a lengthy investigation, he discovered that a remote kill command had been issued to his device.

He sent it to the service center multiple times, wherein the technicians would turn it on and see nothing wrong with the vacuum. When they returned it to him, it would work for a few days and then fail to boot again. After several rounds of back-and-forth, the service center probably got tired and just stopped accepting it, saying it was out of warranty.

Since the A11 is a smart device, it had an AllWinner A33 SoC with a TinaLinux operating system, plus a GD32F103 microcontroller to manage its plethora of sensors, including Lidar, gyroscopes, and encoders. He created PCB connectors and wrote Python scripts to control them with a computer, presumably to test each piece individually and identify what went wrong. From there, he built a Raspberry Pi joystick to manually drive the vacuum, proving that there was nothing wrong with the hardware.

[...] In the end, the owner was able to run his vacuum fully locally without manufacturer control after all the tweaks he made. This helped him retake control of his data and make use of his $300 software-bricked smart device on his own terms. As for the rest of us who don't have the technical knowledge and time to follow his accomplishments, his advice is to "Never use your primary WiFi network for IoT devices" and to "Treat them as strangers in your home."
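The first step in the story is the part most owners never do: watching what the device talks to and separating the hosts it needs (firmware/OTA) from the ones it merely reports to. The script below is an added example, not the owner's own scripts and not anything from the Tom's Hardware or Hackaday write-ups; the vendor hostnames, the LAN address and the connection records are constructed for illustration. It reads outbound connection records for one device, groups them by destination, marks anything outside an allowlist of update servers as unexpected, and flags destinations contacted on a fixed interval (the "constantly sending logs" pattern).

```python
"""Added example: review an IoT device's outbound connections against an allowlist
of update servers so that telemetry destinations stand out. Not code from the
vacuum's owner or its manufacturer; all hosts, addresses and records are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of connections seen from the vacuum's LAN address.
# Columns: timestamp, source IP, destination host, destination port, bytes sent.
SAMPLE_FLOWS = """\
2025-10-20T08:00:05 192.168.50.12 fw-update.example-vendor.test 443 1820
2025-10-20T08:00:31 192.168.50.12 log-collector.example-vendor.test 443 9120
2025-10-20T08:05:31 192.168.50.12 log-collector.example-vendor.test 443 8996
2025-10-20T08:10:30 192.168.50.12 log-collector.example-vendor.test 443 9044
2025-10-20T08:15:31 192.168.50.12 log-collector.example-vendor.test 443 9101
2025-10-20T08:20:31 192.168.50.12 log-collector.example-vendor.test 443 9077
2025-10-20T09:12:44 192.168.50.12 ota.example-vendor.test 443 210344
"""

# Hosts kept reachable (firmware / OTA). Assumed names for this example only.
ALLOWLIST = {"fw-update.example-vendor.test", "ota.example-vendor.test"}


def parse_flows(text):
    """Parse the whitespace-separated records above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def looks_periodic(times, min_events=4, max_jitter=0.2):
    """Heuristic for beaconing: at least min_events contacts whose gaps vary
    by less than max_jitter of the mean gap."""
    if len(times) < min_events:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m < max_jitter


def summarize_destinations(flows, allowlist):
    """Group flows by destination; report count, bytes, allowlist status and beaconing."""
    per_dst = defaultdict(lambda: {"count": 0, "bytes": 0, "times": []})
    for f in flows:
        d = per_dst[f["dst"]]
        d["count"] += 1
        d["bytes"] += f["bytes"]
        d["times"].append(f["ts"])
    return {dst: {"count": d["count"], "bytes": d["bytes"],
                  "allowed": dst in allowlist, "beaconing": looks_periodic(d["times"])}
            for dst, d in per_dst.items()}


def unexpected_destinations(report):
    """Destinations not on the allowlist: candidates to block at the router or investigate."""
    return sorted(dst for dst, r in report.items() if not r["allowed"])


if __name__ == "__main__":
    rep = summarize_destinations(parse_flows(SAMPLE_FLOWS), ALLOWLIST)
    for dst, r in sorted(rep.items()):
        flag = "ALLOWED" if r["allowed"] else "UNEXPECTED"
        print(f"{flag:10} {dst:38} n={r['count']:2} bytes={r['bytes']:7} periodic={r['beaconing']}")
```

On the constructed records the log collector shows up as the only non-allowlisted host, contacted every five minutes with a few kilobytes each time, while the one large transfer goes to the OTA host. In practice the records would come from the router's connection log or a capture on the IoT segment, which is one reason to put such devices on their own network in the first place: the traffic is then easy to see and easy to filter.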


Original Submission

This discussion was created by jelizondo (653) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Informative) by looorg on Wednesday November 05, @01:04AM (6 children)

    by looorg (578) on Wednesday November 05, @01:04AM (#1423352)

    I'm not sure how I missed it but it was on hackaday almost a week earlier. Probably a better write-up than whatever other link I found.

    https://hackaday.com/2025/10/24/robot-phone-home-or-else/ [hackaday.com]

    Still I'm not sure if this is just petty or overreach. If your robosucker isn't reporting everything about your home then it must be faulty. But why remote kill it then? Why not have it display something like 'needs service, error 123'? Still I don't know why it needs the telemetry at all. If they want to have some kind of telemetry gathering it should be optional. Not required to operate.

    • (Score: 4, Interesting) by Anonymous Coward on Wednesday November 05, @01:24AM (1 child)

      by Anonymous Coward on Wednesday November 05, @01:24AM (#1423354)

      Very clever of the owner to figure all of this out.

      I'm interested to know what information was being sent.

      I'm fairly surprised that in spite of our highly connected world, we still don't have solid info on why all this telemetry and spying is being done.

      I'm partial to "disinformation", so if I ever went to that much trouble, I'd be tempted to cause the thing to send lots of interesting garbage to the voyeurs.

      • (Score: 5, Insightful) by Thexalon on Wednesday November 05, @11:40AM

        by Thexalon (636) on Wednesday November 05, @11:40AM (#1423387)

        I'm fairly surprised that in spite of our highly connected world, we still don't have solid info on why all this telemetry and spying is being done.

        Most likely, because:
        1. It's easy to do.
        2. It's cheap to store.
        3. It might come in handy someday.
        4. It probably was genuinely useful in the earlier phases of the product to, say, identify when the bot got snagged somewhere and adjust the programming to fix that.
        5. Once it was there, there was zero reason for the business to bother to get rid of it.

        --
        "Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
    • (Score: 5, Insightful) by khallow on Wednesday November 05, @03:00AM

      by khallow (3766) Subscriber Badge on Wednesday November 05, @03:00AM (#1423360) Journal

      Still I'm not sure if this is just petty or overreach. If your robosucker isn't reporting everything about your home then it must be faulty. But why remote kill it then? Why not have it display something like 'needs service, error 123'? Still I don't know why it needs the telemetry at all. If they want to have some kind of telemetry gathering it should be optional. Not required to operate.

      It also means that someone else can remote kill that device such as a disgruntled employee. Imagine their whole product suddenly gets bricked.

    • (Score: 4, Interesting) by Unixnut on Wednesday November 05, @09:21AM (2 children)

      by Unixnut (5779) on Wednesday November 05, @09:21AM (#1423381)

      From that article, it sounds like it wasn't a "remote kill" command that was sent, because the bot would work once the blocked IP address was opened up again. Sounds more like a logic bomb [wikipedia.org] if we look at its behaviour.

      Question is whether (1) it is a deliberate policy (e.g. "program the robot to die if we can't send telemetry") or (2) a side effect of whatever bloated framework and cheap crappy programmers they are using.

      It would be extremely petty for them to do (1), because the number of people that would even be aware of the telemetry traffic is low, let alone blocking it at the firewall level and (2) anyone smart enough to work out what is going is likely to publish it on the internet, as well as find workarounds. To me it seems like a lot of negative publicity in order to prevent telemetry-grabbing, the blocking of which would only really be done by less than 1% of their customers (initially, if it becomes public along with the workaround, more people are likely to do it).

      • (Score: 2) by Deep Blue on Wednesday November 05, @05:43PM

        by Deep Blue (24802) on Wednesday November 05, @05:43PM (#1423412)

        It would be extremely petty for them to do (1)...

        Petty and dumb, but happens a lot. Even a small nuisance is a nuisance, as the saying goes.

      • (Score: 4, Interesting) by Username on Wednesday November 05, @05:49PM

        by Username (4557) on Wednesday November 05, @05:49PM (#1423413)

        Probably ran out of storage space for the logs, and failed when it could not write to a file. I bet if he deleted the logs, probably would have kept going.
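Whether the brick was a deliberate "die if we can't send telemetry" rule or an unhandled write failure once the log store filled up, the comments above describe the same defect: telemetry that is load-bearing for the device. The example below is added here and is not iLife firmware or the owner's repair code; the collector and the log store are simulated in memory. It contrasts a naive logger that raises when it can no longer store events with a bounded, fail-open one that counts failures and keeps the control loop running when the collector is unreachable.

```python
"""Added example: telemetry that cannot take the device down with it.
Not code from the vacuum's manufacturer or owner; collector and storage are simulated."""
from collections import deque


class NaiveTelemetry:
    """The failure mode the thread speculates about: an unbounded log that raises
    once it can no longer be stored, and the exception reaches the control loop."""
    def __init__(self, store_capacity):
        self.store = []
        self.store_capacity = store_capacity

    def record(self, event):
        if len(self.store) >= self.store_capacity:
            raise OSError("no space left on device")  # propagates to the caller
        self.store.append(event)

    def flush(self):
        return True  # nothing to upload in this simulation


class ResilientTelemetry:
    """Bounded ring buffer: the oldest events are discarded when the collector is
    unreachable, and every failure is counted rather than raised."""
    def __init__(self, max_buffered, uploader):
        self.buffer = deque(maxlen=max_buffered)
        self.uploader = uploader      # callable(list_of_events) -> bool
        self.dropped = 0
        self.failed_uploads = 0

    def record(self, event):
        if len(self.buffer) == self.buffer.maxlen:
            self.dropped += 1         # deque evicts the oldest entry on append
        self.buffer.append(event)

    def flush(self):
        if not self.buffer:
            return True
        try:
            ok = bool(self.uploader(list(self.buffer)))
        except Exception:             # network errors are expected, not fatal
            ok = False
        if ok:
            self.buffer.clear()
        else:
            self.failed_uploads += 1
        return ok


def blocked_collector(events):
    """Simulates the owner's firewall rule: the collector never answers."""
    raise ConnectionError("telemetry host unreachable")


def accepting_collector(events):
    """Simulates a reachable collector that accepts every batch."""
    return True


def run_control_loop(telemetry, ticks, flush_every=5):
    """Simulated device loop: each tick does the real work and records one event.
    Returns (ticks completed, still running); a False second value means the
    device's own logging stopped it."""
    completed = 0
    for t in range(ticks):
        try:
            telemetry.record({"tick": t, "event": "clean"})
            if t % flush_every == 0:
                telemetry.flush()
        except OSError:
            return completed, False
        completed += 1
    return completed, True


if __name__ == "__main__":
    print("naive, store full:     ", run_control_loop(NaiveTelemetry(20), 50))
    tel = ResilientTelemetry(20, blocked_collector)
    print("resilient, collector blocked:", run_control_loop(tel, 50),
          "failed uploads:", tel.failed_uploads, "dropped events:", tel.dropped)
```

With a capacity of 20 and 50 ticks, the naive logger stops the loop at tick 20; the bounded one completes all 50 ticks, records ten failed uploads and thirty dropped events, and the device keeps cleaning. Losing telemetry is the acceptable outcome; losing the device is not.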

  • (Score: 5, Insightful) by bzipitidoo on Wednesday November 05, @04:13AM (11 children)

    by bzipitidoo (4388) on Wednesday November 05, @04:13AM (#1423361) Journal

    I never give any IoT device my WiFi password. I try not to buy IoT devices at all, but that's not so easily done. After reading this story, it sounds like refusing to connect them is the smart move.

    • (Score: 1, Interesting) by Anonymous Coward on Wednesday November 05, @04:34AM (2 children)

      by Anonymous Coward on Wednesday November 05, @04:34AM (#1423363)

      I was wondering if the A11 must be online to run, or maybe if you never let it be online, would it run? I.e., if you ever let it connect, maybe then it will forever require an Internet connection? Once it gets a taste...

      I don't have landline Internet, just cell phone hotspot, and no way I'm allowing some thing that I can't control, to gobble up my monthly byte allotment.

      • (Score: 0) by Anonymous Coward on Wednesday November 05, @07:44AM (1 child)

        by Anonymous Coward on Wednesday November 05, @07:44AM (#1423372)

        Maybe it is like the Firefox browser. After a while the root signing certificate expires and it just dies.

        https://thehackernews.com/2025/03/warning-expiring-root-certificate-may.html [thehackernews.com]

        Why do software/hardware companies make devices that have an artificially defined end of life?

        • (Score: 5, Informative) by Ingar on Wednesday November 05, @10:30AM

          by Ingar (801) on Wednesday November 05, @10:30AM (#1423384) Homepage Journal

          Why do software/hardware companies make devices that have an artificially defined end of life?

          Obviously, so they can sell you a new one.

          --
          Love is a three-edged sword: heart, soul, and reality.
    • (Score: 4, Insightful) by Anonymous Coward on Wednesday November 05, @07:47AM (7 children)

      by Anonymous Coward on Wednesday November 05, @07:47AM (#1423373)

      What would be nice is a list of these types of devices that don't require internet / signup / account, with a clear view of how they can operate as a standalone device.

      I'd love to buy one of these, it would really help my life, I'd be willing to pay, but not to be spied on or be forced to sign up for an account or download software to a mobile phone.

      • (Score: 3, Interesting) by Unixnut on Wednesday November 05, @09:12AM (2 children)

        by Unixnut (5779) on Wednesday November 05, @09:12AM (#1423380)

        Yes I am in the same boat. I have been thinking about one of these for years, and while I accept it needs to be able to gather data in order to map the area and function, I don't want any kind of "cloud connection" or data leaving my network.

        While I have seen some home made vacuum robots, I have not yet seen an actual open HW/source project coalesce together. What work I've seen is more about taking existing commercial robot vacuums and making them work "offline".

        The project I'm looking at is https://github.com/Hypfer/Valetudo [github.com] with an eye for buying a robot on their list of supported robots [valetudo.cloud]. Haven't tried it yet, but if anyone on SN has it would be good to get an idea of potential pitfalls.

        • (Score: 2) by corey on Sunday November 09, @07:20AM (1 child)

          by corey (2202) on Sunday November 09, @07:20AM (#1423819)

          Same, would probably buy one if it just worked without any form of internet connection.

          But then again I’ve heard lots of complaints about these little robovacs getting caught up in dirt that’s bigger than a rice particle. Not for me.

          • (Score: 2) by Unixnut on Sunday November 09, @01:35PM

            by Unixnut (5779) on Sunday November 09, @01:35PM (#1423832)

            I think it depends on the model. Some are basically useless, others can vacuum up pretty much everything, even animal hairs, and some can wash floors. Depends on how much you want to pay I guess, plus in our case, ones that can be made to work local-network only.

            Saying that, I don't think these are 100% replacement for doing the vacuuming yourself, just something to help keep the place dust free for longer, thereby extending how often you have to vacuum.

      • (Score: 4, Insightful) by Anonymous Coward on Wednesday November 05, @09:30AM (3 children)

        by Anonymous Coward on Wednesday November 05, @09:30AM (#1423382)

        Reading this report from a customer having his purchase of a vacuum cleaner voided because of discovering and blocking subsequent home security issues has me even more leery of having anything in my life capable of snooping and reporting my private life to others.

        I am constantly losing trust. Call me a Luddite if you want, a slow adopter, a neophobic worrywart, but I remain highly skeptical of peeping toms.

        "Give me six lines written by the most honest of men, and in it, I will find enough to hang him." - Cardinal Richelieu

        Some people are accumulating enormous dossiers on each of us, all neatly organized, for sale to anyone who pays their price. A little from here, a little from there, a little from so many more places it will take a computer to store it all.

        Yet, somehow, people still buy in to others snooping on them. Personally I will keep my old shop-vac. It's simple, lightweight, and cheap to operate (reusable filters!).

        • (Score: 4, Informative) by Thexalon on Wednesday November 05, @11:54AM

          by Thexalon (636) on Wednesday November 05, @11:54AM (#1423389)

          Some people are accumulating enormous dossiers on each of us, all neatly organized, for sale to anyone who pays their price.

          The biggest effort to do that, one that's been going on in various forms, is run by the US government and has been going on for at least 20 years, and those records aren't for sale, at least in theory. When it was first created, it was called "Total Information Awareness", but it's had its name changed and which department's budget it came under changed a few times after Congress tried to defund it.

          --
          "Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
        • (Score: 2) by Joe Desertrat on Wednesday November 05, @05:21PM

          by Joe Desertrat (2454) on Wednesday November 05, @05:21PM (#1423409)

          In a darker future, I can imagine companies using the information they collect on you to blackmail purchasers into purchasing additional products, or "service plans" or other such things.

        • (Score: 3, Informative) by aafcac on Wednesday November 05, @10:34PM

          by aafcac (17646) on Wednesday November 05, @10:34PM (#1423434)

          Generally speaking, I stick to things that can be run through Home Assistant and don't hook that up to the internet. I've still got a Philips Hue v1 bridge that can't even connect to their servers at all working fine via Home Assistant.

          A surprising amount of IoT devices function just fine as long as you have a compatible server on your local network.
