I guess the most plausible explanation is incompetence, there wouldn’t be a reason to do this on purpose (a backdoor), right? Since the company could have easily used different credentials per device that they store anyway?
SnotFlickerman@lemmy.blahaj.zone
on 22 Feb 20:30
nextcollapse
The backend security bug effectively exposed an army of internet-connected robots that, in the wrong hands, could have turned into surveillance tools, all without their owners ever knowing.
Suprise, if it has cameras, microphones, gps, data mapping capabilities and speaks to a server outside of your home it is by definition is a surveillance tool.
All of this has always been predicated on the idea that the surveillance will never be used against you somehow. I don’t know why anyone ever bought into that.
FineCoatMummy@sh.itjust.works
on 22 Feb 21:33
nextcollapse
if it has cameras, microphones, gps, data mapping capabilities and speaks to a server outside of your home
It has also happened with baby monitors. Well, almost endless other IoT devices too. But baby monitors are a particular issue. They have speakers in them too. Attackers were exploiting it and playing very disturbing sounds to cause extreme distress to babies.
Which is why we need to de-normalize this thought process. People should always ask, why does my vacuum need to go online? Or at the very least, can I turn that “feature” off?
because vacuum makers lock away advanced capabilities on the app making a home network the only way you can access them.
of course, when you’re shopping, it’ll use those advanced features as advertisements; but there’s no way to know that ahead of time unless you’re buying the most expensive models available.
And to top that off, those features have a terms contract you need to accept to use. Yet you don’t know what that entails until you spend a lot of money.
Both your point and this also needs to be denormalized. We should be able to have full visibility for purchase decisions and have no push back on returns if we don’t.
threaded - newest
Gosh, their drones are getting banned in the US. This just seems to help their case.
I guess the most plausible explanation is incompetence, there wouldn’t be a reason to do this on purpose (a backdoor), right? Since the company could have easily used different credentials per device that they store anyway?
I would rather say ignorance. They just shit on IT-security for the sake of fast product launches.
A slightly similar event happened to Pudu service robots last year August. An auth token that could be used for all their robots.
.
Suprise, if it has cameras, microphones, gps, data mapping capabilities and speaks to a server outside of your home it is by definition is a surveillance tool.
All of this has always been predicated on the idea that the surveillance will never be used against you somehow. I don’t know why anyone ever bought into that.
It has also happened with baby monitors. Well, almost endless other IoT devices too. But baby monitors are a particular issue. They have speakers in them too. Attackers were exploiting it and playing very disturbing sounds to cause extreme distress to babies.
Remember, the S in IoT stands for security.
Which is why we need to de-normalize this thought process. People should always ask, why does my vacuum need to go online? Or at the very least, can I turn that “feature” off?
because vacuum makers lock away advanced capabilities on the app making a home network the only way you can access them.
of course, when you’re shopping, it’ll use those advanced features as advertisements; but there’s no way to know that ahead of time unless you’re buying the most expensive models available.
And to top that off, those features have a terms contract you need to accept to use. Yet you don’t know what that entails until you spend a lot of money.
Both your point and this also needs to be denormalized. We should be able to have full visibility for purchase decisions and have no push back on returns if we don’t.
That really sucks.
For those with a robot vacuum you might want to look into Valetudo. Or just not connect it to the internet.
valetudo.cloud
Also this project for Neatos. github.com/Philip2809/neato-connected
<img alt="" src="https://lemmy.world/pictrs/image/77f05258-5a14-495d-a706-b7b4f0a5f919.gif">