Vacuum robot security and privacy - prevent your robot from sucking your data

Presented at DEF CON 31 (2023), Aug. 13, 2023, 10 a.m. (45 minutes)

Exactly 5 years ago we were presenting ways to hack and root vacuum robots. Since then, many things have changed. Back then we were looking into ways to use the robots' "dumb" sensors to spy on the user (e.g. by using the ultrasonic sensor). But all our predictions were exceeded by the reality: today's robots bring multiple cameras and microphones with them. AI is used to detect objects and rooms. But can it be trusted? Where will pictures of your cat end up?

In this talk we will look at the security and privacy of current devices. We will show that their flaws pose a huge privacy risk and that certification of devices cannot be trusted. Not to worry, though - we will also show you how to protect yourself (and your data) from your robot friends. You will learn how you can get root access to current flagship models of 4 different vendors. Come with us on a journey of having fun hacking interesting devices while preventing them from breaching your privacy.

We will also discuss the risks of used devices, for both old and new users. Finally, we will talk about the challenges of documenting vacuum robots and developing custom software for them. While our primary goal is to disconnect the robots from the cloud, it is also to let users repair their devices - pwning to own in a wholesome way.

References:

  • Robots with lasers and cameras (but no security): Liberating your vacuum from the cloud https://dontvacuum.me/talks/DEFCON29/DEFCON29-Robots_with_lasers_and_cameras.html
  • Unleash your smart-home devices: Vacuum Cleaning Robot Hacking (34C3) https://dontvacuum.me/talks/34c3-2017/34c3.html
  • Having fun with IoT: Reverse Engineering and Hacking of Xiaomi IoT Devices https://dontvacuum.me/talks/DEFCON26/DEFCON26-Having_fun_with_IoT-Xiaomi.html
  • https://www.technologyreview.com/2022/12/19/1065306/roomba-irobot-robot-vacuums-artificial-intelligence-training-data-privacy/
  • https://linux-sunxi.org/Main_Page

Presenters:

  • Dennis Giese - Hacker
    Dennis Giese is currently a PhD student at Northeastern University and focuses on the security and privacy of IoT devices. While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices. His best-known projects are the documentation and hacking of various vacuum robots. His current vacuum robot army consists of over 45 different models from various vendors.
