Internet of Things, Privacy

When it comes to privacy, it remains complicated and near impossible for a consumer to make an informed decision.

DEF CON 31: Robot vacuums may be doing more than they claim

A presentation at DEF CON, 10 am on a Sunday morning in Las Vegas. My expectation was it would be poorly attended – I could not have been more wrong. A packed room greeted Dennis Giese, a renowned expert in “hacking” robot vacuum cleaners. The theme of the presentation was how to stop your robot vacuum cleaner from sending data back to the vendor, a discussion based on privacy and security.

Last month my colleague Roman Cuprik published an article on WeLiveSecurity detailing how these home vacuuming devices may be spying on their owners, so I will not get into the weeds of the potential issues of spying here but rather discuss the standout parts of Dennis’s excellently delivered presentation.

The researcher Dennis led had a simple goal – could they root the target device without disassembling it? Rooting the device in simplistic terms means gaining access to the underlying software used to control the device, and possibly modifying it. In the current case, this creates an opportunity not to make the device go rogue but rather for the software to be modified in order not to share personal data and to give ultimate control back to the owner.

A play on words 

I am assuming at this point you are either savvy enough to have read Roman’s article or that you have a grasp on the privacy issues, such as robot vacuums with cameras sending pictures back to the vendor’s cloud servers, potentially identifying all the things you have in your home.

One of the issues highlighted by Dennis is that vendor claims may not match reality: for example one company called out in the presentation claims it does not send any data back to the cloud, it never duplicates data, and that the cameras on its devices are only there to protect objects in your home from collisions. This sounds feasible, but another feature listed for the same device is that you can access the camera remotely and watch the device working. So how do they do that if the image or video stream is not shared through the company’s cloud servers that provide the functionality; maybe there is some genuine wizardry involved.

Another issue raised in the presentation was the wording used by companies to describe the functionality and features of the products. Due to bad press in recent years relating to devices with cameras on them, and especially the possibility of abuse, some manufacturers have reputedly removed cameras; their documentation instead says their devices utilize “optical sensors”. This is just a play on words; they are — of course — cameras and it was demonstrated in the presentation that they are capable of capturing images: they are cameras.

The presentation went into more details and examples that were all just as shocking; it also highlighted that many of the devices tested and found to have privacy and security issues are certified by some renowned testing labs; the examples of certifying authorities given were a respected German testing authority and, more broadly, the European Union certification of devices.

Statements versus reality 

In Roman’s blogpost, he recommends conducting pre-purchase investigation of devices, which I fully concur with in most instances had I not listened to this presentation at DEF CON. It’s clear that while security has improved in the firmware and operation of these dust-collecting devices, it remains complicated and near impossible for a consumer to make an informed decision.

A device that states it shares no data to the cloud, has no onboard cameras, and carries certification for security and privacy from widely respected testing labs would seem to meet all the requirements of a privacy-conscious consumer; in reality, though, what is happening under the hood may be completely different. The presentation was not about one manufacturer or model but listed numerous cases of both. Until there is clarity, I’ll stick to pushing my handheld vacuum around the house.

One last comment – a callout to Dennis Giese for delivering such a great presentation on a Sunday morning in Vegas. But I urge you not to divulge issues to a public audience and rather follow industry-coordinated disclosure standards. I am sure the robot vacuum cleaner companies would appreciate this, as would most consumers. No one wants to own a device with a vulnerability that has no patch due to disclosure not following industry best practices.