dlenski

> he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries.

This is extremely similar to what I accidentally discovered and disclosed about Mysa smart thermostats last year: the same credentials could be used to access, inspect, and control all of them, anywhere in the world.

See https://news.ycombinator.com/item?id=43392991

vintagedave

The old joke: people who are into tech have an Alexa, a smart thermostat, a fridge connected to the internet.

People who work in tech keep an axe next to the toaster.

projektfu

No way I'm putting an axe near an appliance like that. I need to sleep at night.

alt227

Do you want a slice of toast?....

blarg1

I don't want any smegging toast!

ddmf

so you're a waffle guy?

Ir0nMan

I'm sorry Dave, I can't toast that.

jcgrillo

The "smart" thermostat stuff is scary. I have Haier minisplits in my house and they have some "smarts" built into each head unit. The way it works from the user's perspective is you connect to the device in the GE Home app via Bluetooth, enter your WiFi network's credentials, then the minisplit joins your wifi network and phones home to GE Cloud. Then your GE Home app can monitor and control your minisplit via GE Cloud.

I haven't done anything to analyze it further, instead after trying that out once I promptly changed my WiFi password and never looked back. The long term solution will involve some ESP32s, AHT20 temp/humidity sensors, and IR rx/tx.

But it just occurred to me reading this that if there's a similar vulnerability in HVAC system controls an attacker could cause one hell of an unanticipated power demand spike.

WalterBright

My problem with smart thermostats is the user interface couldn't be more awful. It's just nuts. You cannot do anything without the squinty manual in one hand and the squinty touchscreen in the other. So, you finally get it programmed. Then you want to change something, and boom, start all over.

I gave up.

I use a simple dial the temperature, turn on/off thermostat. I turn it off when going to bed, turn it on in the morning. Very happy.

WalterBright

I had a similar problem with the water sprinkler. The user manual was something like 50 pages. Utter madness. Now I just water the lawn manually, when I get around to it.

rpcope1

This is honestly why it's important to insist on Z-wave or Zigbee if you don't have control over the device firmware and must have smart controls. Why people don't seem to understand now that if it's "WiFi" it's suspect at best, I'll never understand.

jorvi

This, pretty much.

The ideal setup is having a separate vlan for your IoT things, that has no internet access. You then bridge specific hubs into it, so the hubs can control them and update their firmware.

If you have IoT devices that are unsafe but cannot be updated any other way, you can temporarily bridge the IoT VLAN to WAN.

Honestly, what IoT stuff needs is something similar to LVFS. Make it so all the hubs can grab updates from there, and can update any IoT device that supports Matter. It would also serve as a crapware filter because only brands that care about their products would upload the firmwares.

wowczarek

Many WiFi-based "smart" devices can run locally without Internet access just fine and are supported by HA or other such platforms, which then doesn't require you using the vendor's app, which might have you need to be on the same broadcast domain as the device. They can use multicast (few home users will have multicast routing between VLANs), or direct broadcast - meaning you will likely give them Internet access because your phone needs it - well unless your WiFi is smart enough to limit individual clients. So a restricted VLAN plus HA or some such solves this.

The real problem is those devices that actually don't let you control the device locally - Tuya being one notable example. There are thousands of products that just went and dropped in a Tuya board.

Tuya is completely cloud-controlled. To control these locally you need a "local key" that is buried deep in their developer platform, and changes every time you re-pair the device, and getting it without registering the device is, on purpose, near-impossible without tricks like using an Android emulator with an old version of their app that stores the key, and even then requires effort to exfil the file out of Android. Horror. A device you physically own, only responds to control from the mothership.

So yes, you don't get those kinds of issues with RF protocols, of course unless you put the vendor's "bridge" on your network...

A friend of mine found Zigbee unreliable where he was, and just wired the home for 1-Wire. Temperature sensors, relays, heating PIDs etc. Not only it just won't die, but good luck to anyone hacking it without extra equipment and ripping wires from walls, and firstly being inside, unsupervised and undetected.

jcgrillo

None of the existing smart controls stuff I've found really does it for me. I'm trying to build a hybrid heating system with 4 hydronic zones and 8 minisplits. For my HVAC controls the design is converging to a round mechanical Honeywell thermostat for each hydronic zone with a "smart" thermostat (no cloud) wired in parallel--TBD whether buy vs build. For the minisplits I'm building my own thing that can speak their IR protocol, which will also double as a per-room temperature sensor. It all gets tied together with outdoor temp sensor via HomeAssistant. So if all the "smart" stuff fails, the trusty mechanical guy will keep the house from freezing.

There are halfway decent hybrid controls available for ducted systems but you can't afaik buy anything off the shelf to merge hydronic + minisplits. And as far as I can tell, none of the off-the-shelf smart thermostats has any built in analog backup. I view that as absolutely critical for my use, if the power goes out and I'm not around I need to be 100% certain that when the power comes back on the heat will also.

EDIT: Digging around a little more it seems that Mitsubishi H2i minisplit systems don't speak zwave or zigbee, neither does Haier Arctic. I'm not 100% sure if that's accurate, but I haven't been able to find any documentation in the affirmative or negative. Those are the two heat pump options available locally. I'll be remodeling a small barn into an ADU this summer, that project will be more amenable to a forced air hybrid system, so maybe I'll be able to get away with a Honeywell smart zigbee capable thermostat that can drive it.

thangalin

I replaced all my thermostats for both of my homes with Sinopé products. Here's the hardware, software, and setup:

https://news.ycombinator.com/item?id=45145220

fullstop

Mine is Z-Wave, the next model up required an internet connection and a subscription if you wanted to access it from remote.

The HVAC guy probably thought that I was nuts for wanting the one that I got, since the price was similar. Six years later and I'm still controlling it from Z-Wave.

dlenski

> But it just occurred to me reading this that if there's a similar vulnerability in HVAC system controls an attacker could cause one hell of an unanticipated power demand spike.

Absolutely. This was one of the things I realized could be a substantial risk when I discovered the Mysa vulnerability. https://snowpatch.org/posts/i-can-completely-control-your-sm...

Thankfully, Mysa responded very rapidly to fix it, but if they hadn't I was planning to notify the BC provincial electric utilities which were cross-subsidizing these devices.

jcgrillo

This is an awesome writeup, thanks for sharing. And good on Mysa for responding so favorably to your research.

Induane

I have an old zen thermostat with home assistant support but no WiFi. They don't make them anymore sadly but it was the perfect balance.

dilyevsky

UniFi has ppsk setup where you can put an EU on a separate vlan with a separate password. Seems ideal for this

irishcoffee

Edit: misread.

shevy-java

The ideal spy army. Nobody expects the spanish inquisition I mean, being able to spy into households via cheap house-cleaning devices.

lysace

Some of us do. I specifically picked a device that (supposedly) lacked cameras and microphones. LIDAR seemed okay.

gattilorenz

I picked something that can be rooted and made cloud-free with Valetudo for the same reason

hilbert42

"Nobody expects the spanish inquisition…"

Why not? They bought roving cameras that surveil their homes and connected them to internet servers they neither own nor control.

They obviously don't give a shit about privacy or they've room-temperature IQs.

iSnow

Ordinary users don't know. They bought a robo-vac, they do not necessarily know it comes with a microphone or camera.

I work in tech, I never thought about buying one, so I never looked into them. Still, I am surprised they come with microphones.

mexicocitinluez

One thing people don't realize with regard to smart thermometers is that they're a goldmine to people who break into houses.

51 straight weeks of 70 degree temperature followed by a week > 70 might imply they're on vacation. People who turn down the heat/ac and turn it back on when they come home from work is also a pattern pretty apparent by that info.

fullstop

Couldn't they get that information by pointing a thermal camera at the house? Most windows and doors would leak enough to show this information.

Or they could watch the air conditioner fans to know if it's on.

sillyfluke

Not having to go to the house for that specific info and being able to create a shortlist of houses beforehand would be preferable I would think.

tharkun__

You would need an army of thieves going around and physically pointing thermometers and the ROI isn't there.

VS. just checking your computer once and going to the correct place. Heck, set up alerts and get notified where to break in next.

tartoran

Instead of going around pointing thermal cameras they simply have a dashboard, by neighborhoods, property taxes, maybe even incomes and all that.

dlenski

> 51 straight weeks of 70 degree temperature followed by a week > 70 might imply they're on vacation. People who turn down the heat/ac and turn it back on when they come home from work is also a pattern pretty apparent by that info.

Yes, exactly. I made this point in my write-up: if you can a home's thermostats, you can probably figure out when people are away. https://snowpatch.org/posts/i-can-completely-control-your-sm...

morkalork

Is this cutting corners on manufacturing/assembly where they're skipping installing a unique set of keys on each device?

Aurornis

The vulnerability was in their backend cloud structure. The backend wasn't restricting access to only devices associated with your account.

> Out of sheer laziness, I connected to the Mysa MQTT server and subscribed to the match-everything wildcard topic, #. I was hoping I’d see messages from a few more MQTT topics, giving me more information about my Mysa devices.

> Instead, I started receiving a torrent of messages from every single Internet-connected production Mysa device in the whole world.

The devices had unique IDs, but they were all connected to one big MQTT pub/sub system that didn't even try to isolate anything.

It's lazy backend development. This happens often in IoT products where they hire some consultant or agency to develop a proof of concept, the agency makes a prototype without any security considerations, and then they call it done because it looks like it works. To an uninformed tester who only looks at the app it appears secure because they had to type in their password.

JoshTriplett

> The vulnerability was in their backend cloud structure.

The vulnerability is in having a backend cloud structure.

(There are plenty of ways to provide remote access without that, and no other feature warrants it.)

dlenski

Quite ironically, they do install a unique TLS cert and key on each thermostat, although it's done on first-wifi-connection of each thermostat, rather than pre-installed at the factory.

And then the thermostat uses those keys to mutually authenticate itself with the MQTT server. It actually makes it quite tedious (not impossible :-D) to 2-way-MITM the device's connection to the server.

It's just that, as @Aurornis wrote, the MQTT server itself did not have any checks to prevent sending and receiving messages to other owners' thermostats. ¯\_(ツ)_/¯

[ I've actually discovered a whole lot more details about the Mysa thermostats than what I published. Many of them can be used to subvert and reconfigure the devices in interesting ways, but only with a witting/willing device owner who has local access. So I don't feel any obligation to disclose them, although I might eventually get around to building a de-cloud-ifying tool using them: https://github.com/dlenski/mysotherm/blob/main/README.md#fut... ]
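The gap Aurornis and dlenski describe above (clients are authenticated, but the broker applies no per-owner topic checks) comes down to a missing authorization step. As an added example that is not part of the thread and not Mysa's code, here is a broker-side check that denies a subscription filter unless it is wholly contained in topics the account owns. The `devices/<id>/...` topic layout, the account names and the device IDs are assumptions made up for the illustration.

```python
"""Broker-side MQTT authorization check (added example; topic layout is hypothetical)."""

# Constructed sample data: which account owns which device IDs. The account
# would come from the client's authenticated identity (e.g. its TLS client cert).
ACCOUNT_DEVICES = {
    "alice": {"thermo-a1", "thermo-a2"},
    "bob": {"thermo-b7"},
}


def validate_filter(topic_filter):
    """MQTT rules: '#' only as the final level, wildcards fill a whole level."""
    if not topic_filter:
        return False
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            return False
        if "+" in level and level != "+":
            return False
    return True


def filter_within(requested, allowed):
    """True if every topic matched by `requested` is also matched by `allowed`."""
    if not (validate_filter(requested) and validate_filter(allowed)):
        return False
    req, alw = requested.split("/"), allowed.split("/")
    # A leading wildcard never matches '$'-prefixed topics such as $SYS/...
    if req[0].startswith("$") and alw[0] in ("#", "+"):
        return False
    for i, a in enumerate(alw):
        if a == "#":
            return True          # 'x/#' covers 'x' and everything below it
        if i >= len(req):
            return False         # requested is shorter than a non-'#' pattern
        r = req[i]
        if r == "#":
            return False         # requested is broader than the allowed level
        if a == "+":
            continue             # '+' covers any single literal or '+'
        if r != a:               # also rejects '+' requested against a literal
            return False
    return len(req) == len(alw)


def allowed_filters(account, ownership=ACCOUNT_DEVICES):
    """Topic patterns an account may touch: only its own devices' subtrees."""
    return [f"devices/{dev}/#" for dev in sorted(ownership.get(account, ()))]


def authorize_subscribe(account, requested, ownership=ACCOUNT_DEVICES):
    """Default deny: the filter must fit inside one owned subtree."""
    return any(filter_within(requested, a)
               for a in allowed_filters(account, ownership))


def authorize_publish(account, topic, ownership=ACCOUNT_DEVICES):
    """Publishes name one concrete topic, so wildcards are rejected outright."""
    if "#" in topic or "+" in topic:
        return False
    return authorize_subscribe(account, topic, ownership)


if __name__ == "__main__":
    for flt in ["#", "devices/+/status", "devices/thermo-a1/#",
                "devices/thermo-b7/status"]:
        verdict = "ALLOW" if authorize_subscribe("alice", flt) else "DENY"
        print(f"alice SUBSCRIBE {flt!r}: {verdict}")
```

The check has to run on SUBSCRIBE as well as PUBLISH: a broker that only validates the login will accept the `#` filter from any authenticated client.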

Neywiny

I think it's about being a configuration management nightmare. If every device has a unique password, you need the decoder ring for serial number to password. However, not all processors have unique IDs. So you either need to find a way to reliably serialize each board during manufacturing and hope it stays (like a sticker/laser/printer/etc) or add a serial number chip which is cost and complexity. It's not impossible, it's just extra work that usually goes unrewarded.

HFguy

I'm a long way from embedded development. But I was under the impression a lot of microcontrollers these days have some ID capability built in, even some relatively low-end ones. This strikes me more as laziness than anything.

NegativeK

> It's not impossible, it's just extra work that usually goes unrewarded.

That sounds like profit motivated negligence, and it sounds like a standard justification for why Europe is going to hold companies liable.

Msurrow

I have no knowledge of this kind of software dev/hw production, so can you please explain why the units can't just be born with a default pass and then have the setup process (which is always there) force the owner to set a new password?

Knowledge or not, this..

> It's not impossible, it's just extra work that usually goes unrewarded.

.. is just not an acceptable way for business to think and operate in 2026, especially not when it comes to internet connected video enabled devices

Perepiska

I've heard about some home internet provider in Georgia (country, not US state) which has the same default password on all of its fiber routers. It could easily be found on the internet just by googling the router model name.

PatronBernard

Why does a robot vacuum have a microphone? Voice control?

Filligree

Voice control is the claim. In my experience the voice control is entirely unusable, and can’t be fully turned off.

NalNezumi

As part of my thesis work almost 10 years ago I worked on a robot vacuum cleaner, (working on their sensor data) and one smart hardware implementation they had was that they had separated the computer vision module from the main board.

This way, only processed vision data would be physically sent to the main board. This consisted of mostly just "line segments", almost like a sparse point cloud, to detect obstacles and edges. They argued that this was more privacy safe because there's no way for the main module to access any raw vision data. It did however make the SLAM part harder to make work.

In hindsight, a good decision. I got one as a thank you for thesis work and it's still running just fine (with battery and brushes replaced once) and good to know that with the years of software updates it still can't check me walking around in underwear in my apartment

altacc

I'm obviously wondering which company this is but understand the anonymity. I have a LIDAR vacuum to avoid cameras and from connecting to its debug socket could see the point cloud enough to know that it was very granular.

logankeenan

Which brand did you get? I’ve always been hesitant to get one, I’d like one that I could reduce the amount of data sent out to the cloud

dep_b

Internet connections on devices are an anti feature to me. I need something to work reliably without internet. And then maybe add some extras through internet access through open and secure protocols, so I can always write my own implementation.

fnands

The dishwasher at my office has WiFi.

Why do companies insist on connecting every single device to the internet? Fortunately it's mostly an optional feature, so still works just fine without it, but in general it's a pretty strong signal to me to not buy that product.

autoexec

In addition to collecting and selling every scrap of your private data they can get their hands on, having 24 hour access to the internet also means that at any time they can push updates that disable features you paid for so that they can start charging you a monthly fee to regain access to them.

Any CEO whose company engages in spying and theft should be criminally charged and thrown behind bars just as you or I would be for those same acts, but right now companies can do pretty much anything they want to you and if they do happen to face any consequence it'll just be a slap on the wrist that costs them a fraction of the profit they made ripping you off and violating your privacy.

thegrey_one

I thought this was pretty much a known fact by now. To make more money. They sell the data, or monetize it somehow. They disguise doing it under all kinds of "features" which indeed might be useful for some people. What should ring your alarm bells is any device that needs you to make an account, at least once when setting it up. That's valuable data, who/where/email/phone number etc. If you cannot fully use the product without at least one initial access to the internet, your data will be monetized, that's the reason you're not able to use it, they need to get something out of you. Of course there are features that don't work, or make any sense, without internet access. But if you cannot wash your clothes without an account/initial access to the internet...that's sus.

dlenski

> The dishwasher at my office has WiFi.

At one of the AWS builds I worked at there was a water dispenser. It had one button to dispense cold still water, one for fizzy, one for hot water, etc.

Instead of JUST PRESSING THE BUTTON WITH YOUR FINGER, you could—and I am not making this up—download an app that would allow you to pair to the dispenser via a QR code, and then remotely trigger the water-dispensing action… so that you wouldn't have to press the button.

Absolutely insane.

Yeah, I imagine that this feature was dreamed up during the early part of the COVID pandemic where it was hypothesized that COVID spread on high-touch surfaces. Still doesn't make it any less insane. (And also, that theory was pretty clearly highly sus from the start.)

tgsovlerkhgsel

It's cheap to do, some people like it and it can be sold to them as a premium feature, and it enables future enshittification with subscriptions and other revenue opportunities.

Ignore the security issues for a bit, because most buyers don't know/think about those. If it wasn't for the enshittification, having your dishwasher online would be useful. Not groundbreaking, but being able to look up how long it still has without having to walk to the kitchen, get a notification when it's done, be able to look up error codes or check the status of consumables would be kind of nice if it weren't for the downsides that come with it. But those downsides are not something people think about.

MostlyStable

Anyone who's somewhat technically inclined should, in my opinion, only be buying valetudo [0] compatible vacuums and replacing the default software as soon as possible.

[0] https://valetudo.cloud/

ericpauley

I found the “Why Not Valetudo” page on that site extremely persuasive. I would consider myself technically inclined. I also own a robot vacuum so I can spend more time doing important things that leverage my skills. Valetudo does not serve this mission.

Very impressive, but I disagree that this is the clear best choice for anywhere close to anyone.

misnome

Also, the first line in "Why Valetudo?"

> First of all, please do not try to convince people to use Valetudo.

A good realist position for such a project to take.

Aurornis

That is very refreshing.

Many geek hobbies like 3D printing and home automation are becoming full of unnecessarily smug evangelization if you're not using hivemind approved software and tools, even if it requires a lot more work to do.

It's nice to see a project encourage their userbase to be realistic about what it is and refrain from trying to force it on everyone as the only acceptable way to use a robot vacuum.

lucb1e

For anyone else wondering, "Why Not Valetudo" <https://valetudo.cloud/pages/general/why-not-valetudo.html> lists:

- all the same downsides as keeping the stock OS would have ("it's opinionated software", "it's not about you", and the last one "it's not a community" basically means "you can't tell me how to change my software and be confident I'll do it")

- that this fan project is not necessarily as polished as the original software (as I would have expected)

- Only supported robots are supported (as the author themselves say: duh)

- it only works in English

- you can't revert to stock software if you don't like it

For me, the latter is the only thing worth mentioning. You made me curious what all these compelling downsides are but the rest is obvious and the latter isn't surprising / I would have known to check beforehand

How did you come to the conclusion that it's not likely the right choice for nearly anyone? Do you think so many people wouldn't understand enough English to operate the controls of a robot vacuum cleaner? Have you found features to be missing or clunky/fragile enough that people would frequently want to revert to stock? Do you think people care so much about it being community-driven FOSS that they'd rather keep the proprietary OS instead of open source that isn't community-driven?

Btw I have no experience with the project whatsoever and am not involved, only interested in trying it out once we need a new vacuum. I just came to a very different conclusion and am quite surprised by yours

defanor

There is also the "No multi-floor/multi-map support" point. Apparently it is treated less seriously than others there, and omitted here, but seemed particularly unfortunate to me: having per-floor dry cleaning robots seems wasteful, while in that text it is assumed that they should be fully autonomous (no manual transfer of those between floors), and likely with large and frequently used docking stations for wet cleaning.

(FWIW, I do not use multi-floor robots myself, only using an old random-walking Roomba in a single-floor setting, but considering getting another robotic cleaner for a two-floor house, where it does seem reasonable to manually move it between floors, as I would move any other cleaning tools.)

MostlyStable

The main value proposition is privacy and security. If you are content with the privacy and security of your existing vacuum, then yes, I'd agree it's not for you. That being said, your critique seems to imply that Valetudo will increase your overall time spent managing the vacuum, and this has not been my experience. There is the initial setup time which I'm sure varies by robot, but for me took (conservatively) an hour or two, and then I never think about it again, to the same degree that I would before. You still have schedules, etc. and all the same features that make a robot vacuum a time saving item.

mkoubaa

I wonder if Claude could do a good job of setting this up for someone not technically inclined

mzhaase

Until it can disassemble a robot to attach a programmer to the mainboard, it cannot.

pests

It can, it has meat buttons it can press or boss around.

cogogo

About 10 years ago I was at a startup that used one of the upstart 401k providers of the time. Logged in one day and could see several of my coworkers’ accounts. Really bad class of bug. Still not clear to me how they could have screwed up account atomicity so poorly but assume it was something to do with how they managed orgs.

I was pretty mad about it but also tried to play ball and not make too much of a fuss because I learned some pretty private things without meaning to and didn’t want to inadvertently make them public. Should have been more vocal.

rkagerer

I tend to err on the side of discretion as well. It's more professional.

Though over the years, I've learned to calibrate that discretion proportional to how much of a good-faith effort the counterparty involved seems to be making. If they clearly don't give a shit that they're incompetent, they can expect my megaphone to blare.

fc417fc802

> didn’t want to inadvertently make them public

Screenshot, redact, mass email everyone. Problem solved. Financial institutions don't deserve any leeway with security issues when it comes to their reputation. Handling your money securely and privately is the totality of their reason for existence.

rtchau

For a brief, beautiful moment, one man came close to sucking more than any other person in human history.

fainpul

If one's goal was to force companies to implement better security for their products, it would probably be more efficient to cause maximum reputational damage to the companies, instead of just "responsibly disclosing" vulnerabilities.

It would temporarily suck for consumers, having their devices exploited and their privacy abused, but it would lead to wider awareness of the problem, shaming of the companies, financial and legal pressure, and hopefully change things in the long run.

Disclaimer: This is not a call to action to do illegal things. Your decisions are your own.

shrubble

Due to the wonders of technology, you can now do the equivalent of the Steven Wright joke:

“In my house there's this light switch that doesn't do anything. Every so often I would flick it on and off just to check. Yesterday, I got a call from a woman in Germany. She said, 'Cut it out.'”

At scale, over the Internet.

mghackerlady

I once did something similar for car wash doors. there's a car wash door company out there that has a control panel accessible over VNC and uses the same defaults for every one they set up, so I used to connect to random ones and open and shut the car wash doors for the fun of it. The best part was when someone noticed and tried to shut it only for me to open it again, resulting in a battle where neither of us knew anything more than someone or something keeps undoing my actions

charles_f

Cthulhu_

Thank you, the guidelines are clear that the original source should be linked.

RHSeeger

> In order for the Romo, or really any modern autonomous vacuum, to function it needs to constantly collect visual data from the building it is operating in.

I specifically bought one without a camera or mic.

skrebbel

My Eufy claims to do all processing locally. I admit I never verified this (eg turn off the wifi while it's running - I should actually). But they were the only Chinese manufacturer that at least bothered to write anything about data locality and privacy in their marketing materials, and that got them my money.

Obviously at any point the brand can send a firmware update down the wire that does send a realtime video feed from my home right to Chairman Xi's bedroom. I'm aware of that, but the reality also is that the European/US brands currently don't get anywhere near the Chinese price/quality ratio, and I didn't want to muck about with Valetudo, I'm not courageous enough for that.

I'm not super happy about this situation but I am super happy about the robot. It's really very good.

accelbred

Isn't Eufy the one that marketed fully local smart cameras that actually just streamed to the cloud unencrypted?

skrebbel

hahahaha srsly i feel like such a dork right now

Marsymars

> In order for the Romo, or really any modern autonomous vacuum, to function it needs to constantly collect visual data from the building it is operating in.

IMO the random bouncing of older Roombas was unfairly pilloried. Sure, it didn't look great, but in practice it was effective at cleaning.

tgsovlerkhgsel

Are there any like that that would have automatic emptying?

valicord

Roborock q revo

arein3

I've got a q revo pro, which can dry the mops.

Happy with it but note that I don't have carpets, I guess for carpets you need something with more features.

RHSeeger

The Roborock is what I have, and I've had no complaints; the Q5 Max+. With some googly eyes, it's pretty cute :)

bdcravens

The Q Revo series does have a camera and mic.

sverhagen

How do you know? For sure, I mean?

soopypoos

I wrapped mine in foil to be safe and now it's fabulous

brookst

I mean your coffee maker could be a one-off spy device with nation-state backing. But it seems unlikely.

jlarocco

If Google thought it was okay to hide a microphone, I'm sure less scrutinized companies try to get away with worse. https://www.bbc.com/news/technology-47303077

skeeter2020

if they can build an internet connected coffee maker with mic and camera for 60 bucks that's freakin' amazing!

soopypoos

he did say he was trained at the kremlin...

dylan604

phew, yet another reason it pays off to not be a coffee drinker.

amelius

Does your smartphone have a mic?

dylan604

You've brought up such a brilliantly useless point to this discussion. I'm really appreciative of your efforts

codeulike

Smartphones at least have some semblance of security, whereas iot devices are a free for all

ssl-3

Do they?

I'd like to think that they should have reasonable security with my best interests in mind, but I really have no way of investigating what the baseband is or is not doing.

fsflover

Yes, and a hardware kill switch for it.

suzzer99

I have my Roomba programmed to start at 5pm every day. Multiple times now it's come to life at 7pm, gone straight to my bedroom, stayed for 5-10 minutes, then come back home to its dock and gone back to sleep. I have no idea what's going on.

qnleigh

Does it even vacuum while it's in there? From what you wrote, it sounds like it just comes in, sits menacingly at the side of your bed, and then leaves...

suzzer99

I was in the living room and didn't follow it into the bedroom. It didn't sound like it ever turned on the vacuum. It has a mapping mode (I assume) where it drives around and doesn't vacuum.

jackgavigan

iRobot is now Chinese-owned.

exegete

“Accidentally” is not accurate. He used AI to inspect the source and found credentials that work in all devices. He also never gained control of anyone else’s devices. He never used the exploit.

55555

I didn't read the article but based on the title and subheading I assume they say "accidentally" because he was trying to reverse engineer the communication protocol to use his own device and he did not expect to find something as dumb as master credentials that would work on others' devices.

wolrah

"Accidentally" as in his intent was to gain control of his own device but instead discovered what would in a just world be considered criminal levels of either incompetence or indifference to the most basic levels of security in the entire product line.

Man accidentally gains control of 7k robot vacuums - Hacker News