Internet of things, privacy
When it comes to privacy, it remains complicated and nearly impossible for a consumer to make an informed decision.
August 16, 2023
•
,
3 minutes Read
A presentation at DEF CON, 10am Sunday morning in Las Vegas. My expectation was that there would be little participation – I couldn’t have been more wrong. A packed room welcomed Dennis Giese, a well-known expert in “hacking” robot vacuum cleaners. The topic of the presentation was how to stop your robot vacuum cleaner from sending data to the vendor, a discussion based on privacy and security.
Last month my colleague Roman Cuprik published an article on WeLiveSecurity detailing how these home vacuum cleaner devices could be spying on their owners, so I won’t go into the potential spying issues here, but rather discuss the parts highlights of Dennis’ excellent presentation.
The researcher led by Dennis had a simple goal: could they root the target device without disassembling it? Rooting your device in simplistic terms means gaining access to the underlying software used to control the device and possibly modify it. In the current case, this creates the opportunity not to make the device rogue, but rather to modify the software so that it does not share personal data and returns final control to the owner.
A play on words
I’m assuming at this point you’re savvy enough to have read Roman’s article or have some knowledge of privacy issues, such as robot vacuum cleaners with cameras that send images to the vendor’s cloud servers, potentially identifying all the things you have in your home.
One of the issues Dennis highlights is that vendors’ claims may not match reality: for example, one company mentioned in the presentation claims that it doesn’t send any data to the cloud, that it never duplicates data, and that its devices’ cameras are just there to protect your home items from collisions. It sounds doable, but another feature listed for the same device is that you can access the camera remotely and watch the device work. So how do they do it if the image or video stream is not shared across the company’s cloud servers that provide the functionality; maybe there’s some real magic involved.
Another issue raised in the presentation was the wording companies use to describe the functionality and features of their products. Due to the bad press in recent years regarding camera devices, and especially the possibility of abuse, some manufacturers have reportedly removed the cameras; their documentation instead says that their devices use “optical sensors.” This is just a play on words; they are, of course, cameras and in the presentation it was demonstrated that they are capable of capturing images: they are cameras.
The presentation went into more detail and equally shocking examples; also highlighted that many of the devices tested and which present privacy and security issues are certified by some renowned testing laboratories; the examples of certification authorities provided were a respected German testing authority and, more generally, European Union device certification.
Statements versus reality
In Roman’s blog post, he recommends conducting a pre-purchase investigation of devices, which I fully agree with in most cases if I hadn’t heard this presentation at DEF CON. It is clear that although security has improved in the firmware and operation of these dust collection devices, it remains complicated and nearly impossible for a consumer to make an informed decision.
A device that claims not to share data in the cloud, has no built-in cameras, and has security and privacy certification from widely respected testing labs would seem to meet all the requirements of a privacy-conscious consumer; in reality, however, what happens behind the scenes could be completely different. The presentation was not about one manufacturer or model, but listed numerous cases of both. Until there is clarity, I will continue to push my handheld vacuum around the house.
One last comment: Thanks to Dennis Giese for giving such a fantastic presentation on a Sunday morning in Las Vegas. But I urge you not to disclose issues to the public and instead follow industry-coordinated disclosure standards. I’m sure robot vacuum cleaner companies would appreciate this, as would most consumers. No one wants to own a device with an unpatched vulnerability because disclosure does not follow industry best practices.