• lumpenproletariat@quokk.au · 138 upvotes · 24 days ago

    The big concern should be DJI having access to cameras and microphones in who knows how many millions of households.

    • whaleross@lemmy.world · 98 upvotes · 24 days ago

      The bigger concern should be that this is how badly coded smart appliances in people’s homes are, and how little concern there is about their security.

      Working as a consultant and seeing the code that runs online services made me realize how fucked up everything is and to accept that nobody knows or cares about what they are doing with other people’s integrity. AI in coding is barely making a dent in it.

        • lumpenproletariat@quokk.au · 34 upvotes · 24 days ago

        That’s less of a concern over the corporate actors who have infiltrated our houses.

        Even if it was completely secure, they would still have access to this information and that would be utilised by a state in some capacity against us.

        Every device we have is sending our data to these companies, our homes and streets are full of Orwellian Telescreens surveilling our every move. It’s inescapable and as the means for them to better amalgamate and act on this data increases, the bleaker our future becomes.

        • Bgugi@lemmy.world · 7 upvotes · 24 days ago

          Anybody can code an application, it takes a software engineer to barely code it.

    • balsoft@lemmy.ml · 3 upvotes · 24 days ago

      ‘Company deliberately has control of over 6,700 robot vacuums while selling them to unsuspecting general public’

  • Th4tGuyII@fedia.io · 64 upvotes · 24 days ago

    tinkerer built an app to control their own device with a PlayStation controller.

    who used Claude Code to reverse engineer the protocol

    Did they build it though? Sounds like vibe-coding to me

    the problem does not lie in the encryption used by the robot vacuum when communicating with its server, but that all the data is stored in plain text and can easily be read by anyone who gains access to the server.

    Having said that, this is atrocious!

    What’s the point in encrypting user data in transit if you’re just gonna leave it unencrypted at rest??

    If you’re going to store user data, at least have the decency to make sure it’s protected against malicious actors.

    It’s very lucky that the person who discovered it was a vibe-coding good Samaritan, rather than somebody willing to exploit it for money.

    • Boomer Humor Doomergod@lemmy.world · 25 upvotes · edited · 24 days ago

      A lot of times encryption “at rest” is just encrypting the partition the DB is sitting on. There are options for encrypting the database when it’s in use, but if you don’t set up the right access controls the on-the-fly decryption can have it show up as plaintext.

      The best option for this is to do the decryption/encryption in the application, so even if they get the DB credentials for the app user it’s still encrypted. One disadvantage is that you can’t do searches in the DB anymore.

      Of course, all of these are in increasing level of difficulty and adding them after the fact becomes a more daunting task the longer you put it off.
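    To make the comment's last two points concrete, here is an added example (my own Go code, not from the article, the vacuum vendor or the app's author) of application-layer encryption of one database column with AES-256-GCM from the standard library. The row holds only nonce plus ciphertext, so someone who obtains the DB credentials reads nothing useful, decryption is bound to the owning user ID, and, as the comment notes, equality search on that column stops working because each write produces different bytes. The key, the user ID and the address are constructed values for the demonstration; the database is a stand-in.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault wraps the application's data key. The key lives in the application
// (in practice fetched from a KMS or secret store), never alongside the data.
type Vault struct {
	aead cipher.AEAD
}

// NewVault builds an AES-256-GCM vault from a 32-byte key.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Encrypt seals one column value with a fresh random nonce and returns
// nonce||ciphertext, which is what the database row actually holds. The owning
// user ID is bound as associated data, so a blob copied into another user's row
// fails to decrypt instead of silently decrypting as that user's data.
func (v *Vault) Encrypt(userID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(userID)), nil
}

// Decrypt reverses Encrypt; it fails if the blob was tampered with or is
// presented under a different user ID than it was sealed for.
func (v *Vault) Decrypt(userID string, blob []byte) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("stored value shorter than a nonce")
	}
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(userID))
}

// StoresPlaintext answers the question raised by the breach: would someone
// holding only the DB credentials see the value by reading the row bytes?
func StoresPlaintext(row []byte, plaintext string) bool {
	return bytes.Contains(row, []byte(plaintext))
}

// Deterministic reports whether encrypting the same value twice produces the
// same stored bytes. With random nonces it never does, which is exactly why a
// "WHERE address = ?" query against the encrypted column can no longer match.
func Deterministic(v *Vault, userID, plaintext string) (bool, error) {
	a, err := v.Encrypt(userID, []byte(plaintext))
	if err != nil {
		return false, err
	}
	b, err := v.Encrypt(userID, []byte(plaintext))
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

// DemoKey is a constructed, fixed key for this example only; a real deployment
// generates the key with a CSPRNG and keeps it in a KMS or secret store.
func DemoKey() []byte {
	return bytes.Repeat([]byte{0x42}, 32)
}

func main() {
	v, err := NewVault(DemoKey())
	if err != nil {
		panic(err)
	}
	// Constructed sample value standing in for a home address from a device profile.
	const userID, address = "user-17", "221B Baker Street"

	row, _ := v.Encrypt(userID, []byte(address))
	fmt.Printf("row bytes contain plaintext: %v\n", StoresPlaintext(row, address))
	pt, _ := v.Decrypt(userID, row)
	fmt.Printf("app-side decrypt: %s\n", pt)
	_, err = v.Decrypt("user-99", row)
	fmt.Printf("decrypt under another user's ID fails: %v\n", err != nil)
	same, _ := Deterministic(v, userID, address)
	fmt.Printf("same ciphertext for same value (DB-side equality search works): %v\n", same)
}
```

    The design choice worth noting is the associated data: binding the row's owner into the AEAD costs nothing and turns "attacker swaps two users' encrypted columns" into a decryption failure the application can log, rather than a quiet data mix-up.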

    • Derpgon@programming.dev · 6 upvotes · 24 days ago

      What’s the point in encrypting user data in transit if you’re just gonna leave it unencrypted at rest??

      Basic HTTPS does the trick of encrypting transfer, easy as fuck to set up, does not mean the app is any more secure tho.

      Database encryption is usually not necessary if it is kept on a private network. Setting up sensible auth is usually enough. They kept some doors unlocked, tho.

    • XeroxCool@lemmy.world · 6 upvotes · 24 days ago

      Did they build it though? Sounds like vibe-coding to me

      For all my gripes with AI/LLM and stolen valor-type misrepresentation, I’m not going to put too many asterisks on someone’s personal project. Especially when it exposes shady corporate practice. It doesn’t seem like they were professionally hired to create this app. There’s plenty of tinkerers I follow that phone a friend to get a project back on track.

      But I have no idea what his day job is, being an AI Strategist

  • ExLisper@lemmy.curiana.net · 51 upvotes · 24 days ago

    You don’t have to be smart to use a broom but you have to be stupid to buy a vacuum with microphone and camera.

  • NewNewAugustEast@lemmy.zip · 22 upvotes · edited · 24 days ago

    Shame they didn’t get access to the analytics. It would be very interesting to see the extent to which the collected data are used.

    For instance, training voice AI on customer data. Or voice printing to make a location map of users and selling that data. Or customizing ads that show up on their devices based on what’s in the home, etc etc

    • HugeNerd@lemmy.ca · 11 upvotes · 24 days ago

      Why is any of this connected to a spinning turbine sucking air into a filter bag? We have collectively failed as a society: instead of building a leisure society, we build a society of useless, over-engineered gadgets programmed by people driving to the office for no reason while being told to reduce our carbon emissions.

        • wabasso@lemmy.ca · 2 upvotes · 23 days ago

        I hate when someone’s house has an Alexa or whatever and I either have to accept it’s listening to me, or spend social credit asking if they can turn it off when I’m there (I’ve never actually made that request).

  • Bazell@lemmy.zip · 13 upvotes · edited · 24 days ago

    I have some suggestions about what their security engineer’s routine looks like:

  • mcv@lemmy.zip · 5 upvotes · 23 days ago

    Why are they collecting this data in the first place? You can’t mishandle data you don’t have. The fact that remote access to video is even possible is very alarming.