This is extremely similar to what I accidentally discovered and disclosed about Mysa smart thermostats last year: the same credentials could be used to access, inspect, and control all of them, anywhere in the world.
People who work in tech keep an axe next to the toaster.
I haven't done anything to analyze it further, instead after trying that out once I promptly changed my WiFi password and never looked back. The long term solution will involve some ESP32s, AHT20 temp/humidity sensors, and IR rx/tx.
But it just occurred to me reading this that if there's a similar vulnerability in HVAC system controls an attacker could cause one hell of an unanticipated power demand spike.
I gave up.
I use a simple dial-the-temperature, turn-on/off thermostat. I turn it off when going to bed, turn it on in the morning. Very happy.
The ideal setup is having a separate vlan for your IoT things, that has no internet access. You then bridge specific hubs into it, so the hubs can control them and update their firmware.
If you have IoT devices that are unsafe but cannot be updated any other way, you can temporarily bridge the IoT VLAN to WAN.
Honestly, what IoT stuff needs is something similar to LVFS. Make it so all the hubs can grab updates from there, and can update any IoT device that supports Matter. It would also serve as a crapware filter because only brands that care about their products would upload the firmwares.
The real problem is those devices that actually don't let you control the device locally - Tuya being one notable example. There are thousands of products that just went and dropped in a Tuya board.
Tuya is completely cloud-controlled. To control these locally you need a "local key" that is buried deep in their developer platform, and changes every time you re-pair the device, and getting it without registering the device is, on purpose, near-impossible without tricks like using an Android emulator with an old version of their app that stores the key, and even then requires effort to exfil the file out of Android. Horror. A device you physically own only responds to control from the mothership.
So yes, you don't get those kinds of issues with RF protocols, of course unless you put the vendor's "bridge" on your network...
A friend of mine found Zigbee unreliable where he was, and just wired the home for 1-Wire. Temperature sensors, relays, heating PIDs etc. Not only will it just not die, but good luck to anyone hacking it without extra equipment and ripping wires from walls, and firstly being inside, unsupervised and undetected.
There are halfway decent hybrid controls available for ducted systems but you can't afaik buy anything off the shelf to merge hydronic + minisplits. And as far as I can tell, none of the off-the-shelf smart thermostats has any built in analog backup. I view that as absolutely critical for my use, if the power goes out and I'm not around I need to be 100% certain that when the power comes back on the heat will also.
EDIT: Digging around a little more it seems that Mitsubishi H2i minisplit systems don't speak zwave or zigbee, neither does Haier Arctic. I'm not 100% sure if that's accurate, but I haven't been able to find any documentation in the affirmative or negative. Those are the two heat pump options available locally. I'll be remodeling a small barn into an ADU this summer, that project will be more amenable to a forced air hybrid system, so maybe I'll be able to get away with a Honeywell smart zigbee capable thermostat that can drive it.
> EDIT: Digging around a little more it seems that Mitsubishi H2i minisplit systems don't speak zwave or zigbee, neither does Haier Arctic
There are no mini-splits in the US that speak anything remotely standard. If you want to go with ducted systems, TRANE and others have smart AC units that use "communicating thermostats". The protocol is based on Envirocom system and it's pretty basic.
Good news is that you can still control them by shorting the wires with a traditional thermostat, so you still can have an analog backup in case the regular digital thermostat fails.
Bare bi-metallic strips don't work as well because contacts tend to get oxidized and/or stuck. They are also a pain to calibrate.
A small microcontroller with a relay tends to be more reliable.
Until some bug surfaces that requires a reboot to -fix- work around, but since the device is powered by a battery (EDIT: still puzzling through what might happen when this battery runs out..) which isn't user serviceable and has no reset switch... The device I tore down this morning fits that description. I'll take my chances with a bit of calibration and some yearly maintenance. My vehicles all have grease points and maintenance schedules, I can handle also greasing my thermostat contacts ;)
That said, the regulators taking away the mercury switch isn't an excuse for the user hostility. They could have made a device that is less sketchy. Even if they actually did a great job and it's in fact much safer and more reliable than the analog device (in which case they should show data), I know I can open up the analog one and make it work. I can figure out how to keep it working. I can look at it and evaluate whether I trust it. I cannot do that with some proprietary blob on an MCU.
> I can look at it and evaluate whether I trust it. I cannot do that with some proprietary blob on an MCU.
Your air conditioner/heater likely has a controller. Probably several, at least for thermal protection and overcurrent.
I was very surprised to find the battery. This thermostat is designed to be compatible with older 3-wire systems, so I suspect they slapped a "10 year" battery in it and hope for the best. It's also marketed fairly deceptively. Or at least enough have fooled me--I thought I was buying an analog device.
EDIT: now I'm looking at the data sheets for an LM57 and getting some ideas
The HVAC guy probably thought that I was nuts for wanting the one that I got, since the price was similar. Six years later and I'm still controlling it from Z-Wave.
Absolutely. This was one of the things I realized could be a substantial risk when I discovered the Mysa vulnerability. https://snowpatch.org/posts/i-can-completely-control-your-sm...
Thankfully, Mysa responded very rapidly to fix it, but if they hadn't I was planning to notify the BC provincial electric utilities which were cross-subsidizing these devices.
There's enough broken stuff to fix at work.
Cool, I'll start a HW-FOSS robo-vac company in California tailored to your consumer preferences, that will be profitable without selling your data. Buy one for only $4,999. Orders start now.
...fast forward 12 months ...
Damn, why did we already go out of business, I thought according to consumer preferences, people would pay 10x markup for privacy compared to spyware Chinese models?
You could make a healthy profit selling a robot vacuum for under $200 although you'd probably want models that cost a bit more for customers who wanted something more fancy (https://cookierobotics.com/060/)
I guess it comes down to "market failure."
Many people would probably say that they care about security/privacy/maintainability of their electronic devices, but in practice they buy based on cost and features, and they remain oblivious to security/privacy/maintainability unless and until there's a major problem.
This is probably rational behavior for most consumers:
There's no real way for them to evaluate claims about security/privacy/maintainability of their devices. Basically every Internet-connected device advertises an enormous list of security-flavored bullet points. "Supports IEEE 802.11g/n/ac/ax, including Wi-Fi Easy Connect for secure passwordless connections", "Secure Boot to ensure only authorized firmware runs on the device", "Hardware cryptographic acceleration", "24/7 monitoring by our dedicated security incident team", yadda yadda.
But those claims don't in any way cover the massive attack surface of a cloud-connected device where the server and client sides have been co-developed with a bunch of rushed and dangerous assumptions about how neither the client nor the server will ever talk to any misconfigured or adversarial peer. Finding those kinds of security vulnerabilities is basically my stock in trade.
<elmo_on_fire.gif>
Why not? They bought roving cameras that surveil their homes and connected them to internet servers they neither own nor control.
They obviously don't give a shit about privacy or they've room-temperature IQs.
I work in tech, I never thought about buying one, so I never looked into them. Still, I am surprised they come with microphones.
The first and most obvious question an owner should ask is "why does a vacuum cleaner need to talk with the internet?" It's hard to have sympathy for people who go out of their way to act dumb.
Despite my comments I cannot agree more. When it comes to IT, computers and the internet governments have failed abysmally to protect consumers from exploitation, both online and otherwise.
I've been in tech since the IBM-360 and the 4004 uP days and I am still staggered by what's happened—how governments have deserted their citizens and sided with Big Tech. To me, what has happened is the biggest failure of democracy in my lifetime.
It would take a book for me to expand that further. Suffice to say when governments abrogate their primary responsibility of protecting their citizens then it's everyone for themselves—there is no other practical option.
By now, the evidence is clear that people have to protect themselves as they're not going to be helped by governments.
The bitterness in my original post comes from the fact that it is now 49 years since the launch of the first truly consumer IT products such as Tandy's TRS-80 and Apple's Apple-II in 1977—that's one year shy of half a century and there's still stuff-all regulation to protect consumers.
We perhaps can forgive the fact that regulation is a 'cuss' word—a profanity—in the US but when it comes to computer tech the 'regulations' deficit is worldwide. Up until 2000—nearly a quarter century after computers had become popular—governments could be forgiven for not regulating tech but by then it was already abundantly clear regulations were needed.
For instance, the three-year long US antitrust proceedings† against Microsoft which commenced in 1998 resulted in little more than a slap over the wrists with a feather for Microsoft. The world watched this case with interest and essentially nothing happened to protect consumers. Despite its being patently obvious at the time that consumer protection was needed, over a quarter century later it's still not forthcoming (except at the very margins).
That said, the rich and powerful had no trouble getting laws to protect themselves—witness the Digital Millennium Copyright Act. That tells you who is in charge and actually running the country.
The Citizenry isn't doing itself any favors by sitting on its hands doing SFA. We need citizens in the streets demanding that governments enact laws to protect consumers' privacy, and from exploitation, etc.—laws that not only effectively penalize corporations and their shareholders but also target those within the corporations who set corporate policy (we will never get to the root of these problems whilst those responsible are able to hide behind corporate walls).
Those who are not old enough to remember the anti-Vietnam war rallies of the late 1960s ought to take note. When millions take to the streets legislators move very quickly to change things (check YouTube for videos from those times/1968-72).
† https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor...
In high school I was really interested in the antiwar and civil rights movements of the 1960s. Bush invaded Iraq during the spring semester of my freshman year. There were marches and protests, but it didn't really change anything. I remember being really interested in trying to understand why. In any case, none of that got anywhere near the intensity of '68 which is a shame. If it had it might have made a difference.
Me too, what are they for?
But let's suppose you are designing RoboVac vers. 1.0 OS, 1.0 OS does not use microphone, but one of our smart fellows wrote a document suggesting that we might want to have RoboVac be voice controlled! Maybe we can roll that out by 1.4, with some simple commands!! Let's put a Microphone in so we can add that feature later.
Later on you get fired, and the smart fellow who wrote the document gets fired, and OS 1.4 rolls out with spy tech to mark common product names and send them back to Amazon with your location data.
RoboVac 2.2 is out now, still no voice control, and you wonder why whenever you go to buy all your favorite products online there is 10% inflation on prices although news suggests inflation should actually be decreasing for the next half year.
51 straight weeks of 70 degree temperature followed by a week > 70 might imply they're on vacation. People who turn down the heat/AC and turn it back on when they come home from work are also a pattern pretty apparent from that info.
Or they could watch the air conditioner fans to know if it's on.
VS. just checking your computer once and going to the correct place. Heck, set up alerts and get notified where to break in next.
Sure, there are cameras and the cops can respond and that's certainly a deterrent, but a few masks and a quick getaway renders them moot.
Yes, exactly. I made this point in my write-up: if you can see a home's thermostats, you can probably figure out when people are away. https://snowpatch.org/posts/i-can-completely-control-your-sm...
> Out of sheer laziness, I connected to the Mysa MQTT server and subscribed to the match-everything wildcard topic, #. I was hoping I’d see messages from a few more MQTT topics, giving me more information about my Mysa devices.
> Instead, I started receiving a torrent of messages from every single Internet-connected production Mysa device in the whole world.
The devices had unique IDs, but they were all connected to one big MQTT pub/sub system that didn't even try to isolate anything.
It's lazy backend development. This happens often in IoT products where they hire some consultant or agency to develop a proof of concept, the agency makes a prototype without any security considerations, and then they call it done because it looks like it works. To an uninformed tester who only looks at the app it appears secure because they had to type in their password.
The vulnerability is in having a backend cloud structure.
(There are plenty of ways to provide remote access without that, and no other feature warrants it.)
If it's not quite as consumer-friendly as you want it to be, contribute your engineering hours to the Home Assistant product until it is.
Bonus points for giving it 25-250W audio output to power speakers and letting you pair them together to play music in sync across different rooms of your house connected to speakers of your choice.
The number of people who 1) really want local-only control and 2) can deal with Home Assistant and Tailscale but 3) don't actually have the skill set to put together a Raspberry Pi or other small Linux box and set up HA and TS themselves is tiny.
The cloud systems are insecure and invasive, but it's really hard to get Normal People to understand why it's a problem. "So someone can tell if I'm not home; so what? I live in a gated community, they can't just drive in at night and burgle the house." They're not entirely wrong about that; it is unlikely. The hard push for subscription services by these companies has turned out to be the best way to push people into locally hosted alternatives, because they don't want to pay for another service, but the usual approach is just to do without the service when they realize that the "smart" functions are not that useful. Most people don't have the free time, knowledge, or inclination to set up and maintain Home Assistant. They can appreciate it when they see it done well, but they aren't going to pay for a professional installation and maintenance and they aren't able to do it themselves.
In the case of HVAC systems the danger is a collective one not individual. Sure if someone really wanted to they could watch you and wait until you're not home then turn your heat off and freeze your pipes. But they're not gonna do that, probably. Instead the kind of havoc they'll wreak with this access is to wait until some off-peak time and instantaneously fire up all the AC units and shut them down simultaneously, repeatedly, causing a huge demand spike. If supply doesn't ramp up fast enough then frequency will drop and then the grid will start trimming off branches to self-correct (or something like that? I'm not a power grid expert someone correct me) and you basically have chaos.
So you don't need to get individuals to care about it, and there's some argument to be made that they shouldn't, or at least shouldn't have to. But the power company damn well should, and governments damn well should.
https://snowpatch.org/posts/i-can-completely-control-your-sm...
EDIT: the major issue here is the people who are affected by a vulnerability like that aren't the people who purchased and installed the attack vector. They're everyone on the same power distribution network. So it's not like "oh well, they did a dumb thing and trusted a tech company" it's far bigger than that.
And then the thermostat uses those keys to mutually authenticate itself with the MQTT server. It actually makes it quite tedious (not impossible :-D) to 2-way-MITM the device's connection to the server.
It's just that, as @Aurornis wrote, the MQTT server itself did not have any checks to prevent sending and receiving messages to other owners' thermostats. ¯\_(ツ)_/¯
[ I've actually discovered a whole lot more details about the Mysa thermostats than what I published. Many of them can be used to subvert and reconfigure the devices in interesting ways, but only with a witting/willing device owner who has local access. So I don't feel any obligation to disclose them, although I might eventually get around to building a de-cloud-ifying tool using them: https://github.com/dlenski/mysotherm/blob/main/README.md#fut... ]
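The quoted behaviour above (one device subscribing to `#` and receiving every other owner's traffic) and the point just above that per-device mutual TLS did nothing to stop cross-owner messaging both come down to the same missing control: a topic ACL tied to the authenticated identity. The toy broker below is an added example, not Mysa's backend or any real broker's code; the `devices/<client_id>/...` topic layout and the ids `dev-A`/`dev-B` are constructed for the demo. It runs the same two-thermostat fleet against a flat backend and against one that confines each client to its own subtree, both at subscribe time and again at delivery time.

```python
"""Toy MQTT-style broker: flat pub/sub vs. per-owner topic ACL (added example)."""
from dataclasses import dataclass, field


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' matches all remaining levels."""
    f_levels, t_levels = filt.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def filter_confined(filt: str, prefix: str) -> bool:
    """True if every topic the filter could match lies under prefix.
    A wildcard in a prefix position ('#', or 'devices/+/state') escapes it."""
    f_levels, p_levels = filt.split("/"), prefix.split("/")
    return len(f_levels) >= len(p_levels) and all(
        f == p for f, p in zip(f_levels, p_levels))


@dataclass
class Broker:
    enforce_acl: bool
    subs: list = field(default_factory=list)   # (client_id, filter)
    inbox: dict = field(default_factory=dict)  # client_id -> [(topic, payload)]

    @staticmethod
    def own_prefix(client_id: str) -> str:
        # ACL scope derived from the authenticated identity (e.g. the client cert's CN);
        # the 'devices/<id>' layout is a constructed assumption for this demo.
        return f"devices/{client_id}"

    def may_touch(self, client_id: str, topic: str) -> bool:
        return topic_matches(self.own_prefix(client_id) + "/#", topic)

    def subscribe(self, client_id: str, filt: str) -> bool:
        if self.enforce_acl and not filter_confined(filt, self.own_prefix(client_id)):
            return False  # a device asking for '#' is refused outright
        self.subs.append((client_id, filt))
        return True

    def publish(self, client_id: str, topic: str, payload: str) -> bool:
        if self.enforce_acl and not self.may_touch(client_id, topic):
            return False  # write ACL: cannot command another owner's device
        recipients = {sid for sid, filt in self.subs if topic_matches(filt, topic)}
        for sid in recipients:
            # read ACL re-checked per message, so a leaked wildcard still yields nothing
            if self.enforce_acl and not self.may_touch(sid, topic):
                continue
            self.inbox.setdefault(sid, []).append((topic, payload))
        return True


def run_fleet(enforce_acl: bool) -> dict:
    """Constructed fleet: dev-B behaves; dev-A subscribes to '#' and tries a cross-publish."""
    broker = Broker(enforce_acl)
    broker.subscribe("dev-B", "devices/dev-B/#")
    wildcard_ok = broker.subscribe("dev-A", "#")
    own_ok = broker.subscribe("dev-A", "devices/dev-A/#")
    broker.publish("dev-B", "devices/dev-B/state", '{"setpoint": 21, "occupied": false}')
    broker.publish("dev-A", "devices/dev-A/state", '{"setpoint": 19}')
    cross_ok = broker.publish("dev-A", "devices/dev-B/cmd", '{"setpoint": 30}')
    seen_by_a = broker.inbox.get("dev-A", [])
    return {
        "wildcard_accepted": wildcard_ok,
        "own_subtree_accepted": own_ok,
        "own_msgs_seen_by_A": sum(t.startswith("devices/dev-A/") for t, _ in seen_by_a),
        "other_owners_msgs_seen_by_A": sum(not t.startswith("devices/dev-A/") for t, _ in seen_by_a),
        "cross_publish_accepted": cross_ok,
        "victim_received_rogue_cmd": any(t.endswith("/cmd") for t, _ in broker.inbox.get("dev-B", [])),
    }


if __name__ == "__main__":
    print("flat backend  :", run_fleet(enforce_acl=False))
    print("scoped backend:", run_fleet(enforce_acl=True))
```

Real brokers express the same scoping declaratively (for example per-client topic patterns in an ACL file) rather than in code, but the two checks, at subscribe time and at delivery time, are what the flat deployment lacked.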
[1] https://community.st.com/t5/stm32-mcus/how-to-obtain-and-use...
You can hash this unique MAC address, together with other data that may be shared with the other devices of the same kind, to generate unique keys or other kinds of credentials.
That sounds like profit motivated negligence, and it sounds like a standard justification for why Europe is going to hold companies liable.
Knowledge or not, this...
> It's not impossible, it's just extra work that usually goes unrewarded.
... is just not an acceptable way for business to think and operate in 2026, especially not when it comes to internet connected video enabled devices
While true that in $current_year it would be nice if things were more secure, the sad truth is that most people don't care.
No, it doesn't. Unless it's supposed to spy on you (or "harvest training data") there's no reason it needs to phone home at all (c.f. Roombas).
Anyway regardless of wifi, bluetooth, or something else there will be a setup process.
For that matter, I'm unclear why there needs to be a setup process. I understand that this may be key to the vendor's business model, but that's their need, not something the product needs, and certainly nothing I need.
Once you introduce control via phone the most straightforward approach is either wifi or bluetooth which requires a setup process.
This way, only processed vision data would be physically sent to the main board. This consisted mostly of just "line segments", almost like a sparse point cloud, to detect obstacles and edges. They argued that this was more privacy safe because there's no way for the main module to access any raw vision data. It did however make the SLAM part harder to make work.
In hindsight, a good decision. I got one as a thank you for thesis work and it's still running just fine (with battery and brushes replaced once) and good to know that with the years of software updates it still can't check me walking around in underwear in my apartment
Why do companies insist on connecting every single device to the internet? Fortunately it's mostly an optional feature, so still works just fine without it, but in general it's a pretty strong signal to me to not buy that product.
Any CEO whose company engages in spying and theft should be criminally charged and thrown behind bars just as you or I would be for those same acts, but right now companies can do pretty much anything they want to you and if they do happen to face any consequence it'll just be a slap on the wrist that costs them a fraction of the profit they made ripping you off and violating your privacy.
At one of the AWS builds I worked at there was a water dispenser. It had one button to dispense cold still water, one for fizzy, one for hot water, etc.
Instead of JUST PRESSING THE BUTTON WITH YOUR FINGER, you could—and I am not making this up—download an app that would allow you to pair to the dispenser via a QR code, and then remotely trigger the water-dispensing action… so that you wouldn't have to press the button.
Absolutely insane.
Yeah, I imagine that this feature was dreamed up during the early part of the COVID pandemic where it was hypothesized that COVID spread on high-touch surfaces. Still doesn't make it any less insane. (And also, that theory was pretty clearly highly sus from the start.)
Ignore the security issues for a bit, because most buyers don't know/think about those. If it wasn't for the enshittification, having your dishwasher online would be useful. Not groundbreaking, but being able to look up how long it still has without having to walk to the kitchen, get a notification when it's done, be able to look up error codes or check the status of consumables would be kind of nice if it weren't for the downsides that come with it. But those downsides are not something people think about.
Very impressive, but I disagree that this is the clear best choice for anywhere close to anyone.
> First of all, please do not try to convince people to use Valetudo.
A good realist position for such a project to take.
Many geek hobbies like 3D printing and home automation are becoming full of unnecessarily smug evangelization if you're not using hivemind approved software and tools, even if it requires a lot more work to do.
It's nice to see a project encourage their userbase to be realistic about what it is and refrain from trying to force it on everyone as the only acceptable way to use a robot vacuum.
A mix between gatekeeping and tribalism. Reasonable people realize that others who want to enjoy a hobby do not have to do the hobby the same way as they do, or make the "right" choices.
- all the same downsides as keeping the stock OS would have ("it's opinionated software", "it's not about you", and the last one "it's not a community" basically means "you can't tell me how to change my software and be confident I'll do it")
- that this fan project is not necessarily as polished as the original software (as I would have expected)
- Only supported robots are supported (as the author themselves say: duh)
- it only works in english
- you can't revert to stock software if you don't like it
For me, the latter is the only thing worth mentioning. You made me curious what all these compelling downsides are but the rest is obvious and the latter isn't surprising / I would have known to check beforehand
How did you come to the conclusion that it's not likely the right choice for nearly anyone? Do you think so many people wouldn't understand enough English to operate the controls of a robot vacuum cleaner? Have you found features to be missing or clunky/fragile enough that people would frequently want to revert to stock? Do you think people care so much about it being community-driven FOSS that they'd rather keep the proprietary OS instead of open source that isn't community-driven?
Btw I have no experience with the project whatsoever and am not involved, only interested in trying it out once we need a new vacuum. I just came to a very different conclusion and am quite surprised by yours
(FWIW, I do not use multi-floor robots myself, only using an old random-walking Roomba in a single-floor setting, but considering getting another robotic cleaner for a two-floor house, where it does seem reasonable to manually move it between floors, as I would move any other cleaning tools.)
Not sure what one needs a map for though, I know what my floors look like and the only thing I want from a future robot is that it drives around cables instead of suffocating on them
I occasionally take my Roborock upstairs on weekends for a vacuum. Turns out it will also do a basic mop run with the water in the tank. Takes me 5 minutes of setup/tear down to get an extra floor for no extra cost. It would take me more time to babysit the extra base cleaning task of a second mop, so this saves me time and money.
To me, this demonstrates that Valetudo is intended to be hobby pursuit of maximal automation/freedom at all costs, resulting in a system that has worse features and takes more work than the base software. I applaud the creator for being so clear in this mission to the point of explicitly encouraging me not to use it.
I was pretty mad about it but also tried to play ball and not make too much of a fuss because I learned some pretty private things without meaning to and didn’t want to inadvertently make them public. Should have been more vocal.
Though over the years, I've learned to calibrate that discretion proportional to how much of a good-faith effort the counterparty involved seems to be making. If they clearly don't give a shit that they're incompetent, they can expect my megaphone to blare.
Screenshot, redact, mass email everyone. Problem solved. Financial institutions don't deserve any leeway with security issues when it comes to their reputation. Handling your money securely and privately is the totality of their reason for existence.
It would temporarily suck for consumers, having their devices exploited and their privacy abused, but it would lead to wider awareness of the problem, shaming of the companies, financial and legal pressure, and hopefully change things in the long run.
Disclaimer: This is not a call to action to do illegal things. Your decisions are your own.
“In my house there's this light switch that doesn't do anything. Every so often I would flick it on and off just to check. Yesterday, I got a call from a woman in Germany. She said, 'Cut it out.'”
At scale, over the Internet.
Accompanying discussion on hn https://news.ycombinator.com/item?id=47047808
I specifically bought one without a camera or mic.
Obviously at any point the brand can send a firmware update down the wire that does send a realtime video feed from my home right to Chairman Xi's bedroom. I'm aware of that, but the reality also is that the European/US brands currently don't get anywhere near the Chinese price/quality ratio, and I didn't want to muck about with Valetudo, I'm not courageous enough for that.
I'm not super happy about this situation but I am super happy about the robot. It's really very good.
IMO the random bouncing of older Roombas was unfairly pilloried. Sure, it didn't look great, but in practice it was effective at cleaning.
Happy with it but note that I don't have carpets, I guess for carpets you need something with more features.
Q Revo has an IR sensor which doesn't transmit that data anywhere.
Are you thinking of the S8 line? That's the one with the MaxV model.
list of coffee machines for under ($60-$18):
https://www.google.com/search?q=coffee+machine+under+%2442
m5stack camera: $7.10 https://shop.m5stack.com/products/unit-cam-wi-fi-camera-ov26...
m5 stack microphone: $3.50 https://shop.m5stack.com/products/pdm-microphone-unit-spm142...
m5stack atom light S3 controller: $7.50 https://shop.m5stack.com/products/atom-lite-esp32-developmen...
rather than buying it from scamazon
But I have some questions, if you've got a moment.
Why does the kettle's firmware need updating? What inhibits a future firmware update from controlling the kettle and collecting data? How would you or any other owner of this style of kettle know if it had shifted gears?
(And remember: Since the kettle has a radio and a network connection, data collection isn't necessarily limited to kettle operations. Deducing location is easy for a motivated party using wifi and/or bluetooth signals in populated areas where others are using wireless technologies; see, for example: https://www.qualcomm.com/internet-of-things/solutions/qualco... )
It's a Fellow EKG Pro kettle. They've got release notes here: https://help.fellowproducts.com/hc/en-us/articles/9593179929...
Notably, bug fixes to the same features that your drip coffee maker has (clock/scheduling stuff), and the addition of new languages to the UI.
> What inhibits a future firmware update from controlling the kettle and collecting data? How would you or any other owner of this style of kettle know if it had shifted gears?
I assume these are somewhat rhetorical questions where we both know the answers - I'm not harbouring illusions here - as with any internet-connected software you have to trust the vendor.
If it were up to me, I'd prefer a Z-Wave-connected kettle that received its firmware updates via Home Assistant... but fancy pour-over kettles are niche enough that a market for a Z-Wave one simply doesn't exist.
As-is, I've got enough trust in Fellow that I'm leaving my kettle connected for firmware updates. Of course, that may change.
We do have a different out-of-band/disconnected/not-wifi way of doing firmware things, and perhaps we should use it more than we do: Bluetooth. It's about as universal as it gets.
I mean: Imagine a Venn diagram, with two groups. One group represents people who update the firmware in their kettles. The other group represents people who have Bluetooth-capable pocket supercomputers.
The two groups overlap so neatly that the diagram is indistinguishable from a circle. :)
I'd like to think that they should have reasonable security with my best interests in mind, but I really have no way of investigating what the baseband is or is not doing.
I remind myself of this no matter how much convenience I may be missing out on. (Getting a TV without em is kinda hard!)
Planning in advance, same for any AR stuff, not in my life, I'm sticking to it.
It works perfectly.
It's rather dystopian to just know and accept this, but there's really no alternative if you want to participate in modern society at a normal capacity (sans the VR headset, that really isn't a necessity).
Something something, keep your enemies closer, right?
Both of my 'TV's are big monitors with some lenovo minipcs running debian. Hardwired, but i could wifi them if i want.
Zero tracking, zero bullshit.
Somewhere else? I don't know man, the author sure seems to live in either of those two regions.
You know where to report things if you live on Earth and use the internet.
Like how many layers of people had to have OKed having the same password for all of them? It’s incompetence on an impressive scale.
If this discovery was guaranteed to result in meaningful fines companies would get their act together pretty quickly. 7000 counts of negligent exposure of private data (camera/mic feeds) should in a just world be millions of dollars in fines at the least and arguably criminal charges for management.
Consumidiotism is the term that comes to mind. Eating up crap is the analogy from non-technical contexts. The side effect is that buying properly made products, not overcomplicated and tedious to maintain (update, refresh, pair, diagnose, update and configure connected hardware, click away pushy self-promotions, in a way that doesn't expose you to the manufacturer or everyone), is tedious (losing saved efforts). Poor others, who just want simple and robust tech doing the core thing, not fragile and risky tech-crap, are left out.
(Robotic vacuum is a great concept! The available implementations on the other hand are rubbish!)
Anyway, what's all the fuss about (those affected couldn't give a damn about their privacy)?
Unfortunately it doesn't fly.... although if it did, that would've made this even scarier.
Sorry what? Why would a vacuum cleaner even need a microphone?
"get out of my room"?
Sigh
https://slate.com/culture/2012/01/stealth-mountain-the-twitt...
The only mistake I've noticed, besides inexplicably lapsing into Chinese mid-sentence, is parallel construction errors, like "This product is fast, lightweight, and won't break the bank!"
I'm failing to see the error. That seems like perfectly sound, vernacular English.
Not the worst error in the world, but it stands out in LLM text that is otherwise remarkably nit-free.
I guess you could argue that the first list needs an "and"? That's fair I suppose.
Yes, exactly. English grammar actually doesn't require the "and" to end a list (leaving it out is called "asyndeton" if you're curious). A good example is Lincoln's Gettysburg Address: "... and that government of the people, by the people, for the people, shall not perish from the earth."
So after all this, there actually is a way to analyze the example that is strictly valid. But most people would look askance at the standalone sentence "This product is fast, lightweight." That is, I suppose, unless someone like Abraham Lincoln worked it into his next speech.
* This product is fast/lightweight.
* This product is fast. Lightweight.
But yeah, this way lies madness. Unless we passed it somewhere in the dark back there.
Obviously proper diligence wasn't followed with this product, and obviously this is going to be something we've all heard before, but why does a vacuum need to talk to a server at all?
And also, to go even further back, is there anything more leopards-ate-my-face than a compromised robo-vacuum? I have never understood the appeal of these things. Except as satire. Pushing a vacuum around takes minutes, once a month, all the more so when you live in a 3m x 3m box with 12 roommates, and is badly needed exercise for a lot of pathetic little nerd noodle-arms.
That's a lot of assumptions.
I budget an hour every couple of weeks to vacuum the entire house (kitchen more frequently, but that's quick). When we had pets, which we'll probably have again in the future, this had to be done weekly.
And it makes sense: most people want this stuff to just work, and be accessible when they aren't at home on their WiFi network. The only reasonable way to do that these days is to have a central server that both the devices and the control apps connect to. Very few users (and yes I am one of them) are going to set up a local control server and figure out how to securely set up remote access to it.
It's a crappy situation that leads to security incidents like this one, but that's just where we are right now.
Regarding cleaning frequency: no need to repeat what the sibling commenter said, but I will say I suspect your cleaning needs are much lower than those of the average person.
We vacuum and mop our kitchen and dining room daily. It gets dirty, especially when you have young kids.
Wait, you vacuum your living space *once a month*? If that is indeed the case, I am not surprised you do not get the appeal. But everybody I know personally has a different understanding of cleanliness. We vacuum once a week at least, and the frequency only goes up if you have kids and/or pets.
> and is badly needed exercise for a lot of pathetic little nerd noodle-arms.
I get the implication, hahaha. But in all seriousness, our robot vacuum was the only tech purchase that I ever made based on an explicit wish of my girlfriend.
These things really make life easier for lots and lots of people.
My understanding is that there is no malice or incompetence; it's usually just "who cares".
In the US, Five Eyes, and abroad, there is at least some ceremony around calling this bad even though a similar apparatus is installed. (Supposedly with "checks and balances", but who knows?)
People in Western countries almost unanimously find corporate spying creepy. (Though ad tech has snuck in via convenience and invisibility.) We find cameras a hard line.
The TikTok and Twitch generation has different attitudes about always-on cameras, though.
>It retails for around $2,000 and is roughly the size of a large terrier or a small fridge when docked at its base station.
So, large terriers, and small [presumably 'smart'] fridges can have docking stations?