In this Security Ledger Podcast (#254), I speak with Dennis Giese, an independent security researcher and world-renowned IoT device hacker. Dennis is famous for his investigations into the workings of robot vacuum cleaners made by firms like iRobot, Roborock, Dreame and Shark. In this conversation, Dennis and I talk about the evolution of vacuums into smart, autonomous robots bristling with cameras and microphones and capable of collecting reams of data about you and your surroundings. He also talks about his mission to liberate robot vacuums from the control of their manufacturers, letting owners tinker with their own devices and – importantly – hold on to the data they collect.

[Video Podcast] | [MP3] | [Transcript]

---

In this week’s episode, we’re speaking with the independent security researcher and IoT hacker Dennis Giese. Dennis is one of the foremost researchers exploring the security of connected devices- in particular: robot vacuum cleaners. In fact, he spoke at this year’s DEF CON conference in August about his work on Vacuum Robot Security and Privacy – and how to prevent your robot from sucking your personal data away. 

Forget the IoT. Meet the IoZ: our Internet of Zombie things

I reached out to Dennis this fall after I realized that he was in Boston, where he’s been pursuing his PhD at Northeastern University. We met for coffee in Harvard Square, Cambridge, soon after, and I asked him to come on the show – an invitation he graciously accepted. 

Wanted: Smart Device Liberation

I really wanted to talk to Dennis because one of the things that I’m really interested in and focused on these days is the intersection between security research and what I consider the larger project of smart device “liberation.”(See my August podcast with Colin O’Flynn about his work reprogramming a wonky electric oven.)

Episode 241: If Its Smart, Its Vulnerable a Conversation with Mikko Hyppönen

As software worms its way onto pretty much every type of modern appliance, consumers have benefitted from amazing features. But software and always-on Internet connectivity have also enabled abusive practices, such as mass, commercial surveillance of consumers and de-facto monopolies on things like service and repair. Today, your Internet connected car is collecting gigabytes of data every hour of operation about your movements, driving behaviors, associations and even – possibly – your conversations. It’s sending that data off to cloud-based systems owned and operated by automakers, which use that data to…well…nobody really knows. Regulators and lawmakers are just now – in 2023 – are getting around to asking hard questions and demanding accountability from smart device manufacturers. (See also: the recent Tesla recall to fix balky self driving car features.) 

Your Robot Vacuum Is Spying On You

As Dennis notes in this podcast: even innocuous objects like robot vacuums are now brisling with cameras, microphones and other sensors. Ostensibly this is to enable features such as voice recognition and better navigation. But sensors are a two way street: a microphone lets us talk to our vacuum cleaner, but it can also listen to what we’re saying and record that. 

Dennis’s work isn’t so much about disabling these surveillance features, as liberating the devices and the data they collect from the grips of manufacturers – remote – often foreign owned – multinationals with unclear designs on our data. Its also about liberating smart device owners to imagine new uses for the technology they’ve acquired – like using LIDAR and other sensors on robot vacuums to enable fall detection features that aren’t currently offered by vacuum manufacturers.

Episode 252: Colin O’Flynn On Hacking An Oven To Make It Stop Lying

To start off our conversation, I asked Dennis to talk about how he first got interested in hacking stuff. Like most of the prominent security researchers I spoke with, he told me that his curiosity about how things worked blossomed at a young age.

Video Podcast and Transcript

Video Podcast

Transcript

​ [00:00:00]

Paul Roberts (Security Ledger): Hey, welcome back to the Security Ledger Podcast. I’m Paul Roberts, editor in chief at The Security Ledger. In this week’s episode, we’re speaking with independent security researcher and IOT hacker, Dennis Geise. Dennis is one of the foremost researchers exploring the security of connected devices in particular: robot vacuum cleaners.

I really wanted to talk to Dennis because one of the things that I’m really interested in and focused on these days is the intersection between security research and what I consider to be the larger project of smart device liberation. As software has wormed its way into pretty much every type of modern appliance, consumers have benefited from amazing features . But software and always on Internet connectivity have also enabled abusive practices such as mass commercial surveillance of [00:01:00] consumers and de facto monopolies on things like service and repair .As Dennis notes in this podcast, even innocuous objects like robot vacuum cleaners are now bristling with cameras, microphones, and other sensors. Ostensibly, this is to enable features such as voice recognition and better navigation , but those sensors are a two way street. Microphone lets us talk to our robot vacuum cleaners, but it also lets our robot vacuum cleaners listen to whatever we might happen to be saying.

Dennis’s work isn’t so much about disabling these surveillance features as liberating the devices and the data they collect from the grips of manufacturers and giving it to the owners whose data it is to begin with.

To start off our conversation, I asked Dennis to talk about how he got interested in hacking stuff. Like most of the prominent security researchers I’ve spoken with over the years, he told me that his curiosity about how things worked blossomed at a young age.

Hey, welcome back, everybody. [00:02:00] This is another episode of the Security Ledger podcast. And we’re in the studio today talking with Dennis Giese. Dennis, welcome to Security Ledger podcast.

Dennis Giese: I’m glad that I can be here. Thank you.

Paul Roberts (Security Ledger): We’re thrilled to have you here. So Dennis, you are a noted and celebrated device hacker who has really done some pretty amazing work around consumer devices and IOT.

For our Listeners, Dennis, who aren’t familiar with you just tell us a little bit about who you are and also like your journey into cyber.

Dennis Giese: Yeah. So I’m security researcher in a way, so I do it’s started as my hobby, but it’s now it is my day to day business. I have a physics and electrical engineering background, so I went to German electrical school. I was also in Boston I did like my cyber security degree there and what I do daily is to basically [00:03:00] disassemble and hack devices, which are in some way or form connected to the Internet.

It can be cameras, this can be smart toilet seats, this can be vacuum robots, which are my specialty. This can be literally everything which is has power and is connected to something. So I’m very curious about things. And the way, how I generally started with all the, hacking stuff was like when I was a kid when I was like six or seven years old, I had a computer and had some software on it which was a trial version.

I didn’t have internet as a kid, you have a lot of time. And so I started to open with a hex editor, like some files and mess with them around. And, it was able after lots of work to, make it a full version. And this was like my first “aha” moment. And since then, I’m basically, looking at interesting things.

This can be also like locks. I do a lot of lock picking. Everything, which is security related, where people build something to keep one out that kind of attracts me to figure out how to get in.

Paul Roberts (Security Ledger): Were your parents like in technology or engineers?

Dennis Giese: My parents were like, more like in business and physics. It’s technology, but less so my dad was like doing some [00:04:00] it stuff. So he brought me like old computers from work, which were way older than I was. So this was a good thing to play around. And so I learned like all the technologies , from zero basically.

So I it took a lot of time before I had some graphical interface in my life. I was like working with DOS, it was working with Linux, all kinds of things.

Paul Roberts (Security Ledger): One of the questions I love asking folks like Dennis is how they approach a new challenge, like hacking a robot vacuum cleaner. That’s because their answers to those questions have a lot of clues for companies about where the security risks in their devices are and how best to harden them against attacks.

So here’s what Dennis had to say when I asked him about how he went about hacking robot vacuum cleaners.

If you were talking to someone who was maybe new to this topic, interested in doing security research into internet of things, devices, what would your advice to them be and what’s your approach as you look at a new IOT device? Like what, [00:05:00] where to, how to approach it from a security standpoint.

Dennis Giese: IOT devices are, extremely interesting from, if you think about that they are like some device in your home, which has access to particular data, which has cameras, which can, do control things in your home, but it’s connected to the internet and you don’t see the inner workings in contrast, if you have a, MacBook or like a desktop where you can, click around and it’s so it’s completely opaque to you.

And. These kinds of device become cheaper and cheaper all the time, right? Last week we had, or this week we had actually Amazon Cyber Monday and Black Friday and everything, and lots of connected devices. And this can be literally everything I saw, light bulbs was where one of the first things which I saw at some point that makes sense, but nowadays it’s even the trash cans are internet connected, right?

And From that aspect, because it’s like everywhere around us the, one of the things which I’m always asking myself hey, okay, so how did they do it? So I tried to get the device, I tried to assemble it and try to see okay how is it done? And so for someone who starts also like from mapping or is interested in the topic, this is like most of the time the case where You know, you just need to, [00:06:00] swallow the bitter of pill of getting a device and, disassemble it and look into it.

Or you might find sources for pictures from inside, but most of the time you wanna touch, touch a device. And the cool thing with that is typically as soon as I touch a device, there’s only very rare cases where you don’t get success, right? But it eats more time, that’s the disadvantage of that many people think it’s like a 9 to 5 job, but most of the time you need to be, reading a lot of things and just play around with things forever.

Paul Roberts (Security Ledger): You’re best known, Dennis, as the guy who hacks robotic vacuum cleaners. Of course, Robot vacuum cleaners are just another IOT device, but how did you get specifically interested in robot vacuums? And how far back does this go with you? How long have you been looking at this particular category of IOT device?

Dennis Giese: I hack now lawnmowers too, because lawnmowers are like vacuum robots, but just with knives.

Paul Roberts (Security Ledger): Just a robot vacuum with teeth, basically. That’s a lot more.

Dennis Giese: Just a little bit bigger. But actually surprisingly if I [00:07:00] look at my security kind of career the vacuum robots are recent things. So I started the robots in 2016-2017.

And first I had a completely dumb vacuum robot, which was just, like a random ball driving around and, doing nothing. But at some point I saw some ads of where windows said oh yeah, we have this cool technology, like LIDAR. We have three processors, we have this very powerful hardware and I was looking in forums and everything, people try to install like a custom some packages on them, but no one had really success.

And I was like wondering okay what’s the hot thing there? This was like a completely new field, but no one touched it before. So I think it was lucky on that. And then I got one of these devices. And started to disassembled it, looked at it, try to figure out like, “Hey, can I, do something for that in terms of get access?”

One thing which was helpful to me is that they use the same processor of like devices, which I had before like something like a Raspberry Pi like device. So I had some experience with that. This was very helpful. And yeah, and at the day, I used like aluminum [00:08:00] foil to, not aluminum foil, but how the Americans say to get under one of the chips shorted and basically do a fault injection.

And with some more tricks, I had like root access. And this was my first talk at the CCC and the Chaos Communications Congress in Germany in 2017. And then from there it’s okay, they bring out new products. And then I looked like, okay, how they, how did they develop to the same things that work because the whole robot market obviously develops like They started with just dumb robots, then they had LIDAR, then they had at some point, you know cameras, then mapping functions, now they have microphones.

So it’s like a developing market, which kind of keeps giving in a particular way. So there’s always something new. And that, that kind of keeps me going. Now I have , I think, a collection of 60 robots. This is both vacuum robots and lawnmowers. But yeah, it’s I wouldn’t say it’s like an addiction in a way,

Paul Roberts (Security Ledger): Your carpets must be very clean.

Dennis Giese: I have one floor, but yeah, I only use one of them by the way, so the others are like in the shelf or like for experiments and through all this [00:09:00] development, one thing is, I didn’t realize how much effort it would be, but I maintain that kind of like a software or like information for people to look at things and I get every day between 1500 requests from people where okay, they have like this and this robot, they want you to know Hey can you root it?

What kind of data is it saving? Or I get like requests from people. And this is like important for you the way where the device stopped working after one year and two months. So exactly out of the warranty. And Hey it’s a way to figure out like what’s going on with this device is fixable.

And yeah, all the kinds of things, right? I get completely random requests from people Which don’t have rooted devices, but typically I help people which have rooted devices. But I get also now there’s a lot of requests from people from normal customers, consumers, which said Hey, I tried to talk to, to, to the vendor to get this thing repaired and they just ignored me.

Did you see that before is where anything I can do to test and everything. Which is, it’s a little bit tricky in the sense of if you talk to normal non technical persons because we have a [00:10:00] less understanding of our mission in a way, but I try to help as much as I can.

So it’s like. The life of an open source maintainer is very difficult and doesn’t pay well, doesn’t pay at all.

Paul Roberts (Security Ledger): What do these vacuums look like under the hood? You mentioned Raspberry Pi and like from a hardware and software perspective, do you see a lot of similarities between different makes and models of vacuum cleaners or are they all bespoke?

Dennis Giese: OKay. So all of them are similar. There’s some companies which are slightly different, like iRobot in particular, but most of the robots they more or less using they have a quad core or like octa core CPU, like an ARM CPU, the second best standard thing.

They have like between five and 12 to two gigabyte or four gigabyte of RAM and some flash cards, which can differs a little bit and surprisingly most of the companies, if you look like for example, Roborock, this was like one of the first ones, which I started with the heartbeat didn’t change much in the last, five years or five or six years.

And this is more or less the case for all companies. So that’s one of the reasons why, if know one of the robot [00:11:00] companies, you know all of them in a particular way. And when I was giving like my talk this year, I was able to basically root four different companies, right?

So Roborock Dreamy which is like a, U.S. Company Shark robots and Xiaome, obviously. So it’s you can apply same kind of vulnerabilities to multiple of them. Software wise, they run most of the time on Linux OpenWrt. All of the companies use Chinese, manufactured chips. And many companies, even if they have different names, they are FAB-less manufacturers, so they buy IP cores from, Some companies put them together on a chip and manufacture a chip. And so most cases if you find like one vulnerability in one of the IP cores, it will work for many things. Tricky part is to disclose that.

Paul Roberts (Security Ledger): One of the big messages that Dennis has for all of us and that we should all keep in mind is that manufacturers like the ones that make robot vacuum cleaners are engaged in a kind of deception, namely they foist new models of their vacuums on the marketplace that are nearly identical [00:12:00] under the hood to previous models.

The changes in new robot vacuum models is almost entirely software based. The hardware is almost identical to previous versions. In this part of the conversation, we talk about that. That discussion prompted me to ask Dennis what he thought the actual business model of robot vacuum cleaner makers is.

And you mentioned to me that for consumers often, if you’re buying the latest model of whatever robot vacuum, in all likelihood, that is the same hardware as the earlier model. What’s changed is just the software features that they’ve delivered on it. And maybe some new sensors or something like that?

Dennis Giese: Yeah, that’s quite often the case. As soon as some product is like released and it’s in the market and they started to optimize the software, they realized, okay, we can, cut down a little bit on like RAM on flash and just get away with less but it’s like a standard thing, which you see also for other devices, I see it also for Amazon echos, which are, also have rooted and hacked.

It’s one of the ways that companies can generate income because obviously as soon as they sold you the vacuum robot [00:13:00] they got your money and they don’t earn money with you anymore. So basically from there on, you’re like a cost. So what they’ve tried to do is basically release like a new model, which kind of is only just changed a little bit, but looks like completely new from like the consumer perspective.

And with new features for obviously new price. So they get the money again, while if you look under the hood, it’s basically mostly software changes, which they could have ported to all the devices, but they have obviously no, financial interest to do that.

Paul Roberts (Security Ledger): It’s funny because when you look on your, on the list of all the robots, vacuum robots you’ve worked on going back, whatever it is now, eight years, right? So many of them are end of support, end of life, EOS, EOL which means that the vendor has stopped supporting, issuing software updates, including security patches for these devices- stopped issuing software updates. Two questions. First of all, as a vacuum owner, what does it mean practically when they EOL the device in terms [00:14:00] of maintaining it, patching it?

What does that really mean as the vacuum owner when the manufacturer has ended support? And what are your options at that point?

Dennis Giese: One, one thing, which I didn’t mention before, but most of the robots nowadays are based on Ubuntu 14. 04, so the kernels are extremely old and this part of the reason is Many of the companies started from like an open source software, which they got inspired off, let’s say so.

And that software was whoever developed the software initially based off the development, like in 2016 or so, and it requires particular libraries and some other stuff. So it only runs on Ubuntu 14. 04. The kernel versions are like massively old, even for new devices, if you buy today one it still has a kernel version from 4 or 5 years ago.

When I build a device it’s a tricky question because, typically this devices don’t expose too many interfaces. If you look at the threat model, like making robots or like IoT devices, typically nowadays, it’s more like. Either you have [00:15:00] local attacks or someone is in your local network, or the vendor gets hacked and, then you’re screwed no matter what, right?

One thing which is important for what you want to have from the updates is that they find quirks, like in navigation, for example, and we see that quite often with vacuum robots, but, they You know, fix their machine learning model that picks up a couple of random things where the road, behaves weirdly and so if you don’t get firmware updates, then obviously don’t get them.

The same cases for if they add features and, for example the 1st generation of Xiaomi robots, we couldn’t save the map. So we could see the map, but they explore the apartment every time again, every time that we’re running through. And then the 1 of the the year after that, they introduced that for newer models, actually saving that we could save the map so that you could just.

Point to robot and it just goes there. But the hardware for both of these robots, which were released is exactly the same. We have just a different case, but they never backported like the feature, back and other questions like, Hey, from a perspective of a owner. Hey, do I spend $500, $600 again [00:16:00] for, basically the same product in a different case but, some software features on?. In the ideal case, we would backport the same thing if the hardware supports it but obviously they drop the support after typically a year or after 2 years, something like that.

Paul Roberts (Security Ledger): What is the business model of these robot vacuum makers as you understand it? Is it harvesting data from folks homes and reselling it, or what’s going on? Why are they adding all these cameras and mics to floor vacuums?

Dennis Giese: There’s two things. So one thing is the evolution wise, you had the very, very dumb robots, like back then, like before 2016, the bumper sensors, maybe some infrared sensors where we’re bumping everywhere and we were driving around a little bit randomly. And then at some point people figured out that you can build a LIDAR, like laser, which kind of rotates the tower in the back over there.

This tower thing. But you can build it fairly cheaply. So a lot of robots started to get, the LIDAR tower. But they used back then primarily ultrasonic sensors for the [00:17:00] front. So to detect like objects on the front. And this looked if it was disassembled, it reminded me a little bit of this kids robot sets, which you could buy like a couple of years ago where you put like a Raspberry Pi into it, you put some tires on it. You put like a camera and the cap is cheap. Ultrasonic sensor. But basically it was a nicer package, but it was basically the same hardware. Back when we were like, how so we have something driving around in your home, how can we, get cool data and LIDAR, like data is not as cool it’s a map of your apartment.

Okay. But it would be cooler to have some more impactful thing. And so we tried to use the ultrasonic sensor as a microphone because but most people don’t know is you can, in most cases you can use any speaker also as a microphone. So there’s ways how you can mess with if you have them plugged into your computer, you can, there’s particular ways how you can abuse them as microphones, basically to, to snoop on people, but it didn’t work back then.

At some point they started like to evolve more because the cameras some companies figured out it’s like a LIDAR is too expensive. So cameras cost only half of that. So they try to use cameras. [00:18:00] But also since a lot of people got vacuum robots, there was like the case where, you know.

If you look on Reddit, there’s a lot, there were like, a lot of robots were, the robots were driving through dog poo and spreading it out very thinly through the whole apartment and which was like a very bad thing. Yeah. And so as a lot of companies started like to use like the cameras for, to detect that.

And one thing which I noticed is that it’s not necessarily but the companies actually developed this kind of things. But the chip vendors, like an Rockchip or Qualcomm, they have like use cases for, their chips, which we sell. And at some point we have like integration of the cameras and integration of other things.

And then that’s downshifting into the, companies, which is going to and yeah, and from there nowadays we have microphones for like smart speakers the way. So the robots are like smart speakers. You can tell hey, go there and to clean up things.

Paul Roberts (Security Ledger): What’s the business, what do you think the business vacuum makers is?

Dennis Giese: It depends. I think in China, it’s primarily they want to sell the hardware, so they’re primarily kind of business models, [00:19:00] like selling the hardware for U. S. companies, and especially, I think, for iRobot, it’s slightly different they have the CEO at something at some point said hey yeah, we don’t earn that much money with hardware, but, we can sell You know, map data of, users to like, a realtor companies to, whoever and the development of cameras, you had the cases where use AI machine learning already. So why not use AI machine learning to, detect more things in the apartment and there’s rumors, which I read online from journalists, random users where one of the use cases, why Amazon wants to buy a robot, I think it’s not true yet.

Based on the process of buying it is that they can collect the data, the user data, basically, but that’s the main primarily, verb of the company,

Paul Roberts (Security Ledger): Okay. One of the things that you’re really interested in is also these questions around repair and serviceability and how to liberate hardware so that users can continue to [00:20:00] maintain and update it and in your own spirit, tweak it, modify it, adjust it to their own desires and likes.

And you talk about, jailbreaking these devices so that you can basically keep supporting them. Talk about that a little bit. And also. Have you had conversations with OEMs about that idea? Hey, users should be able to jailbreak these and keep, using them even after you’ve decided to walk away from them?

Dennis Giese: Yeah. My primarily mission with all of the IoT device, which I analyze, it’s not necessarily to find bugs. Well, I mean, obviously I find bugs, but to disconnect them from the cloud, because I don’t necessarily trust, vendors and it doesn’t matter if they’re like in China, if they’re in America, both of them are like, it doesn’t make a big difference to me. Like from like trust perspective and

Paul Roberts (Security Ledger): You keep them from uploading your data basically to the cloud.

Dennis Giese: Yeah, but not only that, but the thing is the there’s companies which go bankrupt. There were like a couple of cases where, the company went out of business and then they had to basically garbage, or we made a mistake where they didn’t extend [00:21:00] certificates, but I try to do is to get the jailbreak with different methods. Let’s say it’s not a very well paying thing because I, I over the time I realized, or like people told me like, Hey could have made like $10, 000 dollars, a hundred thousands dollars with the vulnerabilities in the sense of like by reporting them to bug bounty.

It’s the thing is most of the time, but give presentations about how to root or jailbreak your devices the vendors learn at the same point from this vulnerability as the people who are sitting in a talk because I don’t tell them the vendors before that, but otherwise they could, just push a firmware update and just, would defeat the purpose.

But yeah, that’s a primary thing. So this is to disconnect the cloud and, to find ways. And I was talking to many vendors and I was invited by Xiaomi multiple times to China. I was in China and Beijing. I was in Shenzen I was talking to Roborock with the CEO personally, I was talking to the Vice CEO of Xiaomi.

So I had the conversations back then and this was like in 2018 actually. And so I told like the guy from Roborock Hey, I had a meeting with all the engineers and it was presenting them how I got in. And then we were like, Oh God. [00:22:00] And I told them like, Hey, look, the thing is people are not really interested in going through a lot of pain to, to hack your devices.

The primary goal is to run them locally and, run like Home Assistant or any other personal smart home device, a smart home thing. And if you have a way to, run the devices local, like locally only and just have the same functionality, then people like me wouldn’t have any interest or not much interest, like to find, to root you, your devices and, to, to hack that.

Back then they (the OEMs) promised me like, yeah, we will have to have a method at some point that users can run locally, the problem is that never came. I continue my mission basically, because, you need the cloud mandatory, basically. And as long as that’s the case, I’m like continuing with that. I wouldn’t say it’s necessarily like a mission, but, a Lot of vendors, we just don’t understand like what, what drives us, right? In a way Hey, okay, it’s great that you have this cloud and it’s great that you have this weird cloud functionality, but let’s say the trust is not there. And it doesn’t matter if it’s a Chinese company or a U. S. company, it’s just we want to run the stuff like autonomously[00:23:00] without relying like, hey this thing doesn’t work with your cloud. AWS breaks from time to time, right? Or like some other cloud systems break from time to time. And then people have the trouble with like IoT devices because they didn’t run anymore. Disconnect them.

Paul Roberts (Security Ledger): Do they offer bounty programs and stuff like that?

Dennis Giese: Yeah. So Xiaomi does it doesn’t do it necessarily, but there’s like a lot of companies which do that again. A problem is I don’t have an incentive. I have a financial incentive to submit a check for thousands of dollars for a bug. But again, if I submit it, then you bound to the ( NDA) You can’t talk about it like for three months or so, but, you can’t release it for a particular thing. And then by the time you can talk about it, they pushed away like an OTA update and basically locked you out.

So it’s I waste a lot of money by, buying robots in the first place and not submitting bugs. But that’s, just like the mission, I guess that’s just the way it is.

Paul Roberts (Security Ledger): One of the strangest observations Dennis had was that his work hacking robot vacuum cleaners actually serves as a kind of PR for them to the point that one robot vacuum maker complained to him after his talk at a conference [00:24:00] that he wasn’t hacking their hardware. The idea as Dennis sees it is that his post promoting jailbreaks for robot vacuums that let people protect their data or modify the device are kind of unsanctioned features for those vacuums that attract people and boost sales more even than if the OEM itself was privacy centric from the start.

Dennis Giese: So generally, I think the vendors understand that there’s people want to have privacy, but I think we also understand that the group, which is understanding how privacy works and their privacy is very important. It’s like very small. Roborock sells like millions of vacuum robots, and I think In our community people which have rooted this device, I think they’re around 45,000 nowadays, right? So it’s like, compared to the broad mass of people who have devices, it’s not that, that big and they’re more worried about people, or like other companies, other Chinese companies, basically stealing IP intellectual property. So that’s why they lock things down.

And not only that, I noticed [00:25:00] after this DEF CON that vendors are very slow at fixing things. So some stuff is like still open. And I think, that’s because, it’s for them, it’s a money. So basically by us hacking the devices and basically developing a software for them to run locally, that’s for them, like a free advertisement. So what people buy exactly these devices. As a fun fact, after my talk in it was in Germany, after DEF CON. for the Chaos Communication Camp, which is like a camping site. And there was one vendor, which was, like the subcontractor of Shark (Ninja) robot which came to me and complained that, I didn’t hack them. because it’s like a free advertisement basically, it’s hey, it’s unfair, but, Roborock, Xiaomi Dreamy, and, they get all the free advertisement and not only that, it’s like a selling point for, officially we can’t say that, but it’s a selling point, obviously, but you can technically make them privacy secure in a way., I never realized by the way Hey, it’s so unfair, they sell like tens of thousands of devices just because of you guys.

Paul Roberts (Security Ledger): They could always add that [00:26:00] as a feature if they wanted, but let’s not get crazy.

Dennis Giese: Yeah, but they actually have, so not Shark Robot itself, but the subcontractor where they have their own devices. The problem is it’s marketing, not marketing wise, but it’s publicity wise, it’s obviously better in a way, if people, hack something, it’s hey, you can use this now for some cool thing as if the company, no one talks about the company just because of the feature, but if some hackers get to talk at DEF CON Hey, I look at us, those people who, how badly we implemented it, and now you can use the device for something, it gets more attraction than company, which is like privacy aware from the beginning.

Paul Roberts (Security Ledger): Which brings us to the final question I asked Dennis, which is what some of the vacuum hackers are doing with their devices once they’ve jailbroken them. Dennis’s response is interesting, and it hints, I think, at the kind of pent up creativity and market demands that are festering in the consumer marketplace right now.

This is creativity that would be unleashed if manufacturers were required to give device owners the option of being able to jailbreak or tinker with their own property.

So you [00:27:00] mentioned all the folks , who message you and contact you based on your research. What are the customers out there using these devices looking to do with them that they’re coming to you and saying, I need help rooting it or could you help me out?

What are the types of things that they are interested in doing with their vacuum?

Dennis Giese: So many people we just want to, have privacy and to run it with their own local software. So they have like home automation already set up for the blinds or the for a lot of other things. So one of the standard example, which I get quite often is, that people, as soon as they leave the apartment, the smart home system sees, according to, the phone is not there anymore, so no one is home and they run the vacuum automatically and they come back home and, the apartment is clean. Other cases is that people want to add custom sound files to them some glados, from Portal 2 soundbots, which the vendors don’t supply, obviously, or some other stuff you see a lot of YouTube videos of it’s actually, someone has written like a tool, which is called “Oucher” where the robot hits something and we’ll shout “Ouch!”, that was a huge thing.

But I got [00:28:00] also interestingly, like cases from people who and want to create like a, from an empty apartment, like a map to kind of. Precise thing. The lighter is also very precise, right? So you have to device, which is of course, a couple of hundred bucks. You just clean the apartment once with that.

And you have a map basically. So how to pull up the map. And one thing which I got recently, we were like some researchers which look into fall detection for senior citizens, right? The robots have cameras, and if they clean around every day, they might, see, detect that a people’s where the person’s lying on the floor.

And there have been, like, lots of cases where people were lying on the floor for days still alive, and, people look into fall detection like that. So yeah, there’s it’s a broad kind of case of people who want to do that. And most of the time, it’s we just, want to have control over the device and that’s a huge driving factor. .

Paul Roberts (Security Ledger): Like pro social features, right? Yeah, senior fall detection or apartment mapping. Like this thing can help me do things that I need to do apart from what it was designed to do. And it’s [00:29:00] mine. So I should be able to tell it to do that.

Dennis Giese: Yeah, it’s can do it definitely. So the thing is it’s powerful enough to do a lot of things. The question I guess, do you want to have that in a sense of, I know remember if Blink has it or Amazon, but some the camera products had like fall detection for seniors already integrated because you have a camera, so for machine learning models on them and, you know, you can detect that. But again, do you want to have that in your house, which means the camera shoots inside and detects things.

Paul Roberts (Security Ledger): In the off chance it catches you falling the rest of the time, it’s just spying on everything in your apartment and telling Amazon about it.

Dennis Giese: Not only that, but so when I was in Australia, I would actually like talk to some people like from, law enforcement. Hey, can do this and like what kind of data is stored on that? Yeah. Because the thing is if the device is not rooted, then you don’t have access to like the data and it goes to China. And then obviously if you’re US or like Australian law enforcement, the European law enforcement wants to get data. moSt of the time the companies just tell them to pound sand. Because nowadays the devices have like hardware security [00:30:00] features. It’s like extremely difficult for like forensic people to pull out data because it’s encrypted.

So we also very careful because they have self destruct mechanisms and stuff. And yeah, so I get this question. I got, after my DEF CON talk, actually like someone came to me from one of the three letter organizations in the U.S. And asked me like, “Hey do you think we can use the vacuum robot and the camera to find people?” and I was like, huh? ” Yeah, a lot of people in China have them, right?”

Paul Roberts (Security Ledger): Yeah.

Dennis Giese: Some of the robots have a machine learning models for. Face detection for whatever reason, so some non mobiles have that, so that they detect if someone wants to steal it if it’s not the owner. But yeah,

Paul Roberts (Security Ledger): I feel confident somewhere in an office park in Virginia, someone is working on this problem.

Dennis Giese: this is always like a problem also for me, from my website, for example, where you can download a custom firmware, you get like the firmware, right? So everyone who downloads the firmware can look for more vulnerabilities and see if there’s things which are exploitable remotely.

And it’s like always a double edged sword because one time you[00:31:00] help people to make the device more secure disconnect it from the cloud. But then the other side, you give a lot of people access to like to the robot, so we can snoop around if there’s anything else, which they can abuse for spying on people.

Paul Roberts (Security Ledger): Final, final question. And this, I’m involved in the right to repair movement. What do you think the actual useful life of a robot vacuum is? Totally, if we were to take off the software end of life, the kind of imposed death by the manufacturer, how long could you keep these devices running and operating?

What is their useful life in your opinion? And what would need to happen in order for people to use them for their full useful life?

Dennis Giese: So I can more or less answer this question very precisely. I can give you an at least time. aNd so devices, which were, which we initially rooted back in 2016, 2017, the first generation of Xiaomi robots were still today, totally fine. The biggest thing which you get with time, it’s like the battery [00:32:00] kind of gets weaker.

But you can just replace the battery. Surprisingly, like for Louis Rossman, it’s like just unscrew five screws. You need to break the warranty seal, but you just can’t sort the battery because the battery packs, which we use today are the same, which we used six years ago, so you can just swap them very easily.

And these devices are surprisingly easy to repair. The parts are available. So it’s a device which, can probably last like 10 years or more. The battery is potentially like the biggest kind of aspect. But other than that there, I wouldn’t see like any big parts which would break, like except for if it’s, know, falls on the stair or something.

So the useful life, we can run them. I would assume for at least 10 years, maybe more. At some point you run into the issue that by the way if you buy a device today like a vacuum robot, you will run into an issue at least in 2038. That’s probably the limit for many devices, which you can buy today. The Unix timestamps run out. So the kernels are but we don’t support only 32 bit of time. bUt the time started in 1970 and the end time, basically, where you overflow again, back to 1970s [00:33:00] and some date in 2048 because we don’t get further updates.

We would definitely by then, but it will be that in the sense of they will get confused because they will be back in 2048, sorry, 1970s.

Paul Roberts (Security Ledger): Wasn’t Y2K. It was Y2038. We got it wrong.

Dennis Giese: Yeah we’ll see for a lot of devices and for a lot of products and for a lot of software, which will get very confused in 2038. But yeah, I think like I said, this device is surprisingly easy to repair the problem which you run into. And this is like I, I love to, I always love to watch like Lewis ROS videos back then when he was in New York, MacBooks the MacBook is like way more expensive than a vacuum robot, mean vacuum robots here, you can buy for $300, $400, $500. And then the questions like, okay I mean you could repair it, but the product, which I mean is financially viable to, gets spare parts for, and like you pay someone to repair it. So it’s like it gets to be an economic question.

Paul Roberts (Security Ledger): Dennis, it’s been an amazing conversation. Thank you [00:34:00] so much for coming on Security Ledger podcast and talking to us. I really appreciate it.

Dennis Giese: Yeah, thank you for having me here..

Paul Roberts (Security Ledger): Where can people see you talk? When are you going to be speaking next?

Dennis Giese: So I’m supposed to talk to the Chaos Communication Congress, which is end of the year. I don’t know yet if it got accepted In Germany. Yeah. I submitted a couple more talks. So CCC is typically because of Communication Congress, they release the videos very quickly. For some other venues, it’s like a little bit slower.

You find most of the videos online, or I have also on my website with all the other materials, so I have a talk, list but if people have questions, we can, just hit me up. It might take a little bit longer. It depends on what the, question is to answer it.

Cause I get so many, but I’m always happy to talk to people, especially researchers. So if people are, interested in doing that thing. I’m more than happy to talk to them.

Paul Roberts (Security Ledger): And we will provide your contact information when we post the podcast. All right, Dennis Giese, thank you so much for coming in and speaking to us, and we’ll do this again, okay?

So that brings to an [00:35:00] end this episode of the security ledger podcast. Thanks to Dennis Giza for coming in and talking to us about his work on robot vacuum cleaners. Keep an eye on your feed. We’ve got more security ledger podcast episodes scheduled for 2024, more great interviews coming up, and I look forward to seeing you all again.

​