Weaponized roomba IRL.
From smartphone cameras capable of watching you without your knowledge or consent to Amazon's Alexa shutting down when asked uncomfortable questions – the further we move into the 21st century, the more the idea of common household items spying on you shifts from a quirky conspiracy theory to a cold, hard fact.
Joining the list of appliances that reveal more about you than you might like are apparently smart vacuum cleaners, with a recent article by programmer and software architect Harishankar highlighting how at least one model could be spying on its users.
In his write-up, the programmer recounted his experience with the ILIFE A11 smart vacuum, manufactured by Zhiyi (Zhongshan) Technology Company. According to Harishankar, after he began monitoring the device's network traffic, he quickly discovered a constant stream of data packets being sent to servers somewhere across the globe – logs and telemetry that he had never agreed to share.
This is where the fun begins: after blocking the A11's data-logging IP address, the device soon bricked, trapping Harishankar in a cycle where he would send the vacuum to the repair center, they would claim it was working fine, it would indeed function for a while, and then inexplicably shut down again – a cycle that continued until the service center refused further repairs, citing an expired warranty.
Realizing he had nothing left to lose, the programmer took the vacuum apart himself, and after quickly accessing its Android Debug Bridge – which was completely open and unprotected – and then gaining entry to its system, he made some unnerving discoveries.
Among other things, Harishankar discovered that the IRL weaponized roomba was sending logs, configuration files, and even unencrypted Wi-Fi credentials to the manufacturer's servers. It was also running Google Cartographer, enabling the device to create a detailed 3D map of his home.
Most worryingly of all, the programmer found that the command that shut down the vacuum had been issued remotely. That suggests the manufacturer had root access via pre-installed rtty software, which allowed them to run any command or install any script on the device, and that ILIFE/Zhiyi either manually bricked the vacuum in response to Harishankar blocking data transmission or had automated scripts that did so.
"This wasn't just one rogue brand. The same hardware, the 3irobotix CRL-200S, powers devices from Xiaomi, Wyze, Viomi, and Proscenic," Harishankar writes. "Dozens of smart vacuums, all potentially vulnerable to the same abuse. Our homes are filled with cameras, microphones, and mobile sensors connected to companies we barely know, all capable of being weaponized with a single line of code."
To state the obvious, the programmer's main gripe with the vacuum cleaner wasn't that it was mapping his house – the LiDAR and 360° scanning functions are clearly disclosed in ILIFE's tech blog and on the A11's product page (now only accessible via the Wayback Machine) – and it wasn't that it was sending some data to its creator, since even a layman could assume that the mapping was done externally, not on the device itself.
The real issue was that the manufacturer never explicitly stated what types of data the device was actually sharing and kept it secret that they could remotely transform a "$300 smart vacuum into a mere paperweight." In the end, though, Harishankar won by bringing the device back to life "on his terms," gaining full local control, blocking manufacturer access, and even improving its mapping capabilities – all at the cost of the warranty. A pretty sweet deal, I think many would agree.