Manufacturer Remotely Bricks Smart Vacuum After Its Owner Blocked It From Collecting Data
An engineer named Harishankar discovered that his iLife A11 smart vacuum was continuously sending logs and telemetry data to the manufacturer, something he had never consented to. When he blocked the telemetry servers' IP addresses on his network, while leaving the firmware and OTA update servers reachable, the vacuum stopped booting. He sent it to the service center several times, but the technicians could find no hardware fault.
After disassembling the device, Harishankar found a GD32F103 microcontroller managing its sensors, including the lidar, gyroscopes and encoders. He fabricated connectors for the PCB and wrote Python scripts to drive each component individually, then built a Raspberry Pi-based joystick to steer the vacuum by hand, proving that the hardware was fully functional.
His investigation revealed that the vacuum exposed Android Debug Bridge (ADB) with full root access and no password or encryption. The manufacturer's only safeguard was a makeshift one: a crucial file had been omitted so that the ADB session dropped shortly after boot. Harishankar bypassed this and discovered that the vacuum used Google Cartographer to build a live 3D map of his home.
He found that the device was sending this map data to the manufacturer as well, which he considered concerning. He also discovered a kill command in the logs whose timestamp matched the exact moment the vacuum stopped working. Reverting the command and rebooting the appliance brought it back to life.
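The step that cracked the case was timeline correlation: taking the moment the device stopped working and looking for log entries in a tight window around it. The script below is an added example of that technique, not code from the article or from the vacuum's firmware. The log format, the `cloud-agent`/`init`/`kernel` source names and the `kill_device` command string are constructed for illustration; the real device's log format is not given in the article.

```python
"""Timeline correlation: find suspicious log entries near a known failure time.

Added example, not from the article. The log lines, their format and the
command names below are constructed; they are not the iLife A11's real logs.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical syslog-like format.
SAMPLE_LOG = """\
2025-10-12 14:02:03 cloud-agent: heartbeat ok
2025-10-12 14:05:41 cloud-agent: upload telemetry batch=37 status=failed (connect timeout)
2025-10-12 14:06:12 ota: no update available
2025-10-12 14:07:55 cloud-agent: received remote command cmd=kill_device
2025-10-12 14:07:56 init: shutdown requested by cloud-agent
2025-10-12 14:08:01 kernel: reboot: Power down
"""

# "<timestamp> <source>: <message>" (assumed format for the sample above)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+?): (.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Message fragments worth a second look when they land next to an outage.
SUSPICIOUS = re.compile(r"remote command|kill|shutdown|disable", re.IGNORECASE)


def parse_log(text):
    """Turn raw log text into a list of {ts, source, msg} dicts, skipping junk lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m.group(1), TS_FMT),
            "source": m.group(2),
            "msg": m.group(3),
        })
    return entries


def entries_near(entries, failure_time, window_seconds=120):
    """Keep only entries within +/- window_seconds of the failure timestamp."""
    lo = failure_time - timedelta(seconds=window_seconds)
    hi = failure_time + timedelta(seconds=window_seconds)
    return [e for e in entries if lo <= e["ts"] <= hi]


def flag_suspicious(entries):
    """Filter the window down to entries whose message matches SUSPICIOUS."""
    return [e for e in entries if SUSPICIOUS.search(e["msg"])]


def correlate(log_text, failure_time_str, window_seconds=120):
    """Full pipeline: parse, narrow to the failure window, flag suspicious lines.

    failure_time_str uses the same "%Y-%m-%d %H:%M:%S" format as the log.
    """
    failure_time = datetime.strptime(failure_time_str, TS_FMT)
    near = entries_near(parse_log(log_text), failure_time, window_seconds)
    return flag_suspicious(near)


if __name__ == "__main__":
    # The vacuum died at roughly 14:08 in this constructed scenario.
    for e in correlate(SAMPLE_LOG, "2025-10-12 14:08:00"):
        print(e["ts"], e["source"], e["msg"])
```

Keep the window narrow first (a minute or two) and widen it only if nothing shows up; a wide window on a chatty device buries the one remote command among hundreds of heartbeats. The telemetry upload failure a few minutes earlier is also worth noting, since it is the kind of event a vendor-side rule might key on.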