
Comment by dlenski

2 days ago

> he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries.

This is extremely similar to what I accidentally discovered and disclosed about Mysa smart thermostats last year: the same credentials could be used to access, inspect, and control all of them, anywhere in the world.

See https://news.ycombinator.com/item?id=43392991

The "smart" thermostat stuff is scary. I have Haier minisplits in my house and they have some "smarts" built into each head unit. The way it works from the user's perspective is you connect to the device in the GE Home app via Bluetooth, enter your WiFi network's credentials, then the minisplit joins your wifi network and phones home to GE Cloud. Then your GE Home app can monitor and control your minisplit via GE Cloud.

I haven't done anything to analyze it further; instead, after trying that out once, I promptly changed my WiFi password and never looked back. The long-term solution will involve some ESP32s, AHT20 temp/humidity sensors, and IR rx/tx.

But it just occurred to me reading this that if there's a similar vulnerability in HVAC system controls an attacker could cause one hell of an unanticipated power demand spike.

  • My problem with smart thermostats is the user interface couldn't be more awful. It's just nuts. You cannot do anything without the squinty manual in one hand and the squinty touchscreen in the other. So, you finally get it programmed. Then you want to change something, and boom, start all over.

    I gave up.

    I use a simple dial-the-temperature, turn-on/off thermostat. I turn it off when going to bed and turn it on in the morning. Very happy.

    • I had a similar problem with the water sprinkler. The user manual was something like 50 pages. Utter madness. Now I just water the lawn manually, when I get around to it.

  • This is honestly why it's important to insist on Z-wave or Zigbee if you don't have control over the device firmware and must have smart controls. Why people don't seem to understand now that if it's "WiFi" it's suspect at best, I'll never understand.

    • This, pretty much.

      The ideal setup is having a separate vlan for your IoT things, that has no internet access. You then bridge specific hubs into it, so the hubs can control them and update their firmware.

      If you have IoT devices that are unsafe but cannot be updated any other way, you can temporarily bridge the IoT VLAN to WAN.

      Honestly, what IoT stuff needs is something similar to LVFS. Make it so all the hubs can grab updates from there, and can update any IoT device that supports Matter. It would also serve as a crapware filter because only brands that care about their products would upload the firmwares.

    • Many WiFi-based "smart" devices can run locally without Internet access just fine and are supported by HA or other such platforms, which then doesn't require you to use the vendor's app, which might require you to be on the same broadcast domain as the device. They can use multicast (few home users will have multicast routing between VLANs), or direct broadcast - meaning you will likely give them Internet access because your phone needs it - well, unless your WiFi is smart enough to limit individual clients. So a restricted VLAN plus HA or some such solves this.

      The real problem is those devices that actually don't let you control the device locally - Tuya being one notable example. There are thousands of products that just went and dropped in a Tuya board.

      Tuya is completely cloud-controlled. To control these locally you need a "local key" that is buried deep in their developer platform, and changes every time you re-pair the device, and getting it without registering the device is, on purpose, near-impossible without tricks like using an Android emulator with an old version of their app that stores the key, and even then requires effort to exfil the file out of Android. Horror. A device you physically own only responds to control from the mothership.

      So yes, you don't get those kinds of issues with RF protocols, of course unless you put the vendor's "bridge" on your network...

      A friend of mine found Zigbee unreliable where he was, and just wired the home for 1-Wire. Temperature sensors, relays, heating PIDs, etc. Not only will it just not die, but good luck to anyone hacking it without extra equipment and ripping wires from walls, and first being inside, unsupervised and undetected.

    • None of the existing smart controls stuff I've found really does it for me. I'm trying to build a hybrid heating system with 4 hydronic zones and 8 minisplits. For my HVAC controls the design is converging to a round mechanical Honeywell thermostat for each hydronic zone with a "smart" thermostat (no cloud) wired in parallel--TBD whether to buy vs. build. For the minisplits I'm building my own thing that can speak their IR protocol, which will also double as a per-room temperature sensor. It all gets tied together with an outdoor temp sensor via HomeAssistant. So if all the "smart" stuff fails, the trusty mechanical guy will keep the house from freezing.

      There are halfway decent hybrid controls available for ducted systems, but you can't afaik buy anything off the shelf to merge hydronic + minisplits. And as far as I can tell, none of the off-the-shelf smart thermostats has any built-in analog backup. I view that as absolutely critical for my use: if the power goes out and I'm not around, I need to be 100% certain that when the power comes back on the heat will also.

      EDIT: Digging around a little more it seems that Mitsubishi H2i minisplit systems don't speak zwave or zigbee, neither does Haier Arctic. I'm not 100% sure if that's accurate, but I haven't been able to find any documentation in the affirmative or negative. Those are the two heat pump options available locally. I'll be remodeling a small barn into an ADU this summer, that project will be more amenable to a forced air hybrid system, so maybe I'll be able to get away with a Honeywell smart zigbee capable thermostat that can drive it.

      4 replies →

    • Mine is Z-Wave; the next model up required an internet connection and a subscription if you wanted to access it from remote.

      The HVAC guy probably thought that I was nuts for wanting the one that I got, since the price was similar. Six years later and I'm still controlling it from Z-Wave.

  • > But it just occurred to me reading this that if there's a similar vulnerability in HVAC system controls an attacker could cause one hell of an unanticipated power demand spike.

    Absolutely. This was one of the things I realized could be a substantial risk when I discovered the Mysa vulnerability. https://snowpatch.org/posts/i-can-completely-control-your-sm...

    Thankfully, Mysa responded very rapidly to fix it, but if they hadn't I was planning to notify the BC provincial electric utilities which were cross-subsidizing these devices.

    • This is an awesome writeup, thanks for sharing. And good on Mysa for responding so favorably to your research.

  • I have an old zen thermostat with home assistant support but no WiFi. They don't make them anymore sadly but it was the perfect balance.

  • UniFi has ppsk setup where you can put an EU on a separate vlan with a separate password. Seems ideal for this.

The ideal spy army. Nobody expects the Spanish Inquisition. I mean, being able to spy into households via cheap house-cleaning devices.

  • "Nobody expects the Spanish Inquisition…"

    Why not? They bought roving cameras that surveil their homes and connected them to internet servers they neither own nor control.

    They obviously don't give a shit about privacy or they've room-temperature IQs.

    • Ordinary users don't know. They bought a robo-vac, they do not necessarily know it comes with a microphone or camera.

      I work in tech, I never thought about buying one, so I never looked into them. Still, I am surprised they come with microphones.

      10 replies →

Is this cutting corners on manufacturing/assembly where they're skipping installing a unique set of keys on each device?

  • The vulnerability was in their backend cloud structure. The backend wasn't restricting access to only devices associated with your account.

    > Out of sheer laziness, I connected to the Mysa MQTT server and subscribed to the match-everything wildcard topic, #. I was hoping I’d see messages from a few more MQTT topics, giving me more information about my Mysa devices.

    > Instead, I started receiving a torrent of messages from every single Internet-connected production Mysa device in the whole world.

    The devices had unique IDs, but they were all connected to one big MQTT pub/sub system that didn't even try to isolate anything.

    It's lazy backend development. This happens often in IoT products where they hire some consultant or agency to develop a proof of concept, the agency makes a prototype without any security considerations, and then they call it done because it looks like it works. To an uninformed tester who only looks at the app it appears secure because they had to type in their password.

    • > The vulnerability was in their backend cloud structure.

      The vulnerability is in having a backend cloud structure.

      (There are plenty of ways to provide remote access without that, and no other feature warrants it.)

      13 replies →

  • Quite ironically, they do install a unique TLS cert and key on each thermostat, although it's done on first-wifi-connection of each thermostat, rather than pre-installed at the factory.

    And then the thermostat uses those keys to mutually authenticate itself with the MQTT server. It actually makes it quite tedious (not impossible :-D) to 2-way-MITM the device's connection to the server.

    It's just that, as @Aurornis wrote, the MQTT server itself did not have any checks to prevent sending and receiving messages to other owners' thermostats. ¯\_(ツ)_/¯

    [ I've actually discovered a whole lot more details about the Mysa thermostats than what I published. Many of them can be used to subvert and reconfigure the devices in interesting ways, but only with a witting/willing device owner who has local access. So I don't feel any obligation to disclose them, although I might eventually get around to building a de-cloud-ifying tool using them: https://github.com/dlenski/mysotherm/blob/main/README.md#fut... ]
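The check both comments above say the broker lacked (per-device mutual TLS was in place, but nothing tied a client's subscriptions and publishes to its own account, so the match-everything `#` filter was honoured) as an added Python sketch; this is not Mysa's code nor anything from the thread, and the `devices/<device_id>/...` topic layout and the device IDs are assumptions:

```python
from dataclasses import dataclass

# Assumed topic layout for this example: devices/<device_id>/<subtopic...>
TOPIC_ROOT = "devices"

@dataclass(frozen=True)
class Principal:
    """An authenticated MQTT client (app session or device) and the device
    IDs bound to its account. All IDs used here are constructed samples."""
    name: str
    devices: frozenset

def scoped_device(topic: str):
    """Return the device ID a topic or filter is pinned to, or None when it
    is not pinned to one concrete device ('#', 'devices/#', 'devices/+/status').
    The device level must be literal: a wildcard there spans every owner's
    devices, which is the match-everything subscription the thread describes."""
    levels = topic.split("/")
    if len(levels) < 3 or levels[0] != TOPIC_ROOT:
        return None
    device_id = levels[1]
    if device_id == "" or "+" in device_id or "#" in device_id:
        return None
    # MQTT allows '#' only as the whole final level; refuse it anywhere else.
    if any("#" in lvl for lvl in levels[2:-1]) or ("#" in levels[-1] and levels[-1] != "#"):
        return None
    return device_id

def authorize(principal: Principal, topic: str, action: str) -> bool:
    """Broker-side ACL decision: allow only topics pinned to a device the
    principal owns; publish topics may not carry wildcards at all."""
    if action not in ("subscribe", "publish"):
        return False
    if action == "publish" and ("+" in topic or "#" in topic):
        return False
    device_id = scoped_device(topic)
    return device_id is not None and device_id in principal.devices

def demo():
    """Constructed account 'alice' owning two thermostats; returns each decision."""
    alice = Principal("alice", frozenset({"therm-0001", "therm-0002"}))
    cases = [("subscribe", "#"), ("subscribe", "devices/#"),
             ("subscribe", "devices/+/status"), ("subscribe", "devices/therm-0001/#"),
             ("subscribe", "devices/therm-0001/+/temp"), ("subscribe", "devices/therm-9999/status"),
             ("publish", "devices/therm-0002/setpoint"), ("publish", "devices/therm-0002/+")]
    return {f"{action} {topic}": authorize(alice, topic, action) for action, topic in cases}

if __name__ == "__main__":
    for case, allowed in demo().items():
        print("ALLOW" if allowed else "DENY ", case)
```

The same decision belongs on the publish path as on the subscribe path: a broker that only filters subscriptions still lets one account push setpoints to another's thermostat.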

  • I think it's about being a configuration management nightmare. If every device has a unique password, you need the decoder ring for serial number to password. However, not all processors have unique IDs. So you either need to find a way to reliably serialize each board during manufacturing and hope it stays (like a sticker/laser/printer/etc) or add a serial number chip which is cost and complexity. It's not impossible, it's just extra work that usually goes unrewarded.

    • I'm a long way from embedded development. But I was under the impression a lot of microcontrollers these days have some ID capability built in, even some relatively low-end ones. This strikes me more as laziness than anything.

      3 replies →

    • > It's not impossible, it's just extra work that usually goes unrewarded.

      That sounds like profit motivated negligence, and it sounds like a standard justification for why Europe is going to hold companies liable.

      2 replies →

    • I have no knowledge of this kind of software dev/hw production, so can you please explain why the units can't just be born with a default pass and then have the setup process (which is always there) force the owner to set a new password?

      Knowledge or not, this..

      > It's not impossible, it's just extra work that usually goes unrewarded.

      .. is just not an acceptable way for business to think and operate in 2026, especially not when it comes to internet connected video enabled devices.

      8 replies →

One thing people don't realize with regard to smart thermometers is that they're a goldmine to people who break into houses.

51 straight weeks of 70 degree temperature followed by a week > 70 might imply they're on vacation. People who turn down the heat/ac and turn it back on when they come home from work are also a pattern pretty apparent from that info.

  • Couldn't they get that information by pointing a thermal camera at the house? Most windows and doors would leak enough to show this information.

    Or they could watch the air conditioner fans to know if it's on.

    • Not having to go to the house for that specific info and being able to create a shortlist of houses beforehand would be preferable, I would think.

    • You would need an army of thieves going around and physically pointing thermometers and the ROI isn't there.

      vs. just checking your computer once and going to the correct place. Heck, set up alerts and get notified where to break in next.

      2 replies →

    • Instead of going around pointing thermal cameras they simply have a dashboard, by neighborhoods, property taxes, maybe even incomes and all that.

  • > 51 straight weeks of 70 degree temperature followed by a week > 70 might imply they're on vacation. People who turn down the heat/ac and turn it back on when they come home from work are also a pattern pretty apparent from that info.

    Yes, exactly. I made this point in my write-up: if you can a home's thermostats, you can probably figure out when people are away. https://snowpatch.org/posts/i-can-completely-control-your-sm...