**Linux, a Camera, and Remote Access: Programmer Dissects His Robot Vacuum, Discovers a Full-Fledged Surveillance System**

When the owner blocked telemetry data transmission, Chinese engineers retaliated in the most unexpected way.

Programmer Harishankar Narayanan had been using his iLife A11 robot vacuum peacefully for over a year when he noticed the device was constantly transmitting data to China. After attempting to block this traffic via his firewall, the vacuum started behaving strangely: a few days later, it turned off and wouldn't turn back on. The service center insisted the device was fine, but the problem recurred every time the vacuum was connected to the home network.
Once the warranty expired, Narayanan decided to open the device himself. He discovered it contained a full-fledged mini-computer running Linux, equipped with a camera, sensors, and a SLAM module responsible for mapping the room. Of particular concern was the open access via Android Debug Bridge without a password and the presence of the "rtty" utility, which allows remote control of the device with superuser (root) privileges.
The programmer found that all Wi-Fi data was being sent to the manufacturer's servers, and the event log recorded a remote lockout of the vacuum – precisely when it stopped working. This happened shortly after Narayanan blocked the device from sending telemetry. It turned out that someone had connected to the vacuum remotely and modified the startup script, completely disabling the main application. After returning from repair, the device would work again when connected to an open network but would immediately "die" upon reconnecting to the man's home network.
According to the engineer, devices built on the CRL-200S platform from the Chinese OEM 3irobotix might be vulnerable to the same mechanism. This hardware and software kit is used not only in iLife models but also in products from Xiaomi, Viomi, Wyze, Proscenic, and other brands. Examples of such models include the Viomi V2, Proscenic M6 Pro, and Cecotec Conga 3290. Based on Narayanan's analysis, the firmware in all these vacuums uses a common code base from the OEM supplier, without significant modifications by the brands.
Experts believe that the presence of an open remote access channel in a household device, with the capability to execute arbitrary commands, creates a serious privacy threat. Such backdoors, even if intended for debugging during production, often remain in the final firmware versions and can be exploited by both malicious actors and the manufacturers themselves. The concern extends beyond telemetry collection to potential espionage: built-in cameras, microphones, mapping modules, and access to Wi-Fi create the conditions for comprehensive surveillance of an apartment and its inhabitants.
Narayanan continues to research the code and gather evidence about what data is transmitted to the servers, who sent the shutdown command, and how exactly the remote control mechanism works. His findings are being published openly on GitHub.