Insecure Deebot Robot Vacuums Collect Photos and Audio to Train AI

https://www.abc.net.au/news/2024-10-05/robot-vacuum-deebot-ecovacs-photos-ai/104416632

Ecovacs robot vacuums, which have been found to suffer from critical cybersecurity flaws, are collecting photos, videos and voice recordings – taken inside customers’ houses – to train the company’s AI models.

We hacked a robot vacuum — and could watch live through its camera - ABC News

https://www.abc.net.au/news/2024-10-04/robot-vacuum-hacked-photos-camera-audio/104414020

The largest home robotics company in the world has failed to fix security issues with its robot vacuums despite being warned about them last year.

Without even entering the building, we were able to silently take photos of the (consenting) owner of a device made by Chinese giant Ecovacs.

Ecovacs initially said its users “do not need to worry excessively” about Giese’s findings.

After he first revealed the vulnerability in public, the company’s security committee downplayed the issue, saying it requires “specialised hacking tools and physical access to the device”.

It’s hard to square their statement with the reality. All it had taken was my $300 smartphone, and I hadn’t even laid eyes on Sean’s robot until after hacking into it.

Ecovacs eventually said it would fix this security issue. At the time of publication, only some models have been updated to prevent this attack.

Several models — including the latest flagship model released in July this year — remain vulnerable.

The UK Bans Default Passwords - Schneier on Security

https://www.schneier.com/blog/archives/2024/05/the-uk-bans-default-passwords.html

The UK is the first country to ban default passwords on IoT devices.

The Need for Trustworthy AI - Schneier on Security

https://www.schneier.com/blog/archives/2023/08/the-need-for-trustworthy-ai.html

If you ask Alexa, Amazon’s voice assistant AI system, whether Amazon is a monopoly, it responds by saying it doesn’t know. It doesn’t take much to make it lambaste the other tech giants, but it’s silent about its own corporate parent’s misdeeds.

When Alexa responds in this way, it’s obvious that it is putting its developer’s interests ahead of yours. Usually, though, it’s not so obvious whom an AI system is serving. To avoid being exploited by these systems, people will need to learn to approach AI skeptically.

TikTok Creators’ Sensitive Financial Information Stored In China

https://www.forbes.com/sites/alexandralevine/2023/05/30/tiktok-creators-data-security-china/

TikTok has stored the most sensitive financial data of its biggest stars — including those in its “Creator Fund” — on servers in China. Earlier this year, CEO Shou Chew told Congress “American data has always been stored in Virginia and Singapore.”

A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook? - MIT Technology Review

https://www.technologyreview.com/2022/12/19/1065306/roomba-irobot-robot-vacuums-artificial-intelligence-training-data-privacy/

Robot vacuum companies say your images are safe, but a sprawling global supply chain for data from our devices creates risk.

The images were not taken by a person, but by development versions of iRobot’s Roomba J7 series robot vacuum. They were then sent to Scale AI, a startup that contracts workers around the world to label audio, photo, and video data used to train artificial intelligence.

Ring Reveals They Give Videos to Police Without User Consent or a Warrant - Electronic Frontier Foundation

https://www.eff.org/deeplinks/2022/07/ring-reveals-they-give-videos-police-without-user-consent-or-warrant

Amazon’s Ring devices are not just personal security cameras. They are also police cameras—whether you want them to be or not. The company now admits there are “emergency” instances when police can get warrantless access to Ring personal devices without the owner’s permission. This dangerous policy allows police, in conjunction with Ring, to decide when access should be granted to private video.

Tesla cars, Bluetooth locks, vulnerable to hackers, researchers say - Reuters

https://www.reuters.com/technology/tesla-cars-bluetooth-locks-vulnerable-hackers-researchers-2022-05-17/

Millions of digital locks worldwide, including on Tesla cars, can be remotely unlocked by hackers exploiting a vulnerability in Bluetooth technology, a cybersecurity firm said on Tuesday.

In a video shared with Reuters, NCC Group researcher Sultan Qasim Khan was able to open and then drive a Tesla using a small relay device attached to a laptop which bridged a large gap between the Tesla and the Tesla owner’s phone.

“This proves that any product relying on a trusted BLE connection is vulnerable to attacks even from the other side of the world,” the UK-based firm said in a statement, referring to the Bluetooth Low Energy (BLE) protocol – technology used in millions of cars and smart locks which automatically open when in close proximity to an authorised device.

NCC Group said such a vulnerability was not like a traditional bug which could be fixed with a software patch and added BLE-based authentication was not originally designed for use in locking mechanisms.
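The relay attack described above works because the lock only checks that the phone's answer is cryptographically correct, not that the phone is physically near. The following Python simulation is an added example, not NCC Group's or Tesla's code, and models a simplified challenge-response unlock rather than any real BLE stack. It shows that a relay which forwards bytes unchanged passes an HMAC-only check regardless of distance, and that the only thing that distinguishes the relay is the extra round-trip time it adds. The key, distances, compute times and link delays are all constructed values for the example.

```python
import hashlib
import hmac
import os

# Constructed shared secret, assumed to be provisioned at pairing time.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SPEED_OF_LIGHT_M_S = 299_792_458.0


class Phone:
    """The authorised device. It answers any challenge it hears over BLE."""

    def __init__(self, key: bytes, compute_time_s: float = 2e-6) -> None:
        self.key = key
        self.compute_time_s = compute_time_s  # assumed HMAC compute time

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def propagation_delay_s(distance_m: float) -> float:
    """One-way radio propagation delay over `distance_m` metres."""
    return distance_m / SPEED_OF_LIGHT_M_S


class DirectPath:
    """Owner's phone within BLE range of the lock."""

    def __init__(self, phone: Phone, distance_m: float) -> None:
        self.phone = phone
        self.distance_m = distance_m

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        response = self.phone.respond(challenge)
        rtt = 2 * propagation_delay_s(self.distance_m) + self.phone.compute_time_s
        return response, rtt


class RelayPath:
    """Attacker's relay: one device near the lock, one near the phone, bridged
    over a long-haul link. Bytes are forwarded unmodified, so the HMAC still
    verifies; the relay only adds latency."""

    def __init__(self, phone: Phone, near_lock_m: float, near_phone_m: float,
                 long_haul_delay_s: float, relay_processing_s: float) -> None:
        self.phone = phone
        self.one_way_s = (propagation_delay_s(near_lock_m)
                          + propagation_delay_s(near_phone_m)
                          + long_haul_delay_s + relay_processing_s)

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        response = self.phone.respond(challenge)  # forwarded unchanged
        return response, 2 * self.one_way_s + self.phone.compute_time_s


class Lock:
    def __init__(self, key: bytes, max_distance_m: float, phone_compute_s: float) -> None:
        self.key = key
        # Tightest round trip a legitimate phone at max_distance_m could achieve.
        self.max_rtt_s = 2 * propagation_delay_s(max_distance_m) + phone_compute_s

    def _expected(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

    def unlock_hmac_only(self, path) -> bool:
        """Checks only that the answer is correct: a relay passes this."""
        challenge = os.urandom(16)
        response, _ = path.exchange(challenge)
        return hmac.compare_digest(response, self._expected(challenge))

    def unlock_with_rtt_bound(self, path) -> bool:
        """Also bounds the round-trip time, which a relay cannot shorten."""
        challenge = os.urandom(16)
        response, rtt = path.exchange(challenge)
        return (hmac.compare_digest(response, self._expected(challenge))
                and rtt <= self.max_rtt_s)


def run_scenarios() -> dict[str, bool]:
    phone = Phone(SHARED_KEY)
    lock = Lock(SHARED_KEY, max_distance_m=10.0, phone_compute_s=phone.compute_time_s)
    owner = DirectPath(phone, distance_m=2.0)
    # Phone on the other side of the world: 80 ms one-way over the internet,
    # plus 50 us of relay processing. Constructed figures.
    relay = RelayPath(phone, near_lock_m=2.0, near_phone_m=2.0,
                      long_haul_delay_s=0.080, relay_processing_s=50e-6)
    return {
        "owner_hmac_only": lock.unlock_hmac_only(owner),
        "relay_hmac_only": lock.unlock_hmac_only(relay),
        "owner_rtt_bound": lock.unlock_with_rtt_bound(owner),
        "relay_rtt_bound": lock.unlock_with_rtt_bound(relay),
    }


if __name__ == "__main__":
    for name, unlocked in run_scenarios().items():
        print(f"{name}: {'UNLOCKED' if unlocked else 'rejected'}")
```

The simulation uses a deterministic clock, which is exactly what a real lock does not have: the round-trip budget that separates a 10 m phone from a relay is tens of nanoseconds, far below the timing jitter of a BLE radio and its host stack, so the bound cannot be enforced in firmware on existing hardware. That is the practical content of NCC Group's statement that this is not a bug a software patch can fix.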

Report shows that Amazon uses data from Alexa smart speakers to serve targeted ads - The Verge

https://www.theverge.com/2022/4/28/23047026/amazon-alexa-voice-data-targeted-ads-research-report

A report released last week contends that Amazon uses voice data from its Echo devices to serve targeted ads on its own platforms and the web. The report, produced by researchers affiliated with the University of Washington, UC Davis, UC Irvine, and Northeastern University, said the ways Amazon does this is inconsistent with its privacy policies.

Attackers can force Amazon Echos to hack themselves with self-issued commands - Ars Technica

https://arstechnica.com/information-technology/2022/03/attackers-can-force-amazon-echos-to-hack-themselves-with-self-issued-commands/

Popular “smart” device follows commands issued by its own speaker. What could go wrong?