I found the open source Valetudo (https://github.com/Hypfer/Valetudo) project quite interesting, as it sits between the vendor firmware and (cloud) connectivity. The project is made possible due to Dennis Giese's research.
It currently supports Dreame, Xiaomi, Roborock and some others. But not Ecovacs.
And I'm not sure it prevents this type of Bluetooth vulnerability.
Dennis works closely with the Valetudo developer. On one of the Valetudo Telegram channels, they announced the following:
> As you might know, we looked into Ecovacs as an alternative for Dreame&Roborock. However, we found security and privacy being completely broken. If you have a X2, a Goat lawnmower, or newer than 2023 devices, you might want to turn them off for now. There is a BLE RCE, that lets an unauthenticated attacker send a payload via Bluetooth, that gets executed as root on the device. It does not appear that Ecovacs wants to fix that.
More information:
https://twitter.com/lorenzofb/status/1822002515279270079
https://techcrunch.com/2024/08/09/ecovacs-home-robots-can-be...
Same. Had to spend a bunch of time on Telegram finding a breakout board in NA, but once I did that, it was just a matter of following directions. It’s my favorite piece of tech at the moment, and it cost me 180 bucks brand new.
The breakout board is the reason I haven't bought and hacked one of these robots yet. I have to source the PCB and then solder the components myself. I've never done this before and learning this is taking up significant amounts of my free time. Personally I would rather get a manufactured PCB that would no doubt be better built.
I respect their "learn to solder" stance but it's a fact that a lot more people would be involved in the project if it wasn't required.
+1 for Valetudo: not only does it work, but it is also maintained and keeps getting better. Moreover, old vacuums are still maintained as new ones are added.
Yup, my first-gen Roborock is still trundling along quite happily because of Valetudo. It would be nice if the base Ubuntu was updatable, but as it's offline except for a connection to a Home Assistant instance, it's probably safer than 99% of IoT devices.
Can Valetudo provide artificially blocked cloud features? For example the Roborock S5 doesn't have persistent maps, though it would be trivial to just keep one loaded in the cloud, but Roborock would rather you upgrade to an S7.
Someone advertise to me why a vacuum cleaner needs the internet?
I have a Xiaomi unit and I haven't connected it to an app, so it has no connectivity. It does its job - cleans the 1st floor of the house.
Is it useful to target specific places to clean? OK, that is a feature that would be useful, but I can live without it.
Remote starting? A fancy feature I'm not sure I need - you can just as well start it when leaving the house. Maybe useful for some people who want to clean up after guests remotely, but then again, who knows what's been dropped on the floor there.
> Someone advertise to me why a vacuum cleaner needs the internet?
It doesn't. And it isn't like hosting a web-portal is some kinda alien technology that can only be done in the cloud. There's absolutely no reason that a robot vacuum couldn't serve its own web interface.