this post was submitted on 27 Oct 2025
904 points (98.6% liked)
Technology
76415 readers
3344 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Is it just me, or is having ADB exposed physically not that big a deal?
Tend to agree, security is always the goal but if someone is in my house hacking my vacuum, I have bigger issues. The no-notice remote kill is the bigger issue to me.
The much bigger concern is that the pathway used to send the remote kill command could very easily be utilized by nefarious actors.
To do what, wear out one section of carpet faster than the rest of your house?
If a hacker can get into the device remotely it can be an entry point to your home network.
Remote “kill”
Where does it end? First it wears down your carpets and then we’re in Maximum Overdrive.
It finds a sharp corner to rub against and hones itself into a stabby bot.
It could overcharge and overheat the battery, leading to explosion or at least fire.
It is not good. But in most cases just adb doesnt grand root access. That's just bad.
NO! It'syour device, you should have root! The fact that the manufacturer gives their product owners root is a good thing, not bad!
I will die on this fucking hill.
I agree with you. But granting root straight from adb with 0 auth is not good.
But on this threat model? Why would it not be good?
It has to physically accessed on the PCB itself from what I gather.
There are 2 "threats" from what I see:
someone at the distribution facility pops it open and has the know how to install malware on it (very very unlikely)
someone breaks into your home unnoticed and has the time to carefully take apart your vacuum and upload pre-prepared malware instead of just sticking an IP camera somewhere. If this actually happens, the owner has much much bigger problems and the vacuum is the least of their worries.
The homeowner is the other person that can access it and it is a big feature in that case.
yes and no.. i agree with the sentiment, but with root you can extract wifi credentials and various other secrets… you shouldn’t be able to get these things even when you have physical access to the device… the root access itself isn’t the problem
If I broke into your home, why TF would I carefully take apart your robot vacuum in order to copy your wifi credentials‽
Also, WTF other "secrets" are you storing on your robot vacuum‽
This is not a realistic attack scenario.
you’re on programming.dev so i assume you know that secrets is a generic term to cover things like your cloud account login (whatever form that may take - a password, token, api key, etc) for the robot vacuum service and you’re being intentionally obtuse
it’s a realistic attack scenario for some people - think celebrities etc, who might be being targeted… if someone knows what type of vacuum you have, it’s not “carefully take apart” - it’d take 30s, and then you have local network access which is an escalation that can lead to significantly more surveillance like security cameras, and devices with unsecured local access
just because it doesn’t apply to you doesn’t mean it doesn’t apply to anyone… unsecured or default password root access, even with physical access, is considered a security issue
Listen, if someone gets physical access to a device in your home that's connected to your wifi all bets are off. Having a password to gain access via adb is irrelevant. The attack scenario you describe is absurd: If someone's in a celebrity's home they're not going to go after the robot vacuum when the thermostat, tablets, computers, TV, router, access point, etc are right there.
If they're physically in the home, they've already been compromised. The fact that the owner of a device can open it up and gain root is irrelevant.
Furthermore, since they have root they can add a password themselves! Something they can't do with a lot of other things in their home that they supposedly "own" but don't have that power (but I'm 100% certain have vulnerabilities).
… and all of those things should be equally protected
they’re going to go for the easiest thing to extract information or escalate
the most absurd thing is assuming that an end-user is going do add a root password to a serial interface
i’m not saying end users shouldn’t be able to gain root somehow, simply that it shouldn’t be wide open by default… there should be some process, perhaps involving a unique password per device
Having a unique password per device is best practices. IoT vendors should be doing that regardless of whether or not they're giving the end user root.
There's supposed to be a regulation demanding an IoT "nutrition label" that has that very thing in its list of items. I wonder what happened to that?