Harishankar Narayanan said he filtered the vacuum’s telemetry IPs, leaving only update access.
A few days later the device stopped working “as if someone remotely ordered it off,” he wrote on his “Small World” blog.
The unit worked at a service center but failed again at home after several days, he said. When the warranty lapsed, Narayanan disassembled the device to investigate.
He found the A11 runs Linux with lidar and other sensors, and discovered an active, unsecured Android Debug Bridge (ADB), offering full access without a password or encryption.
System logs showed a “kill” command issued at the exact moment the vacuum died; reversing the command revived it, he said. He also found an installed “rtty” package enabling full remote control, which he believes could act as a remote shutoff.
Narayanan linked the model’s CRL-200S hardware platform to supplier 3irobotix, whose components, he noted, are used in devices sold under brands including Xiaomi, Wyze, Viomi, Cecotec and Proscenic—suggesting the issue could affect many units.
He ultimately reconfigured the vacuum to run locally, without cloud links. The episode, he said, shows how easily convenience can blur into surveillance in IoT devices.
“Never connect IoT gear to your main Wi-Fi. Treat them like strangers in your home,” Narayanan concluded.
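The policy described above (block the device's telemetry, permit only its update servers, keep control local, and keep the device off the main network) is easier to verify than to trust. The following is an added example, not code from Narayanan's blog or from this report: a small audit that reads iptables/nftables-style kernel LOG lines for an isolated IoT segment and reports any destination outside an explicit egress allowlist, plus any connection reaching an IoT device on TCP 5555, the default port for ADB over TCP (the port number is general ADB knowledge, not a detail stated here). The subnet, the allowlist ranges and the log lines are all constructed for illustration.

```python
"""Egress audit for an isolated IoT VLAN (added example; all data constructed)."""
import ipaddress
import re
from collections import Counter

IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")     # assumed IoT VLAN
LAN = ipaddress.ip_network("192.168.0.0/16")             # assumed home LAN
UPDATE_SERVERS = ipaddress.ip_network("203.0.113.0/28")  # placeholder vendor update range
EGRESS_ALLOWLIST = [LAN, UPDATE_SERVERS]
ADB_TCP_PORT = 5555  # default ADB-over-TCP port; assumption, not from the article

# Matches the key=value fields netfilter's LOG target writes.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample: one vacuum (.23) and one other IoT device (.40) on the
# IoT bridge, plus a LAN host (.1.10); lines are iptables LOG style.
SAMPLE_LOG = """\
Mar 10 21:14:02 gw kernel: [iot-out] IN=br-iot OUT=eth0 SRC=192.168.50.23 DST=203.0.113.5 PROTO=TCP SPT=41022 DPT=443
Mar 10 21:14:05 gw kernel: [iot-out] IN=br-iot OUT=eth0 SRC=192.168.50.23 DST=198.51.100.77 PROTO=TCP SPT=41023 DPT=8883
Mar 10 21:14:09 gw kernel: [iot-out] IN=br-iot OUT=eth0 SRC=192.168.50.23 DST=198.51.100.77 PROTO=TCP SPT=41024 DPT=8883
Mar 10 21:15:00 gw kernel: [iot-out] IN=br-iot OUT=br-lan SRC=192.168.50.23 DST=192.168.1.10 PROTO=UDP SPT=5353 DPT=5353
Mar 10 21:15:30 gw kernel: [iot-out] IN=br-iot OUT=eth0 SRC=192.168.50.40 DST=198.51.100.9 PROTO=UDP SPT=123 DPT=123
Mar 10 21:16:00 gw kernel: [lan-out] IN=br-lan OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 PROTO=TCP SPT=5000 DPT=443
Mar 10 21:17:12 gw kernel: [lan-in] IN=br-lan OUT=br-iot SRC=192.168.1.10 DST=192.168.50.23 PROTO=TCP SPT=50100 DPT=5555
"""


def parse_line(line):
    """Return {SRC, DST, PROTO, DPT} from a kernel LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields.setdefault("PROTO", "?")
    fields["DPT"] = int(fields["DPT"]) if "DPT" in fields else None
    return fields


def is_allowed(dst):
    """True if the destination falls inside any allowlisted network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in EGRESS_ALLOWLIST)


def audit(lines):
    """Return (kind, src, dst, proto, dpt) tuples for every policy violation.

    kind is "egress-denied" for IoT traffic to a non-allowlisted destination
    and "adb-reachable" for anything that reached an IoT device on the ADB port.
    """
    findings = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        if src in IOT_SUBNET and not is_allowed(f["DST"]):
            findings.append(("egress-denied", f["SRC"], f["DST"], f["PROTO"], f["DPT"]))
        if dst in IOT_SUBNET and f["PROTO"] == "TCP" and f["DPT"] == ADB_TCP_PORT:
            findings.append(("adb-reachable", f["SRC"], f["DST"], f["PROTO"], f["DPT"]))
    return findings


def summarize(findings):
    """Count findings per (kind, src, dst, dpt) so a repeating beacon stands out."""
    return Counter((kind, src, dst, dpt) for kind, src, dst, _proto, dpt in findings)


if __name__ == "__main__":
    for key, n in summarize(audit(SAMPLE_LOG.splitlines())).most_common():
        kind, src, dst, dpt = key
        print(f"{kind:14} {src:>15} -> {dst:<15} port {dpt}  x{n}")
```

Run against the sample, the script reports the vacuum's repeated attempts to reach a non-allowlisted host on 8883, a second device's NTP traffic to an unlisted server, and a LAN host touching the vacuum's ADB port. The first two are the telemetry-style connections the filtering in the story was meant to stop; the last one is the kind of reachability that an open, unauthenticated ADB service turns into full control of the device, which is why the debug port should be closed on the device and the segment isolated from the main network rather than relying on the filter alone.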
(jh)
Source: Polskie Radio 24