How I Chased a BPFDoor Backdoor in My Robot Vacuum (And Found a Microsecond Timer)
5/18/2026 TL;DR UniFi IDS signature 2069175 (ET MALWARE BPFDoor ICMP Echo Request, X:[COMMAND]) fired on a Roborock Q10 robot vacuum on my IoT VLAN. After a week of “investigation” — packet captures, custom Scapy trigger scripts, isolated test VLANs, the works — the root cause turned out to be a Suricata false positive with an identifiable mathematical cause: the vacuum sends an ICMP heartbeat every 20 seconds whose payload includes a 32-bit microsecond timestamp counter, and that counter rolls through values containing 0x58 0x3a (“X:”) at the rule’s match offset approximately once every few thousand packets. ...