
Your favorite home robot probably poses a huge privacy risk


Key takeaways

  • Smart vacuum cleaners can be hacked, leading to privacy concerns.
  • Smart vacuum cleaners use images of beta testers to train AI. These can end up being shared online without the user’s knowledge.
  • Smart Vac apps can leak private information despite end-to-end encryption.



Imagine for a moment that you have just purchased a high-end smart vacuum cleaner. You get it home, unpack it and set it up. But while you sit back, expecting to enjoy some extra free time, something ominous happens.

Unbeknownst to you, hackers are quietly preparing to attack your new device. When they do, they gain access to the vacuum cleaner's video feed. They use this feed to view live video and pictures of the inside of your home, intimate pictures, maybe even pictures of you and your family.


Smart Vac security can be scary



While this scenario sounds like the plot of an A24 horror movie, smart vacuum security concerns are all too real. Privacy concerns about robotic vacuum cleaners have grown as these helpers become smarter, prompting researchers to explore the issues in depth. Some stories even made it into the news. MIT Technology Review reported on a young woman who was photographed while using the toilet, while Australia’s ABC News reported on a vulnerability in Ecovacs smart vacuums that allows them to be hacked.

The research and incidents pose a compelling question: is everyone’s favorite revolutionary smart device nothing more than a massive security risk? The answer is both terrifying and complex.

Is your smart vacuum cleaner spying on you?



An MIT Technology Review article published in December 2022 brought a sobering revelation to many smart vacuum cleaner owners. The story said 15 photos taken by iRobot’s J7 series Roomba robotic vacuum were shared over the Internet. MIT Technology Review eventually obtained these photos, and among them were intimate images of a woman on the toilet.

After the story broke, iRobot commented on the images, saying they were taken by “special development robots with hardware and software modifications that are not and have never been present on iRobot’s consumer products for purchase.” While this may comfort some, it cannot be ignored that the images eventually made their way onto the internet.

Some of the photos were innocuous, showing only rooms, walls and furniture. Others, however, were a bit more dubious. In many of them, users’ faces were visible. One of the photos even showed every parent’s nightmare: the face of an underage child who was captured staring confusedly at a robotic vacuum cleaner.


Smart vacuum cleaners use images of beta testers to train artificial intelligence


These types of photos are commonly used to train the onboard AI of smart devices. However, they are almost always locked down and uploaded privately to the cloud. But in the case of the 15 photos obtained by MIT Technology Review, those photos were made available to Venezuelan gig workers, who then circulated them on an online forum. It’s scary to think about, especially when you consider that the sharing of these photos may not have been an isolated incident.

Many companies like iRobot are trying to improve the AI performance of their latest smart vacuum cleaners by relying on beta testers to help train their AI systems. These testers often agree to have images captured and uploaded to company servers, not knowing they could end up elsewhere.

For example, iRobot is accused of sharing data collected from test users with a global data supply chain, as reported by MIT Technology Review, where every picture could be seen and even commented on by foreign suppliers. If these vendors choose to share images or take screenshots, personal photos can be exposed to unexpected corners of the Internet. That seems to be exactly what happened when the 15 iRobot photos surfaced.

Smart vacuum cleaners have access to private information


However, beta testing is not the only security risk. Smart vacuum cleaners can also be exposed to vulnerabilities in the applications that control them. Scientists from the Institute of Information Security and Communication Technologies [PDF] in Norway concluded that even if a smart vacuum app uses end-to-end encryption, there is still a possibility of personal data being stolen.

During the study, the researchers used a simple Raspberry Pi equipped with Wireshark, an open-source packet analyzer, to capture 8% to 26% of the smart vacuum’s network traffic. The study concluded:

Despite manufacturers implementing end-to-end encryption to protect user data, our findings show that unencrypted network header metadata can still reveal private and sensitive information.

This means that the personal data handled by your smart vacuum cleaner may not be as safe as you think.

This type of “packet sniffing” is not common. However, it can easily be done using commercially available devices such as a Raspberry Pi or a Flipper Zero.
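To make the study's point concrete, the following added example (not code from the article or the study) parses the unencrypted Ethernet, IP and TCP headers of constructed frames and shows which fields stay readable when the payload is ciphertext. The MAC addresses, IP addresses, ports and payload sizes are constructed sample values.

```python
import socket
import struct
from collections import Counter

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    eth += b"\x08\x00"  # EtherType: IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def visible_metadata(frame):
    """Return the header fields an on-path observer reads without any key."""
    if len(frame) < 54:
        return None  # too short for Ethernet + IPv4 + TCP headers
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    tcp = 14 + ihl                        # offset of the TCP header
    if ethertype != 0x0800 or frame[23] != 6 or len(frame) < tcp + 20:
        return None  # not IPv4/TCP
    (total_len,) = struct.unpack("!H", frame[16:18])
    _sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4  # TCP header length in bytes
    return {
        "src_mac": src_mac.hex(":"),       # first three bytes identify the vendor
        "dst_ip": socket.inet_ntoa(frame[30:34]),
        "dst_port": dport,
        "payload_len": total_len - ihl - data_off,  # size leaks despite encryption
    }

def bytes_per_endpoint(frames):
    """Total encrypted bytes sent to each (destination IP, port) pair."""
    totals = Counter()
    for frame in frames:
        meta = visible_metadata(frame)
        if meta:
            totals[(meta["dst_ip"], meta["dst_port"])] += meta["payload_len"]
    return dict(totals)

# Constructed sample traffic; zero bytes stand in for encrypted payloads.
VACUUM, ROUTER = "02:00:00:aa:bb:01", "02:00:00:00:00:fe"
SAMPLE = [
    build_frame(VACUUM, ROUTER, "192.168.1.50", "203.0.113.10", 50000, 443, bytes(300)),
    build_frame(VACUUM, ROUTER, "192.168.1.50", "203.0.113.10", 50000, 443, bytes(1200)),
    build_frame(VACUUM, ROUTER, "192.168.1.50", "198.51.100.7", 50001, 8883, bytes(90)),
]
```

Running the same parser over a capture of your own device's traffic shows which endpoints it contacts and how much it sends, which is the metadata that encryption alone does not hide.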

Smart vacuum cleaners can be hacked



Probably the most worrying aspect of smart vacuum security, however, is the likelihood that your smart vacuum will be taken over by hackers. That’s exactly what happened at the beginning of 2024, when cyberattacks compromised several smart vacuum cleaners from the Ecovacs brand in a security breach (according to PC Mag).

In a move straight out of the classic 80s movie Maximum Overdrive, one of the vacuum cleaners stormed into the living room and started yelling racist obscenities at the owner. Another chased the family dog around the house. This behavior sets a grim precedent that opens the door for other nefarious types of hacking.

In addition, as detailed earlier, in October 2024 cybersecurity researchers took control of the Ecovacs Deebot X2 device. Once the device was compromised, the researchers discovered they could control it from anywhere in the world. We recently reviewed the Ecovacs Deebot X2 Combo and found its performance to be impressive. However, device security raises several lingering concerns.


Should you give up your smart vacuum cleaner?

As with many questions, the answer here is: it depends. While it’s easy to believe that your smart vacuum cleaner isn’t susceptible to security risks, the truth is that anything connected to the internet can be a potential weak spot inviting abuse. However, that doesn’t mean you should just ditch your expensive smart vacuum cleaner and go back to using an upright vacuum.

The decision ultimately comes down to whether you’re willing to trade the potential security of your device for the convenience of less time spent cleaning your home. Many people might be willing to make this trade-off, especially if they haven’t had problems in the past.

But if you maintain a watertight level of security for your home network, or want more than average privacy, you might want to think twice before introducing a smart vacuum into your home.
