With some tech savvy, you can disconnect your robot vacuum from the cloud
Dennis Giese taught DEF CON attendees how to secure their robot vacuums.
Robot vacuums may seem like mindless suction machines with wheels. But today, “basically these devices are like smartphones,” Dennis Giese, PhD student at Northeastern University who researches robot vacuum security, said. From internet capabilities to video recording to voice control, robot vacuums have become an advanced Internet of Things technology, but the security upkeep hasn’t caught up.
“You don't have any insight, what kind of data they’re recording, what kind of data is stored on the device, what kind of data is sent to the cloud,” Giese told Engadget. That might seem harmless for a device that sweeps your floors, but the real-life consequences have already taken effect.
Like in 2022 when the iRobot Roomba J7 captured private moments including photos of a woman on the toilet that the company sent to startup Scale AI to label and train AI algorithms. Amazon, which has experienced countless surveillance and data privacy scandals, is currently attempting to acquire iRobot for over $1.4 billion.
With all these features, robot vacuums can act as a surveillance system in your own home, meaning there’s a world where someone can access live view functions and spy on you. Companies can say this information is secure and only used when needed to improve your experience, but there’s not enough transparency for reviewers or consumers to figure out what’s actually going on. “People like me are catching the companies basically lying,” Giese said.
So, Giese is on a mission to give people more control over the robot vacuums in their homes because every device he’s tested has some sort of vulnerability. He spoke at DEF CON on Sunday about how people can hack their devices to disconnect from the cloud. Not only does this help protect your data from being used by the company, but it also gives access to the device so that you can repair it on your own terms. The “right to repair” ethos means that even if the warranty ends or the company goes bankrupt and stops supporting it, you can still use it.
Unfortunately, hacking into your robot vacuum’s firmware isn’t for newbies. It requires a level of technical expertise to figure out, according to Giese, but owners of robot vacuums can take steps to improve on-device data security. What you can do is make sure that you wipe all of the data before selling or getting rid of a robot vacuum. Even if the device is broken, “as a malicious person, I can just repair the device and can just power it on and extract the data from it,” Giese said. “If you can, do factory resets.”
Or, for full data privacy control but none of the convenience, stick to the standard push vacuum.