Dennis Giese taught DEFCON attendees how to secure their robot vacuums.

How to Disconnect Your Robot Vacuum from the Cloud with Tech Knowledge

According to Dennis Giese, a PhD student at Northeastern University specializing in robot vacuum security, robot vacuums are no longer just simple cleaning machines. They have evolved into sophisticated Internet of Things devices, comparable to smartphones, with features such as internet connectivity, video recording, and voice control. However, the security measures for these advanced technologies have not kept pace with their development.

“You have no idea what kind of data they’re storing, what kind of data is stored on the device, what kind of data is being sent to the cloud,” Giese told ReturnByte. It may seem harmless to sweep your floor, but the real consequences have already set in.

Like in 2022, when the iRobot Roomba J7 captured private moments, including photos of a woman on the toilet, which the company sent to startup Scale AI to tag and train AI algorithms. Amazon, which has experienced countless surveillance and privacy scandals, is currently trying to buy iRobot for more than $1.4 billion.

With all these features, robot vacuum cleaners can act as a surveillance system in your own home, which means there is a world where someone can use the live view functions and spy on you. Companies can say that this data is safe and only used when needed to improve your user experience, but reviewers or consumers can’t figure out what’s really going on. “People like me basically make companies lie,” Giese said.

So Giese aims to give people more control over the robot vacuums in their homes, because every device he tests has some kind of vulnerability. He spoke at DEF CON on Sunday about how people can hack their devices to disconnect from the cloud. Not only does this protect your data from corporate access, but it also gives you access to the device so you can fix it on your own terms. “Right of repair” means that even if the warranty expires or the company goes bankrupt and stops supporting it, you can still use it.

Unfortunately, hacking the firmware of a robot vacuum cleaner is not for beginners. Giese says it takes a certain level of technical expertise to figure it out, but robot vacuum owners can take steps to improve their device’s security. What you can do is make sure you wipe all data before selling or getting rid of the robot vacuum. Even if the device is broken, “as a bad guy, I can just repair the device and just turn it on and extract data from it,” Giese said. “If you can, do a factory reset.”

Or if you want full privacy control but none of the convenience, stick with a regular push vacuum.