Buying a robotic vacuum cleaner probably sounds like a great idea. Who the hell likes to vacuum? But if it was marketed as an internet-connected device with a microphone and camera that wanders your house at all hours of the day, you should probably skip out.
A pair of vulnerabilities that researchers at Positive Technologies discovered in one robotic vacuum, and which they believe may affect others, could allow a malicious hacker to hijack the device and use it to eavesdrop on its owners, or record them using its onboard camera, which comes conveniently equipped with night vision.
Thankfully, the exploits require the attacker either to have already infiltrated the robot’s network or to gain physical access to the vacuum, according to the researchers. In other words, someone would have to be targeting your vacuum specifically.
Still, the problem is but one of numerous examples of why using Internet of Things devices with cameras and microphones in your home poses a considerable risk to your privacy. Potentially being recorded in what you believe is the security of your own home—where you might feel free to say and do things that may not be acceptable to, you know, the rest of society—may be too high a price to pay just so you don’t have to bother cleaning up after yourself.
The specific vacuum in question is the Diqee model that comes equipped with a camera, also called “360,” which is produced in Dongguan, China. As stated, one of the discovered exploits allows for remote execution and can be used to turn the vacuum into a “microphone on wheels,” according to Positive Technologies. The second, which requires physical access, can be accomplished by inserting a microSD card into the device’s update port, the researchers said.
Apparently, there’s no security to hurdle once you access the device physically. The vacuum’s firmware could, according to Positive Technologies’ findings, easily be updated to include a script enabling it to basically intercept other types of traffic on the owner’s home network. At that point, you have to ask yourself what’s worse: Being recorded on camera or having your browser history captured? (No judgments here.)
Positive Technologies tells Gizmodo that it followed standard notification procedure and alerted Diqee about the problem. It is not currently aware, however, if the vulnerabilities have been patched, or if affected robot owners have been alerted.
Diqee did not immediately respond to a request for comment.
If you do happen to be concerned about this type of threat, you might consider finding a robot to do your bidding that doesn’t come equipped with wifi. Or, you know, just buy a plain ol’ vacuum.