Hack Can Turn Robotic Vacuum Into Creepy Rolling Surveillance Machine

Illustration: Dell Cameron (Gizmodo)

Buying a robotic vacuum cleaner probably sounds like a great idea. Who the hell likes to vacuum? But if it was marketed as an internet-connected device with a microphone and camera that wanders your house at all hours of the day, you should probably skip out.


Researchers at Positive Technologies discovered a pair of vulnerabilities in one robotic vacuum, which they believe may affect others, that could allow a malicious hacker to hijack the device and use it to eavesdrop on its owners—or record them using its onboard camera, which comes conveniently equipped with night vision.

Thankfully, the exploits require the attacker to have either already infiltrated the robot’s network or gained physical access to the vacuum, according to the researchers. In other words, someone would have to be targeting your vacuum specifically.

Still, the problem is but one of numerous examples of why using Internet of Things devices with cameras and microphones in your home poses a considerable risk to your privacy. Potentially being recorded in what you believe is the security of your own home—where you might feel free to say and do things that may not be acceptable to, you know, the rest of society—may be too high a price to pay just so you don’t have to bother cleaning up after yourself.

The specific vacuum in question is the Diqee model that comes equipped with a camera, also called “360,” which is produced in Dongguan, China. As stated, one of the discovered exploits allows for remote execution and can be used to turn the vacuum into a “microphone on wheels,” according to Positive Technologies. The second, which requires physical access, can be accomplished by inserting a microSD card into the device’s update port, the researchers said.

Apparently, there’s no security to hurdle once you access the device physically. The vacuum’s firmware could, according to Positive Technologies’ findings, easily be updated to include a script enabling it to basically intercept other types of traffic on the owner’s home network. At that point, you have to ask yourself what’s worse: Being recorded on camera or having your browser history captured? (No judgments here.)

Positive Technologies tells Gizmodo that it followed standard notification procedure and alerted Diqee about the problem. It is not currently aware, however, if the vulnerabilities have been patched, or if affected robot owners have been alerted.


Diqee did not immediately respond to a request for comment.

If you do happen to be concerned about this type of threat, you might consider finding a robot to do your bidding that doesn’t come equipped with wifi. Or, you know, just buy a plain ol’ vacuum.


Senior Reporter, Privacy & Security


West Coast Secessionist

Other than being from a Chinese company, this doesn’t sound like much different than the phones we carry around. They could also be hacked and used to spy on us. If you have anything like a cellphone in your house anyway it seems silly to be afraid of getting a vacuum on privacy grounds. It’s just another thing with the same risks as another device. In other words, this vulnerability could have easily happened on something more “mainstream” that you don’t think of as “IOT.”

Also, the theoretical problems of things like this have little appeal to most people because frankly, most people know for a fact that no one is interested in looking at them undressed, or in listening to their boring conversations. Most people are ugly and boring!