January 30, 2019 | Internet of Things
  • Share:

Robot vacuums undergo a security check: trustworthy helpers around the house or chatty cleaning appliances?

Robot vacuums are the winners of digital evolution. They autonomously tackle unpopular cleaning work and save lots of time. To do so, these practical helpers are full of sensors that collect information on their workspace and communicate via Wi-Fi, cloud services and apps. Do users pay for the use of such digital household helpers by divulging private data? AV-TEST's IoT experts reviewed the security and privacy of four of the latest premium devices, without sweeping anything under the carpet!

Saugroboter im Sicherheitscheck

zoom

One thing is clear: Very few people consider tidying up and cleaning to be their declared favorite activities. And whoever can afford it, likes to put this work in the hands of professional domestic help. That too, however, is also a matter of trust. Because anyone who scrubs a household down to the last corner is bound to learn a lot about the people who live there. Those who like to have a clean place, yet are suspicious by nature, can in fact delegate the monotonous work of vacuuming to a rapidly growing selection of robot vacuums. The risk that the cleaning robots will go rifling through cupboards and drawers is practically nil. However, nearly all premium vacuums have extensive online functions that require a constant Internet connection. This test clarifies whether the digital cleaning helpers spy on their owners or respect their privacy.

From nerd toy to smart helper

It wasn't very long ago that vacuum robots were ridiculed as luxury toys of techie bachelors and smart home nerds. But in the meantime, the devices have come into their own, delivering decent results, good running performance and many features. Thus, they have long since gone from being a gadget to becoming a reliable helper around the house, going about their job in more and more households. One in five vacuum cleaners sold worldwide through Amazon is now a robot, with a sharp upward trend. And not just online, the smart cleaning helpers are experiencing heavily increasing acceptance in retail as well. According to a recent study by the digital association Bitkom, 15 percent of German households are planning to purchase such a household robot this year; last year it was roughly half that figure (8%).

15 percent of all German households intend to buy a household robot in 2019. That's twice as many as last year.

In 2002, the first commercially successful "Robovac" swept across the red carpet with the Roomba model from iRobot. The US manufacturer, who has the bragging rights of having established robotic vacuum cleaners worldwide, still holds over 50 percent of the global market. However, especially in the higher price segment, even traditional vacuum cleaner producers are now also represented with technology developed in-house or often acquired as well. The IoT experts at the AV-TEST Institute examined the security of the internal Wi-Fi communication, the data traffic of connected cloud services, the security of the associated apps, as well as the privacy policies of the following four high-end vacuum cleaners:

Jam-packed with sensors

All the premium models included in the test offer comprehensive sensor systems. In contrast to significantly cheaper devices, this enables the high-end vacuum cleaners to conduct more thorough and more efficient cleaning routines. Ultrasonic, infrared and laser sensors, along with cameras, provide better orientation, enable targeted navigation and prevent scratches on furniture, for example, by putting on the brakes at the right time. However, the devices also collect significantly more details of the area of operation than cheaper devices, which according to the chaos principle, simply drive straight ahead until their touch sensor (bumper) forces them to change direction after a collision with a wall or an object. 

All the vacuums evaluated in the test create more or less detailed maps for navigation and make these available to their owners per app. Maps and other data are transferred via mobile applications on the smartphone to the manufacturer's own cloud. In some models, these applications are also used to set up the robot and control the device. To do so, the robots connect to their home Wi-Fi and can thus be launched remotely, for example. Status messages are also sent by the vacuum devices via this channel. 

Precise layout of the living quarters

Some of the cleaning maps created by the robots revealed very detailed maps of the workspace. In addition to the room layout, doors and windows were also visible. Combined with the reasonable assumption that users put their robots to work when they are not at home, this poses at least a theoretical risk, from which the need to protect this information can be derived. As the robots freshly create the maps for each cleaning job, adapting them as they move about, they also notice changes in the floor plan. For example, when suitcases in the hallway no longer stand in the way as obstacles.

In accordance with the plethora of information that robots send and receive through their sensors, the IoT experts from AV-TEST checked the communication security of the local data connections between robot and app (via Wi-Fi), as well as the external Internet connection between cloud service and app.

Cleaning maps of robot vacuums

Some of the cleaning maps of robot vacuums chart precise contours of their area of operation. They also provide information on whether the device is currently in use or not.

zoom ico
Highly sought-after information

Some manufacturers of robot vacuums divulge the floor plans – actually intended for navigation – to other manufacturers of smart home products.

zoom ico

1

Cleaning maps of robot vacuums

2

Highly sought-after information

Local communication not of critical concern

The least critical form of data exchange is local communication. Because this occurs between the app and the robot in a very limited space within the home Wi-Fi range. Attackers have to be physically located in the transmission range of the router or the robot vacuum, i.e. in the immediate vicinity. The Kobold VR300 from Vorwerk does not use local communication and is therefore invulnerable to this pathway. The communication channel between Roomba 980 and the app is protected by the TLS 1.2 encryption protocol. The initial setup of the iRobot is actually performed via a manually activated Wi-Fi connection, which is not password protected, however, here as well, communication is completely TLS 1.2 encrypted.

The 360 Eye handles the data exchange with the app via the MQTT open messaging protocol for machine-to-machine communication. TLS encryption is also available for this client-server protocol; Dyson, however, does not currently use it for the local communication of its flagship model, thus creating at least a theoretically exploitable vulnerability for an attacker in a local Wi-Fi network. The testers witnessed similar weaknesses in the data transmission of the Chinese premium vacuum cleaner, Roborock S55. This machine sends its data unencrypted via the UDP network protocol and also reveals an open flank to local attackers.


Mostly well protected external communication

In external communication, which is much more relevant for attacks, three out of four test candidates in the test lab demonstrated decent defensive behavior. Not only Dyson and iRobot but also the Kobold from Vorwerk rely on TLS encryption for communication in its secure version 1.2 with connected cloud services and for data exchange between cloud and app. On the Roborock, however, the testers encountered partially unencrypted wireless transmission. That is because the Xiaomi vacuum cleaner also uses partially unencrypted UDP connections for external communication. This traffic can be intercepted and manipulated, e.g. within the scope of a man-in-the-middle attack. In addition, there were potential vulnerabilities in TLS-encrypted connections. Due to insufficient verification of certificates on encrypted connections, the testers were able to manipulate data streams and read their contents. 

It should be noted that Roborock, like all other Xiaomi smart home products, is controlled from a central app. This means that attackers may not only gain access to the robot vacuum but also to more critical smart home components from the manufacturer. These may include smoke detectors, window/door contacts or IP cameras. For example, this would open up the potential to sabotage the fire alarm in an apartment, spy on residents by a camera or shut down the burglar alarm. Controlling all smart home components from one app is indeed extremely convenient, yet this applies not only to users but also to attackers. The Chinese smart home giant should therefore endeavor to eliminate the existing security gaps in data communications, especially because it is expected that another heavyweight in the smart home market will open its rapidly growing product range for the Xiaomi network: At the AIoT Developer Conference in Beijing in November 2018, Ikea announced within the scope of a partnership with Xiaomi, that effective immediately, the company is opening up interfaces to Xiaomi's IoT platform for its own products. In initial tests, Ikea's Tradfri lighting series demonstrated favorable security results. However, at the time the tests were conducted, there was still no possibility of controlling the lights outside the home's own Wi-Fi. That is why AV-TEST will test Tradfri products with online access again.
 

Access via one app

Actually quite smart: All smart home components from Xiaomi can be controlled via the same app. 

zoom ico
Vulnerability of many modules

The app in the test, however, proved vulnerable to Internet attacks that could enable access not only to the robot vacuum but also to cameras and other critical smart home products.

zoom ico

1

Access via one app

2

Vulnerability of many modules

App security: Is Xiaomi spying on me?

Also in terms of the Xiaomi app, the testers encountered critical safety deficiencies. On the one hand, the manufacturer demands a vast number of user rights for its app on the smartphone, for which the necessity for the use of smart home products is not always readily apparent. These include, for example, access to security-critical system settings of the smartphone. On the other hand, the Xiaomi app is not only extremely inquisitive, it also contains a large number of third-party modules. Thus, for example, the app is allowed to send recorded usage data to Facebook, Alibaba, the associated financial services provider Alipay, the Airbnb rental platform, the Chinese retail giant Tencent and other online services. The test also indicated that the app does not sufficiently protect sensitive information. Thus, the testers were able to read out sensitive information from the app folder of rooted smartphones.

Interfaces to other services and privacy policy

Not only Xiaomi and Ikea will be exchanging data on smart home products in the future. At the end of October 2018, iRobot also announced a similar partnership with Google. According to the press release, customer setup and use of smart devices is intended to be facilitated by the evaluation of the cleaning maps created by the robots. Via Google Assistant voice command, for example, the vacuum cleaners can be instructed to clean only certain rooms. And users are intended to be able to control networked lighting systems and other smart home components for individual living areas. It appears doubtful whether customers share the enthusiasm of the manufacturers for exchanging data. In an interview with The Verge, Senior Director of Google's smart home ecosystem Michele Chambers Turner promptly promised that the iRobot maps would not be aggregated with other data collected by Google. 

The other test candidates also feature comprehensive functions that require the integration of other platforms, e.g. control by Amazon's language assistant, Alexa. The extent to which iRobot and its new partner, Google, not to mention the other providers, keep their promises, remains to be seen and is difficult to prognosticate for users.

When in operation, the robot vacuum cleaners collect not only data on their surroundings or information about their users. The devices also check the condition of their own sensors and wear parts that have to be replaced regularly, for example, including air filters, side and main brushes. After a certain number of vacuuming runs, the units inform the user of necessary changes. This is actually considered a useful feature to maintain the performance of the device. However, manufacturers can also use it to validate whether users are using the robots in compliance with the warranty conditions. If variances are discovered and communicated to the manufacturer, the latter could possibly exclude a warranty, depending on the legal situation in the country of sale. What's more, users may also have to get used to the fact that their vacuum cleaner will request new air filters via chat messages or take it upon itself to order a new main brush from an online shop.

Vulnerability of many modules

Robot vacuums also record whether filters, brushes and sensors are in proper condition, as with a Xiaomi vacuum in this case.

zoom ico
Monitoring by manufacturers

Depending upon the point of sale and legal status, manufacturers may limit the warranty for their equipment in the event of improper use.

zoom ico

1

Vulnerability of many modules

2

Monitoring by manufacturers

Privacy policy: Dyson and Vorwerk cleaned up

Whatever manufacturers intend to do with information from the robot vacuums and on their owners, they are required to make it transparent in their privacy statements. Accordingly, AV-TEST precisely examined the data usage rights granted to Dyson, iRobot, Vorwerk and Xiaomi. 

Vorwerk was exemplary in this regard: In the privacy policy of the Kobold VR300, the German manufacturer promises only to collect data that is necessary for the operation of the robot. Vorwerk seeks to utilize this storehouse of data, used for statistics and product improvement, only in an anonymized form. The manufacturer processes this type of data at its main locations in Germany and Switzerland, as well as in the United States, where the vacuum cleaner is produced under license by the US manufacturer Neato. In its privacy policy, however, Vorwerk guarantees compliance with EU data protection standards for all locations. Similarly commendable was the privacy statement from Dyson. In an easy-to-understand summary, the manufacturer lists the most important points and also provides detailed information on each point. In addition, Dyson promises reduction to necessary data and anonymized use.

The privacy policy of iRobot is somewhat ambiguous, very long and very detailed: The testers had to struggle through eleven small-print pages with a total of almost 7,000 words. The text is couched in legalese and difficult to understand, and any reference to anonymized data use is conspicuously absent. The manufacturer does reference cooperation with other companies such as Google, however. In addition, iRobot allows itself data usage rights that are likely to be unnecessary for the use of a robot vacuum. A quote from the privacy policy on the collection of personal data: "Demographic and lifestyle information, such as your age, date of birth, gender, salary or other income, leisure and other interests, number of children and number of pets, information about your home environment”. Statements of this nature hardly promote confidence.

For the Roborock, Xiaomi does not provide its own privacy policy in the Google Play Store. Instead, reference is made to the provisions of the manufacturer's website. After installing the app, however, customers receive information about the use of data generated by the Roborock. They learn that customer information collected is used for marketing purposes throughout the Xiaomi Group. In addition to the constant flow of data to third-party providers during the vacuuming runs conducted in the test, the manufacturer's privacy policy does not offer much prospect of protecting privacy. Information on data exchange with partners such as Ikea, who could use apartment layouts recorded by Roborock, for example, to promote their furniture range, is also not included in the privacy policy.

4 premium robot vacuums

Put to the security test

zoom ico
4 premium robot vacuums

Put to the security test

zoom ico

1

4 premium robot vacuums

2

4 premium robot vacuums

Conclusion

Two premium vacuum cleaners stood out thanks to their secure data transfer and well-protected apps: iRobot and Vorwerk. The privacy policies from Vorwerk and Dyson fulfilled all the information standards of the testers. Although in its policy, iRobot allows itself data collection that is extensive and surely not necessary for operating the device, customers still have the opportunity to be informed about it at an early stage. All in all, iRobot’s Roomba 980 and Vorwerk’s Kobold VR300 earned the highest score of three out of three stars in the quick test. Dyson's 360 Eye received only two out of three possible stars due to partially unencrypted local communication. It should be easy for the manufacturer to eliminate this vulnerability, however. Due partly to gross security deficiencies in data transmission, the transfer of data to third parties, the app's unexplainable thirst for data, as well as a clear need for improvement in the statement on the handling of customer data, the Roborock S55 only receives one of three possible stars. Considering data security and with respect to privacy protection, the AV-Test Institute cannot recommend this robot vacuum.

Social Media

We want to stay in touch with you! Now there is an easy way to receive regular updates on the latest news and test releases.