The Machine That Knows Your Floor Plan
In 2024, hackers took control of Ecovacs robot vacuums across the US. They screamed racial slurs through the speakers, chased family pets, and watched through the cameras. [1]
That same year, a Roomba recorded a woman on the toilet. Screenshots ended up on Facebook. [2]
20.6 million robot vacuums shipped globally in 2024. [3] Every one maps your home in detail. Most send that data to the cloud. Some share it with third parties you've never heard of.
Your vacuum knows your home better than you do. The question is: who else knows?
The Hack That Proved the Danger
On May 24, 2024, Minnesota lawyer Daniel Swenson heard strange noises from his Ecovacs Deebot X2. He checked the app and found someone else accessing his vacuum's camera feed. [1]
He reset the password. Minutes later, it started again, this time yelling racist slurs loud enough for his family to hear.
Swenson wasn't alone. The same day, another Deebot X2 in Los Angeles chased a dog through the house while blasting obscenities. In El Paso, Texas, another owner endured the same abuse until they unplugged the machine. [4]
How It Happened
Security researchers Dennis Giese and Braelynn Luedtke had already warned Ecovacs about the vulnerability at DEF CON 32 in August 2024. [5] The flaw: anyone within 450 feet (130 meters) could connect to an Ecovacs robot via Bluetooth. From there, they could access Wi-Fi credentials and take full control. [6]
The researchers found: [7]
- Static encryption keys: the same key works on all devices
- No camera/microphone indicator: no light shows when someone's watching
- Data persists after account deletion: even after you delete your account, your data stays on Ecovacs' servers
- PIN stored in plaintext: the "security" PIN sits unencrypted on the device
Ecovacs initially dismissed the vulnerabilities as "extremely rare" and requiring "specialized hacking tools and physical access." [5] Two weeks later, they reversed course and promised fixes. [8]
As of late 2024, many issues remain unpatched. [6]
The Roomba Toilet Photo Scandal
In 2022, MIT Technology Review obtained 15 photos captured by development versions of iRobot's Roomba J7. The images had been posted to closed Facebook and Discord groups by data labelers in Venezuela. [2]
The most intimate: a young woman sitting on the toilet, her face clearly visible.
How Private Photos Became Training Data
iRobot had sent the images to Scale AI, a company that hires workers worldwide to label data for AI training. The photos came from "special development robots" given to "paid collectors and employees" who signed agreements allowing video capture. [2]
But here's the catch: many participants didn't know humans would view the images. Ten people who participated in iRobot's tests contacted MIT Technology Review after the story broke, disputing that they understood the consent terms. [9]
iRobot says 95% of its image training data comes from real homes. [2] After the leak, they terminated their Scale AI contract. But the damage was done, and the business model remains.
What Robot Vacuums Actually Collect
Visual Data
- Detailed floor plans of every room
- Furniture placement and size
- Photos/video from onboard cameras
- Object recognition (shoes, cables, pet waste)
Behavioral Data
- Cleaning schedules (when you're home)
- Room-by-room usage patterns
- How often rooms are cleaned
- Error logs and movement history
Network Data
- Wi-Fi credentials
- Connected device information
- Your IP address
- Linked accounts (voice assistants, smart home hubs)
The Map Is the Product
In 2017, iRobot's CEO Colin Angle told Reuters the company could share home maps with Apple, Amazon, or Google "for free." [10] Privacy advocates erupted. iRobot quickly backpedaled, claiming they'd never sell data without "clear consent."
Then Amazon tried to buy iRobot for $1.7 billion.
The Amazon Deal That Almost Was
In August 2022, Amazon announced plans to acquire iRobot. Privacy groups immediately raised alarms. [11]
About 20 organizations (including the Electronic Frontier Foundation, Fight for the Future, and Georgetown Law's Center on Privacy and Technology) urged regulators to block the deal. Their letter stated the acquisition "represents an urgent threat to consumer privacy and competition in the digital economy." [12]
The concern: Amazon already has Alexa recordings, Ring doorbell footage, and detailed shopping histories. Add Roomba's floor plans, and Amazon would know: [13]
- The size of your home (wealth indicator)
- How many rooms you have
- Your furniture (shopping opportunities)
- Your daily schedule (when you clean)
- Family composition (number of occupants)
Evan Greer, director of Fight for the Future, put it bluntly: "People tend to think of Amazon as an online seller company, but really Amazon is a surveillance company. That is the core of its business model." [14]
The Deal Collapses
On January 31, 2024, Amazon and iRobot terminated the merger. [15] The FTC had investigated whether the deal would give Amazon an unfair competitive advantage and harm consumer privacy. The European Commission was expected to block it.
The FTC stated: "The Commission's investigation revealed significant concerns about the transaction's potential competitive effects." [15]
iRobot laid off 31% of its workforce (350 employees) after the deal fell through. [16]
Chinese Brands Now Dominate
While Amazon's iRobot deal collapsed, Chinese manufacturers seized the market.
According to IDC, Chinese brands captured over 60% of global robot vacuum shipments in Q1 2024. [17] The top five companies now control 63.4% of the market. [18]
2024-2025 Market Leaders
- Roborock: #1 globally, 16% market share, 20.7% year-over-year growth [3]
- Dreame: 36.6% year-over-year growth, dominates Europe [19]
- Ecovacs: Major player despite security scandals
- iRobot: Still leads US/Canada/Japan, but global share dropped to 13.7% [3]
Other Chinese brands in the top 10: Xiaomi, Anker Innovations, ILIFE, Lefant, and Narwal.
What Does This Mean for Privacy?
Chinese manufacturers operate under different legal frameworks. China's national security laws can compel companies to share data with the government. Whether this affects robot vacuum data stored on Chinese servers is unclear, but it's a consideration.
Privacy policies vary widely:
- Dreame: May share user data with "separate entities for storage or to carry out services" [20]
- Roborock: Maps processed in the cloud; data handling policies are less transparent than iRobot
- Ecovacs: Already demonstrated poor security practices
The LiDAR Eavesdropping Attack
Think a robot vacuum without a camera is safer? Think again.
Researchers from the University of Maryland and National University of Singapore demonstrated "LidarPhone": an attack that turns LiDAR sensors into makeshift microphones. [21]
How It Works
LiDAR bounces laser light off surfaces to create maps. The researchers discovered these lasers can detect tiny vibrations caused by sound waves, like a conversation vibrating a trash can or window. [22]
Using a compromised Xiaomi Roborock vacuum, they achieved:
- 91% accuracy identifying spoken digits
- 90% accuracy identifying music
- Ability to determine speaker gender
- Recognition of TV channels (CNN, Fox, PBS) from intro music [22]
The attack requires compromising the vacuum first, and audio quality is limited. But it proves that even "camera-free" robots can spy on you.
Who Gets Your Robot Vacuum Data?
The Official Story
iRobot says: [23]
- Navigation images are NOT sent to the cloud
- Maps are only uploaded if you enable them in the app
- No data is sold to third parties
- Offline mode works without internet connection
The Reality
Forensic analysis by researchers revealed undocumented APIs in Roomba's cloud infrastructure. Using a tool they built called "PyRoomba," they extracted complete mission histories and navigational data that isn't visible in the official app. [24]
When researchers made GDPR data requests to Samsung and LG smart TVs, the companies' responses didn't match the volume of data actually being transmitted. [25] Similar opacity likely exists across robot vacuum makers.
Mozilla's Privacy Not Included guide gives iRobot Roombas a "use with caution" warning, noting the company "can share data with third parties" for purposes including advertising. [26]
How to Protect Yourself
Before You Buy
- Skip cameras if possible: LiDAR-only models can't record video (but see the LidarPhone attack above)
- Check privacy policies: Look for local-only storage options
- Avoid always-listening features: Voice control means microphones are active
- Consider offline-capable models: Some work without cloud connection
If You Already Own One
iRobot Roomba
- Open the iRobot Home app
- Go to Settings → Privacy Settings
- Disable "Send Map to Cloud" if available
- Disable "Help Improve iRobot" (stops data sharing)
- Consider using offline mode (loses scheduling/app features)
Roborock
- Open the Roborock app
- Go to Device Settings → Privacy
- Review and disable any data sharing options
- Delete old maps you no longer need
Ecovacs
- Update firmware immediately: critical security patches have been released
- Open Ecovacs Home app → Settings → Privacy
- Disable remote video access if not needed
- Use a strong, unique password
- Consider network isolation (see below)
Network-Level Protection
- Isolate on a separate network: Put the robot vacuum on a guest Wi-Fi network or an IoT VLAN
- Block cloud access: Use Pi-hole or router rules to block manufacturer domains
- Monitor traffic: Watch for unexpected data transmissions
- Disable UPnP: Prevents automatic port forwarding
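One way to carry out the "Monitor traffic" and "Block cloud access" steps together, as an added example that is not part of the original article: a Python script that reads Pi-hole (dnsmasq) query-log lines and sorts every DNS lookup made by the vacuum into blocklisted, expected, or unexpected. The log lines, IP addresses and `.example` domains are constructed placeholders, and `audit_vacuum_dns` is a hypothetical helper name.

```python
import re
from collections import Counter

# dnsmasq query line: "<timestamp> dnsmasq[pid]: query[TYPE] <domain> from <client-ip>"
QUERY_RE = re.compile(r"query\[[A-Za-z0-9]+\]\s+(?P<domain>\S+)\s+from\s+(?P<client>\S+)")

# Constructed sample log: 192.168.30.15 is the vacuum, 192.168.1.20 is a laptop.
SAMPLE_LOG = """\
Jan 12 03:14:07 dnsmasq[811]: query[A] api.vacuum-vendor.example from 192.168.30.15
Jan 12 03:14:07 dnsmasq[811]: query[AAAA] api.vacuum-vendor.example from 192.168.30.15
Jan 12 03:14:09 dnsmasq[811]: query[A] pool.ntp.org from 192.168.30.15
Jan 12 03:14:11 dnsmasq[811]: query[A] telemetry.analytics-partner.example from 192.168.30.15
Jan 12 03:14:12 dnsmasq[811]: query[A] www.example.org from 192.168.1.20
Jan 12 03:15:40 dnsmasq[811]: query[A] maps.vacuum-vendor.example from 192.168.30.15
""".splitlines()

def matches(domain, suffixes):
    """True if domain equals a listed name or is a subdomain of one."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def audit_vacuum_dns(log_lines, vacuum_ip, blocklist, allowlist=()):
    """Count the vacuum's lookups: on the blocklist, expected, or neither."""
    report = {"blocklisted": Counter(), "allowed": Counter(), "unexpected": Counter()}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m["client"] != vacuum_ip:
            continue  # not a query line, or a different device
        domain = m["domain"].lower().rstrip(".")
        if matches(domain, blocklist):
            report["blocklisted"][domain] += 1
        elif matches(domain, allowlist):
            report["allowed"][domain] += 1
        else:
            report["unexpected"][domain] += 1  # review, then block or allow
    return report

if __name__ == "__main__":
    r = audit_vacuum_dns(SAMPLE_LOG, "192.168.30.15",
                         {"vacuum-vendor.example"}, {"pool.ntp.org"})
    for bucket, counts in r.items():
        print(bucket, dict(counts))
```

DNS logs only show name lookups, so a device that connects to hard-coded IP addresses will not appear here; keep the router firewall rules in place as well.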
The Nuclear Option
Don't connect it to Wi-Fi at all. Many robot vacuums work in "offline mode" using stored maps and physical buttons. You lose app control and scheduling, but gain privacy.
Or just buy a regular vacuum. They've worked for a century without knowing your floor plan.
What's Coming Next
Robot vacuums are getting smarter, and collecting more:
- Dreame X50 Ultra (2025): Has legs to climb over obstacles. More mobility = more surveillance capability. [27]
- AI object recognition: Identifying specific items (toys, shoes, cables) means identifying your possessions
- Integration with smart home hubs: Your vacuum talks to your Alexa, Ring, and thermostat, creating a complete surveillance picture
- Subscription models: Companies monetizing ongoing access to your home data
The global robot vacuum market is projected to hit $19.87 billion by 2032, growing nearly 14% annually. [28] That's a lot of homes being mapped.
The Bottom Line
Your robot vacuum knows the layout of your home, when you're there, and what's on your floors.
Ecovacs vacuums were hacked to scream slurs at families. Roomba photos ended up on Facebook. Researchers can turn LiDAR into microphones. And every major manufacturer sends data to the cloud by default.
The Amazon-iRobot deal failed, but the surveillance business model didn't. Chinese brands now dominate the market with even less transparency about data handling.
If you want a clean floor without the surveillance, your options are:
- Use offline mode and sacrifice convenience
- Block cloud access at the network level
- Buy a "dumb" vacuum that just cleans
The robot that cleans your home shouldn't also be mapping it for corporations. But right now, that's exactly what it does.
References
[1] Vice - Robot Vacuums Hacked to Shout Slurs at Their Owners (October 2024)
[2] MIT Technology Review - A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook? (December 2022)
[3] PR Newswire - Roborock Remains #1 Top Selling Robot Vacuum Cleaner Brand Globally in 2024
[4] Malwarebytes - Robot vacuum cleaners hacked to spy on, insult owners (October 2024)
[5] TechCrunch - Ecovacs home robots can be hacked to spy on their owners, researchers say (August 2024)
[6] Kaspersky - How vulnerable Ecovacs robot vacuums are being hacked
[7] Vacuum Wars - Ecovacs Robot Vacuum Security Vulnerabilities Uncovered
[8] TechCrunch - Ecovacs says it will fix bugs that can be abused to spy on robot owners (August 2024)
[9] MIT Technology Review - How Roomba tester's private images ended up on Facebook (January 2023)
[10] MIT Technology Review - Your Roomba Is Also Gathering Data about the Layout of Your Home (July 2017)
[11] The Conversation - iRobot's Roomba will soon be owned by Amazon, which raises privacy questions
[12] TechTarget - Amazon's iRobot acquisition raises concerns
[13] Cybernews - Amazon to take over iRobot: more eyes to spy on you?
[14] Vacuum Wars - Are Robot Vacuums Spying on You? A Deep Dive into Privacy & Security Risks
[15] FTC - Statement Regarding the Termination of Amazon's Proposed Acquisition of iRobot (January 2024)
[16] Computing - Privacy and antitrust experts voice concerns over Amazon's Roomba acquisition
[17] IDC - Global Smart Vacuum Shipments Dominated by Chinese Brands with Over 60% Share in 1Q24
[18] IDC - Global Smart Vacuum Market Grows 20.5% Year-over-Year in Q2 2025
[19] The Ambient - Roborock takes top spot for the first time
[20] WeLiveSecurity - Gathering dust and data: How robotic vacuums can spy on you
[21] University of Maryland - Spying with Your Robot Vacuum Cleaner: Eavesdropping via Lidar Sensors (PDF)
[22] Threatpost - Robot Vacuums Suck Up Sensitive Audio in 'LidarPhone' Hack
[23] iRobot - Privacy and Data Sharing Common Questions
[24] ScienceDirect - Cloud forensic analysis of the Amazon iRobot Roomba vacuum
[25] SecurityWeek - Smart TV Surveillance: How Samsung and LG's ACR Technology Tracks What You Watch
[26] Mozilla Foundation - iRobot Roombas Privacy & Security Guide
[27] Market.us - Vacuum Cleaner Statistics and Facts (2025)
[28] Mordor Intelligence - Robotic Vacuum Cleaner Market Size, Growth Report 2030