Your Robot Vacuum Is Mapping Your Home. And Sharing It

The Machine That Knows Your Floor Plan

In 2024, hackers took control of Ecovacs robot vacuums across the US. They screamed racial slurs through the speakers, chased family pets, and watched through the cameras. [1]

That same year, a Roomba recorded a woman on the toilet. Screenshots ended up on Facebook. [2]

20.6 million robot vacuums shipped globally in 2024. [3] Every one maps your home in detail. Most send that data to the cloud. Some share it with third parties you've never heard of.

Your vacuum knows your home better than you do. The question is: who else knows?

The Hack That Proved the Danger

On May 24, 2024, Minnesota lawyer Daniel Swenson heard strange noises from his Ecovacs Deebot X2. He checked the app and found someone else accessing his vacuum's camera feed. [1]

He reset the password. Minutes later, it started again, this time yelling racist slurs loud enough for his family to hear.

Swenson wasn't alone. The same day, another Deebot X2 in Los Angeles chased a dog through the house while blasting obscenities. In El Paso, Texas, another owner endured the same abuse until they unplugged the machine. [4]

How It Happened

Security researchers Dennis Giese and Braelynn Luedtke had already warned Ecovacs about the vulnerability at DEF CON 32 in August 2024. [5] The flaw: anyone within 450 feet (130 meters) could connect to an Ecovacs robot via Bluetooth. From there, they could access Wi-Fi credentials and take full control. [6]

The researchers found: [7]

  • Static encryption keys: the same key works on all devices
  • No camera/microphone indicator: no light shows when someone's watching
  • Data persists after account deletion: even after you delete your account, your data stays on Ecovacs' servers
  • PIN stored in plaintext: the "security" PIN sits unencrypted on the device

Ecovacs initially dismissed the vulnerabilities as "extremely rare" and requiring "specialized hacking tools and physical access." [5] Two weeks later, they reversed course and promised fixes. [8]

As of late 2024, many issues remain unpatched. [6]

The Roomba Toilet Photo Scandal

In 2022, MIT Technology Review obtained 15 photos captured by development versions of iRobot's Roomba J7. The images had been posted to closed Facebook and Discord groups by data labelers in Venezuela. [2]

The most intimate: a young woman sitting on the toilet, her face clearly visible.

How Private Photos Became Training Data

iRobot had sent the images to Scale AI, a company that hires workers worldwide to label data for AI training. The photos came from "special development robots" given to "paid collectors and employees" who signed agreements allowing video capture. [2]

But here's the catch: many participants didn't know humans would view the images. Ten people who participated in iRobot's tests contacted MIT Technology Review after the story broke, disputing that they understood the consent terms. [9]

iRobot says 95% of its image training data comes from real homes. [2] After the leak, they terminated their Scale AI contract. But the damage was done, and the business model remains.

What Robot Vacuums Actually Collect

Visual Data

  • Detailed floor plans of every room
  • Furniture placement and size
  • Photos/video from onboard cameras
  • Object recognition (shoes, cables, pet waste)

Behavioral Data

  • Cleaning schedules (when you're home)
  • Room-by-room usage patterns
  • How often rooms are cleaned
  • Error logs and movement history

Network Data

  • Wi-Fi credentials
  • Connected device information
  • Your IP address
  • Linked accounts (voice assistants, smart home hubs)

The Map Is the Product

In 2017, iRobot's CEO Colin Angle told Reuters the company could share home maps with Apple, Amazon, or Google "for free." [10] Privacy advocates erupted. iRobot quickly backpedaled, claiming they'd never sell data without "clear consent."

Then Amazon tried to buy iRobot for $1.7 billion.

The Amazon Deal That Almost Was

In August 2022, Amazon announced plans to acquire iRobot. Privacy groups immediately raised alarms. [11]

About 20 organizations (including the Electronic Frontier Foundation, Fight for the Future, and Georgetown Law's Center on Privacy and Technology) urged regulators to block the deal. Their letter stated the acquisition "represents an urgent threat to consumer privacy and competition in the digital economy." [12]

The concern: Amazon already has Alexa recordings, Ring doorbell footage, and detailed shopping histories. Add Roomba's floor plans, and Amazon would know: [13]

  • The size of your home (wealth indicator)
  • How many rooms you have
  • Your furniture (shopping opportunities)
  • Your daily schedule (when you clean)
  • Family composition (number of occupants)

Evan Greer, director of Fight for the Future, put it bluntly: "People tend to think of Amazon as an online seller company, but really Amazon is a surveillance company. That is the core of its business model." [14]

The Deal Collapses

On January 31, 2024, Amazon and iRobot terminated the merger. [15] The FTC had investigated whether the deal would give Amazon an unfair competitive advantage and harm consumer privacy. The European Commission was expected to block it.

The FTC stated: "The Commission's investigation revealed significant concerns about the transaction's potential competitive effects." [15]

iRobot laid off 31% of its workforce (350 employees) after the deal fell through. [16]

Chinese Brands Now Dominate

While Amazon's iRobot deal collapsed, Chinese manufacturers seized the market.

According to IDC, Chinese brands captured over 60% of global robot vacuum shipments in Q1 2024. [17] The top five companies now control 63.4% of the market. [18]

2024-2025 Market Leaders

  • Roborock: #1 globally, 16% market share, 20.7% year-over-year growth [3]
  • Dreame: 36.6% year-over-year growth, dominates Europe [19]
  • Ecovacs: Major player despite security scandals
  • iRobot: Still leads US/Canada/Japan, but global share dropped to 13.7% [3]

Other Chinese brands in the top 10: Xiaomi, Anker Innovations, ILIFE, Lefant, Narwal

What Does This Mean for Privacy?

Chinese manufacturers operate under different legal frameworks. China's national security laws can compel companies to share data with the government. Whether this affects robot vacuum data stored on Chinese servers is unclear, but it's a consideration.

Privacy policies vary widely:

  • Dreame: May share user data with "separate entities for storage or to carry out services" [20]
  • Roborock: Maps are processed in the cloud; data handling policies are less transparent than iRobot's
  • Ecovacs: Already demonstrated poor security practices

The LiDAR Eavesdropping Attack

Think a robot vacuum without a camera is safer? Think again.

Researchers from the University of Maryland and National University of Singapore demonstrated "LidarPhone": an attack that turns LiDAR sensors into makeshift microphones. [21]

How It Works

LiDAR bounces laser light off surfaces to create maps. The researchers discovered these lasers can detect tiny vibrations caused by sound waves, like a conversation vibrating a trash can or window. [22]

Using a compromised Xiaomi Roborock vacuum, they achieved:

  • 91% accuracy identifying spoken digits
  • 90% accuracy identifying music
  • Ability to determine speaker gender
  • Recognition of TV channels (CNN, Fox, PBS) from intro music [22]

The attack requires compromising the vacuum first, and audio quality is limited. But it proves that even "camera-free" robots can spy on you.

Who Gets Your Robot Vacuum Data?

The Official Story

iRobot says: [23]

  • Navigation images are NOT sent to the cloud
  • Maps are only uploaded if you enable them in the app
  • No data is sold to third parties
  • Offline mode works without internet connection

The Reality

Forensic analysis by researchers revealed undocumented APIs in Roomba's cloud infrastructure. Using a tool they built called "PyRoomba," they extracted complete mission histories and navigational data that isn't visible in the official app. [24]

When researchers made GDPR data requests to Samsung and LG smart TVs, the companies' responses didn't match the volume of data actually being transmitted. [25] Similar opacity likely exists across robot vacuum makers.

Mozilla's Privacy Not Included guide gives iRobot Roombas a "use with caution" warning, noting the company "can share data with third parties" for purposes including advertising. [26]

How to Protect Yourself

Before You Buy

  • Skip cameras if possible: LiDAR-only models can't record video (but see the LidarPhone attack above)
  • Check privacy policies: Look for local-only storage options
  • Avoid always-listening features: Voice control means microphones are active
  • Consider offline-capable models: Some work without cloud connection

If You Already Own One

iRobot Roomba

  1. Open the iRobot Home app
  2. Go to Settings → Privacy Settings
  3. Disable "Send Map to Cloud" if available
  4. Disable "Help Improve iRobot" (stops data sharing)
  5. Consider using offline mode (loses scheduling/app features)

Roborock

  1. Open the Roborock app
  2. Go to Device Settings → Privacy
  3. Review and disable any data sharing options
  4. Delete old maps you no longer need

Ecovacs

  1. Update firmware immediately: critical security patches have been released
  2. Open Ecovacs Home app → Settings → Privacy
  3. Disable remote video access if not needed
  4. Use a strong, unique password
  5. Consider network isolation (see below)

Network-Level Protection

  1. Isolate on separate network: Put robot vacuum on guest Wi-Fi or IoT VLAN
  2. Block cloud access: Use Pi-hole or router rules to block manufacturer domains
  3. Monitor traffic: Watch for unexpected data transmissions
  4. Disable UPnP: Prevents automatic port forwarding
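
Steps 2 and 3 can be checked from the DNS resolver's own query log: which names the vacuum looked up, which were blocked, and which were neither expected nor blocked. The following is an added example, not code from any vendor or tool named in this article. It assumes a dnsmasq-style log as Pi-hole writes it, and every address, domain and function name in it is a constructed placeholder.

```python
import re

# Constructed sample in dnsmasq/Pi-hole log style (an assumed format);
# every IP address and domain below is a placeholder, not a real vendor host.
SAMPLE_LOG = """\
Jan  5 02:00:01 dnsmasq[412]: query[A] api.vacuum-vendor.example from 192.168.30.15
Jan  5 02:00:01 dnsmasq[412]: forwarded api.vacuum-vendor.example to 9.9.9.9
Jan  5 02:00:07 dnsmasq[412]: query[A] maps.vacuum-vendor.example from 192.168.30.15
Jan  5 02:00:07 dnsmasq[412]: gravity blocked maps.vacuum-vendor.example is 0.0.0.0
Jan  5 02:00:09 dnsmasq[412]: query[A] news.site.example from 192.168.1.20
Jan  5 02:00:09 dnsmasq[412]: forwarded news.site.example to 9.9.9.9
Jan  5 02:01:30 dnsmasq[412]: query[AAAA] telemetry.adnetwork.example from 192.168.30.15
Jan  5 02:01:30 dnsmasq[412]: forwarded telemetry.adnetwork.example to 9.9.9.9
Jan  5 02:03:00 dnsmasq[412]: query[A] api.vacuum-vendor.example from 192.168.30.15
"""

QUERY = re.compile(r"query\[\w+\] (\S+) from (\S+)$")
OUTCOME = re.compile(r": (?:gravity )?(blocked|forwarded|cached|reply) (\S+) ")

def audit_device(log_text, device_ip, expected_suffixes):
    """Summarise DNS lookups made by one device (the vacuum's address)."""
    report, pending = {}, None
    for line in log_text.splitlines():
        query = QUERY.search(line)
        if query:
            domain, client = query.groups()
            pending = domain if client == device_ip else None
            if pending:
                expected = any(domain == s or domain.endswith("." + s)
                               for s in expected_suffixes)
                entry = report.setdefault(
                    domain, {"queries": 0, "blocked": False, "expected": expected})
                entry["queries"] += 1
            continue
        outcome = OUTCOME.search(line)
        # The first outcome line naming the pending domain decides its status.
        if outcome and pending and outcome.group(2) == pending:
            report[pending]["blocked"] = outcome.group(1) == "blocked"
            pending = None
    return report

def unexpected_unblocked(report):
    """Domains the device resolved that are neither expected nor blocked."""
    return sorted(d for d, e in report.items()
                  if not e["expected"] and not e["blocked"])

if __name__ == "__main__":
    summary = audit_device(SAMPLE_LOG, "192.168.30.15", ["vacuum-vendor.example"])
    print("investigate:", unexpected_unblocked(summary))
```

A lookup with no outcome line in the log is treated as not blocked, so it errs toward flagging a name for review.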

The Nuclear Option

Don't connect it to Wi-Fi at all. Many robot vacuums work in "offline mode" using stored maps and physical buttons. You lose app control and scheduling, but gain privacy.

Or just buy a regular vacuum. They've worked for a century without knowing your floor plan.

What's Coming Next

Robot vacuums are getting smarter, and collecting more:

  • Dreame X50 Ultra (2025): Has legs to climb over obstacles. More mobility = more surveillance capability. [27]
  • AI object recognition: Identifying specific items (toys, shoes, cables) means identifying your possessions
  • Integration with smart home hubs: Your vacuum talks to your Alexa, Ring, and thermostat, creating a complete surveillance picture
  • Subscription models: Companies monetizing ongoing access to your home data

The global robot vacuum market is projected to hit $19.87 billion by 2032, growing nearly 14% annually. [28] That's a lot of homes being mapped.

The Bottom Line

Your robot vacuum knows the layout of your home, when you're there, and what's on your floors.

Ecovacs vacuums were hacked to scream slurs at families. Roomba photos ended up on Facebook. Researchers can turn LiDAR into microphones. And every major manufacturer sends data to the cloud by default.

The Amazon-iRobot deal failed, but the surveillance business model didn't. Chinese brands now dominate the market with even less transparency about data handling.

If you want a clean floor without the surveillance, your options are:

  1. Use offline mode and sacrifice convenience
  2. Block cloud access at the network level
  3. Buy a "dumb" vacuum that just cleans

The robot that cleans your home shouldn't also be mapping it for corporations. But right now, that's exactly what it does.

References

  1. Vice - Robot Vacuums Hacked to Shout Slurs at Their Owners (October 2024)
  2. MIT Technology Review - A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook? (December 2022)
  3. PR Newswire - Roborock Remains #1 Top Selling Robot Vacuum Cleaner Brand Globally in 2024
  4. Malwarebytes - Robot vacuum cleaners hacked to spy on, insult owners (October 2024)
  5. TechCrunch - Ecovacs home robots can be hacked to spy on their owners, researchers say (August 2024)
  6. Kaspersky - How vulnerable Ecovacs robot vacuums are being hacked
  7. Vacuum Wars - Ecovacs Robot Vacuum Security Vulnerabilities Uncovered
  8. TechCrunch - Ecovacs says it will fix bugs that can be abused to spy on robot owners (August 2024)
  9. MIT Technology Review - How Roomba tester's private images ended up on Facebook (January 2023)
  10. MIT Technology Review - Your Roomba Is Also Gathering Data about the Layout of Your Home (July 2017)
  11. The Conversation - iRobot's Roomba will soon be owned by Amazon, which raises privacy questions
  12. TechTarget - Amazon's iRobot acquisition raises concerns
  13. Cybernews - Amazon to take over iRobot: more eyes to spy on you?
  14. Vacuum Wars - Are Robot Vacuums Spying on You? A Deep Dive into Privacy & Security Risks
  15. FTC - Statement Regarding the Termination of Amazon's Proposed Acquisition of iRobot (January 2024)
  16. Computing - Privacy and antitrust experts voice concerns over Amazon's Roomba acquisition
  17. IDC - Global Smart Vacuum Shipments Dominated by Chinese Brands with Over 60% Share in 1Q24
  18. IDC - Global Smart Vacuum Market Grows 20.5% Year-over-Year in Q2 2025
  19. The Ambient - Roborock takes top spot for the first time
  20. WeLiveSecurity - Gathering dust and data: How robotic vacuums can spy on you
  21. University of Maryland - Spying with Your Robot Vacuum Cleaner: Eavesdropping via Lidar Sensors (PDF)
  22. Threatpost - Robot Vacuums Suck Up Sensitive Audio in 'LidarPhone' Hack
  23. iRobot - Privacy and Data Sharing Common Questions
  24. ScienceDirect - Cloud forensic analysis of the Amazon iRobot Roomba vacuum
  25. SecurityWeek - Smart TV Surveillance: How Samsung and LG's ACR Technology Tracks What You Watch
  26. Mozilla Foundation - iRobot Roombas Privacy & Security Guide
  27. Market.us - Vacuum Cleaner Statistics and Facts (2025)
  28. Mordor Intelligence - Robotic Vacuum Cleaner Market Size, Growth Report 2030