Be Careful of Your Robot Vacuum – It Could Be Spying on You

We live in a great time with so many helpful devices. They help us in our daily lives to make things easier and faster and take care of mundane tasks for us. But sometimes they can also make things worse, like in the case of a robot vacuum that could be spying on you.

The Surveillance Vacuum

Researchers with Positive Technologies, an enterprise security company, have found vulnerabilities with the Dongguan Diqee 360 robotic vacuum cleaners.

The Chinese smart home manufacturer Diqee equips these vacuums with Wi-Fi and a 360-degree camera with a mode they refer to as “dynamic monitoring.” It turns your vacuum into a device that can spy on you. You just had some dirty floors, but now you have something all-new to worry about.

Because of CVE-2018-10987, the remote code vulnerability, an attacker can access the device’s MAC address system admin privileges. The vulnerability rests within the REQUEST_SET_WIFIPASSWD function. While it requires authentication, that can be done with the default username and password.

It might not just affect robotic vacuums, either, as researchers suggest it could also affect other products that use the same video module, such as surveillance cameras, smart doorbells, and DVRs. The company also sells other vacuums under a different brand name.


A second vulnerability, CVE-2018-10988, can affect this robotic vacuum as well, but it requires physical access through an SD card slot.

To help with the vulnerability, the vacuum does have a privacy protection cover for the camera that they claim “solves the privacy leakage from hardware.” Yet Positive Technologies still considers the vacuum to have a vulnerability.

Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners,” said Leigh-Anne Galloway, Positive Technologies Cybersecurity lead.

Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner and even use the vacuum as a ‘microphone on wheels’ for maximum surveillance potential.

Buyer Beware

As great as it is to have smart home products, many of them come with hazards in the way of liabilities. Many aren’t secure, and microphones and cameras only complicate it that much more.


The immediate question you need to ask yourself when buying a robotic vacuum is if you really need those “extras.” Do you need it to have a night vision webcam? How much vacuuming are you doing in the dark? Do you need to be able to navigate it with your smartphone?

It’s just not a surprising turn of events. Any time you welcome an IoT product into your home, you’re welcoming vulnerabilities, and the cameras, microphones, etc., just make it that much more dangerous, when all you’re trying to do is keep your house clean.

Cleaning Up

Make sure you know the hazards before you buy such a device. It just can’t be said enough. Whatever you would gain from having a camera on your vacuum cleaner most likely isn’t worth the loss of privacy.

Do you have a robotic vacuum? Does it have these vulnerabilities? Or would you never buy one specifically because of these vulnerabilities? Let us know what you think in the comments section.

Image Credit: TechCrunch

Laura Tucker Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.


  1. Oh, what Big Brother wouldn’t have given for IoT!

    ““Like any other IoT device, these robot vacuum cleaners could be marshaled into a botnet”
    We have all seen the movies which show an army of ants or rats or some other animals (or zombies) coming down the street though the night. Now we have to worry about an army of robot vacuum cleaners under evil control invading our neighborhoods. :-)

    “Do you have a robotic vacuum?”
    No, and I won’t. They can’t do steps.

    1. Thanks for the visual this morning, Dragonmouth. I now have a visual of being invaded by Roombas.

      And I don’t have a robotic vacuum for the same reason.

    2. Typo. Too early in the morning. I meant thanks for the laugh this morning for the visiual of being invaded by Roombas.

  2. Nice tease… So, how can one discover whether a vacuum has either of the “CVE-2018-…” issues????????

    1. Not a tease. The name brand of the robotic vacuum known to have these issues is mentioned in the article.

Comments are closed.