Ecovacs Under Scrutiny: Privacy Concerns and Cybersecurity Flaws Shake Trust in Smart Vacuums

A leaked image from 2022, captured by an iRobot smart vacuum, showing a woman on the toilet

Image Source: MIT Technology Review

As smart home devices become increasingly common, concerns around privacy and cybersecurity have grown sharper. Ecovacs, the Chinese home robotics company known for its Deebot robot vacuums, has recently faced heightened scrutiny due to confirmed data-collection practices and previously disclosed security vulnerabilities affecting some models.

Opaque Data Collection Through “Product Improvement Program”

Ecovacs robot vacuums have been found to collect photos, videos and voice recordings from inside users’ homes — data the company confirmed is used to train its AI models. According to Ecovacs, this applies only to customers who opt into the company’s Product Improvement Program through its mobile app.

However, independent researchers and media reports have criticised the lack of transparency in this opt-in process. While users are told the program helps improve “product functions and quality,” the app instructs them to click “above” for more details — yet no link or additional information is available, leaving users unaware of what data they are agreeing to share.

Broad Permissions in Privacy Policy

A review of Ecovacs’ privacy policy as of October 2024 shows wide-ranging permissions that allow the company to gather:

  • 2D and 3D maps of the user’s home

  • Voice recordings captured by the vacuum’s microphone

  • Photos and videos recorded by the device’s camera

The policy also states that deleted voice recordings, photos or videos may continue to be held and used by the company.

Ecovacs maintains that all information uploaded for research is anonymised at the machine level, and that it has implemented “strict access management protocols” to safeguard user data.

Critical Cybersecurity Flaws Revealed

Privacy concerns were compounded when cybersecurity researcher Dennis Giese identified a series of critical vulnerabilities in certain Ecovacs models in 2023. These vulnerabilities were serious enough to allow attackers to:

  • Connect to affected robots from up to 130 metres away using Bluetooth

  • Gain remote control of the robot over the internet

  • Potentially access the vacuum’s microphones, cameras and stored data

Giese described the issues as “basic errors” and raised concerns about the security of Ecovacs’ backend systems, including the potential for misuse by corporate or state-aligned actors.

Ecovacs, valued at US$4.6 billion, stated it was “proactively exploring more comprehensive testing methods” and committed to issuing fixes for the affected flagship model by November 2024. At the time of reporting, these fixes were still pending.

A Cautionary Parallel: iRobot’s 2022 Data Leak

The Ecovacs situation echoes the well-documented 2022 incident involving iRobot. During a controlled research program that participants had voluntarily joined, Roomba test units captured sensitive images, including a photo of a woman on a toilet. These images were later leaked on Facebook by overseas contractors working for Scale AI, the third-party company hired to annotate the footage.

The case highlighted the risks associated with outsourcing raw image analysis to external contractors, where mishandling of sensitive data can lead to unauthorised public exposure.

Emerging Privacy-Preserving Camera Technology

In response to the broader risks posed by smart-home imaging devices, researchers at the Australian Centre for Robotics have developed a prototype privacy-preserving camera. Instead of capturing clear images, the hardware scrambles visual information before digitisation, making the raw image unintelligible even if intercepted.

While the scrambled data is still usable for navigation and object avoidance, it prevents remote attackers, or internal staff, from viewing meaningful visuals. Researchers emphasise, however, that technology alone is insufficient; strong policy and user awareness remain essential.

Balancing Innovation With Accountability

The scrutiny surrounding Ecovacs underscores a fundamental tension in modern home robotics: companies rely on real-world data to improve machine intelligence, yet these same data streams can expose users to privacy and cybersecurity risks.

As smart home devices become more deeply embedded in everyday life, experts stress the need for:

  • Transparent data-collection disclosures

  • Stronger security-by-design approaches

  • Independent testing and verification

  • Better literacy for consumers on how their data is used

For users, awareness and careful review of opt-in settings are increasingly important. For companies, trust will depend on how effectively they communicate, minimise, and protect the data they collect.

Source: ABC News

TheDayAfterAI News
