Robot vacuum vulnerabilities could expose images from inside owners' homes, probe finds
Published: 02 Sep. 2025, 17:23
Security flaws in several popular robot vacuum cleaners could expose images from inside users’ homes, according to a government investigation released Tuesday. Most of the vulnerable devices were made by Chinese companies.
The Korea Internet & Security Agency (KISA) announced Tuesday that, in a joint investigation with the Korea Consumer Agency, it discovered security issues in several robot vacuums currently on the market that could result in personal data leaks or privacy violations.
Robot vacuums are Internet of Things (IoT) devices that communicate with external servers using built-in cameras and sensors. Cameras are used to avoid obstacles and map cleaning routes, and they often take photos to show objects in the way.
Although the convenience of these devices has increased their popularity, weak security can lead to the exposure of personal information, warranting special caution.
The two agencies assessed six robot vacuum models across 40 security-related criteria grouped into three categories: mobile app security, including app controls and settings; policy management, such as manufacturers’ updates and privacy policies; and device-level security, covering hardware, networks and firmware.
In the mobile app security assessment, two models — the Narwal Freo Z Ultra (YJCC017) and Ecovacs Deebot X8 Pro Omni (DEX56) — were found to have inadequate user authentication, creating the potential for unauthorized access and manipulation.
One particularly serious vulnerability involved the leaking of photos taken inside homes or the remote activation of a device’s camera. Dreame's X50 Ultra (RLX85CE) had a flaw that allowed outsiders to view the user's camera feed in real time and access the photo and video gallery.
Narwal, Dreame and Ecovacs are all Chinese robot vacuum manufacturers.
In the policy management category, the Dreame vacuum was found to have a vulnerability that could potentially expose users’ names and contact details.
While the agencies noted that the likelihood of abuse under normal usage conditions was low, they warned that the vulnerabilities could be exploited by hackers with advanced skills. Manufacturers were instructed to address the issues immediately, and fixes have since been made, according to KISA.
Device-level security assessments showed that Dreame and Ecovacs devices had relatively weak hardware protections. Firmware settings were also generally inadequate across all tested devices, creating the risk that internal security structures could be exposed externally.
Among the six models tested, those from Samsung Electronics and LG Electronics earned higher overall ratings for better protection. Their devices included robust access permissions, safeguards against unauthorized manipulation, secure password policies and reliable update systems.
KISA and the Korea Consumer Agency recommended that all six manufacturers enhance their security by improving mobile app authentication, hardware protection and firmware security.
“Consumers should set strong passwords and regularly apply security updates to their robot vacuums to maintain basic protection,” said a Korea Consumer Agency official.
