Just before CES 2020, I predicted we would see a rise in the number of robot vacuums with built-in cameras. While the notion has been around for a while, it’s only recently that cameras have been used for object recognition/avoidance and home security. The Roborock S6 MaxV, Trifo Lucy, and Ecovacs Deebot Ozmo T8 AIVI are perfect examples of that. Previously, cameras were used to map out rooms for improved cleaning efficiency, but they’re increasingly being used for much more.
Considering the privacy concerns around security cameras, their addition to robot vacuums should be a cause for concern. We’ve spoken to a security expert who shed light on why hackers hack security cameras, as well as how to safeguard them from hackers in the first place.
Are you worried that stationary indoor cameras are intrusive? Well, get ready for one that’s mobile.
The obvious risks
What’s the harm of putting a camera into a robot vacuum?
The fact that it’s a camera inside of your home already poses a threat to privacy. It’s another pair of eyes that will see what’s going on inside your home. And considering that it’s a camera strapped into a roving vacuum, more places in the home are exposed to intrusion.
No matter the security, it’s always possible for a camera to be hacked if an attacker is dedicated to doing so. Ring’s cameras are a perfect example. Its cameras experienced a series of intrusions by hackers last year, which led the company to make some dramatic security and privacy changes.
Unfortunately, there are few clues that might reveal a hacker when a camera is compromised, unless they purposefully do something to make their presence known.
Given these facts, the risk is obvious. It can also be mitigated, though only if the right safeguards are put in place.
What do robot vacs do to protect your privacy?
As we’ve seen, camera security companies have been receptive to the challenges. Now we’re dealing with robot vacuum companies entering new territory. Thankfully, some companies do have safeguards in place.
“All images that are captured for object recognition are processed on board the robot vacuum immediately, and are not sent out through the cloud to any servers,” said Richard Chang, CEO and Founder of Roborock.
So far, the vast majority of robot vacuums that leverage cameras use them largely for room mapping — with few also having object detection. This could be a privacy concern if that data was made available to third parties. The decision to process this data locally helps to address this concern.
What about robots that use cameras for surveillance and security, like the new Ecovacs Deebot Ozmo T8 AIVI? Ecovacs uses AES encryption for its video stream. We’ve explained the difficulty in cracking this, and there’s an option to password protect the stream through its app. Even if someone steals your phone and runs the app, they won’t be able to view the stream without the correct password.
It’s not uncommon for smart home gadgets to send and receive data to outside servers, like the tiny bits of data whenever a smart light bulb is activated via voice commands. TC Chang, U.S. go-to-market manager at Ecovacs Robotics, said, “the stream is not shared or stored on the robot or any server in any way that is accessible to Ecovacs or third parties.”
Ecovacs also offers a lens cover that can go over the camera — a last, surefire way to make sure no one is spying on you.
The Roborock S6 MaxV is powered by a Qualcomm APQ8053 processor chip, which provides some additional security precautions. “All firmware installation is protected by Qualcomm’s Silicon Secure feature, where unauthorized firmware cannot be modified or installed,” Chang said.
Adding to that is operating system protection in place with the S6 MaxV, which will only run a restricted program with a pre-digital signature from Roborock. Lastly, the Roborock app and devices use Transport Layer Security (TLS), an industry standard for network communication security.
There’s still a big privacy flaw
Although there are measures in place to protect your privacy, there’s a fundamental flaw in the approach taken by Roborock and Ecovacs — neither offers two-factor authentication.
Ecovacs delivered a surprising response when I asked why it’s not offered. “Ecovacs is constantly monitoring the things that our customers are requesting through numerous feedback channels such as customer service, app ratings, and other social media channels.”
This sort of strategy is reminiscent of what security expert Gregory Hanis warned us about in an interview. He questioned why companies and manufacturers don’t place more emphasis on privacy protections in the development stages, instead of doing it later on — after some major hack forces them to take action.
“I’m 100% sure that when they go to develop these products and whatnot, they don’t do that. They don’t think about all the what-ifs,” Hanis said. “And that’s why we’re going to have these problems, and we’re still going to have these problems. Until there’s something that enforces that, or some accountability, it doesn’t matter.”
As for Roborock? The company says it is currently looking into utilizing two-factor authentication, both email and text verification, but the details surrounding it aren’t finalized. While there are precautions in place right now, as we’ve explained, two-factor authentication would certainly alleviate many concerns.
Let’s hope they quickly learn from Ring’s past debacles, and offer it sooner rather than later.