Robotics - a question of security

16th of July 2025

Recent reports of household vacuum robots being hacked have sounded alarm bells in the cleaning industry. So, how susceptible are today’s professional cleaning robots to hacking and data breaches? And what are industry players doing to address the issue of security? ECJ asks the question.

IT WAS LIKE SOMETHING straight out of a science fiction film. People were safely ensconced in their homes, watching TV or going about their business when their robot vacuum cleaners suddenly appeared to turn on them.

Some machines started uttering random obscenities while others issued racial slurs. One robot in Los Angeles even went rogue and proceeded to chase the family dog around the house.

It emerged that criminals had hacked into various Ecovacs robots in multiple US states over the space of a few months last year and had managed to take control of these machines. Security flaws were later identified in the model in question, including a Bluetooth connector glitch that allowed third parties to access the machine from more than 100 metres away.

The incident highlighted the fact that today’s increasingly sophisticated high-tech cleaning equipment is not without its risks. And this danger has the potential to become greater still when automated solutions are used in commercial and industrial environments.

So, how secure are professional cleaning robots? And how do we prevent other people from gaining access to the machines we operate?

Robot cleaners are like any other connected device - they carry an inherent risk of being accessed remotely by a third party, says Kärcher’s robotics product manager Alina Seitter. “The level of risk will vary depending on the robot’s design, software and the security measures implemented,” she said.

“While many manufacturers prioritise security it is true vulnerabilities can still exist. It is crucial to understand that robot security is an evolving area and continuous updates and improvements are necessary.”

Several factors can make cleaning robots more vulnerable to hackers, according to Seitter. “If they are connected to the internet for remote monitoring, software updates or for control purposes they will be inherently more exposed to cyber threats,” she said. “Models equipped with cameras or other sensors for navigation and mapping can also be exploited for surveillance. And like any software, robot operating systems and apps may contain vulnerabilities that hackers could exploit.”

Inadequate protection

She says inadequate password protection and poor authentication protocols could allow for unauthorised access, adding that hacking could lead to a range of issues.

“For example, cameras and microphones could be used to spy on commercial premises or private homes, while sensitive data collected by the robot - such as mapping information or user credentials - could be stolen,” said Seitter.

“Hackers could also potentially control the robot’s movements or functions, causing damage or disruption. And audio equipment could be used to listen in on conversations.”

Greater problems could occur if an entire fleet of cleaning robots were to be accessed by hackers, she said. “The fleet could then be used to carry out a targeted attack on other servers.”

Publicly-reported incidents of hacking linked with cleaning robots are relatively uncommon compared with other IoT devices, according to Seitter. “However, the general trend of increasing numbers of cyberattacks on connected devices is a concern, particularly due to the high numbers of connected devices around,” she said.

“It is a risk that must be mitigated.”

Kärcher actively monitors industry trends and security advisories, says Seitter. “Data security has been one of the most important factors we have considered from the beginning of the development of our Kärcher Autonomous Robotics Application series,” she said.

The risk of hacking can be reduced with the aid of strong encryption processes, secure authentication and regular software updates, she says. “Providing timely security updates to patch vulnerabilities is crucial.”

The amount of data collected and stored by the robot should also be kept to a minimum while sensitive data such as mapping information should be automatically deleted after use, according to Seitter. “All images should be pixelated or masked, and network security measures should be implemented to isolate the robot from other devices.”

Kärcher’s KIRA cleaning robots are repeatedly tested and subjected to hacker attacks by IT experts to check for vulnerabilities, says Seitter. And the company uses a law firm specialising in data protection to ensure sufficient measures are taken to guard customers’ trade secrets.

Potential to be hacked

Like many smart devices, cleaning robots have the potential to be hacked, says Cleanology marketing director Kate Lovell. “They may be vulnerable to abuse due to their reliance on wi-fi networks and cloud-based services - particularly if those networks are not secured with strong passwords or encryption,” she said. “Also, many devices feature cameras and audio equipment which can lead to physical security risks.”

In rare cases, compromised robots could be exploited by hackers for surveillance purposes, she says. “This could include spying on commercial premises, listening in on private conversations or gaining remote access to the robot to control or manipulate its functions,” said Lovell.

The hacking of cleaning robots is relatively rare, she adds. “However, isolated incidents – such as the hacking of Ecovacs robots in the US - underscore the potential vulnerabilities in robotic equipment.”

Several precautions can be taken to make these automated systems more secure, according to Lovell. “It is important to use strong, unique passwords for your wi-fi network and for the robot’s app,” she said. “Users should also disable internet connectivity on their devices when not in use and the robot’s firmware should be regularly updated. And customers should be aware of the data-sharing policies of the robot’s manufacturer.”

Security framework

Cleaning robots rely on a comprehensive security framework to ensure their safety, says ICE chief marketing officer Julie Kitchener. “The robots deployed by ICE have information security at the core of their design and are certified under global compliance standards,” she said. “Both the robot and its cloud platform are engineered to avoid collecting personal data which eliminates privacy risks. And our robot systems undergo rigorous testing and follow Secure Development Lifecycle practices.”

Robots supplied by ICE are not equipped with microphones and their camera data is neither uploaded to the cloud nor stored, she says. “Optional pixelation processing ensures compliance with GDPR privacy standards, protecting user privacy.”

She adds the robots’ motion control system uses non-IP protocols and an emergency stop button to directly cut power so that the device cannot be remotely manipulated. “These measures ensure that the robots cannot be exploited for improper purposes while also preserving the integrity of customer operations and data,” she said.

Navigation data is updated and overwritten in real time producing no storage of historical path information, she added. And secure account and password policies are implemented to prevent unauthorised access, while on-premises and private deployment options give customers full control over their data and systems.

Pudu’s cleaning robots operate offline for routine tasks and only connect to the internet for activation purposes or map updates, says brand manager Jessie Zhang. “An Air-Gapped Update mechanism tightly restricts remote access, while all device communication relies on mutual certificate authentication to maintain security even in unencrypted wi-fi environments,” she said.

The company’s suppliers are required to pass rigorous information security evaluations under the company’s Supplier Management Control Programme, according to Zhang. “This ensures end-to-end security across hardware and software components,” she said.

Pudu’s cleaning robots have no microphones and the camera data is neither uploaded to the cloud nor stored, said Zhang. “Image data is retained only in runtime memory and is deleted immediately after processing. And cameras are disabled by default, requiring administrator authorisation to activate them and offering optional face-blurring algorithms to further safeguard privacy.”

Pudu’s cleaning robots include the CC1 with four-in-one functionality and the AI-powered MT1 sweeping robot. “Our commercial cleaning robots have maintained a 100 per cent safety record since their market introduction,” claims Zhang.

Nexaro’s cleaning robots are also designed without microphones or cameras which means no audio or video data is collected, says the company’s general manager Dr Henning Hayn. “Furthermore, the 2D floor maps generated by the machines are anonymised and encrypted to maintain security,” he said.

Personal data is processed exclusively within the Nexaro Hub, according to Hayn. “Users retain full control over their data with the option to securely delete it at any time,” he says. The company’s Nexaro NR 1500 is designed for cleaning hotel rooms and smaller office spaces while the Nexaro NR 1700 has been developed for larger, more complex spaces.

Latest protocols

According to Hayn, the company’s multi-tenant architecture guarantees the secure separation of data between different users to prevent any data being mixed. “Regular security checks and continuous updates are also carried out to ensure that our products are always kept up to date with the latest security protocols,” he said.

Nexaro robot vacuum cleaners are safeguarded against remote access by third parties through encrypted mobile-only communication which eliminates the need for wi-fi, says Hayn. “We also employ secure authentication offering two-factor authentication and passkeys as additional layers of protection,” he said.

“Secure firmware updates are regularly implemented and we undergo frequent assessments by specialised security firms to identify and address any potential vulnerabilities. There have been no known cases of Nexaro products being hacked to date.”

 
