The iRobot Roomba 980 is one of the four vacuum robots that we have tested for security and privacy as part of our vacuum robot test. iRobot has been on the market with vacuum robots since 2002 and could be described as the “top dog” in the field. The following test report will show whether this head start also shows in terms of security and privacy.
Local communication
The iRobot can be set up quickly and easily via a WiFi network that the robot broadcasts when activated manually. This WiFi network is not encrypted. However, no unencrypted communication between the vacuum robot and the app could be detected over it. Furthermore, the robot's WiFi network was deactivated again after a few moments and the Roomba was connected to the laboratory WiFi. During and after the setup, all local communication was TLS 1.2 encrypted.
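The statement that no unencrypted local traffic could be detected rests on inspecting what each flow actually carries. The following added example (not the test lab's tooling) shows how such a check can be automated: it looks at the first bytes a client sent in each flow, recognises a TLS record header (content type, record-layer version, and for a ClientHello the version in the handshake body), and reports every flow touching the robot that is not TLS. The flow records, IP addresses and ports below are constructed for illustration, not captured Roomba traffic.

```python
"""Classify captured flows as TLS or plaintext from their first bytes.

Added example, not from the original test report; all sample flows are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# TLS record-layer content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
# Record-layer / handshake version fields (TLS 1.3 also announces 0x0303 here and
# negotiates 1.3 in an extension, so it shows up as "TLS1.2" at this level).
TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


@dataclass
class Flow:
    src: str          # client IP
    dst: str          # server IP
    dport: int        # server port
    first_bytes: bytes  # first bytes sent by the client


def classify(first_bytes: bytes) -> str:
    """Return 'TLS1.x', 'plaintext' or 'unknown' for the start of a stream."""
    if len(first_bytes) < 5:
        return "unknown"
    content_type = first_bytes[0]
    record_version = int.from_bytes(first_bytes[1:3], "big")
    record_length = int.from_bytes(first_bytes[3:5], "big")
    if content_type in TLS_CONTENT_TYPES and record_version in TLS_VERSIONS and record_length > 0:
        label = TLS_VERSIONS[record_version]
        # A ClientHello may keep 0x0301 in the record header for compatibility;
        # the client_version inside the handshake body (bytes 9..10) is authoritative.
        if content_type == 0x16 and len(first_bytes) >= 11 and first_bytes[5] == 0x01:
            hello_version = int.from_bytes(first_bytes[9:11], "big")
            label = TLS_VERSIONS.get(hello_version, label)
        return label
    # Printable ASCII at the start of a stream means an unencrypted text protocol.
    if all(32 <= b < 127 or b in b"\r\n\t" for b in first_bytes):
        return "plaintext"
    return "unknown"


def audit(flows: Iterable[Flow], robot_ip: str) -> List[Tuple[Flow, str]]:
    """Return (flow, label) for every flow involving the robot that is not TLS."""
    findings = []
    for flow in flows:
        if robot_ip not in (flow.src, flow.dst):
            continue
        label = classify(flow.first_bytes)
        if not label.startswith("TLS"):
            findings.append((flow, label))
    return findings


# Constructed sample capture: 192.0.2.10 plays the robot, 192.0.2.20 the phone app,
# 198.51.100.5 a cloud endpoint (all documentation-range addresses).
TLS12_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
HTTP_REQUEST = b"GET /status HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 443, TLS12_CLIENT_HELLO),   # robot -> cloud
    Flow("192.0.2.20", "192.0.2.10", 8883, TLS12_CLIENT_HELLO),    # app -> robot
    Flow("192.0.2.20", "192.0.2.10", 80, HTTP_REQUEST),            # constructed plaintext flow
]

if __name__ == "__main__":
    for flow, label in audit(SAMPLE_FLOWS, "192.0.2.10"):
        print(f"non-TLS flow {flow.src} -> {flow.dst}:{flow.dport}: {label}")
```

In practice the first bytes of each stream come from a packet capture (for example exported per-flow with a capture tool); the point of the check is that a single plaintext flow is enough to contradict an "all traffic encrypted" claim, whereas "unknown" flows (binary non-TLS protocols such as DNS or DHCP) still need a manual look rather than being counted as encrypted.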
App & online communication
Version 3.2.0 of the iRobot app was put to the test. It is largely obfuscated, which makes reverse engineering of the source code more difficult for attackers. It contains several third-party modules, but we were not able to identify any noteworthy vulnerabilities through static and dynamic analysis.
Like the Roomba 980 itself, the app always communicates TLS 1.2 encrypted and is therefore protected against simple man-in-the-middle attacks. Implementing certificate pinning, i.e. extended certificate validation in the app, is strongly recommended to counter more sophisticated man-in-the-middle attacks. Unencrypted connections could not be detected during the test.
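Certificate pinning, as recommended above, means the client accepts a server only if its certificate matches a pin shipped with the app, in addition to the normal chain and hostname validation. The following added example (not the iRobot app's code) shows the shape of such a check in Python: the chain is still verified by the default context, TLS 1.2 is enforced as the minimum version, and the leaf certificate presented by the server is compared against a configured pin. The `connect_pinned` function, the pin values and the certificate bytes used in the usage part are placeholders and assumptions for this illustration.

```python
"""Certificate pinning on top of normal TLS validation.

Added example, not from the original report or from iRobot; pins and the
sample certificate bytes are constructed placeholders.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, lowercase hex (a full-certificate pin)."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der: bytes, pins: Iterable[str]) -> bool:
    """True if the certificate's fingerprint equals one of the configured pins.

    hmac.compare_digest keeps the comparison constant-time per pin.
    """
    fingerprint = cert_fingerprint(cert_der)
    return any(hmac.compare_digest(fingerprint, pin.lower()) for pin in pins)


def connect_pinned(host: str, port: int, pins: Iterable[str], timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.

    Chain and hostname validation are still performed by the default context;
    pinning is an additional check, never a replacement for it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # matches the behaviour observed in the test
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf_der = tls.getpeercert(binary_form=True)
    if not pin_matches(leaf_der, pins):
        tls.close()
        raise ssl.SSLCertVerificationError("leaf certificate does not match any configured pin")
    return tls


# Usage sketch with constructed data (no network access needed to exercise the check):
SAMPLE_CERT_DER = b"constructed-placeholder-not-a-real-certificate"
CONFIGURED_PINS = {cert_fingerprint(SAMPLE_CERT_DER)}

if __name__ == "__main__":
    print("pin ok:", pin_matches(SAMPLE_CERT_DER, CONFIGURED_PINS))
    print("pin ok for other cert:", pin_matches(b"some-other-cert", CONFIGURED_PINS))
```

A full-certificate pin as shown here breaks on every certificate renewal, so production apps usually pin the SubjectPublicKeyInfo of the leaf or an intermediate and ship a backup pin; on Android the same effect is obtained declaratively with the network security configuration or with OkHttp's CertificatePinner rather than hand-written socket code.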
Privacy
The iRobot privacy policy is very detailed, with eleven pages and almost 7000 words, and informs the user in all respects about the privacy practices in connection with the vacuum robots. In contrast to other manufacturers, such as Dyson, iRobot does not provide a simplified version broken down to the most important points. This effectively prevents end customers from reading a document of this size, let alone from identifying any critical points in it.
The fact that the word “anonymous” does not appear in the long document is not surprising, especially with regard to the announced cooperation with Google. All recorded data is transferred to the USA within the framework of the EU-US Privacy Shield and processed there.
Finally, a quote from the privacy policy as an example of recorded data, translated from the German-language version: “Demographic and lifestyle information, such as your age, date of birth, gender, salary or other income, leisure and other interests, number of children and number of pets, information about your living environment.”
Conclusion
The iRobot Roomba 980 provides the user with a secure solution for both local network and cloud communication. The manufacturer also provides very detailed information in the area of privacy, even if doubts may arise about the necessity of the data recorded.