Spy appliances

Connected vacuum cleaners: privacy risks and how to protect yourself

Smart vacuum cleaners can be hacked to spy on and insult users, putting home privacy at risk

by Alessandro Longo


4' min read


If our robot hoover starts insulting us, there are two hypotheses: either we have treated it really, really badly lately or we are suffering a hacker attack.

Warning: the first hypothesis is a joke, the other is not. It happened in several cities in the United States, as reported a few days ago by the newspaper ABC. Cyber criminals connected to the speakers and cameras built into Chinese-made Ecovacs Deebot X2 robots. Their purposes are unknown, but could range from spying on users for information to be monetised in various ways (with subsequent scams and blackmail) to a prank in bad taste. In one case, the robot was remotely controlled to make it chase the owner's dog.


If this were a horror film from the 1980s, the poltergeist hypothesis would not be out of the question either. But then again, the possibility of criminals being able to control our internet-connected home devices is not to be laughed at. It has become a growing threat in recent years, affecting even baby monitors and smart dolls. Or refrigerators.

And indeed Europe takes it seriously: just a few days ago it gave final approval, in the EU Council after the Parliament, to the Cyber Resilience Act, a regulation imposing digital security measures on products circulating in the European community. Products that do not comply with them cannot be sold in Europe.

Robot vacuum cleaners


Already between 2023 and 2024, security researchers had attempted to point out to Ecovacs some security flaws in its robot hoovers and the application that controls them.

The most serious was a flaw in the Bluetooth connector, which allowed full access to the Ecovacs X2 from over 100 metres away. The PIN code system protecting the robot's video feed and its remote control function was also known to be faulty. Ecovacs ignored the warnings, leading to disaster. These security problems could explain how the attackers managed to control multiple robots in different locations and how they were able to silently surveil the victims.

In the end, Ecovacs admitted the problem: some robot access accounts had been hacked and their credentials stolen. At the same time, experts showed that it was easy to crack the PIN code that gives access to various functions.

The case may be reminiscent of the one in 2020, when some Venezuelan contractors working on the iRobot Roomba J7 leaked images of a woman on the toilet onto the internet. That was not a hacker attack, but it was a privacy breach, one that revealed the risks associated with these smart devices, which are also fuelled by the complexity of their supply chain.

Baby monitors and smart dolls


Similarly, baby monitors have often been the target of hackers intent on accessing the devices' cameras and speakers. This has resulted in very disturbing situations for families. In some cases, the intruders have spoken directly to the children through the monitor, scaring both them and their parents. For example, in one known incident, a hacker managed to take control of a baby monitor and shout offensive phrases and insults at a child in the middle of the night.

Other times, hackers were able to control the movements of the baby monitor's camera, moving it to observe various rooms in the house, without the parents being aware of it. These attacks were mainly made possible by weak or default passwords, as well as the lack of regular security updates on the devices.

Probably the most serious case dates back to 2015, when VTech, a manufacturer of internet-connected toys and baby monitors, suffered a serious cyber attack that compromised the data of more than 5 million users. Hackers stole personal information, including dates of birth, names of children and parents, passwords and even thousands of intimate photos.

Intelligent refrigerators


Then there are several cases of hacked smart fridges. One of the most notorious incidents was reported in 2014, when a smart fridge, along with 100,000 other devices, was part of a botnet used to send spam. There is also a theoretical risk that criminals could steal personal information: smart fridges often require connections to services such as Google Calendar or email.

Advice

The Cyber Resilience Act addresses the root of the problem. Manufacturers will be obliged to remove default passwords, which are often vulnerable to attack, and to ensure continuous software updates to fix security holes. Companies will also have to be more transparent about the security measures of their products and clearly communicate to consumers how long devices will be supported with updates.

But it will still take many months to come into force.

In the meantime, here is what experts advise: always replace the default passwords on devices with long sequences of words, numbers and symbols; keep the firmware and software of the devices up to date.

Turn off unused functions: do we really need cameras and microphones in dolls and vacuum cleaners? Let's also pay attention to how much personal data we put into smart devices, especially when it comes to children. Let's not share unnecessary sensitive information such as names, birthdays or home address.

Let's strengthen the security of home Wi-Fi by using WPA3 encryption, changing the router's password and disabling remote access functions if not needed.

Last point: the smarter the device, the more we must be able to trust its manufacturer. Let's avoid unfamiliar brands or those with a low reputation. Saving money exposes us to risks, and insults, that we may not even imagine at the time of purchase.

Copyright reserved ©