Investigating the Privacy Risk of Using Robot Vacuum Cleaners in Smart Environments

TL;DR

This paper examines privacy risks associated with robot vacuum cleaners in smart environments, revealing that network metadata can expose private user information despite encryption measures.

Contribution

It demonstrates that passive network eavesdropping on vacuum cleaners can reveal private events through metadata analysis, highlighting privacy vulnerabilities.

Findings

Metadata can be used to identify cleaning events

End-to-end encryption does not prevent metadata analysis

Passive eavesdropping poses privacy risks

Abstract

Robot vacuum cleaners have become increasingly popular and are widely used in various smart environments. To improve user convenience, manufacturers also introduced smartphone applications that enable users to customize cleaning settings or access information about their robot vacuum cleaners. While this integration enhances the interaction between users and their robot vacuum cleaners, it results in potential privacy concerns because users' personal information may be exposed. To address these concerns, end-to-end encryption is implemented between the application, cloud service, and robot vacuum cleaners to secure the exchanged information. Nevertheless, network header metadata remains unencrypted and it is still vulnerable to network eavesdropping. In this paper, we investigate the potential risk of private information exposure through such metadata. A popular robot vacuum cleaner was deployed in a real smart environment where passive network eavesdropping was conducted during several selected cleaning events. Our extensive analysis, based on Association Rule Learning, demonstrates that it is feasible to identify certain events using only the captured Internet traffic metadata, thereby potentially exposing private user information and raising privacy concerns.