Privacy on Smart Home? Sure — But Secure!

DJI robot vacuum hacked: 7,000 strangers' living rooms via a master key

Sun, 01 Mar 2026 00:00:00 +0100

A few days ago a press release turned up in my feed. I skim a lot of them every day – most I just scroll past. Not this one.

DJI. Robot vacuum. 7,000 strangers’ living rooms. A master key.

I read the article twice. And then I knew immediately: a follow-up video was needed.

The pattern that keeps repeating

If you’ve read my robot vacuum article, you might be nodding right now. Back then it was Ecovacs. Hacked robots remotely controlled in real time, chasing pets and shouting slurs through their speakers. I tried to explain back then why that wasn’t an absurd one-off incident, but a structural problem with this entire product category.

And now it’s happened again. Different manufacturer. Same category. Same fundamental vulnerability in principle.

This bothers me – not because I want to vilify robot vacuums, but because I believe most people who buy one simply don’t know what’s actually happening with their data. With the floor plan of their home. With camera footage, if the model has one. With the question of who, besides themselves, could theoretically access all of that.

What happened this time

It started innocuously. A French developer, a brand-new DJI robot vacuum, a free evening. The idea: control the robot around the apartment with a PS5 controller. Mario Kart in real life, but with dust bunnies.

To connect the controller, he needed the key from the app – nothing illegal, it was his own device. But when he used that key with the DJI server, the server didn’t just download his own data – it downloaded data from thousands of others. Over 7,000 robots across 24 countries. Battery levels, home floor plans, live camera feeds from strangers’ living rooms. The key wasn’t a normal key. It was a master key for the entire system.

DJI patched the vulnerability after it was reported. That’s good. But it doesn’t change the underlying picture.

Why I keep talking about this

After making this video I naturally asked myself whether I’m starting to get repetitive. Robot vacuums again. Privacy again. Same topic again.

But then I look at the comments under the old video. And I see how many people write that they simply hadn’t known how the technology behind it works. Not because they weren’t interested. But because hardly anyone explains it without immediately descending into panic or buzzwords.

That’s exactly what I want to do differently. No moralising, no fearmongering. Just: here are the facts. Here’s what they mean. And here are three concrete things you can do – if you want to. What you do with a camera-equipped robot vacuum in your home is your decision. I just want that decision to be an informed one.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

If you already have a view on this – or you have a robot vacuum at home and feel a quiet unease stirring – write it in the comments. I genuinely appreciate every perspective. And yes, every comment helps the video reach more people who are asking themselves exactly these questions for the first time.

Sources:

Home Assistant A-Z: K is for AI – Why Artificial Intelligence Does (Not) Belong in Smart Home

Sun, 07 Dec 2025 00:00:00 +0000

Welcome to the A-Z Series: K is for AI

In today’s episode of our Home Assistant A-Z Series, we tackle a controversial topic: Artificial Intelligence in your Smart Home! AI is everywhere right now – but does it really align with the core principles of Home Assistant? Today I give you 10 reasons why AI actually doesn’t belong in Home Assistant – and at the end I’ll still tell you where AI can make sense.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

The Uncomfortable Truth About AI in Smart Home

Artificial intelligence is the buzzword of the moment. Every manufacturer advertises it, every app wants to be “intelligent.” But let’s be honest: Does your Smart Home really need AI? Or is it just marketing?

Home Assistant was built with clear values: Local control, privacy, independence, and reliability. And this is exactly where the problem with AI models begins. In the video I show you why these two worlds actually don’t fit together – and why that’s actually a good thing!

Reason 1: Cloud Dependency vs. Local Control

The foundation of Home Assistant is local control. Your data stays with you, your system works even without internet. This is one of the main reasons many of us switched to Home Assistant in the first place!

AI models, on the other hand? They run almost always on external cloud servers. Why? Because they need enormous computing power. That’s the complete opposite of what makes Home Assistant special.

In the video I explain why this cloud dependency is not just a philosophical problem, but has real practical disadvantages.

Reason 2: Unpredictability – Smart Homes Need Determinism

Imagine: You come home and sometimes the lights turn on, sometimes not. Or the heating decides today that it’s not that cold after all. Sounds absurd? That’s exactly what happens when you let AI run unchecked in your Smart Home!

AI always works with probabilities. “With 87% probability the mail carrier is at the door” – fine for a notification. But for critical automations? Absolutely not!

When It’s Cold, the Heating Must Come On

A classic example from the video: When the temperature drops below 19 degrees, the heating should kick in. Period. No discussion.

You don’t want an AI model “thinking” about whether it currently makes sense to turn on the heating. You’re cold right now – there’s no time for probability calculations!

Watch the video to see where this difference between deterministic rules and AI probabilities really becomes critical!

Reason 3: Explainability Is Completely Missing

With a classic automation you can precisely trace what happened:

You look at the traces
You see which conditions were met
You find the error and fix it

With AI you only get: “The model decided it was A.” Why? No idea. What can you change? Unclear.

Classic debugging as in software development is simply impossible. In the video I show you why this is a massive problem for the maintainability of your Smart Home.

Reason 4: Hallucinations Are Fatal in Smart Homes

You’ve surely heard of “hallucinations” in AI models – when the AI makes up things that don’t exist. This is an inherent property of AI and cannot be completely eliminated.

AI Cannot Say “I Don’t Know”

AI models have an extremely hard time admitting they don’t know something. Present them with a choice between A or B, and a decision will be made – even if the underlying data isn’t there at all.

In your Smart Home, this can have fatal consequences. In the video I give you concrete examples of where such hallucinations can become truly dangerous.

Reason 5: AI Is in Constant Flux

What works today with a particular AI model may be completely different tomorrow with the next version. AI models are in an extremely fast development cycle.

You’ve set up your automations perfectly, everything’s running? Then the next AI model update comes along and turns everything upside down. That’s the opposite of what a Smart Home should be – stable, reliable, low-maintenance.

In the video I explain why this constant change turns your Smart Home into a perpetual work-in-progress!

Reason 6: Computing Power – Local or Cloud?

If you want to run AI locally (which would actually be the only Home Assistant-compatible option), you need massive computing power.

Most of us run Home Assistant on a Raspberry Pi or similarly lightweight hardware. That’s enough for hundreds of automations – but not for compute-intensive AI models.

So back to the cloud? Then we’re back at Reason 1: cloud dependency. A vicious cycle!

Watch the video to see what hardware you’d really need for local AI – the numbers are sobering!

Reason 8: Privacy – Your Private Life

Yes, Reason 7 is missing from the transcript – probably a small mistake during recording! But Reason 8 is all the more important: Privacy!

Smart Home data is extremely private:

Camera images show your home and your family
Presence data reveals when you’re home and when you’re not
Sensor data shows your habits in the finest detail

Should this intimate information really end up in a cloud AI? Absolutely not!

In the video I explain why Smart Home data in particular is so sensitive and why you should be very careful about who you trust with this data.

Reason 9: Home Assistant Already Has Everything

Let’s be honest: Look at the list of integrations! Over 3,000 integrations, countless sensors, helpers, template functions – Home Assistant can already do just about everything.

What You Really Need

You can derive precise decisions from your sensors:

Motion sensors tell you if someone is home
Bluetooth beacons track your devices
Temperature sensors control the heating
Brightness sensors regulate the lighting

All of this deterministic, reliable, and with the precision you define in your automations.

In the video I show you that the real use cases for AI in Home Assistant can be counted on one hand!

Reason 10: AI Solves Problems You Can Solve Differently

The last reason is perhaps the most important: Do you really need AI for these problems?

Example 1: Presence Detection

Do you need AI to detect if someone is home? No!

Motion sensors in every room
Bluetooth beacons from smartphone or watch
Door sensors

All of this gives you deterministic, reliable presence detection – completely without AI!

Example 2: Heating Control

Do you need AI-powered heating control to squeeze out the last percent of optimization? Or would a simple day and night temperature be completely sufficient?

The answer is almost always: The simple solution is enough! In the video I give you more examples where AI seems complicated but the solution is actually simple.

But: AI Can Still Help!

After all the critical points, I promised: There are actually sensible use cases for AI in Home Assistant! Just not where most people expect them.

Use Case 1: Analyzing Log Files

Who doesn’t know this? Home Assistant floods you with log files, and you desperately ask yourself: “What’s actually going wrong here?”

AI models or language models are perfect for processing large amounts of text.

Simply copy the log files into ChatGPT or another language model and ask: “What’s the problem here?” Even if a direct solution doesn’t always come out, you at least get ideas for further research.

In the video I show you how this works in practice and which prompts work well!

Use Case 2: Debugging Jinja Templates

You’ve gotten tangled up in Jinja templates again and are completely at a loss as to why it’s not working?

Copy the template snippet into an AI and let it analyze it. The chances are good that you’ll get valuable tips on where the error lies.

This is, by the way, one of my personal main use cases for AI: understanding and debugging complex template syntax!

Use Case 3: Object Detection

The third sensible use case: Object detection in camera images.

“Is that the mail carrier at the door or the neighbor?” – this is actually a legitimate use case for AI (or more precisely: for machine learning).

Important distinction: Here we’re talking less about language models, but rather classical machine learning for image recognition. In the video I explain the difference and why it actually makes sense here.

Conclusion: AI Doesn’t Replace Logic

After all these arguments, the conclusion can be stated very clearly:

AI doesn’t replace logic in Home Assistant. At best, it can help build it better.

Home Assistant thrives on:

Deterministic rules
Local control
Privacy
Reliability

And these are exactly the values you should not sacrifice for the AI buzzword. Use AI where it truly adds value – in debugging, in development, in specific recognition tasks. But build your Smart Home on solid, transparent automations.

Make sure to watch the complete video – I go even deeper into each argument and show you practical examples!

What’s your take on AI in your Smart Home?

Write in the comments:

Are you already using AI features in Home Assistant?
Did I convince you, or do you see other sensible use cases?
Where would you like AI support?

Robot Vacuums in the Smart Home - The Underestimated Data Hog

Thu, 15 May 2025 00:00:00 +0000

Introduction

Imagine your robot vacuum knows more about you than your closest friends — even though it’s only supposed to clean the floor. It drives through your home, scans your rooms, listens to your conversations, and you think it’s really just vacuuming? Sounds like a horror movie, but that’s exactly reality.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

The Ecovacs Incident of 2024

In October 2024, hacked Ecovacs robot vacuums in the US turned into full-blown stalkers ¹. They chased pets and hurled racist insults at their owners, terrorizing entire households ². But how did it get to this point? The attackers exploited a glaring security vulnerability in the robots’ software. The security PIN that was supposed to prevent unauthorized access was only verified in the app, not on the device itself — a fatal flaw that hackers knew how to exploit ³.

What makes this case particularly alarming: common security measures like strong passwords or two-factor authentication would not have helped here. The manufacturer had made such a fundamental programming error that even best-practice security measures were rendered useless.

The Underestimated Problem of Profiling

But even if your robot vacuum isn’t hacked, there is another massive problem: profiling. Many people might think, what could a robot vacuum really know about me? The answer is: frighteningly much.

To understand how powerful data analysis can be, here is a real-world example from the US: In 2012, a teenager suddenly started receiving ads for baby products from the retail chain Target. Her outraged father complained to Target about the alleged harassment of his daughter — only to find out a few days later that his daughter was actually pregnant. The algorithm had detected subtle changes in purchasing behavior and drawn the right conclusions before the family even knew ⁴.

What Does This Mean for Robot Vacuums?

Your robot vacuum links movement patterns, camera images, and sounds. It knows:

When you sleep
When you come home
Whether your routines change
Which rooms are used and how often
What conversations take place in your home

Why This Matters

“Why would anyone spy on me? I’m not important at all.” This thought is understandable, but it misses the core of the problem. It’s not about targeted surveillance of individuals — it’s about mass data collection:

Companies don’t specifically target your data
They simply collect everything, because storage is cheap
What seems harmless today can become highly sensitive tomorrow through AI analysis
The value lies not in any single household, but in the sheer volume of data

This data can feed algorithms that make decisions about:

Health insurance eligibility
Credit scoring
Personalized advertising

Concrete Recommendations

What can you actually do to protect yourself?

Basic security measures:
- Use strong passwords
- Install updates regularly
- Put devices on a guest network
Consider before buying:
- Think twice before getting devices with cameras or microphones
- Be especially critical of cloud-based data processing
Alternative solutions:
- The Valetudo project offers open-source firmware for some robot vacuum models
- This lets you keep control over your own data

Conclusion

Even large, seemingly trustworthy brands are not immune to data breaches — as the Volkswagen incident of 2024 illustrates, where data from over 400,000 electric vehicles ended up unprotected on the internet ⁵.

Making a genuinely reliable purchase recommendation for a “secure” robot vacuum is nearly impossible. The most pragmatic approach seems to be avoiding models with cameras and microphones and accepting the reduced feature set. An alternative for tech-savvy users is the Valetudo project ⁶, which provides an open-source alternative to the manufacturer’s firmware. Because in the end, protecting your privacy matters more than the supposed convenience of extra features.

Remote Access with Cloudflare – Done Right!

Fri, 18 Apr 2025 00:00:00 +0000

Many people set up a Cloudflare Tunnel, see that Home Assistant is reachable from anywhere — and stop right there. The problem: the tunnel is encrypted, but anyone can access it. No login, no access control, nothing. It’s like locking your apartment door while the building’s front door is wide open.

I’ll show you how to do this properly: set up the tunnel, secure access — and at the end, make an honest assessment of what you’re trusting Cloudflare with.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

The False Sense of Security Through HTTPS

Many people think: “If I use HTTPS, I’m safe.” But that’s a misconception. SSL encrypts the connection — it does not prevent your Home Assistant from being visible and vulnerable on the internet. That’s exactly what happens when you only set up a tunnel and do nothing else.

Today we go one crucial step further: Cloudflare Tunnel plus access control. If you’ve already set up the tunnel, you can skip ahead to the next section.

Info: The hands-on step-by-step walkthrough is in the video above. You’ll need your own domain to follow along. If you don’t have one yet, I recommend Netcup based in Karlsruhe:

Netcup is a German hosting provider I’ve been a customer of since 2011 — now with nine products (domains, web hosting, vServers and root servers). I’ve been consistently satisfied over all those years. I particularly want to highlight the reliable infrastructure, excellent support, and transparent pricing.

A real standout feature: special offers at Netcup are often permanent. That sets Netcup clearly apart from other providers where the price typically rises after the first year.

If you want to support me and my content, I’d be happy if you book through my referral link: 👉 https://www.netcup.com/de/?ref=21226

I also have vouchers for new customers for various Netcup products. Just reach out — I’m happy to help!

Thank you for your support! It helps me keep creating content for you.

― Joachim

The Weak Spot in Many Cloudflare Setups

Your smart home is now reachable from the internet — and many people stop there, satisfied. But there is one critical problem with this setup: while the tunnel connection is encrypted, anyone can access it.

It’s like locking your apartment door while the front door of the building stands wide open. Today we do better and add an additional layer of protection.

Info: The hands-on step-by-step walkthrough is in the video above.

How Trustworthy Is Cloudflare?

So now, to stay with the analogy, the front door is also securely locked and only someone with keys to both doors can get through. Right? Unfortunately, no. Because there’s one player you may not have on your radar — and that’s Cloudflare itself.

We’ve set up two layers of protection: the authentication in Home Assistant and Cloudflare Access. For a hacker to access your smart home now, they’d need to successfully bypass both security mechanisms — Cloudflare’s and Home Assistant’s. The odds of that are orders of magnitude lower than if the system were just sitting open on the internet. Sounds like a perfect setup? Almost — because there’s one small but important catch.

Cloudflare itself has unencrypted access to everything passing through the connection in this setup. And Cloudflare is a US company, which means it is not subject to the strict data protection regulations that apply here in Europe. You therefore have to place a certain degree of trust in the company behind Cloudflare. If that makes you uncomfortable — what are the alternatives? You could set up your own VPN access with WireGuard or Tailscale — technically a bit more demanding, but privacy-friendly. Or you use Home Assistant Cloud — it’s a paid service, but offers a straightforward and secure solution with considerably more concrete privacy rules than Cloudflare. However, you still have to extend some trust here too, because Nabu Casa — the company behind Home Assistant Cloud — is also a US company and is not bound by EU rules. That said, they do advertise that they don’t log user activity or analyze it for advertising purposes. That may matter to some of you.

My Take

If you use Cloudflare correctly — with Tunnel and Access — you have a free, highly secure solution for remote access to Home Assistant, without opening a single port.

Cloudflare is, however, a US company with unencrypted access to your connection. If that’s not acceptable to you, consider WireGuard, Tailscale, or Home Assistant Cloud instead. More on those coming soon here on “Smart Home? But Secure!”

Privacy on Smart Home? Sure — But Secure!

DJI robot vacuum hacked: 7,000 strangers' living rooms via a master key

The pattern that keeps repeating

What happened this time

Why I keep talking about this

Home Assistant A-Z: K is for AI – Why Artificial Intelligence Does (Not) Belong in Smart Home

Welcome to the A-Z Series: K is for AI

The Uncomfortable Truth About AI in Smart Home

Reason 1: Cloud Dependency vs. Local Control

Reason 2: Unpredictability – Smart Homes Need Determinism

When It’s Cold, the Heating Must Come On

Reason 3: Explainability Is Completely Missing

Reason 4: Hallucinations Are Fatal in Smart Homes

AI Cannot Say “I Don’t Know”

Reason 5: AI Is in Constant Flux

Reason 6: Computing Power – Local or Cloud?

Reason 8: Privacy – Your Private Life

Reason 9: Home Assistant Already Has Everything

What You Really Need

Reason 10: AI Solves Problems You Can Solve Differently

Example 1: Presence Detection

Example 2: Heating Control

But: AI Can Still Help!

Use Case 1: Analyzing Log Files

Use Case 2: Debugging Jinja Templates

Use Case 3: Object Detection

Conclusion: AI Doesn’t Replace Logic

Share Your Opinion!

Robot Vacuums in the Smart Home - The Underestimated Data Hog

Introduction

The Ecovacs Incident of 2024

The Underestimated Problem of Profiling

What Does This Mean for Robot Vacuums?

Why This Matters

Concrete Recommendations

Conclusion

Remote Access with Cloudflare – Done Right!

The False Sense of Security Through HTTPS

The Weak Spot in Many Cloudflare Setups

How Trustworthy Is Cloudflare?

My Take