Robot Vacuum on Smart Home? Sure — But Secure!

DJI robot vacuum hacked: 7,000 strangers' living rooms via a master key

Sun, 01 Mar 2026 00:00:00 +0100

A few days ago a press release turned up in my feed. I skim a lot of them every day – most I just scroll past. Not this one.

DJI. Robot vacuum. 7,000 strangers’ living rooms. A master key.

I read the article twice. And then I knew immediately: a follow-up video was needed.

The pattern that keeps repeating

If you’ve read my robot vacuum article, you might be nodding right now. Back then it was Ecovacs. Hacked robots remotely controlled in real time, chasing pets and shouting slurs through their speakers. I tried to explain back then why that wasn’t an absurd one-off incident, but a structural problem with this entire product category.

And now it’s happened again. Different manufacturer. Same category. Same fundamental vulnerability in principle.

This bothers me – not because I want to vilify robot vacuums, but because I believe most people who buy one simply don’t know what’s actually happening with their data. With the floor plan of their home. With camera footage, if the model has one. With the question of who, besides themselves, could theoretically access all of that.

What happened this time

It started innocuously. A French developer, a brand-new DJI robot vacuum, a free evening. The idea: control the robot around the apartment with a PS5 controller. Mario Kart in real life, but with dust bunnies.

To connect the controller, he needed the key from the app – nothing illegal, it was his own device. But when he used that key with the DJI server, the server didn’t just download his own data – it downloaded data from thousands of others. Over 7,000 robots across 24 countries. Battery levels, home floor plans, live camera feeds from strangers’ living rooms. The key wasn’t a normal key. It was a master key for the entire system.

DJI patched the vulnerability after it was reported. That’s good. But it doesn’t change the underlying picture.

Why I keep talking about this

After making this video I naturally asked myself whether I’m starting to get repetitive. Robot vacuums again. Privacy again. Same topic again.

But then I look at the comments under the old video. And I see how many people write that they simply hadn’t known how the technology behind it works. Not because they weren’t interested. But because hardly anyone explains it without immediately descending into panic or buzzwords.

That’s exactly what I want to do differently. No moralising, no fearmongering. Just: here are the facts. Here’s what they mean. And here are three concrete things you can do – if you want to. What you do with a camera-equipped robot vacuum in your home is your decision. I just want that decision to be an informed one.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

If you already have a view on this – or you have a robot vacuum at home and feel a quiet unease stirring – write it in the comments. I genuinely appreciate every perspective. And yes, every comment helps the video reach more people who are asking themselves exactly these questions for the first time.

Sources:

3 Smart Home fails: devices I would NOT buy today!

Sun, 25 Jan 2026 00:00:00 +0200

Imagine: you get up in the morning, want to raise the blind – and nothing happens. Try the app? Nothing. Try the physical switch directly? Dead. And here’s the kicker: the fault is buried deep inside a wall-mounted junction box.

That was the moment I realised: my smart home had just turned into a nightmare. And I’m not alone with experiences like this.

Today I’m showing you three devices that made it very clear to me where smart home can really go wrong. Not theoretical problems – but real fails that cost me time, money and nerves. We’re talking about 14 actuators all failing. A robot vacuum that became useless overnight. And false alarms waking me up in the middle of the night.

Watch the video – I demonstrate the problems live and show you what you can learn from them.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

Fail #1: Shelly 2.5 – When 14 actuators died at the same time

The slow death inside the wall

This is a Shelly 2.5 – an actuator for roller shutters and blinds. I have 14 of them installed. Fourteen! Nearly all in junction boxes, permanently wired behind wallpaper and plaster. My expectation was pretty clear: install once, close up, forget it. Set and forget.

On the software side I was happy for a long time: locally controllable, great Home Assistant integration, no cloud dependency. Exactly what you want.

And then the drama began.

The same defect – 14 times

In all – yes, literally all – of these Shelly 2.5 actuators, one component failed after some time, one by one. All fourteen, always the same defect. Morning routine, raise the blind? Nothing. App? Nothing. Physical switch? Dead.

Now here’s the real nightmare: these things are of course sitting in junction boxes. That means: open the wall, pull out the actuator, desolder the capacitor, solder in a new one, reinstall, close the wall. Per actuator. Fourteen times.

That was a genuine maintenance disaster for me. And I’m not alone. There are masses of reports about this Shelly generation online.

In the video I show you exactly what went wrong and how I carried out the repair. The detailed repair guide is in this separate article.

Small consolation: repair is possible

With a soldering iron you can swap the faulty component for a few cents in parts. But honestly: do you really want to open 14 wall boxes and replace capacitors?

Important note: this problem affects specifically the Shelly 2.5. The successors Shelly Plus 2PM and the Gen 3 and Gen 4 are ones I use heavily myself and have had zero failures with so far. So this isn’t about bashing the manufacturer across the board.

The key lesson

Wait for long-term community experience before buying new products. First generation? Let others be the testers. Second generation with solid reviews over a year? Then go ahead.

Fail #2: Shark robot vacuum – When the cloud kills your integration

From smart home star to useless appliance

The second device frustrated me in a completely different way. It’s about my Shark robot vacuum. And upfront: the hardware is perfectly fine. It vacuums well, navigates decently, does its job.

For months I had it deeply integrated into my smart home. Built automations along the lines of: “When nobody’s home, start cleaning.” The Home Assistant integration ran perfectly. This wasn’t a toy – it was a solid, reliable part of my daily routine.

Watch in the video how well the system worked – before everything fell apart.

One app update. One dead integration.

And then, one morning: automation triggers – nothing happens. Home Assistant shows: connection lost. Maybe a bug? Open the app – it works. Robot starts via app. But the Home Assistant integration? Dead. Still dead weeks later. Permanently.

What happened? The Shark app had updated itself automatically – as apps do. Completely normal, in the background. Without me actively deciding anything or consciously triggering it.

But with this update, something had changed in the cloud interface. The result: the Home Assistant integration was broken. No workaround, no fallback, no local API.

The moment of realisation

That was the moment I understood: I didn’t buy a device I’m in control of. I bought a device whose capabilities can change at any time via a server update. Without my consent. Without warning. And I can do nothing about it.

In the video I explain in depth why this is a fundamental problem with many cloud-dependent devices.

Imagine buying a car – and a year later the manufacturer says: “Sorry, the radio only works with our app now.” That’s exactly what happened here. Except that the “radio” in my case was the entire smart home integration.

The lesson: an exit strategy is mandatory

Cloud is convenient – but you always need an exit strategy.

Is there a local API?
Can I flash alternative firmware?
Does the device work without internet?

Bose recently handed us a similar case. If that interests you, here’s the article about Bose SoundTouch.

Fail #3: Sonoff Zigbee motion sensor – The night-time false alarms

Bought cheap, paid dearly

The third device looks harmless at first glance: a Sonoff Zigbee motion sensor. Cheap, bought 10 of them, quickly integrated, classic use case for lighting automations.

And at first I thought: okay, maybe a bit sensitive. Adjust the calibration, reduce the range, tried everything.

But then reality hit:

The night-time horror

Middle of the night – light comes on. I wake up, fall back asleep. Half an hour later: again. Three, four times per night. After two weeks I was nearly going mad.

I first thought: a bug in my automation. Checked all the logs. But no: the sensor is genuinely reporting motion. Where there isn’t any.

Same during the day. Light comes on when nobody’s in the room. Shadow from outside? Reflection? An insect on the sensor? No idea. But it doesn’t matter – because the result is the same: the system isn’t reliable.

In the video I demonstrate what these false triggers feel like and what impact they have on your trust in the system.

Unreliability is the death of any automation

In my view, this is the death of any automation. Because sooner or later you start disabling automations. Deactivating sensors. You lose trust in the system.

I replaced these sensors consistently with Aqara motion sensors. More discreet, significantly more reliable – and suddenly the system works. No more false triggers. No more waking up at night. Just: it works.

Not a brand problem, but a product problem

Important: this isn’t a general Sonoff problem. I use plenty of other Sonoff devices myself – Sonoff Basic or S20 plug switches for example – flashed with Tasmota. Local, no cloud, rock-solid for years. Except once, a capacitor issue there too – but that stayed a one-off.

The motion sensor is therefore a specific product problem, not a brand problem.

The lesson: test first, then scale up

Test sensors in everyday use before buying ten of them. One sensor for €10 is cheap – but ten faulty sensors are €100 of e-waste.

Unreliable sensors cannot be “optimised”. No tuning, no configuration makes a bad sensor good. Replacing them decisively is the only solution.

Three golden rules for your smart home purchases

From these three fails I’ve developed three rules I explain in detail in the video:

Rule 1: Have an exit strategy

Ask yourself:

Is there a local API?
Can I flash alternative firmware?
Does the device work without internet?

If all the answers are “no” – think very carefully before buying.

Rule 2: Wait for community experience

Wait for long-term reviews. Read user reports. Only install critical actuators where you can reach them again if needed. So junction boxes only with absolutely proven hardware.

Rule 3: Test sensors thoroughly

Testing one sensor in real life for two weeks might cost you €10. Test first, then buy. Not the other way around.

The opposite: the best devices

If you want, in the next video I’ll do exactly the opposite: Three devices that have run absolutely reliably for years. That I would buy again immediately. That cost me zero maintenance.

Watch the video and write “YES” in the comments if that interests you!

Or do you have a smart home device you could throw against the wall? What was your biggest fail? I’m looking forward to your stories in the comments!

Robot Vacuums in the Smart Home - The Underestimated Data Hog

Thu, 15 May 2025 00:00:00 +0000

Introduction

Imagine your robot vacuum knows more about you than your closest friends — even though it’s only supposed to clean the floor. It drives through your home, scans your rooms, listens to your conversations, and you think it’s really just vacuuming? Sounds like a horror movie, but that’s exactly reality.

To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.

The Ecovacs Incident of 2024

In October 2024, hacked Ecovacs robot vacuums in the US turned into full-blown stalkers ¹. They chased pets and hurled racist insults at their owners, terrorizing entire households ². But how did it get to this point? The attackers exploited a glaring security vulnerability in the robots’ software. The security PIN that was supposed to prevent unauthorized access was only verified in the app, not on the device itself — a fatal flaw that hackers knew how to exploit ³.

What makes this case particularly alarming: common security measures like strong passwords or two-factor authentication would not have helped here. The manufacturer had made such a fundamental programming error that even best-practice security measures were rendered useless.

The Underestimated Problem of Profiling

But even if your robot vacuum isn’t hacked, there is another massive problem: profiling. Many people might think, what could a robot vacuum really know about me? The answer is: frighteningly much.

To understand how powerful data analysis can be, here is a real-world example from the US: In 2012, a teenager suddenly started receiving ads for baby products from the retail chain Target. Her outraged father complained to Target about the alleged harassment of his daughter — only to find out a few days later that his daughter was actually pregnant. The algorithm had detected subtle changes in purchasing behavior and drawn the right conclusions before the family even knew ⁴.

What Does This Mean for Robot Vacuums?

Your robot vacuum links movement patterns, camera images, and sounds. It knows:

When you sleep
When you come home
Whether your routines change
Which rooms are used and how often
What conversations take place in your home

Why This Matters

“Why would anyone spy on me? I’m not important at all.” This thought is understandable, but it misses the core of the problem. It’s not about targeted surveillance of individuals — it’s about mass data collection:

Companies don’t specifically target your data
They simply collect everything, because storage is cheap
What seems harmless today can become highly sensitive tomorrow through AI analysis
The value lies not in any single household, but in the sheer volume of data

This data can feed algorithms that make decisions about:

Health insurance eligibility
Credit scoring
Personalized advertising

Concrete Recommendations

What can you actually do to protect yourself?

Basic security measures:
- Use strong passwords
- Install updates regularly
- Put devices on a guest network
Consider before buying:
- Think twice before getting devices with cameras or microphones
- Be especially critical of cloud-based data processing
Alternative solutions:
- The Valetudo project offers open-source firmware for some robot vacuum models
- This lets you keep control over your own data

Conclusion

Even large, seemingly trustworthy brands are not immune to data breaches — as the Volkswagen incident of 2024 illustrates, where data from over 400,000 electric vehicles ended up unprotected on the internet ⁵.

Making a genuinely reliable purchase recommendation for a “secure” robot vacuum is nearly impossible. The most pragmatic approach seems to be avoiding models with cameras and microphones and accepting the reduced feature set. An alternative for tech-savvy users is the Valetudo project ⁶, which provides an open-source alternative to the manufacturer’s firmware. Because in the end, protecting your privacy matters more than the supposed convenience of extra features.