As part of our comparative test of robot vacuums, the AV-TEST IoT laboratory has selected four current representatives in order to subject them to the test process and thus realistically assess the security level in this product category. The 360 Eye from the renowned British manufacturer Dyson is the first to be put to the test. As one of the devices equipped with a camera in addition to a large number of other sensors, the Dyson robot is, of course, particularly critical when it comes to security and privacy – a weak point in the security concept could make the robot vacuum the perfect spy for attackers!

The following report is intended to show whether these fears are justified in the case of the Dyson 360 Eye or whether the device passed all tests with typical British composure.


Application

The mobile applications for the Dyson 360 Eye made a thoroughly solid impression in the test: the source code of the Android app (com.dyson.mobile.android; v4.4.18460) is obfuscated to a high degree, and static analysis did not reveal any obvious critical weaknesses. We found a Dyson root certificate in the application's assets, but it was protected by a password, which was not openly hard-coded anywhere in the source code.

There were also no other points of criticism for the Dyson applications. The implementation of security-relevant functionality, such as login and data transfer, is free of obvious weak points and up to date. In addition, the app does not store unencrypted logs or the like and thus offers no obvious starting points for an attack.


Local and online communication

For communication with the cloud, the Dyson robot uses only encrypted TLS connections in a sufficiently up-to-date version. These are also adequately protected against standard man-in-the-middle attacks, so that reading or manipulating data during transmission is practically impossible.

Message Queuing Telemetry Transport (MQTT) is used for local communication between the app and the robot via WiFi. This protocol is unencrypted by default, and so in the test it was possible to read the commands sent to the robot and to trigger robot functions by replaying them. However, the attacker must be in the same local network as the robot in order to take advantage of this. The danger potential is therefore quite limited. Nevertheless, since this circumstance theoretically allows some attack scenarios, we have to downgrade the overall rating for the unsecured local communication at this point.

Figure: Unencrypted communication via MQTT (example: Start Full Clean)


Not a vulnerability in itself, but nevertheless worth mentioning: the port scan of the robot detected an open UDP port, although we could not observe any traffic over this protocol during test operation.

Apart from that, there is nothing wrong with the communication behavior of the Dyson product and its applications.


Data privacy

When it comes to data privacy, other manufacturers should take Dyson as an example. The interested customer is offered a simple, clear and complete data privacy statement. The short version covers, in short sentences, the most important topics such as "What personal data do we collect?" or "How do we store your personal data?".

The complete data privacy statement, available in several languages, mentions several times that only as much data as is absolutely necessary is collected. In addition to product improvements, anonymised data is also used for statistics and for direct advertising of the manufacturer's products that may interest the customer.

The only drawback is that in the tested app version the data privacy statement is only accessible AFTER account creation. However, this should be easy for Dyson to fix.


Conclusion

The 360 Eye from Dyson convinces in the test with a very solid showing: application and device leave a very good impression on the testers with regard to their security. Especially in the area of data privacy, the product sets an example with its very restrained data collection and a model data privacy statement.

For the unprotected and easily manipulated communication in the local network, we have to deduct a star, but that does not seriously cloud the overall positive impression. Overall, a very solid performance by the British representative in this segment and a good 2 out of 3 stars.