The iRobot Roomba 980 is one of the four vacuum robots that we have tested for security and privacy as part of our vacuum robot test. iRobot has been on the market with vacuum robots since 2002 and could be described as the “top dog” in the field. The following test report shows whether this pioneering role also carries over to security and privacy.
The iRobot can be set up quickly and easily via a WiFi network that is activated manually. The WiFi network provided by the iRobot is not encrypted. However, no unencrypted communication between the vacuum robot and the app could be detected. Furthermore, the WiFi network was deactivated again after a few moments and the Roomba was connected to the laboratory WiFi. During and after the setup, all local communication was encrypted with TLS 1.2.
App & online communication
Version 3.2.0 of the iRobot app was put to the test. It is largely obfuscated, which makes reverse engineering of the source code more difficult for attackers. It includes several third-party modules, but we were not able to identify any noteworthy vulnerabilities through static and dynamic analysis.
Like the Roomba 980, the app always communicates over TLS 1.2 and is therefore protected against simple man-in-the-middle attacks. Implementing certificate pinning, i.e. extended certificate validation in the app, is strongly recommended to counter more advanced attacks. Unencrypted connections could not be detected during the test.
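The certificate pinning check recommended above, sketched as an added example (not code from the iRobot app or from this test): after normal CA and hostname validation, the client also requires the server certificate's SHA-256 fingerprint to be in a pin set shipped with the app. It is written in Python for illustration and pins the whole certificate; the function names and the byte strings standing in for DER certificates are constructed.

```python
import base64
import hashlib
import hmac
import socket
import ssl


def cert_pin(der_cert: bytes) -> str:
    """Pin format used here: base64(SHA-256(DER-encoded certificate))."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_cert, pinned) -> bool:
    """True only if the certificate's pin is in the pin set.
    Fails closed when no certificate was presented or no pins are configured."""
    if not der_cert or not pinned:
        return False
    actual = cert_pin(der_cert)
    # Constant-time comparison of each candidate pin.
    return any(hmac.compare_digest(actual, p) for p in pinned)


def open_pinned(host: str, port: int, pinned, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with standard chain + hostname validation, then enforce the pin."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # A chain that validates against the device trust store is not enough:
    # the presented certificate must also be one the app was shipped with.
    if not pin_matches(tls.getpeercert(binary_form=True), pinned):
        tls.close()
        raise ssl.SSLCertVerificationError(f"certificate pin mismatch for {host}")
    return tls


# Constructed stand-ins for DER certificates (not real certificates).
EXPECTED_CERT = b"constructed DER bytes: current cloud endpoint certificate"
BACKUP_CERT = b"constructed DER bytes: backup certificate for rotation"
INTERCEPT_CERT = b"constructed DER bytes: valid chain from another trusted CA"

# Shipping a backup pin keeps the app working across a certificate rotation.
PINS = {cert_pin(EXPECTED_CERT), cert_pin(BACKUP_CERT)}
```

The third sample is the case TLS alone does not cover: a certificate that chains to some CA trusted on the device still fails the pin check.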
The fact that the word “anonymous” does not appear in the long document is not surprising, especially with regard to the announced cooperation with Google. All recorded data is transferred to the USA within the framework of the EU-US Privacy Shield and processed there.
The iRobot Roomba 980 provides the user with a secure solution for both local network and cloud communication. The manufacturer also provides very detailed information on privacy, even if doubts may arise about the necessity of the data recording.