In our vacuum robot test, we put four vacuum robots through their paces. Vorwerk vacuum cleaners have been sold under the “Kobold” brand since 1930. Vacuum robots have also been included in the product family since 2014. In the following test report, we have taken a closer look at the current VR300 model with regard to security and privacy.

App

Version 2.0.0 of the Kobold App has been put to the test. It is heavily obfuscated, which makes it difficult for potential attackers to understand the internal functions of the app.

It also contains a password-protected root certificate for *.ksecosys.com, for which certificate pinning is implemented. In the test, the app always communicated with TLS1.2 encryption, and no local communication could be detected.

Map created by the vacuum robot

Our testers were also positively surprised that there is no Facebook program code in the app. Such code was present in every other vacuum robot app under test, enabling the social media company to gain insight into users’ lifestyles and purchasing behavior, as well as to track their advertising ID across apps.

Online communication

The Internet communication of the Kobold VR300 is always encrypted, but the TLS1.0 encryption protocol used should be brought up to the state of the art in a timely manner.

TLS1.0 traffic of the robot

The communication of the vacuum robot is protected against simple attacks by the protocol used. The communication of the app is always TLS1.2 encrypted and, thanks to the implemented certificate pinning (an extended form of certificate validation), is also protected against advanced attacks.

TLS1.2 traffic of the app

Privacy

The “Privacy Policy for the Kobold Robot App” was last amended in October 2018 and informs interested parties and customers in clearly understandable words which data is collected for which purpose. Only as little data as necessary is collected, and it is only used in anonymous form for statistics, evaluation purposes, product improvement or similar purposes. The data is processed at Vorwerk sites in Germany and Switzerland, and also in the USA, but according to EU data protection standards. The latter processing site can probably be traced back to Vorwerk’s acquisition of the US Neato Group in the fall of 2017.

Conclusion

With the Kobold VR300, Vorwerk offers a secure vacuum robot that has clear privacy advantages as well as always encrypted communication. For this reason, we rate the vacuum robot with three out of three stars.