Dennis Giese didn’t set out to build a botnet of robot vacuums. The security researcher, well known in hardware hacking circles for his work on consumer IoT devices, stumbled onto something far more alarming than he anticipated when he discovered a vulnerability in Ecovacs robot vacuums that gave him the theoretical ability to commandeer approximately 7,000 devices across multiple countries. The finding underscores persistent and deeply troubling security shortcomings in the connected home device industry — and raises pointed questions about how manufacturers handle the data flowing through millions of households worldwide.
The story, first reported by Slashdot, traces back to Giese’s ongoing research into the firmware and cloud infrastructure of Ecovacs products. Giese, a PhD student at Northeastern University who has presented at conferences including DEF CON and Chaos Communication Congress, has spent years examining how robot vacuums communicate with their cloud servers, how they store data, and where their security models break down. What he found in this case was a flaw in the authentication and device-claiming process that, if exploited, could allow a remote attacker to take control of vacuums they do not own.
A Flaw in the Cloud: How the Vulnerability Works
The vulnerability centers on how Ecovacs devices register themselves with the company’s cloud infrastructure. When a robot vacuum is set up by a consumer, it establishes a connection to Ecovacs servers and is “claimed” by the user’s account. Giese discovered weaknesses in this claiming mechanism that could allow an unauthorized party to associate themselves with devices they have no physical access to. In practical terms, this means an attacker could send commands to the vacuums, access their cameras and microphones (on models equipped with them), and retrieve mapping data of users’ homes.
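To make the class of weakness described above concrete, here is an added, constructed model of a cloud device-claiming service. It is illustrative code written for this page, not Ecovacs firmware or API code, and the names (`Fleet`, `weak_claim`, `claim`, the `EVAC-` serial format, the 7,000-device fleet size) are assumptions chosen to match the article. The weak flow binds a device to whichever account presents its serial number, so an attacker enumerating predictable serials can sweep up an entire fleet without ever touching a unit. The hardened flow demands a per-device claim secret that only physical access to the unit provides, refuses to rebind an already-owned device, locks out accounts that fail repeatedly, and authorises every later command against the ownership binding.

```python
"""Toy model of a cloud device-claiming flow (constructed example, not vendor code).

weak_claim(): serial number is the only "proof" of ownership -> enumerable.
claim():      requires a per-device claim secret (printed on the unit / shown
              during setup), refuses to rebind owned devices, locks out
              accounts after repeated failures.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Device:
    serial: str
    claim_secret: str            # provisioned at the factory; only visible with the unit in hand
    owner: Optional[str] = None  # account the device is bound to, if any


@dataclass
class Fleet:
    devices: Dict[str, Device] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)  # account -> failed claim attempts
    MAX_FAILURES = 5

    @classmethod
    def provision(cls, count: int) -> "Fleet":
        fleet = cls()
        for i in range(count):
            serial = f"EVAC-{i:06d}"  # sequential serials (assumed): trivial to enumerate
            fleet.devices[serial] = Device(serial, secrets.token_hex(16))
        return fleet

    # --- weak flow: anyone who can guess a serial owns the device -----------------
    def weak_claim(self, account: str, serial: str) -> bool:
        dev = self.devices.get(serial)
        if dev is None:
            return False
        dev.owner = account  # no secret required, no check that the device is unowned
        return True

    # --- hardened flow: proof of possession + one owner + lockout -----------------
    def claim(self, account: str, serial: str, presented_secret: str) -> bool:
        if self.failures.get(account, 0) >= self.MAX_FAILURES:
            return False  # account locked out after too many bad claims
        dev = self.devices.get(serial)
        # Compare against a dummy secret when the serial is unknown so that
        # response timing does not reveal which serials exist.
        expected = dev.claim_secret if dev else secrets.token_hex(16)
        match = hmac.compare_digest(expected, presented_secret)
        if dev is None or dev.owner is not None or not match:
            self.failures[account] = self.failures.get(account, 0) + 1
            return False
        dev.owner = account
        return True

    def send_command(self, account: str, serial: str, cmd: str) -> bool:
        """Every device command is authorised against the ownership binding."""
        dev = self.devices.get(serial)
        return dev is not None and dev.owner == account


def enumerate_and_claim(fleet: Fleet, account: str, hardened: bool, upper: int = 10_000) -> int:
    """Attacker guessing sequential serials with no physical access; returns devices gained."""
    gained = 0
    for i in range(upper):
        serial = f"EVAC-{i:06d}"
        if hardened:
            ok = fleet.claim(account, serial, "0" * 32)  # attacker does not know the secret
        else:
            ok = fleet.weak_claim(account, serial)
        gained += int(ok)
    return gained


def demo() -> Tuple[int, int, bool, bool, bool]:
    weak = Fleet.provision(7_000)
    hard = Fleet.provision(7_000)
    victim = "EVAC-000042"
    # Legitimate owner sets up one device using the secret from the unit itself.
    legit_ok = hard.claim("alice", victim, hard.devices[victim].claim_secret)
    weak_gained = enumerate_and_claim(weak, "attacker", hardened=False)
    hard_gained = enumerate_and_claim(hard, "attacker", hardened=True)
    # After the weak sweep the attacker can drive every vacuum; after the hardened one, none.
    weak_cmd = weak.send_command("attacker", victim, "start_camera")
    hard_cmd = hard.send_command("attacker", victim, "start_camera")
    return weak_gained, hard_gained, legit_ok, weak_cmd, hard_cmd


if __name__ == "__main__":
    print(demo())  # -> (7000, 0, True, True, False)
```

The point of the hardened variant is not the secret alone: refusing to rebind an owned device means a leaked secret cannot be used to steal a vacuum that is already set up, the lockout turns a fleet-wide sweep into a handful of failed requests, and checking ownership on every command (rather than only at claim time) keeps a broken claim path from becoming remote control.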
Giese has been transparent about the fact that he did not intentionally seek to control thousands of devices. During his testing and probing of the Ecovacs cloud API, he realized the scope of what was accessible was far larger than a single device or a handful of test units. The number — roughly 7,000 vacuums — represents a significant fleet of household robots, each one potentially serving as an unwitting surveillance tool inside someone’s home. The affected devices were reportedly spread across several countries, though exact geographic details have not been fully disclosed.
Not the First Time: Ecovacs’s Troubled Security Track Record
This is far from the first time Ecovacs has come under scrutiny for security lapses. In August 2024, researchers Dennis Giese and Braelynn Luedtke presented findings at DEF CON demonstrating that multiple Ecovacs models, including the popular Deebot X2 line, could be compromised to activate cameras and microphones without any indication to the device owner. As reported by TechCrunch at the time, the researchers found that the Bluetooth connection used during initial setup could be exploited from up to 450 feet away, and once access was gained, an attacker could connect to the device remotely over Wi-Fi from anywhere in the world.
Ecovacs initially responded to that disclosure with what critics described as inadequate fixes. The company told reporters it would address the issues in a future firmware update, but security researchers noted that fundamental architectural problems — such as the lack of proper encryption for local video storage and the transmission of authentication tokens over unencrypted channels — suggested the problems ran deeper than any single patch could resolve. In December 2024, ABC News Australia reported on incidents where hacked Ecovacs vacuums had captured intimate images of users, including a woman photographed on a toilet, with those images later surfacing on social media platforms. The company attributed some of these incidents to credential stuffing attacks, but researchers argued the underlying device security made such attacks far too easy to execute.
The Broader Problem: IoT Devices as Unintended Surveillance Infrastructure
Giese’s latest finding fits into a broader pattern that has alarmed privacy advocates and security professionals for years. Robot vacuums are no longer simple floor-cleaning machines. Modern models from Ecovacs, iRobot, Roborock, and others are equipped with LiDAR mapping systems, high-resolution cameras for obstacle avoidance, and microphones for voice commands. These sensors generate extraordinarily detailed maps of private living spaces and, in some cases, capture photographic or audio data from inside homes.
The risk is not merely theoretical. In 2022, MIT Technology Review published an investigation revealing that development images captured by iRobot Roomba devices — including photos of a person sitting on a toilet — had been shared with data labeling contractors and subsequently leaked online. The incident highlighted how even data collected for ostensibly benign purposes, such as training machine learning models for obstacle recognition, can become a privacy catastrophe when security and data governance practices are insufficient.
What Control of 7,000 Vacuums Actually Means
To understand the gravity of Giese’s accidental discovery, consider what an attacker with control of 7,000 robot vacuums could do. Each device with a camera could be turned into a remote surveillance tool, streaming live video from inside homes. Devices with microphones could capture private conversations. Even without cameras or microphones, the detailed floor plans generated by LiDAR mapping could reveal the layout of a home — information potentially valuable for burglary or other criminal purposes. Aggregated across thousands of devices, this data could be used for large-scale intelligence gathering.
Giese has emphasized that his intent was purely research-oriented and that he responsibly disclosed his findings. However, the fact that a single researcher, working without malicious intent, could stumble into control of this many devices suggests that the barrier to exploitation is dangerously low. A motivated attacker — whether a criminal organization, a stalker, or a state-sponsored actor — could potentially exploit similar vulnerabilities at even greater scale.
Ecovacs Responds, but Questions Linger
Ecovacs has acknowledged receiving vulnerability reports from Giese and other researchers in the past. The company has stated publicly that it takes security seriously and works to address reported issues through firmware updates. However, the cadence and depth of these fixes have drawn skepticism. Security researchers have pointed out that some of the vulnerabilities disclosed at DEF CON in August 2024 took months to receive patches, and that certain fundamental design decisions — such as how devices authenticate with cloud servers — may require more substantial architectural changes than simple software updates can provide.
The company’s position in the market adds another dimension to the concern. Ecovacs is one of the world’s largest manufacturers of consumer robot vacuums, with millions of devices deployed globally. The company is headquartered in Suzhou, China, which has led some commentators to raise questions about data sovereignty and the potential for government access to device data under Chinese law. These concerns echo similar debates that have surrounded other Chinese technology companies, including Huawei and TikTok, though it should be noted that no public evidence has emerged linking Ecovacs to state-sponsored surveillance.
The Regulatory Vacuum Around Connected Home Devices
One of the most striking aspects of this story is the relative absence of regulatory frameworks that would compel manufacturers to meet minimum security standards for connected home devices. In the United States, the Federal Communications Commission approved its Cyber Trust Mark program in March 2024 and formally launched it in January 2025, a voluntary labeling initiative designed to help consumers identify products that meet baseline cybersecurity criteria. However, the program is not mandatory, and its standards have been criticized by some security experts as insufficient to address the kinds of deep architectural vulnerabilities Giese has uncovered.
The European Union has moved further with its Cyber Resilience Act, which imposes mandatory cybersecurity requirements on products with digital elements sold in the EU market. The act entered into force in December 2024; its obligation to report actively exploited vulnerabilities applies from September 2026, and its main obligations apply from December 2027. It requires manufacturers to address known vulnerabilities within defined timescales and to provide security updates throughout a product's expected lifetime. Whether such regulations will be sufficient to prevent incidents like the one Giese discovered remains to be seen, but they represent a significant step beyond the largely voluntary approach that prevails in most markets today.
What Consumers Can Do — and What They Shouldn’t Have To
For individual consumers, the options for protecting themselves are limited and unsatisfying. Security researchers generally recommend keeping device firmware updated, using strong and unique passwords for device accounts, segmenting IoT devices onto a separate network from computers and phones, and being cautious about which devices are granted camera and microphone access inside the home. Some users have gone further, using tools to block their devices from communicating with external servers entirely, though this typically disables cloud-based features that many consumers rely on. It is worth being clear about what these measures do and do not cover: a strong account password and a segmented network offer no protection against a flaw in the vendor's own claiming process, because the attacker's commands arrive over the device's legitimate connection to the manufacturer's cloud rather than from inside the home network. Against that class of weakness the only local mitigations are blocking the cloud connection outright, at the cost of app control, or not connecting the device at all; the real fix has to come from the manufacturer.
But the fundamental problem, as Giese’s research makes clear, is that consumers are being asked to trust manufacturers with extraordinarily sensitive data — the physical layout of their homes, images from inside their bedrooms and bathrooms, audio from private conversations — without meaningful assurance that this data is being protected. The discovery that a single researcher could accidentally gain control of 7,000 devices is not just a technical curiosity. It is a warning that the current model of consumer IoT security is failing, and that the consequences of that failure are growing more severe with every new camera-equipped device that rolls off the assembly line and into someone’s living room.