This sucks: dev finds backdoor in his robot vacuum, potentially giving full control to spies

This software engineer was a happy user of an iLife A11 vacuum cleaner for nearly a year, until he discovered a constant stream of data being beamed to China. But that wasn’t the worst of it.
Harishankar Narayanan, a software engineer who also likes to tinker with hardware, only wanted to limit the $300 device from sending excessive telemetry data. However, once he blocked the telemetry IP address in the firewall, peculiar things started to happen.
The vacuum seemed to work fine for a few days, but one morning it suddenly died. It no longer powered on.
“I sent it for repair. The service center assured me, ‘It works perfectly here, sir.’ They sent it back, and – miraculously – it worked again for a few days. Then, it died once more,” Narayanan said in his blog, “Small World.”
This vicious cycle persisted, leading the developer to question whether he was losing his mind. Ultimately, the device’s warranty expired, and Narayanan was left with a dead smart vacuum robot.
“All I did was block its data logging IP address – just the logs, not firmware updates or OTA channels. Simple enough, I thought.”
With nothing left to lose, the engineer picked up a screwdriver and started dissecting the robot himself.
“If I couldn’t revive it, I would at least understand why it had died.”
The revelations are quite shocking.
Powerful backdoor utilized as a kill switch
The engineer disassembled the entire device, traced all the components, and even built his own new control system to understand how it works.
He discovered an open Android Debug Bridge with no authentication. The device was running Linux – basically, a full computer with a camera and other sensors. Narayanan obtained root access after using a few hacks to bypass the vendor’s protections.
“I found logs, configurations, and even the unencrypted WiFi credentials that the device had sent to the manufacturer’s servers,” he said.
The device was also running Google Cartographer – a powerful library for real-time simultaneous localization and mapping (SLAM). While it creates detailed maps for efficient cleaning, it could also be misused to track a home’s layout and occupancy patterns in fine detail.
The darkest discovery was one simple log entry, revealing that someone had deliberately connected to the device and disabled it remotely. Someone changed the script that initializes the robot to prevent the device’s main application from launching.
“The timestamp matched precisely with when it had stopped working, even though I hadn’t touched the app.”
The inexpensive vacuum, which utilized top-tier robotics software, also contained the “rtty” software package, enabling complete remote control. It’s basically a backdoor planted by the vendor, capable of altering files, transferring data, and executing commands.
“They didn’t merely create a backdoor; they utilized it. All I sought was to prevent my vacuum from calling home. However, I discovered that it was never truly mine to begin with,” the developer said.
“This small piece of software allows remote root access to the device, enabling the manufacturer to run any command or install any script remotely without the customer’s knowledge.”
This explained why the device stopped working – it was some sort of vendor “retaliation” against the user who tried to limit their data connection.
“At the service center, they flashed the device and connected it to an open network. It reconnected to the mothership and was remotely ‘revived.’ However, when it returned to my firewall, it got bricked again. This wasn’t a coincidence; it was control,” the blog post reads.
Dozens of other brands potentially contain the same software
The developer told Cybernews that multiple other popular brands likely contain the same software package and remote control capabilities.
The OEM (original equipment manufacturer) 3irobotix provided the hardware platform CRL-200S used in this specific model. The same hardware and likely software power many other rebranded devices from Xiaomi, Wyze, Viomi, Proscenic, and others.
Some similar models include Viomi V2, Cecotec Conga 3290, and Proscenic M6 pro.
“The app is connecting to 3irobotix servers for everything. No trace of iLife servers anywhere in the device,” Narayanan confirmed to Cybernews.
“Based on my analysis of firmware, I think all firmware is directly provided by OEM, and no changes are made by iLife or other vendors as well.”
This means that potentially millions of households could unknowingly harbor a spy with cameras, microphones, sensors, and access to the network, which can potentially be weaponized with a single line of code.
“iLife refused to give any service as my warranty expired. And they suggested an expensive replacement of the motherboard, which made no sense to me,” the developer told Cybernews.
We have reached out to iLife for comment and will include its response.
The work continues
The programmer told Cybernews that he is continuing to investigate by further decompiling the robot software to find more concrete evidence and potential other activities, such as whether WiFi credentials or any other sensitive data are sent to a remote server, and who sent the kill command.
The ongoing investigation is updated in Narayanan’s repository on GitHub.
Cybersecurity researcher: robot vacuums can be especially dangerous when compromised
According to Aras Nazarovas, an information security researcher at Cybernews, remote management software like “rtty” is uncommon in consumer smart devices. However, the prevalence of backdoors is growing in less prominent Chinese brands.
“Finding such software on your smart device is troubling, and warrants further investigation on how it was used by the manufacturer: what commands did they send, was it used to exfiltrate data?” Nazarovas said.
The expert also noted that similar kill switch functionality could be accomplished in a much simpler way, just by hardcoding conditions such as the inability to send telemetry or update servers. Manufacturers intentionally disabling devices already raises concerns about trust.
It’s unclear if the backdoor was implanted deliberately. Vendors often implement various backdoors for testing purposes during development, which later get forgotten and remain in production builds. In both cases, this leaves the device much less secure and susceptible to unauthorized access.
“Robot vacuums can be especially dangerous when compromised, allowing malicious actors to access a 3D map of your home, monitor camera, microphone, and speaker feeds in real time, and in some cases remotely control the device,” Nazarovas said.
“Backdoors in your robot vacuum can be exploited to connect to your computer or smartphone,” Nazarovas warns.
This situation highlights the importance of separating smart devices from the main home network. This can be achieved using VLANs, DMZ zones, or a separate router just for IoT devices.
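One way to implement that separation on a Linux-based router, as an added example that is not from the original article or from Narayanan's write-up: an nftables ruleset that lets a dedicated IoT segment reach the internet but never open connections into the trusted LAN. The interface names `wan0`, `lan0` and `iot0` are assumptions; substitute the router's own.

```nftables
# Added example. Assumed interfaces: wan0 (uplink), lan0 (trusted LAN),
# iot0 (VLAN or SSID reserved for smart devices such as the vacuum).
table inet iot_isolation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were permitted to start.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach the internet and manage IoT devices.
        iifname "lan0" oifname { "wan0", "iot0" } accept

        # IoT devices may reach the internet only.
        iifname "iot0" oifname "wan0" accept

        # Anything an IoT device initiates toward the LAN is logged and dropped,
        # so a remotely controlled device cannot reach computers or phones.
        iifname "iot0" oifname "lan0" log prefix "iot->lan drop: " drop
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # IoT devices get DNS and DHCP from the router and nothing else:
        # no admin UI, no SSH.
        iifname "iot0" udp dport { 53, 67 } accept
        iifname "iot0" tcp dport 53 accept
        iifname "iot0" log prefix "iot->router drop: " drop
    }
}
```

This limits what a compromised or vendor-controlled device can reach inside the home; it does not cut the device's outbound channel to the manufacturer, and the log prefixes give a record of any attempt to cross into the LAN.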