Concise Cyber

Neato Smart Vacuum Caught Broadcasting Unencrypted Map of Owner’s Home

A software developer named Chris discovered his Neato Botvac Connected, a popular smart vacuum, was transmitting a detailed map of his home over the internet. The discovery was made after he decided to monitor his home network’s traffic to see what his various Internet of Things (IoT) devices were communicating.

Using network analysis tools, Chris observed the robot vacuum sending data to a server hosted on Amazon Web Services (AWS). This data, he found, contained a precise floor plan of his residence, generated by the vacuum’s laser navigation system. This event highlighted a significant privacy concern for smart home device owners.

Unencrypted Data Transmission Exposed

The central security issue was the transport: the vacuum sent the home map data over an unencrypted HTTP connection, so the information travelled in plaintext and could be intercepted and read by anyone with access to the same local network. The data packet also included the device's unique serial number, tying the map directly to that specific vacuum cleaner.
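To make the kind of check described above concrete (monitoring a home LAN for what IoT devices send out, then looking for identifiers and map data travelling in the clear), here is an added example that is not code from the article, from Chris, or from Neato. It takes per-connection summaries of the sort one would export from a packet capture and flags cleartext HTTP uploads to external hosts whose body carries a serial number or map-like payload. Every record, hostname, address and serial value below is a constructed placeholder, and the JSON field names it searches for (`"serial"`, `"map"`, and so on) are assumptions about a hypothetical payload, not the real device's format.

```python
"""Audit per-connection summaries for cleartext IoT uploads to the internet.

Added example, not code from the article, from the reporter, or from the
vendor. All records, hosts, addresses and the serial value are constructed
placeholders; the JSON field names are assumptions about a hypothetical
payload, not the real device format.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Address space treated as "local": RFC 1918 plus loopback and link-local.
# ipaddress.is_private is deliberately not used: it also covers documentation
# ranges such as 203.0.113.0/24, which the constructed records below use as
# stand-in "internet" addresses.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Assumed payload markers: a "serial" field and keys a floor plan might use.
SERIAL_RE = re.compile(rb'"serial"\s*:\s*"[A-Za-z0-9-]{6,}"')
MAP_KEYS = (b'"map"', b'"floorplan"', b'"coordinates"', b'"lidar"')


@dataclass
class Flow:
    src: str          # device address on the LAN
    dst: str          # server address
    dst_port: int
    proto: str        # "http" = cleartext, "tls" = encrypted, "dns", ...
    method: str       # HTTP method when visible, else ""
    host: str         # HTTP Host header or TLS SNI when visible, else ""
    body: bytes       # cleartext request body as captured; b"" if opaque


def is_external(ip: str) -> bool:
    """True when the address is outside the local ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def classify(flow: Flow) -> List[str]:
    """Return findings for one flow; an empty list means nothing notable."""
    findings: List[str] = []
    if not is_external(flow.dst):
        return findings            # LAN-internal traffic is out of scope here
    if flow.proto != "http":
        return findings            # encrypted or non-HTTP: body not inspectable
    findings.append("cleartext HTTP to external host")
    if flow.method.upper() in ("POST", "PUT"):
        findings.append(f"cleartext {flow.method.upper()} upload")
    if SERIAL_RE.search(flow.body):
        findings.append("device serial number in cleartext body")
    if any(key in flow.body for key in MAP_KEYS):
        findings.append("map/geometry data in cleartext body")
    return findings


def audit(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each flow's destination (host:port) to its findings, skipping clean flows."""
    report: Dict[str, List[str]] = {}
    for flow in flows:
        findings = classify(flow)
        if findings:
            report[f"{flow.host or flow.dst}:{flow.dst_port}"] = findings
    return report


# Constructed records standing in for what a capture of a home LAN might show.
SAMPLE_FLOWS = [
    # A hypothetical vacuum posting its map and serial in the clear.
    Flow("192.168.1.42", "203.0.113.10", 80, "http", "POST", "upload.vendor.invalid",
         b'{"serial":"VAC-0001-TEST","map":{"coordinates":[[0,0],[3,4],[3,0]]}}'),
    # The same device talking TLS: the body is opaque, nothing to flag at this layer.
    Flow("192.168.1.42", "203.0.113.11", 443, "tls", "", "api.vendor.invalid", b""),
    # A DNS lookup to the home router: not egress.
    Flow("192.168.1.42", "192.168.1.1", 53, "dns", "", "", b""),
    # A smart bulb fetching time over plain HTTP: cleartext, but no identifiers.
    Flow("192.168.1.57", "203.0.113.20", 80, "http", "GET", "time.vendor.invalid", b""),
]

if __name__ == "__main__":
    for dest, findings in audit(SAMPLE_FLOWS).items():
        print(dest)
        for item in findings:
            print("  -", item)
```

The TLS flow produces no findings not because it is known to be safe but because its body cannot be inspected at this layer, which is exactly the property the later firmware change in the article restores: an eavesdropper on the LAN sees the destination, not the floor plan.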

Chris documented his findings and posted them on the Neato Robotics developer network forum to alert the company and other users of the potential vulnerability. The unencrypted nature of the data transfer represented a clear privacy risk, as sensitive information about a person’s living space was being broadcast in a readable format.

The Company’s Response and Firmware Update

Neato Robotics responded to the public disclosure by confirming the data transmission. The company stated that the map data was sent to its servers for customer support and diagnostic purposes. They also clarified that this specific functionality was part of a beta program that the user had voluntarily joined.

Following the report, Neato took action to address the security flaw. The company issued a firmware update for the Botvac Connected model that changed the data transmission protocol from unencrypted HTTP to HTTPS, encrypting the map data in transit so that an eavesdropper on the network could no longer read it. This resolved the specific vulnerability that the user had discovered.