A technology enthusiast from India has uncovered that his smart vacuum cleaner was quietly transmitting a detailed 3D map of his home back to its manufacturer, and appeared to be remotely disabled when he blocked the data flow.
Harishankar Narayanan, a computer programmer and electronics hobbyist, shared the discovery on his blog Small World. He had owned an iLife A11 robot vacuum for around a year before curiosity and a healthy dose of “good paranoia”, as he put it, prompted him to monitor its internet traffic.
Within minutes, Narayanan noticed a steady stream of data being sent to servers halfway across the world. His vacuum, he discovered, was communicating constantly with the manufacturer, transmitting logs and telemetry data without his consent.
The Day the Vacuum Died
Concerned about privacy, Narayanan decided to block the device’s telemetry server while allowing other functions, such as firmware updates, to continue. Days later, his vacuum refused to start.
A frustrating cycle followed. Each time he sent it for repair, the service centre returned it working briefly before it failed again. Eventually, the company refused further service, citing an expired warranty.
“Just like that, my $300 smart vacuum became a paperweight,” Narayanan wrote.
Cracking Open the “Smart” Device
With nothing left to lose, Narayanan took the vacuum apart. Inside, he found not just a household gadget but a small computer running a Linux-based operating system. Among the components were sophisticated sensors, including lidar, the same kind used in self-driving cars.
He soon discovered that the vacuum’s Android Debug Bridge (ADB), a tool used by developers, was left “wide open”, allowing anyone to gain full access without a password. From there, he found the device was running Google Cartographer, an open-source mapping system capable of constructing a detailed 3D model of his home.
A Mysterious “Kill Command”
Digging deeper, Narayanan found log files suggesting a remote “kill command” had been sent to his device, precisely matching the time it stopped functioning.
“They hadn’t merely incorporated a remote control feature,” he wrote. “They had used it to permanently disable my device.”
According to his analysis, the manufacturer retained the ability to issue commands and run software remotely using a pre-installed program, giving them near-total control. When Narayanan blocked the device from sending data, it apparently triggered the shutdown.
Privacy Concerns and Wider Implications
Narayanan’s findings raise troubling questions about the balance between smart home convenience and consumer privacy. He points out that the same sensor hardware appears in models from several other brands, including Xiaomi, Wyze and Proscenic.
That means dozens of popular smart vacuums could potentially transmit sensitive information, such as room layouts and Wi-Fi credentials, without clear user consent.
“Our homes are filled with cameras, microphones, and sensors connected to companies we barely know,” he warned, “all capable of being weaponised with a single line of code.”
Lessons from a “Smart” Appliance
Narayanan has since modified his vacuum to run completely offline, without cloud access. But his experience has left him sceptical of “smart” technology.
“Convenience often comes with hidden surveillance,” he reflected. “The next time you buy a connected device, ask yourself, who really owns it: you, or the company?”
The incident serves as a stark reminder that even the most mundane household gadgets can pose unexpected risks in the age of the Internet of Things.
