Ecovacs says your data is protected by encryption, but security researchers found the encryption keys are predictable and can be guessed from your device serial number. This means the lock on your data is essentially broken — anyone with basic technical knowledge could read your home camera footage and audio recordings. Ecovacs says you can delete your photos and recordings from their servers. But buried in the same policy, they say deleted data "may continue to be held and used." In other words, pressing delete might not actually delete anything — they can keep your home photos and voice recordings forever.
What they claim: Ecovacs markets the front-facing camera as an "AI obstacle avoidance" feature for cleaning, and the YIKO voice assistant as a convenience feature for voice commands
What we found: DEF CON 2024 research (Dennis Giese, Braelynn Luedtke) demonstrated the camera and microphone can be remotely activated without owner knowledge via Bluetooth hijacking from 130+ metres away. The PIN system meant to protect camera/microphone access can be bypassed. Real-world hacking incidents in May 2024 confirmed attackers accessed live camera feeds in homes across the US
What they claim: Ecovacs describes the app as a cleaning control interface — the privacy blog emphasizes they only collect data needed for device operation
What we found: Exodus Privacy report shows the ECOVACS HOME app (v3.11.0) requests 49+ permissions including CAMERA, RECORD_AUDIO, ACCESS_FINE_LOCATION, WRITE_SETTINGS, SYSTEM_ALERT_WINDOW, GET_TASKS, and SMARTCARD. It embeds 4 trackers including JiGuang Aurora Mobile JPush (Chinese push notification service) and Sensors Analytics (Chinese analytics). The app also uses AD_ID for advertising tracking. A cleaning robot app does not need camera access, audio recording, or advertising identifiers
What they claim: The Deebot X2 Omni base station should provide secure firmware updates to maintain device integrity
What we found: CVE-2025-30199 (CVSS 8.6) reveals base stations do not validate firmware update integrity. Combined with CVE-2025-30198 (hard-coded WPA2-PSK keys derived from serial numbers), an attacker can inject malicious firmware into the base station, potentially turning the entire robot-base system into a persistent surveillance platform with camera, microphone, and network access
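For contrast with the missing check described above, the following is an added example (not Ecovacs' code or update format) of what a base station that did validate update integrity would do: accept an image only when its manifest is signed by a vendor public key burned into the device, the version is newer than what is installed, and the image matches the signed digest. The manifest layout, the Ed25519 vendor key and the error names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed manifest layout (an assumption, not Ecovacs' real format):
//   version (4 bytes big-endian) || SHA-256(image) || Ed25519 signature over those 36 bytes.
const signedLen = 4 + sha256.Size
const manifestLen = signedLen + ed25519.SignatureSize

var (
	ErrBadSig   = errors.New("manifest missing, malformed, or not signed by vendor key")
	ErrRollback = errors.New("version not newer than installed firmware")
	ErrDigest   = errors.New("image digest does not match manifest")
)

// unverifiedInstall models the CVE-2025-30199 behaviour: any non-empty image is accepted.
func unverifiedInstall(image []byte) bool { return len(image) > 0 }

// verifiedInstall accepts an image only if the manifest is signed by the vendor public key
// burned into the device (a public key is safe to hard-code, unlike a secret derived from a
// serial number), the version is strictly newer (blocks rollback), and the digest matches.
func verifiedInstall(vendorPub ed25519.PublicKey, installed uint32, manifest, image []byte) (uint32, error) {
	if len(manifest) != manifestLen || !ed25519.Verify(vendorPub, manifest[:signedLen], manifest[signedLen:]) {
		return 0, ErrBadSig // checked first: nothing in the manifest is trusted until the signature holds
	}
	signed := manifest[:signedLen]
	version := binary.BigEndian.Uint32(signed[:4])
	if version <= installed {
		return 0, ErrRollback
	}
	if digest := sha256.Sum256(image); !bytes.Equal(digest[:], signed[4:]) {
		return 0, ErrDigest
	}
	return version, nil
}

// signManifest is the vendor-side build step: hash the image, prepend the version, sign both.
func signManifest(vendorPriv ed25519.PrivateKey, version uint32, image []byte) []byte {
	buf := make([]byte, 4, manifestLen)
	binary.BigEndian.PutUint32(buf, version)
	digest := sha256.Sum256(image)
	buf = append(buf, digest[:]...)
	return append(buf, ed25519.Sign(vendorPriv, buf)...)
}
```

A device built this way could still be handed a malicious image over a network joined with a serial-derived WPA2 key, but it would refuse to install it.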
What they claim: The app includes Bluetooth permissions (BLUETOOTH_CONNECT, BLUETOOTH_SCAN, BLUETOOTH_ADVERTISE) for device setup and connectivity
What we found: DEF CON 2024 researchers demonstrated that the Bluetooth connection is the primary attack vector — connections can be hijacked from 130+ metres away. Once Bluetooth pairing is established, the device grants full access including camera and microphone activation with no additional authentication. The broad Bluetooth permissions in the app reflect an architecture where Bluetooth trust equals full device access
What they claim: The FCC filing certifies the Deebot X2 Omni for consumer use with standard radio emissions compliance
What we found: The FCC filing (2AZAT-DEX86) approved the device with dual-laser LiDAR, HD camera, RGBD depth sensor, microphone, and speaker — making it one of the most sensor-rich consumer devices ever certified. Yet the FCC process evaluates only radio emissions compliance, not the security of these sensors. Within a year of FCC approval, the device was involved in real-world hacking incidents where cameras and microphones were remotely activated in US homes
What they claim: Ecovacs markets the Deebot X2 Omni as a premium cleaning robot with AI-powered features for better cleaning performance
What we found: The device contains: front-facing HD camera, RGBD depth sensor, dual-laser LiDAR, microphone (always listening for YIKO wake word), speaker, Wi-Fi, and Bluetooth — a sensor suite equivalent to a mobile surveillance platform. The marketing positions each sensor as a cleaning feature (camera for obstacle avoidance, LiDAR for mapping, microphone for voice commands) but collectively they create a comprehensive home surveillance capability that roams autonomously through every room
What they claim: Ecovacs claims data collection through the Product Improvement Program is opt-in and anonymised at the machine level
What we found: The AI training disclosure (Schneier, 2024-10-04) reveals Ecovacs collects 2D/3D home maps, voice recordings, and photos/videos from device cameras for AI training. A 2020 Ecovacs engineering blog post admitted the company needed ground-level perspective images that robot vacuums capture — suggesting the program was designed specifically to harvest customer home data to solve their training data shortage
What they claim: Ecovacs is headquartered in Suzhou, China, processing home maps, camera footage, and audio on Chinese servers
What we found: The privacy policy discloses data sharing with third parties for marketing and potential data sales. Firmware endpoints (portal-as.ecouser.net, api-app.dc-as.ww.ecouser.net) route data through Asian servers. Under Chinese law (National Security Law, Data Security Law, PIPL), authorities can compel access to data stored by Chinese companies. Users' 3D home maps, camera footage, and voice recordings are subject to Chinese government data access requirements — undisclosed in marketing
What they claim: The ECOVACS HOME app includes MIPUSH_RECEIVE and JPUSH_MESSAGE permissions for push notifications
What we found: MIPUSH (Xiaomi Push) and JPUSH (JiGuang Aurora Mobile) are Chinese push notification services that route notification data through Chinese infrastructure. These are embedded alongside the Sensors Analytics Chinese analytics tracker. For a device that collects home maps, camera footage, and audio, routing notification metadata through Chinese servers creates additional data exposure pathways beyond the primary Ecovacs cloud connection
What they claim: Ecovacs privacy blog states they take privacy seriously and data is encrypted with AES-128, presenting the robot as privacy-respecting
What we found: CVE-2025-30200 reveals the AES encryption keys are hard-coded and predictable, derivable from device identifiers. The encryption Ecovacs touts as protecting user data is fundamentally broken — anyone who knows the serial number can decrypt camera feeds, audio, and map data
What they claim: The Ecovacs Deebot X2 Omni is promoted as an intelligent home cleaning robot
What we found: In 2024, multiple families across US cities reported their Ecovacs Deebot X2 Omni vacuums being hijacked by hackers who drove the robots around homes while shouting racial slurs through the speakers. A Minnesota lawyer reported his vacuum chasing his dog while screaming obscenities. Researchers traced the vulnerability to a Bluetooth connection flaw that allowed access from over 100 metres away.
What they claim: Ecovacs privacy blog states they comply with regulations and protect user data according to CCPA requirements
What we found: Mozilla Privacy Not Included review found Ecovacs fails minimum security standards, has no vulnerability management or bug reporting program, and may sell personal data unless users actively opt out. The app includes AD_ID for advertising tracking and Chinese analytics trackers (JiGuang JPush, Sensors Analytics). The CCPA disclosure reveals data is shared with third parties for marketing without opt-in consent
What they claim: Ecovacs privacy policy states deleted recordings and images can be erased from servers upon request
What we found: The same privacy policy contains the clause that deleted recordings and images "may continue to be held and used by Ecovacs." Bruce Schneier (2024-10-04) highlighted this contradiction — the company simultaneously promises deletion rights while reserving the right to keep and use the data indefinitely