Robot & data security at iRobot
At iRobot, we take the security of our products very seriously. If you’re an iRobot customer, and you use our connected products, here is all the information you need to know about iRobot’s product-security principles.
Frequently asked questions about iRobot data security
We do everything in our control to make sure that the data we have in our system is used for one purpose: making your life easier with iRobot products. Below are some answers to commonly asked questions regarding the security of the data we have at iRobot:
How do we secure our connected products?
At iRobot, we take a defence-in-depth approach to security, adding multiple layers of protection around our robots, cloud and apps from start to finish. We ensure that the development of our products follows industry-standard security best practices, and we are using technology-leading tools to assist our development and security teams during this process. When deployed to market, we work with our suppliers and partners to ensure that our products and our suppliers’ and partners’ supporting infrastructure (including physical infrastructure, cloud and mobile apps) are properly configured, monitored and continuous security improvement processes are in place.
How do we handle your data?
How is data secure while in transit?
All iRobot connected products communicate with the iRobot cloud service using robust encryption. Currently, we use AES 256-bit encryption and Transport Layer Security (TLS v1.2). Data encryption is augmented through strong identity management. All iRobot connected products have identities when they come out of the factory and those identities are validated upon each new cloud connection.
How is data stored at rest?
Within iRobot’s cloud (built on top of AWS), customer data is stored encrypted. Customer data has multiple encryption keys which are rotated on a regular basis to reduce the risk of the data being compromised even in the event of a key exposure.
Within the mobile application, data storage follows the platform’s standards for application-secure data; any sensitive data that is used by the application is not stored on the mobile device, but is instead securely transported to iRobot’s cloud for storage.
How do we keep our products up-to-date and secure?
In conjunction with our security-minded development processes, iRobot ensures that we monitor and adhere to all supplier and industry alerts regarding security patches to systems and components used in our products. Additionally, we actively promote and sponsor private bug bounty programmes and hacking events to collaborate with the broad security research community to assist iRobot to responsibly address any vulnerabilities that may be discovered in our products.
How are the robots securely updated in the home?
When a robot requires an update, the robots are notified of the available update when they interact with the cloud and connect to a secure location to download a software update. The connection is authenticated to ensure that it is the official iRobot location. Each download is cryptographically signed to assure it is an official iRobot update.
How do we secure the iRobot Home App?
The mobile iRobot Home application is built to the security standards as specified by the manufacturers of the operating systems and devices (Apple iOS, Android, Samsung etc.), and include advanced obfuscation tools to limit reverse-engineering by malicious users. The mobile apps are sold only through qualified application stores from these same manufacturers, and users should only install the app from these sites.
How do we secure maps and map data?
iRobot considers maps of the home to be your sensitive, confidential information. Maps are protected following the industry standard guidelines to ensure the security of this data just like any other personal data. In addition to the standards mentioned above for encryption at-rest and in-flight, access to this data is tightly controlled, monitored and regularly audited. iRobot machines accessing this data have data-leak prevention software installed to ensure that the data is tracked as it is accessed for use in customer support and robot improvement processes.
How secure is using an app not provided by iRobot?
iRobot embraces innovation and lets third-party software interact with our products when that software presents the correct credentials. As a result, independent developers are able to create tools and accessories that may create an enhanced user experience for you. While the security of your data produced by your robot and stored in the iRobot cloud remain safe, iRobot recommends that you verify the third-party documents on how your data is handled.
How long will you continue the support of the security of your product?
We will notify customers at least 6 months before the end of software security support for a particular connected product.
Do you support running your mobile app on non-standard (jailbroken or rooted or otherwise compromised) mobile devices?
The iRobot Home App utilises security controls provided by the device manufacturer, and as such we cannot safeguard the security and privacy of data stored on the iRobot Home App when it is running on a jailbroken or rooted device that compromises the device’s security controls in any way.
Future products and security
The landscape of security threats is ever evolving, as is the security at iRobot. iRobot continuously trains, researches and exercises processes that improve the maturity of the company’s overall ability to identify, react to, isolate and resolve security issues within our company and our products as quickly as possible.
If you have any additional questions, please email us.
Vulnerability Disclosure Policy
If you are a security researcher and believe that you have found a bug in one of our connected products, we’d like to hear from you! Please visit our Bug Bounty programme for the programme’s rules and to submit your research for consideration. For any additional security issues or to submit vulnerabilities directly to iRobot, please email us. We’ll reply within 3 business days and then keep in touch as we strive to mitigate security issues or vulnerabilities within 90 days.