Walk through a modern household and count how many devices are connected to the internet. The smart TV in the living room remembers what you watched last night. The robot vacuum is creating a map of your home. The security camera above the front door streams footage to your phone. The smartwatch is charging beside the bed.

 


Each of these is an Internet of Things (IoT) device — an everyday object equipped with sensors, software and a persistent internet connection that allows it to send and receive data. At its core, the smart-home proposition is convenience. Devices automate repetitive tasks, respond to remote commands and reduce friction in everyday life.

 
 


Yet behind that convenience lies a question many consumers rarely consider: where does all that data go?

 


Every smart camera recording a doorway, every robot vacuum mapping a room and every voice assistant responding to a command is continuously exchanging information with servers located far beyond the home.

 


Most of the time, this flow of data goes unnoticed. But when security controls fail, the same systems designed to make life easier can become gateways to privacy breaches, surveillance and cyberattacks.

 


Concerns about connected devices are growing. A Wall Street Journal report highlighted how millions of internet-connected devices are being exploited to support cybercriminal operations. Separately, researchers examining AI-powered toys have raised concerns about data exposure within homes.

 


The common thread is simple: behind the convenience of smart devices lies a growing risk of hidden vulnerabilities that can expose homes, personal data and even entire networks.


Your home is now a network


The smart home is no longer a futuristic concept reserved for technology enthusiasts. It has quietly become part of everyday life.

 


Over the past decade, internet-connected devices have evolved from niche gadgets into mainstream household products. Wi-Fi routers, smart TVs, connected speakers, security cameras, baby monitors, smart doorbells, streaming devices and robot vacuums now occupy spaces once filled by traditional appliances.

 


For many consumers, connectivity is no longer a premium feature. It is an expectation.

 


Falling data costs, improved internet connectivity and affordable hardware have accelerated adoption across urban households. Smart TVs are commonplace, app-connected security cameras are increasingly used in homes and small businesses, and voice assistants have become fixtures in living rooms and kitchens. Robot vacuums are also gaining popularity among upper-middle-class households.

 


The appeal is straightforward: convenience, automation and remote access.

 


What often goes unnoticed is that every smart device is effectively a small computer connected to the internet. Much of the data these devices collect is transmitted to cloud servers operated by manufacturers.

 


While consumers focus on the device sitting in their homes, cybersecurity experts argue that the greater risk often lies in the cloud infrastructure powering it.

 


The invisible language of smart devices


To understand how smart devices can be compromised, it helps to understand how they communicate.

 


Many IoT devices, including robot vacuums, smart cameras, thermostats and baby monitors, rely on a communication standard known as MQTT, short for Message Queuing Telemetry Transport.


Originally developed for industrial environments such as oil pipelines and satellite systems, MQTT has become widely used in consumer devices because it is lightweight, efficient and easy to implement.

 


Think of MQTT as a postal service for machines.

 


Devices do not communicate directly with one another. Instead, they send messages to a central server known as a broker. The broker organises these messages into labelled channels called topics.


A robot vacuum may publish information about its battery level, cleaning status and camera feed to a specific topic. A smartphone application subscribed to that topic then receives the data.

 


The system works efficiently, but it relies on one critical assumption: that the broker only allows authorised devices and users to access relevant information.

 


This is enforced through access-control rules that determine who can read or write data to specific topics. When those rules are configured correctly, the system functions as intended. When they are not, sensitive information can become exposed.


What exactly is a backdoor?


The term “backdoor” often evokes images of secret access mechanisms hidden inside devices. In reality, it refers to a broader range of security weaknesses.

 


One form is accidental. These vulnerabilities emerge through poor engineering rather than malicious intent. This is what happened in the case of DJI’s Romo robot vacuum.

 


A software engineer discovered he could access thousands of devices because access controls had not been configured correctly. Using a legitimate login token, he connected to DJI’s servers expecting to see only his own device. Instead, he was presented with data linked to thousands of others.

 


No sophisticated hacking was required. The system simply failed to verify whether he was authorised to access the information.

 


The second type of backdoor is more concerning: software intentionally embedded into devices.


Security researchers have documented cases involving inexpensive smart TVs, digital picture frames and streaming devices that contained software enabling third parties to use a homeowner’s internet connection without their knowledge.

 


Once connected to a home network, such software can establish links to external servers and quietly route internet traffic through the household connection.

 


The device continues performing its advertised function, but it may also be supporting activities the owner never authorised.


The DJI Romo robot vacuum case


The risks associated with connected devices became particularly visible earlier this year through an incident involving DJI’s Romo robot vacuum.

 


Software engineer Sammy Azdoufal was attempting to control his vacuum using a PlayStation 5 controller. To achieve this, he examined how the device communicated with DJI’s cloud infrastructure through MQTT.

 


Instead of accessing only his own device, he discovered that DJI’s servers were exposing information linked to thousands of other vacuums worldwide. The issue was not caused by sophisticated hacking. Azdoufal was using a valid authentication token associated with his account. However, the company’s MQTT broker lacked adequate access controls.

 


Reports suggested that information from approximately 7,000 devices across more than 20 countries was potentially exposed. The data reportedly included floor maps, camera feeds, audio streams and other device information. Importantly, the vulnerability was not caused by a weakness in MQTT itself or by encryption failures. The problem lay in server-side authorisation.

 


Encryption protects data while it is being transmitted. Authorisation determines who is permitted to access that data. In this case, the authorisation controls failed.
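The difference between the broker access-control rules described earlier and the failure described in this case can be shown in a few lines. This is an added example, not part of the original article and not DJI's code; the `devices/<serial>/...` topic layout, the account names and the serial numbers are assumptions made for illustration. It compares a rule that accepts any valid login with one that checks each subscription against the devices the account owns, including wildcard subscriptions.

```python
# Added illustration. Topic layout, accounts and serials are constructed samples.
OWNERSHIP = {
    "alice": {"VAC-0001"},
    "bob": {"VAC-0002", "VAC-0003"},
}

def filter_within(requested: str, allowed: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`.

    Both are MQTT topic filters: '+' matches exactly one level and a
    trailing '#' matches that level and everything below it.
    """
    req, alw = requested.split("/"), allowed.split("/")
    for i, a in enumerate(alw):
        if a == "#":
            return True        # allowed covers the whole remaining subtree
        if i >= len(req):
            return False       # requested names a parent of the allowed scope
        if req[i] == "#":
            return False       # requested is broader than allowed
        if a != "+" and req[i] != a:
            return False       # different literal, or '+' where a literal is required
    return len(req) == len(alw)

def authorize_weak(account: str, requested: str) -> bool:
    # Failure mode: a valid login is treated as permission to read any topic.
    return account in OWNERSHIP

def authorize_scoped(account: str, requested: str) -> bool:
    # Corrected rule: the subscription must fit inside a subtree the account owns.
    owned = (f"devices/{serial}/#" for serial in OWNERSHIP.get(account, ()))
    return any(filter_within(requested, scope) for scope in owned)

def audit(requests):
    """Requests the weak rule accepts but the scoped rule rejects."""
    return [r for r in requests if authorize_weak(*r) and not authorize_scoped(*r)]

SAMPLE_REQUESTS = [            # constructed subscription attempts
    ("alice", "devices/VAC-0001/map"),
    ("alice", "devices/+/map"),
    ("alice", "#"),
    ("alice", "devices/VAC-0002/camera"),
    ("bob", "devices/VAC-0003/#"),
]

if __name__ == "__main__":
    for account, topic_filter in audit(SAMPLE_REQUESTS):
        print(f"would leak: {account} -> {topic_filter}")
```

The scoped rule compares the requested filter with the owned subtree as a whole, so a wildcard subscription is rejected whenever it could match a device the account does not own.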

 


DJI later acknowledged the issue and implemented server-side fixes. Because the flaw existed within the company’s cloud infrastructure rather than the devices themselves, users did not need to install software updates.

 


The incident highlighted an important reality: in connected homes, the greatest security risks may reside not within the device itself, but within the cloud systems managing it.


The device you bought may be working for someone else


To understand how hidden software can operate inside connected devices, Wall Street Journal reporter Jack Gillum conducted a simple experiment. He purchased five inexpensive internet-connected devices, including digital picture frames and streaming boxes, from major retailers. Soon after connecting them to a test network, unusual internet traffic began flowing through the connection.

 


Activity linked to gambling websites, cryptocurrency services and attempts to access online accounts appeared to be routed through the network, despite no one in the household initiating it.


Researchers later found that the devices contained residential proxy software. This software effectively turns a consumer’s internet connection into part of a commercial proxy network, allowing paying customers to route their traffic through genuine residential IP addresses.

 


In practice, the homeowner unknowingly becomes an intermediary for someone else’s online activity.

 


Experts cited in the report suggested that some manufacturers may be paid to include such software before devices are sold, while other infections spread through malicious applications. Either way, the outcome is the same: a device purchased for convenience becomes part of a hidden digital infrastructure.

 


Researchers found evidence that some devices were being used in distributed denial-of-service (DDoS) attacks, while others were receiving repeated login attempts from external actors. Law-enforcement officials cited in the report linked residential proxy networks to activities including fraud, ticket scalping and cyberattacks.


When the toy is listening


The issue becomes even more concerning when the device belongs to a child. AI-powered toys and interactive companions capable of holding conversations with children are becoming increasingly popular.

 


In June 2026, Cybernews researchers analysed Android applications associated with popular AI toys, including Miko, Loona, Dash & Dot and Sphero. Their findings raised several concerns. Nearly half of all permissions requested by the applications were classified as “dangerous” under Android’s security framework. All 10 applications requested precise location access. Six requested microphone access and five requested camera access.

 


One application, Loona, also requested background-location access, allowing it to track a user’s location even when the application was not actively being used. Researchers also identified tracking software embedded within many of the applications.

 


Trackers were found in seven of the 10 apps examined. While some were used for analytics and crash reporting, others were designed for advertising and profiling.

 


The Miko application stood out, requesting nine dangerous permissions and containing eight embedded trackers.

 


Researchers noted that data minimisation is particularly important for children’s applications because young users are less likely to understand what information is being collected and how it may be used.


Convenience comes with a cost


The common thread running through these incidents is not necessarily a flaw in a single product. Rather, they reflect a broader issue within the connected-device ecosystem. As manufacturers race to add features and connectivity, security has often lagged behind.

 


Consumers tend to focus on the physical device sitting in their homes, but much of the activity takes place in cloud systems that store data, process commands and enable remote access. When those systems are not secured properly, vulnerabilities can emerge at scale. 


Encryption remains important, but it is only one layer of protection. Equally important are the controls that determine who can view, modify or interact with data once it reaches the cloud. Modern smart devices increasingly contain cameras, microphones, location services and mapping technologies capable of collecting highly sensitive information.

 


Security researchers have repeatedly demonstrated how weak authentication systems, misconfigured servers and excessive permissions can expose that information to unauthorised parties. The reality of connected living is that the greatest risk may not be the gadget sitting on a shelf but the invisible network of servers supporting it.

 


Every smart device requires consumers to place trust in manufacturers — trust that their infrastructure is secure, access is restricted appropriately and personal information is protected. The convenience offered by connected devices is undeniable. But recent incidents serve as a reminder that convenience often comes with an unseen trade-off.

 


As smart homes become more common, the challenge for both consumers and manufacturers will be ensuring that connectivity does not come at the expense of privacy and security.


