News | International
17 Aug 2025 13:22
NZCity News

    Robot vacuum maker Dreame's smartphone app vulnerable to hacking

    A major Chinese robot vacuum maker's smartphone app has a critical security flaw leaving it susceptible to leaking user data and credentials if targeted by hackers.


    A major Chinese robot vacuum maker's smartphone app has a critical security flaw, leaving it susceptible to leaking user data and credentials if targeted by hackers.

    When the Dreame smartphone app is used on a public wi-fi network, like in a hotel or airport, any information the app sends over the internet can be read by the network administrator.

    This could include login details, personal information and data about the house where the user's devices are located.

    Dreame's range of robot vacuum cleaners come equipped with cameras, microphones and connections to the internet, and are sold at more than a dozen Australian retailers, many of them well-known.

    The vulnerability is the second one to hit a major home robotics company in as many years, increasing the scrutiny on Australia's plans to launch a cybersecurity rating scheme for smart devices.

    Security researcher Dennis Giese — who discovered a separate vulnerability in Ecovacs robot vacuums last year — attempted to establish a contact at Dreame as early as 2021.

    "I tried to get a security contact for the last four years," says Giese.

    "But they effectively ghosted me."

    After failing to establish a reliable contact with Dreame, the researcher reported the vulnerability to US cybersecurity agency CISA.

    CISA reproduced the exploit, and assigned it a "low attack complexity" level in an alert it published last week. This means that the hack is not difficult to pull off for a sophisticated attacker.

    The security flaw — a misconfigured check for security certificates in the app — allows network administrators to pretend to be Dreame's own servers, and intercept user data.
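    For readers who want to see what a misconfigured certificate check looks like next to a correct one, and how a reviewer can spot the weak setting, here is an added Python example. It is not code from the article, from Dreame or from CISA; the article does not say which platform or TLS library the app uses, so Python's standard ssl module is used as a stand-in, and the function names are the example's own. The insecure context reproduces the class of mistake described above: with certificate verification and hostname checking switched off, whoever controls the network can present their own certificate and read the traffic. The hardened context is what a client should use, and audit_context flags the weak settings.

```python
import ssl
from typing import Optional


def make_insecure_context() -> ssl.SSLContext:
    """The misconfiguration pattern (constructed for illustration): the client
    neither requires a valid server certificate nor checks that the certificate
    matches the host it asked for. Any access point on the path can then stand
    in for the real server and read what the app sends."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, including a forged one
    return ctx


def make_hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """A client context that does the check properly: the server certificate
    must chain to a trusted CA and its name must match the requested host.
    Passing a private CA bundle pins the client to that CA only (assumed
    deployment choice, not something the article describes)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # refuse legacy protocol versions
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings describing why a context would let a
    network-level attacker impersonate the server. Empty list means the
    settings a code reviewer would look for are all in place."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "verify_mode is not CERT_REQUIRED: server certificate is not verified")
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is False: certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            "minimum_version below TLS 1.2: legacy protocol versions are accepted")
    return findings


def wrap_client_socket(ctx: ssl.SSLContext, sock, host: str) -> ssl.SSLSocket:
    """Correct usage of a context: server_hostname must be supplied so the
    certificate name check has something to compare against."""
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for label, ctx in (("insecure", make_insecure_context()),
                       ("hardened", make_hardened_context())):
        findings = audit_context(ctx)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

    Run as a script it prints the findings for each context; the same audit_context can be pointed at any SSLContext an application builds, which is the kind of check a reviewer would run before a release.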

    "Captured communications may include user credentials and sensitive session tokens," reads the CISA advisory note.

    "Dreame Technology did not respond to CISA's request for coordination."

    The ABC has also verified the exploit by connecting a smartphone to a wi-fi network that Giese had set up.

    The access point worked as expected. The phone was able to access the internet as usual when connected.

    However, when we logged into the Dreame app, the researcher was able to intercept our password.

    Dreame said it had forwarded the ABC's questions on to "the relevant teams for review", but did not respond in time for publication.

    "A formal statement addressing your questions will be provided to you once our assessment is complete," the company said in an email.

    Certified secure by multinational testing company

    Dreame has its products certified as secure by a third-party.

    Multinational testing company TÜV SÜD wrote in a 2022 press release that it had "performed professional security tests and document reviews" on one of Dreame's robot vacuum cleaners.

    It has continued to do so for newer models, one of which was completed as recently as August 2025.

    It is unclear whether the app itself was tested as part of this certification process.

    TÜV SÜD did not respond to the ABC's questions.

    Ecovacs' robots, which suffered from a separate security vulnerability, were certified to the same standard (called ETSI EN 303 645) by another testing company.

    This certification is mandatory for smart home products to be sold in Europe.

    It is intended to catch basic security flaws, yet several have been missed and later caught by external researchers after the products were released to the public.

    Lim Yong Zhi, a former cybersecurity tester at TÜV SÜD, told the ABC in 2024 that these certification standards may provide a "false sense of security" to consumers.

    He said the testing process is largely "left open for interpretation" by those doing the testing.

    While the standard specifies that common security features must be present, said Lim, there is no explicit requirement that they are implemented correctly.

    Australia to implement smart labelling scheme

    The repeated failures of international cybersecurity certifications come as Australia prepares to implement its own scheme, planned to launch in 2027.

    In July, the government announced a voluntary labelling scheme where companies can have their devices rated in terms of their cybersecurity protections.

    The intention is to allow Australians to make more informed decisions about the security of the devices they are buying.

    "Australians need to be able to trust that the devices they bring into their homes won't compromise their safety," said Tony Burke, Australia's minister for cyber security.

    "Whether it's a smart speaker or robot vacuum cleaner, consumers will know how safe a product is before they buy it."

    In recent weeks, the Department of Home Affairs has been consulting with Australian cybersecurity testing labs on the design of the scheme.

    One of the industry leaders who has been providing input is Viden Labs CEO Anthony Barnes.

    He says that the current rules and even proposed extensions to align with the ETSI EN 303 645 standard won't guarantee that devices being sold in Australia are secure.

    "Companies in today's economy win by being first to market, not necessarily by building the most secure product."

    "The current security standards only cover three of the 13 of the baseline security controls under the standard, which is not effective in identifying security vulnerabilities."

    Barnes is recommending that extra requirements are placed on how devices are tested, including "robust vulnerability testing and disclosure".

    'No such thing as secure'

    Home Affairs is partnering with industry group IOT Alliance Australia (IOTA) in designing the scheme.

    Frank Zeichner, CEO of IOTA, says it is "pretty clear" what needs to be tested by labs under the ETSI EN 303 645 standard.

    "There is enough [international] momentum with the ETSI standard that it's heading in the right direction," he says.

    "We can't do anything unique because no one will listen to it. The manufacturers will just ignore it."

    A spokesperson for the Department of Home Affairs said "the co-design process will consider standards and labelling regimes in other jurisdictions."

    Zeichner added that the scheme may only cover the devices themselves, not the apps that they connect to – which means the Dreame vulnerability would not have been caught.

    "There's no such thing as secure," he said. "There is only more secure."


    ABC




    © 2025 ABC Australian Broadcasting Corporation. All rights reserved
