So not only was the robot vacuum sending data without his permission, the moment he stopped that data from being sent to the company, the company remotely bricked his device.
Seemingly more curious than ever, Narayanan now had no reason not to tear the thing apart looking for answers, which is exactly what he did. After reverse engineering the vacuum, a painstaking process which included reprinting the device’s circuit boards and testing its sensors, he found something horrifying: Android Debug Bridge, a program for installing and debugging apps on devices, was “wide open” to the world.
“In seconds, I had full root access. No hacks, no exploits. Just plug and play,” Narayanan said.
Through a process of trial and error, he was eventually able to connect to the vacuum’s system from his computer. That’s when he discovered a “bigger surprise.” The device was running Google Cartographer, an open-source program designed to create a 3D map of his home, data which the gadget was transmitting back to its parent company.
In addition, Narayanan says he uncovered a suspicious line of code broadcast from the company to the vacuum, timestamped to the exact moment it stopped working. “Someone — or something — had remotely issued a kill command,” he wrote.
“I reversed the script change and rebooted the device,” he wrote. “It came back to life instantly. They hadn’t merely incorporated a remote control feature. They had used it to permanently disable my device.”
In short, he said, the company that made the device had “the power to remotely disable devices, and used it against me for blocking their data collection… Whether it was intentional punishment or automated enforcement of ‘compliance,’ the result was the same: a consumer device had turned on its owner.”