In the near future, what I think is scarier is the possibility of executing the same attack through self-driving cars' LIDARs. Perhaps this would allow attackers to spy on conversations in cars that are driving beside you or stationary next to you at traffic lights.
The difficulty with masking this attack is that you need audio playing at a comparable volume near to the legitimate speech sources, which might be pretty disruptive. In the case of background white noise generators, for legitimate audio playing at around 70 dB SPL, we don't lose much accuracy until the background white noise exceeds 75 dB SPL.
Seems like quite a number of things including WiFi SSID and lat/long info are sent.
Some feasible ways to stealthily perform the attack when the LIDAR is not rotating could be: a) attack when docked at the charging station, or b) hiding under furniture.
Jokes aside, which Robot Vacuum Cleaner is equipped with a LIDAR? So far the only ones that I've seen barely have a proximity sensor, fall sensor and IR sensors. It could be that I've only bought and seen the cheapest versions though.
Ate 2 charging cables tho
The lidar is impressive though. Cleans way faster since it's taking efficient paths.
Reason why I got a Roomba was because I trust iRobot more
For newer versions you can however extract the API token from the app, and use it to control the vacuum without internet access and block its external internet access, since the vacuum uses a known protocol. 
I use a Wireguard VPN to access the Vacuum's web UI to control it; it has no internet access at all.
Roomba isn’t even a close competitor in terms of cleaning performance, especially for the price.
Neato, all versions.
Far from perfect, but it makes cleaning the house once a week far easier, as the robot does a 90% or even 95% job every single day.
I think Tesla made one
iPhone "Evil Maid" => GPS, Mic, Camera, Digital User Impersonation [post social network messages, iMessage, etc.]
HomePod "Evil Butler" => Control HomeKit, Mic, Playback Arbitrary Recordings [freeze, this is the police, etc., impersonate a significant other]
Roomba "Evil Maid" => Lidar (mm-resolution depth-camera?!?), Virtual Mic, Push/Close Doors, Push/Move Objects [tip over a table w/ candle]
WiFi Cams "Evil Maid" => Camera, sometimes speakers, sometimes motion control
...if this is how the robot uprising begins, we're a long way from Terminators / SkyNet, but easy to see entire classes of vulnerabilities which are pretty obvious in retrospect.
If you haven't seen "Enemy of the State" or "Conspiracy Theory", they're great movies with a similar premise: "What if 'the system' turned against you?"
It's interesting work. It's kinda like finding a really weak, seemingly impossible-to-use buffer overflow, and now someone has to weaponize it and put it into easy-to-use Metasploit to become just one of 1000s of things to have available.
Personally I'm surprised all these robots don't have microphones yet. Not being able to talk to robots makes them pretty lame.
I was also surprised that they don't have microphones. I guess the developers would prefer to have that on the companion app instead.
You work with what you have. Ideally you'd have a microphone, but maybe that robot vacuum cleaner of your target doesn't have one. And maybe you also don't have access to other devices which have one.
But, TBH, I wouldn't be surprised if today's vacuum cleaners have a microphone in them. "For voice commands", you know?
Recently I bought another TP-Link HS110 Wifi Plug, and while working on reading it automatically every couple of seconds with a Python script, I noticed that a response contained a field labeled "mic_type":"IOT.SMARTPLUGSWITCH". "mic_type"?
Some time ago the German router producer "AVM" had to explain why their DECT smart-plugs had a microphone in them.
But a clever hacker would probably drive the vacuum cleaner to a better location and then make the "low battery" LED blink and leave it there ;)
Most people didn't realize that the :visited selector represented a danger until someone figured out how to get your browsing history by abusing it.