Robot vacuums made by Ecovacs, one of the largest home robotics companies in the world, have reportedly been roving around people’s homes yelling slurs at their owners through the onboard speakers.
A critical vulnerability in the company’s software left the robots susceptible to being hacked from afar, allowing attackers to take control of the devices remotely. One of the victims reported that the hackers had gained physical control of the vacuum, accessed its live camera, and used the onboard speakers to yell racial slurs. Multiple people, all based in the US, reported similar incidents within days of each other. It is unclear how many of the company’s devices were hacked in total.
The issue, which exists specifically in Ecovacs’ Deebot X2 model, is extremely easy to exploit and arises from a bad Bluetooth connector and a faulty PIN system used to safeguard the video feed.
Security researcher Dennis Giese, a subject matter expert on hacking smart home appliances, released a report earlier this year detailing multiple exploitable flaws in a long list of Ecovacs products. The most critical of the flaws found by Giese, and likely the one exploited in this case, appears in the robot vacuums and can help an attacker gain unfettered access to vulnerable devices from hundreds of meters away via Bluetooth. Once the attacker gains access, they can move outside of Bluetooth range and need not be anywhere close to the device to monitor the video feed delivered by the onboard camera. Giese revealed these findings publicly at a conference after being ignored when he reported them to Ecovacs.
“It could have been worse,” said one of the victims. Luckily for these people, the hackers responsible were impulsive and immature and loudly made their presence known, causing the victims to take action. A more mature, nefarious attacker would have silently kept spying on the victims and their families through their devices without them ever having the slightest clue.
This alarming incident highlights the critical importance of robust cybersecurity practices for smart home device manufacturers. Ecovacs’ failure to secure its Deebot X2 and other models shows how poorly implemented security measures, such as weak Bluetooth protocols and inadequate authentication, can lead to severe privacy invasions and potential harm to users. With increasingly interconnected homes, these vulnerabilities expose not only devices but also the lives of their owners to remote exploitation by malicious actors. As a result, it is imperative for companies to prioritize secure design and regular vulnerability assessments, and to promptly address any identified flaws. Without such proactive measures, smart home technology will remain a ripe target for cybercriminals, potentially leading to more severe breaches of privacy and safety.