AI Incident Database

Report 4268

Associated Incidents

Incident 84216 Report
Reportedly Hacked AI-Powered Robot Vacuums Allegedly Used for Surveillance and Harassment

Hacked Ecovacs robot vacuums go berserk yelling racial slurs and chasing dogs
cybernews.com · 2024

Robot vacuum owners in multiple US cities have reported their devices being hacked. Strangers are accessing live camera feeds and remote control features, yelling slurs through the onboard speakers. Some robots went rogue, chasing dogs around the home, according to an investigation by ABC.

All the affected models were Chinese-made Ecovacs Deebot X2s, which currently retail at around $900. The company confirmed the vulnerability affecting some of its products.

According to the ABC report, the hacking spree spanned a few days in multiple US cities. Some users told ABC that their robots sounded like broken-up radio signals, and the Ecovacs app revealed that an attacker was accessing the live camera feed and remote control feature.

Despite resetting the password and rebooting the robot, the erratic behavior soon started again. The owners were shocked to find out that the robot could be used to silently spy on them for days.

Security researchers had previously notified Ecovacs of significant security flaws. One affected the Bluetooth connector, allowing complete access to the X2 model from over 100 meters away. Another faulty system was the PIN code protecting the robot's video feed and remote control feature.

Hackers managed to disable the warning sound that should play when the camera is being used.

Ecovacs told ABC it found no evidence that any owner accounts were hacked and no signs of any breach of Ecovacs' systems. However, cybersecurity researchers previously demonstrated how the four-digit PIN protecting the device could be bypassed, as it was only checked by the app rather than by the server or the robot.

Ecovacs issued a patch for this flaw. However, ABC sources said it was insufficient.

At the end of May 2024, Ecovacs identified a credential stuffing event when multiple login attempts came from the same IP address, which was immediately blocked.

The company plans to further enhance the security of the X2 series by issuing an over-the-air firmware update in November. Ecovacs noted that users should also take their own steps to improve their personal online safety, such as using strong and unique passwords and strengthening WiFi security.
