Your robot vacuum cleaner decides that it’s tired of working and starts running after your pets while loudly pronouncing all kinds of insults and vulgarities. This is what has happened to a group of citizens in several cities in the United States, who experienced a curious version of the technological apocalypse in their homes last May.
A group of hackers managed to gain access to several Ecovacs brand robot vacuum cleaners, which are also sold in Spain, and control the machine as well as have access to the camera and microphone that these domestic robots incorporate.
They did this through a credential stuffing attack, and to the surprise of its owners, the hackers were able to speak into the device’s microphone, access which they used to swear and racially abuse, as well as control the robot’s movement at home and give it a scare some pet. “It sounded like a choppy radio signal or something like that,” “fragments of a voice could be heard,” says one of those affected.
Specifically, the affected devices were Ecovacs Deebot X2 models, robot vacuum cleaners similar to the Roomba, better known in Spain.
The security flaws that were used as vulnerabilities to access these devices have been known since 2023, when they were discussed in a presentation during the DEF CON cybersecurity conference. After this intervention, Ecovacs stated that they had already solved the problem.
However, as a recent ABC News report reveals, several Ecovacs models are still vulnerable, and can be hacked and their camera accessed, recording everything that happens in the home without emitting the camera activation warning sound. The fisheye format of their cameras also allows the hacker to record the faces of their owners.
Via Bluetooth
In this ABC News report, a researcher manages to exploit a vulnerability through Bluetooth, having to be at least within a 100-meter radius of the robot vacuum cleaner. That is, the cybercriminal must be physically nearby. Once gaining access to the machine, cybercriminals could obtain data from devices connected to the WiFi network, as well as access home maps stored on the robot.
From the Chinese vacuum cleaner manufacturer, they have indicated that they will release a firmware update no later than this November to solve the problem in the Ecovacs Deebot of clients. The Ecovacs X2 sell for over $2,000.
Although researchers Dennis Giese and Braelynn Luedtke tried to access robotic lawn mowers of the same brand last August, controlling these machines was more difficult because they restart every night. The models studied are: Ecovacs Deebot 900 Series, Ecovacs Deebot N8/T8, Ecovacs Deebot N9/T9, Ecovacs Deebot N10/T10, Ecovacs Deebot X1, Ecovacs Deebot T20, Ecovacs Deebot X2, Ecovacs Goat G1, Ecovacs Spybot Airbot Z1, Ecovacs Airbot AVA, and the Ecovacs Airbot ANDY.
