Ecovacs Robots Vulnerable to Hacking, Allowing Cyber Spies to Take Control

Ecovacs, a popular manufacturer of vacuum and lawn mower robots, is facing a serious security threat. According to security researchers Dennis Giese and Braelynn, these robots can be hacked by malicious individuals, who can then use the devices’ cameras and microphones to spy on their owners. The researchers are scheduled to present their findings at the Def Con hacking conference.

Giese and Braelynn discovered several vulnerabilities in Ecovacs products that allow hackers to gain control of the robots remotely. The main issue is a vulnerability that enables anyone within a range of 450 feet to connect to and take over an Ecovacs robot via Bluetooth. Once control is established, the hackers can connect to the device remotely, because the robots are connected to the internet via Wi-Fi. This grants them access to cameras, microphones, and other functionalities of the robot.

The researchers emphasize that Ecovacs’ security measures are incredibly weak. Despite reaching out to the company to report the vulnerabilities, they received no response and believe that the issues remain unresolved, leaving the robots susceptible to exploitation by hackers. Ecovacs has not provided any comment on the matter.

The potential implications of these vulnerabilities are concerning. Since most of the newer Ecovacs robots are equipped with cameras and microphones, hackers can turn them into covert surveillance devices. What’s even more alarming is that the robots lack any hardware lights or indicators to alert users that they are being watched or listened to. Although some models have an audio file that is supposed to play every five minutes to indicate that the camera is on, hackers can easily delete or overwrite this file, allowing them to operate undetected.

Furthermore, Giese and Braelynn discovered additional issues with Ecovacs devices. They found that even after a user deletes their account, the data stored on the robots remains on Ecovacs’ cloud servers. This means that someone could potentially access a robot vacuum and spy on the person who previously owned it, even if they had deleted their account. Additionally, the PIN required to operate the lawn mower robots is stored in plaintext, making it easy for hackers to retrieve and misuse.

Another concerning aspect is that once one Ecovacs robot is compromised, other nearby robots within range can also be hacked. This increases the potential for widespread security breaches and invasions of privacy.

In their research, Giese and Braelynn assessed several Ecovacs models, including the Deebot 900 Series, Deebot N8/T8, Deebot N9/T9, Deebot N10/T10, Deebot X1, Deebot T20, Deebot X2, Goat G1, Spybot Airbot Z1, Airbot AVA, and Airbot ANDY.

These findings highlight the importance of manufacturers prioritizing cybersecurity in their smart home devices. It is crucial for companies like Ecovacs to promptly address vulnerabilities and strengthen their security measures to protect their customers’ privacy and prevent potential misuse of their products. Users should exercise caution when using these devices and consider the potential risks associated with their connectivity features.
