Robot Vacuums Hacked To Spy On Their Owners


Critical vulnerabilities in Ecovacs robot vacuums let attackers turn the devices into tools for surveillance and harassment.

The findings, presented at the DEF CON 32 hacking conference by researchers Dennis Giese and Braelynn Luedtke, expose severe security flaws in Ecovacs’ popular Deebot models and in other Ecovacs products, and raise alarms about privacy risks in smart homes.

How Hackers Gain Access

The most serious flaws lie in the devices’ Bluetooth interface and their PIN-based authentication. An attacker does not need to be on the home network: the researchers connected to the vacuums over Bluetooth from up to 450 feet (about 137 meters) away.

Once connected, the attacker can bypass the PIN that is supposed to protect the device and its video feed. According to the researchers, the PIN is checked by the companion app rather than enforced by the robot or the cloud service, so a client that simply skips the check is granted full control.

This includes activating onboard cameras and microphones without the owner’s knowledge, effectively turning the vacuums into surveillance tools.
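The access-control failure described above, a device that trusts the client to have checked the PIN, is easy to model. The following is an added example, not Ecovacs code or code from the researchers; the class names, the request fields and the PIN 4821 are all made up. It contrasts a handler that accepts a client-asserted "PIN already verified" flag with one that verifies the PIN on the device itself, in constant time, and locks the interface after a few failures so a 4-digit PIN cannot be brute-forced over Bluetooth.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Constructed model of a robot's "start video stream" handler. The class and field
# names are hypothetical; this is not Ecovacs code and the PIN values are made up.


@dataclass
class StreamRequest:
    pin: str = ""          # the PIN the client actually presents to the device
    pin_ok: bool = False   # client-asserted "the app already verified the PIN" flag


class VulnerableRobot:
    """Anti-pattern: the device trusts the client's claim that the PIN was checked."""

    def start_stream(self, req: StreamRequest) -> bool:
        # Anyone who can speak the protocol (e.g. over Bluetooth) can just set pin_ok=True.
        return req.pin_ok


class HardenedRobot:
    """The device verifies the PIN itself: constant-time compare plus a failure lockout."""

    def __init__(self, pin: str, max_failures: int = 5, lockout_seconds: float = 60.0):
        self._pin = pin.encode()
        self._max_failures = max_failures
        self._lockout_seconds = lockout_seconds
        self._failures = 0
        self._locked_until = 0.0

    def is_locked(self, now: float) -> bool:
        return now < self._locked_until

    def start_stream(self, req: StreamRequest, now: Optional[float] = None) -> bool:
        # `now` is injectable so the lockout can be exercised without sleeping.
        now = time.monotonic() if now is None else now
        if self.is_locked(now):
            return False                         # locked out: refuse without comparing
        if hmac.compare_digest(req.pin.encode(), self._pin):
            self._failures = 0
            return True                          # correct PIN presented to the device
        self._failures += 1
        if self._failures >= self._max_failures:
            self._failures = 0
            self._locked_until = now + self._lockout_seconds
        return False                             # req.pin_ok is never consulted


def guesses_before_lockout(robot: HardenedRobot, start: float = 0.0) -> int:
    """Count how many wrong 4-digit PINs an attacker can try before the device locks."""
    tried = 0
    for guess in range(10000):
        if robot.start_stream(StreamRequest(pin=f"{guess:04d}"), now=start + tried):
            return tried                         # only on a lucky hit before lockout
        tried += 1
        if robot.is_locked(start + tried):
            break
    return tried


if __name__ == "__main__":
    forged = StreamRequest(pin="", pin_ok=True)
    print("vulnerable device streams on forged flag:", VulnerableRobot().start_stream(forged))
    hardened = HardenedRobot("4821", max_failures=5)
    print("hardened device streams on forged flag:", hardened.start_stream(forged, now=0.0))
    print("guesses before lockout:", guesses_before_lockout(HardenedRobot("4821")))
```

The point of the hardened version is not the constant-time comparison by itself but where the check lives: the robot (or the cloud service that relays the stream) must decide, because the app and the Bluetooth link are under the attacker's control. The lockout turns 10,000 possible PINs from a few minutes of guessing into something impractical.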

The researchers also showed that the audio announcement the vacuum plays when its camera is active can be silenced by replacing the localized sound files stored on the device, which the firmware does not check for tampering.

With the warning gone, the owner gets no indication that the camera is on. Because the device streams video and audio through the vendor’s cloud service (AWS Kinesis), an attacker who has taken control can watch and listen from anywhere in the world, not only while in Bluetooth range.
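The sound-file replacement works because the device plays whatever file sits at the expected path. The check below is an added example of the mitigation, not Ecovacs firmware: the expected SHA-256 digests of the safety-critical audio files are treated as part of the firmware image (which secure boot is assumed to have verified), and the camera is refused if any warning sound is missing or differs from what shipped. The asset names and bytes are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict

# Constructed example, not Ecovacs firmware. The "assets" are placeholder bytes standing
# in for the localized camera announcements; their SHA-256 digests are computed here at
# import time as a stand-in for values compiled into a firmware image that secure boot
# is assumed to have verified.

SAMPLE_ASSETS: Dict[str, bytes] = {
    "sounds/en/camera_on.wav": b"RIFF\x00placeholder: 'camera is now on'",
    "sounds/en/camera_off.wav": b"RIFF\x00placeholder: 'camera is now off'",
}
EXPECTED_DIGESTS: Dict[str, str] = {
    name: hashlib.sha256(data).hexdigest() for name, data in SAMPLE_ASSETS.items()
}


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large audio assets are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_assets(root: str, expected: Dict[str, str]) -> Dict[str, str]:
    """Return {asset: 'missing' | 'modified'} for every asset that fails; empty means intact."""
    problems: Dict[str, str] = {}
    for name, want in expected.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            problems[name] = "missing"
        elif not hmac.compare_digest(sha256_file(path), want):
            problems[name] = "modified"
    return problems


def camera_may_start(root: str) -> bool:
    """Policy: refuse to enable the camera unless every warning sound is the one that shipped."""
    return not verify_assets(root, EXPECTED_DIGESTS)


def write_assets(root: str, tampered: bool = False, missing: bool = False) -> None:
    """Lay out the sample assets; optionally simulate an attacker silencing or deleting one."""
    for name, data in SAMPLE_ASSETS.items():
        path = os.path.join(root, name)
        if name.endswith("camera_on.wav"):
            if missing:
                continue                              # attacker deleted the announcement
            if tampered:
                data = b"RIFF\x00placeholder: silence"  # same filename, no audible warning
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo(tampered: bool = False, missing: bool = False) -> bool:
    """Build a throwaway asset tree and report whether the camera would be allowed to start."""
    with tempfile.TemporaryDirectory() as root:
        write_assets(root, tampered=tampered, missing=missing)
        return camera_may_start(root)


if __name__ == "__main__":
    print("intact assets, camera allowed:", demo())
    print("silenced announcement, camera allowed:", demo(tampered=True))
    print("deleted announcement, camera allowed:", demo(missing=True))
```

Two caveats matter in practice. The digest table must not live on the same writable partition as the sound files, or whoever can replace the audio can rewrite the table too; it belongs in the signed firmware image, or in a manifest whose signature is checked against a key the attacker cannot change. And the check has to run every time the camera is enabled, not just at boot, since the attacker in this story gains access to a device that is already running.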

(Image: PIN code for securing the video feed from an Ecovacs robot vacuum)

Several high-profile incidents have already highlighted the dangers of these vulnerabilities:

– In Minnesota, a lawyer reported that his Deebot X2 vacuum began broadcasting racial slurs through its speakers after being hacked. The attacker also accessed the vacuum’s live camera feed, forcing the family to unplug the device permanently.

– In Los Angeles, a hacked vacuum chased a pet dog while spewing offensive language. Similarly, another device in El Paso harassed its owner until it was disconnected.

– In Australia, a demonstration by ABC News showed how a reporter remotely hacked into an Ecovacs vacuum from a park across the street. The reporter controlled the device’s camera and microphone to spy on a user making coffee in his office kitchen.

These incidents point to a broader problem. Today’s robot vacuums are full-fledged Linux-based computers with cameras, microphones, and network connectivity, which makes them attractive targets not just for individual harassers but for malware. A single compromised vacuum sits on the home network alongside other devices and could serve as a launchpad for infecting them.

Robot Worm

Theoretically, hackers could develop a network worm designed to target and infect robot vacuums. Such a worm could exploit common vulnerabilities across different models or brands, allowing it to spread rapidly and autonomously.

This scenario resembles past large-scale IoT attacks such as the Mirai botnet in 2016, which leveraged hundreds of thousands of compromised IoT devices to launch devastating DDoS attacks.

Devices Affected

The vulnerabilities affect multiple Ecovacs models, including but not limited to:

  • Deebot 900 Series
  • Deebot X1/X2
  • Deebot N8/T8 and N9/T9
  • Goat G1 lawnmower robots
  • Spybot Airbot Z1 and other Airbot models

The affected devices carry advanced hardware such as cameras, microphones, LiDAR sensors, and AI-powered navigation.

Those same components, built in for convenience and functionality, are what make a compromised unit such a capable surveillance platform.

Despite being informed of these vulnerabilities as early as December 2023, Ecovacs has been criticized for its inadequate response.

Researchers claim that many issues remain unresolved despite some firmware updates. The company initially downplayed the risks, attributing incidents to “credential stuffing” attacks rather than systemic flaws in their devices.

Ecovacs has since promised security upgrades for affected models but has yet to implement comprehensive fixes.

Meanwhile, experts recommend that users take immediate precautions, such as disconnecting the devices from the internet when not in use and applying firmware updates as they become available. Note that the Bluetooth entry point does not depend on the vacuum being online, so cutting its Wi-Fi limits remote streaming but does not close the local attack surface; powering the device off when it is not in use does.

The revelations about Ecovacs’ security flaws highlight broader concerns about IoT device vulnerabilities. As smart home technology becomes more prevalent, ensuring robust security measures is crucial to protect user privacy.

Researchers emphasize that manufacturers must prioritize encryption, secure authentication protocols, and regular vulnerability assessments.
