Hackers hijack Ecovacs robot vacuums to shout racial slurs and chase pets — what you need to know
Robot vacuums were chasing pets and yelling obscenities
One of the handiest functions of smart home devices is the ability to check in on them remotely when you’re not at home. But remote access can create a significant security vulnerability, as demonstrated by a recent spate of hacks of a popular robot vacuum.
Over the space of a week in May, ABC News Australia reports, at least three Ecovacs Deebot X2 vacuums were hacked with reports of compromised robots in Minnesota, Texas and California. In each case, hackers were taking advantage of the onboard speaker, remote controls and camera to cause mischief.
One of the victims, Minnesota lawyer Daniel Swenson, was innocently watching TV when his vacuum sprung to life, according to the report. “It sounded like a broken-up radio signal or something,” he explained. “You could hear snippets of maybe a voice.”
After logging into the app, Swenson observed that a stranger was using the live camera feed and remote control feature. He changed the password and rebooted the robot, but this didn’t solve the problem for long. The robot began moving again, with a voice shouting racial slurs from the speaker in front of the family gathered on the couch.
Swenson speculates it was a teenager pranking devices remotely. “Maybe they were just jumping from device to device messing with families.”
Either way, he turned the robot off and relegated it to the garage — alarmed at the possibilities available to bad actors, if the hackers hadn’t noisily announced their presence, with the robot previously living on the same floor as the master bedroom.
"Our youngest kids take showers in there," he said. "I just thought of it catching my kids or even me, you know, not dressed."
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
On the same day Swenson moved his Ecovacs robot to the garage, ABC reports that another Deebot X2 was also behaving in a distressing manner — in this case, chasing a dog around an LA home while hackers shouted abusive comments over the built-in speakers. And then five days after that, another Ecovacs robot in El Paso started parroting racial slurs at the owners until it was unplugged.
ABC says it’s “unclear” how many Ecovacs devices have been hacked in total. The site had previously experimented with a Bluetooth hack of the company’s robot, successfully taking control of a nearby device, but given the wide geographical gap between the reported attacks, this appears to be a different vulnerability.
One known issue, exposed at a hacking conference back in 2023, was that the four-digit PIN protecting remote control and video was only checked by the app, rather than the robot itself or the server.
In a statement to ABC News [PDF], Ecovacs stated that this specific issue had been “resolved” and that another OTA firmware update will arrive “in the second week of November 2024” to “further enhance security.”
The company added that while there was “no evidence to suggest that any usernames and passwords were obtained by unauthorized third parties as a result of any breach of Ecovacs’ systems,” it had noticed “significantly more attempts to log-in than the average daily amount, by a factor of 90:1”. As these all came from the same “unusual” device and location, the attached IP address was “immediately blocked.”
“Ecovacs has always prioritised product and data security, as well as the protection of consumer privacy,” the company concludes. “We assure customers that our existing products offer a high level of security in daily life, and that consumers can confidently use Ecovacs products.”
Freelance contributor Alan has been writing about tech for over a decade, covering phones, drones and everything in between. Previously Deputy Editor of tech site Alphr, his words are found all over the web and in the occasional magazine too. When not weighing up the pros and cons of the latest smartwatch, you'll probably find him tackling his ever-growing games backlog. Or, more likely, playing Spelunky for the millionth time.