One of the handiest functions of smart home devices is the ability to check in on them remotely when you’re not at home. But remote access can create a significant security vulnerability, as demonstrated by a recent spate of hacks of a popular robot vacuum.
Over the space of a week in May, ABC News Australia reports, at least three Ecovacs Deebot X2 vacuums were hacked with reports of compromised robots in Minnesota, Texas and California. In each case, hackers were taking advantage of the onboard speaker, remote controls and camera to cause mischief.
One of the victims, Minnesota lawyer Daniel Swenson, was innocently watching TV when his vacuum sprung to life, according to the report. “It sounded like a broken-up radio signal or something,” he explained. “You could hear snippets of maybe a voice.”
After logging into the app, Swenson observed that a stranger was using the live camera feed and remote control feature. He changed the password and rebooted the robot, but this didn’t solve the problem for long. The robot began moving again, with a voice shouting racial slurs from the speaker in front of the family gathered on the couch.
Swenson speculates it was a teenager pranking devices remotely. “Maybe they were just jumping from device to device messing with families.”
Either way, he turned the robot off and relegated it to the garage — alarmed at the possibilities available to bad actors, if the hackers hadn’t noisily announced their presence, with the robot previously living on the same floor as the master bedroom.
"Our youngest kids take showers in there," he said. "I just thought of it catching my kids or even me, you know, not dressed."
On the same day Swenson moved his Ecovacs robot to the garage, ABC reports that another Deebot X2 was also behaving in a distressing manner — in this case, chasing a dog around an LA home while hackers shouted abusive comments over the built-in speakers. And then five days after that, another Ecovacs robot in El Paso started parroting racial slurs at the owners until it was unplugged.
ABC says it’s “unclear” how many Ecovacs devices have been hacked in total. The site had previously experimented with a Bluetooth hack of the company’s robot, successfully taking control of a nearby device, but given the wide geographical gap between the reported attacks, this appears to be a different vulnerability.
One known issue, exposed at a hacking conference back in 2023, was that the four-digit PIN protecting remote control and video was only checked by the app, rather than the robot itself or the server.
In a statement to ABC News [PDF], Ecovacs stated that this specific issue had been “resolved” and that another OTA firmware update will arrive “in the second week of November 2024” to “further enhance security.”
The company added that while there was “no evidence to suggest that any usernames and passwords were obtained by unauthorized third parties as a result of any breach of Ecovacs’ systems,” it had noticed “significantly more attempts to log-in than the average daily amount, by a factor of 90:1”. As these all came from the same “unusual” device and location, the attached IP address was “immediately blocked.”
“Ecovacs has always prioritised product and data security, as well as the protection of consumer privacy,” the company concludes. “We assure customers that our existing products offer a high level of security in daily life, and that consumers can confidently use Ecovacs products.”
