Hacked robo-vacuums chase owners, yell slurs
- Multiple customers reported hacked Ecovacs Deebot X2 robots
- Security experts researched cybersecurity flaws prior to incidents
- Upgrade incoming to machines, but some think it's too late
(NewsNation) — Robot vacuums manufactured by Ecovacs have gone rogue, with some customers reporting the tiny tech tools chased them around their homes and barraged them with profanities after being hacked.
Minnesota lawyer Daniel Swenson is one of those people. He told Australia Broadcast Network about an experience in May with his Deebot X2, the uniquely problematic model from the Chinese manufacturer.
“It sounded like a broken-up radio signal or something,” he told the outlet. “You could hear snippets of maybe a voice.”
Swenson checked the vacuum’s corresponding app, finding that someone other than him was accessing his robot’s remote control and live camera.
But resetting the password and rebooting the robot didn’t stop the intrusion. A voice, which Swenson said was “a kid, maybe a teenager,” started yelling out racial slurs and obscenities.
Swenson isn’t alone in this experience.
According to the ABC, the same model of robo-vacuum was commandeered remotely just days later, chasing a dog around its Los Angeles home and spewing profanities along the way. In El Paso, Texas, a vacuum yelled obscenities late into the night around the same timeframe.
A pair of security researchers had previously released a report on Ecovacs, dissecting the company’s security flaws and presenting their findings at a hacking conference in December 2023.
“Their security was really, really, really, really bad,” researcher Dennis Giese told TechCrunch in an interview.
According to the researchers, the main issue with the robot is its Bluetooth connectivity. Anyone with a phone that connects to the robot via Bluetooth can take over the tech from as far away as 450 feet. Once a connection is made, hackers can use the robot’s Wi-Fi connection to stay dialed into the machine.
“You send a payload that takes a second, and then it connects back to our machine. So this can, for example, connect back to a server on the internet. And from there, we can control the robot remotely,” said researcher Dennis Giese.
“We can read out the Wi-Fi credentials, we can read out all the [saved room] maps. We can, because we’re sitting on the operation of the robot’s Linux operating system, we can access cameras, microphones, whatever,” he added.
Another flaw in the security is the use of PINs to protect passwords and IDs, as Giese’s research revealed that the four-digit codes were only verified by the app, not the server or robot itself.
It’s a major flaw, and one that Ecovacs seems unwilling to own up to, according to customer testimonies.
When Swenson reached out about his experience, a spokesperson seemed doubtful of his account.
Ecovacs told the ABC it would issue a security upgrade for owners of its X2 series in November.
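The PIN flaw described above, where the four-digit code was verified only by the app, comes down to where the check is enforced. The Python below is an added example, not Ecovacs code or the researchers' code; the request fields (`pin_verified_by_app`, `pin`), the handler names and the lockout threshold are hypothetical.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # assumed lockout threshold, not a value from the article


def insecure_handler(request):
    # Flawed pattern: the app checked the PIN and the device trusts its claim.
    # A client that never ran the check can still set the flag.
    return "granted" if request.get("pin_verified_by_app") else "denied"


class PinGate:
    """Device-side PIN check; only a salted hash of the PIN is stored."""

    def __init__(self, pin):
        self._salt = os.urandom(16)
        self._digest = self._derive(pin)
        self._failures = 0

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def handle(self, request):
        # Client-supplied flags are ignored; only the PIN itself counts.
        if self._failures >= MAX_ATTEMPTS:
            return "locked"  # a four-digit space is small, so cap the guesses
        pin = request.get("pin")
        if isinstance(pin, str) and hmac.compare_digest(
            self._derive(pin), self._digest
        ):
            self._failures = 0
            return "granted"
        self._failures += 1
        return "denied"


def demo():
    claimed = {"pin_verified_by_app": True}  # constructed request carrying no PIN
    gate = PinGate("4821")                   # constructed sample PIN
    return {
        "insecure_claimed": insecure_handler(claimed),
        "gated_claimed": gate.handle(claimed),
        "gated_correct": gate.handle({"pin": "4821"}),
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to a cloud endpoint: whichever component holds the protected data has to perform the comparison itself and limit the number of guesses.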