Ecovacs robot vacuums are being hacked - accessing video and microphone

Subject: Ecovacs robot vacuums are being hacked - accessing video and microphone
From: mummycullen (at) *nospam* gmail-dot-com.no-spam.invalid (MummyChunk)
Groups: misc.news.internet.discuss
Date: 11 Oct 2024, 14:25:04
Message-ID: <ZxednZgFq8-tupT6nZ2dnZfqn_idnZ2d@giganews.com>
User-Agent: newsSync 675840953

Robot vacuums in multiple US cities were hacked in the space of a few
days, with the attacker physically controlling them and yelling
obscenities through their onboard speakers.

The affected robots were all Chinese-made Ecovacs Deebots.

Minnesota lawyer Daniel Swenson was watching TV when his robot started
to malfunction.

"It sounded like a broken-up radio signal or something," he
told the ABC. "You could hear snippets of maybe a voice."

Through the Ecovacs app, he saw that a stranger was accessing its live
camera feed and remote control feature.

Dismissing it as some kind of glitch, Mr Swenson reset his password,
rebooted the robot and sat back down on the couch beside his wife and
13-year-old son.

Almost straight away, it started to move again.

This time, there was no ambiguity about what was coming out of the
speaker. A voice was yelling racist obscenities, loud and clear, right
in front of Mr Swenson's son.

"F*** n******s," screamed the voice, over and over again.

"I got the impression it was a kid, maybe a teenager
[speaking]," said Swenson. "Maybe they were just jumping
from device to device messing with families."

The second time around, he turned it off.

It could have been worse

Mr Swenson kept his robot vacuum on the same floor as the family's
master bathroom.

"Our youngest kids take showers in there," he said. "I
just thought of it catching my kids or even me, you know, not
dressed."

Despite the slurs, Mr Swenson was glad that the hackers had announced
their presence so loudly.

It would have been much worse, he said, if they had decided to quietly
observe his family inside their home.

They could've peered through his robot's camera, and listened through
the microphone, without him having the slightest clue.

"It was shock," he said. "And then it was like almost
fear, disgust."

While his son didn't quite grasp the "creepiness" of the
encounter, Mr Swenson was taking no chances.

He took the device to the garage, and never switched it on again.

Robots hacked in multiple cities

Multiple people, all based in the US, have reported similar hacking
incidents within days of each other.

On May 24, the same day that Mr Swenson's device was hacked, a Deebot
X2 went rogue, and chased its owner's dog around their Los Angeles
home.

The robot was being steered from afar, with abusive comments coming
through the speakers.

Five days later, another device was infiltrated.

Late at night, an Ecovacs robot in El Paso started spewing racial
slurs at its owner until he unplugged it.

It is unclear how many of the company's devices were hacked in total.

Six months earlier, security researchers had attempted to notify
Ecovacs of significant security flaws in its robot vacuums and the app
that controls them.

The most severe was a flaw in the Bluetooth connector, which allowed
complete access to the Ecovacs Deebot from over 100 metres away.

Given the distributed nature of the attacks, this vulnerability is
unlikely to have been exploited in this case.

The PIN code system protecting the robot's video feed and remote
control feature was also known to be faulty, and the warning sound
that is meant to play when the camera is being watched was able to be
disabled from afar.

These security issues could explain how attackers took control of
multiple robots in separate locations, and how they could've silently
surveilled their victims once they'd gotten in.

In the days following the incidents with his Ecovacs robot vacuum,
Daniel Swenson made a complaint to the company.

After some back and forwards with support staff, he received a call
from a senior Ecovacs employee based in the US.

"He must've said three or four times that I should have a video
of what happened.

"Each time I told him: 'yeah, that would be great, but I was more
focused on the fact that a hacked robot was in the middle of my living
room watching us and possibly recording us'."

The employee seemed to disbelieve what he was saying, Mr Swenson says,
despite multiple other owners having reported similar attacks around
the same time.

"Was this an effort to discourage me from pursuing my
complaints?" he asks.

Following this call, he was informed that a "security
investigation" had been conducted.

"Your Ecovacs account and its password have been acquired by an
unauthorised person," a company representative told him via
email.

They also said the company's technical team had identified the
culprit's IP address, and disabled it to prevent further access.

In a later email, they told him there was "a high possibility
that your Ecovacs account was affected by a 'credential stuffing'
cyberattack."

This is when someone re-uses the same username and password on
multiple websites, and the combination is stolen in a separate cyber
attack.

The company told the ABC it "found no evidence" that the
accounts were hacked through "any breach of Ecovacs'
systems".

Even if Mr Swenson had used the same username and password on other
sites, and if those credentials had been leaked online, that still
should not have been enough to access the video feed or to control the
robot remotely.

These features are supposed to be protected by a four-digit PIN.

However, a pair of cybersecurity researchers had revealed that it
could be bypassed at a hacking conference back in December 2023.

Dennis Giese and Braelynn Luedtke said on stage that it was based on
an "honour system".

The PIN code was only checked by the app, rather than by the server or
robot, which means that anyone with the technical know-how could
bypass the check completely.

They had warned Ecovacs about the problem ahead of going public with
the exploit.

An Ecovacs spokesperson said this flaw has now been fixed; however, Mr
Giese told the ABC that the company's fix was insufficient to plug the
security hole.

The spokesperson also said the company "sent a prompt email"
instructing customers to change their passwords following the
incident.

Ecovacs said it would issue a security upgrade for owners of its
Deebot vacuum in November.

Mr Swenson said that he was not informed of the PIN code issue in any
of his communications with Ecovacs.

"I asked them if this was a known thing," he said. "If
it had happened to other people."

"They just act shocked, like it hadn't happened."

Ecovacs statement to ABC News
11 October 2024

Ecovacs does not provide public comment on individual consumer
situations out of respect to the privacy of our consumers.

Ecovacs conducted a thorough internal investigation at the end of May
2024 and found no evidence to suggest that any usernames and passwords
were obtained by unauthorised third parties as a result of any breach
of Ecovacs systems. This investigation also identified a credential
stuffing event, in which a third party attempted to use email
addresses and passwords to try to gain access to Ecovacs customer
accounts. There were significantly more attempts to log in than the
average daily amount, by a factor of 90:1. These all came from the same
IP address, which was identified as coming from both an unusual device
and an unusual location. This IP address was immediately blocked.

To keep consumers fully updated and stress the importance of changing
their security protocols, Ecovacs sent a prompt email to customers on
May 31-June 1 to change their account passwords.

Ecovacs takes its responsibility around security and data extremely
seriously, it is a process undertaken with both internal and external
industry experts, and we have implemented significant measures in this
area, including in recent months, and will continue to do so on an
ongoing basis. This includes improving the Remote Live Video PIN
bypass issue, which is now resolved. To further enhance security, an
Over-the-air (OTA) firmware update will be made available in the
second week of November 2024 specifically for the X2 series. No other
models in Australia are affected.

ECOVACS has always prioritised product and data security, as well as
the protection of consumer privacy. We assure customers that our
existing products offer a high level of security in daily life, and
that consumers can confidently use ECOVACS products.

It is also important for consumers to implement their own steps to
improve their level of personal online security, including strong
passwords, unique passwords not used for multiple purposes, and to
strengthen their Wi-Fi security.

More guidance can be found here:
https://www.ecovacs.com/au/blog/robot-vacuum-privacy-concerns

- Strengthen Wi-Fi Security
- Set Strong Passwords
- Regular Software Updates
- Suspicious Activity Notifications
- Factory Reset

Below is a PDF that shows in detail how the Ecovacs Deebot robot
vacuums are being accessed.

View the attachments for this post at:
http://www.jlaforums.com/viewtopic.php?p=675840953#675840953
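The PIN weakness the researchers describe in the article (the check living only in the app, an "honour system") is easiest to see beside the server-side form of the same check. The following is an added illustration written for this page; it is not Ecovacs code nor the researchers' proof-of-concept. The account record, the function names, the use of PBKDF2 for the stored PIN and the five-attempt lockout are all assumptions made for the example.

```python
"""Client-trusted vs server-verified access PIN for a robot's live video.

Added example, not Ecovacs code. Two cloud-side handlers are modelled:
  - trusting_start_video: believes the app's own "pin_verified" claim,
    so the PIN is never actually checked by the server or robot;
  - hardened_start_video: the server verifies the PIN against a salted
    hash and caps guesses, since a four-digit PIN has only 10,000 values.
"""
import hashlib
import hmac
import os
import secrets

MAX_PIN_ATTEMPTS = 5          # assumed lockout threshold for the example
PBKDF2_ITERATIONS = 100_000   # assumed work factor for the stored PIN hash


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 of the PIN; the server stores only this value."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class RobotAccount:
    """Server-side record for one robot (constructed for the example)."""

    def __init__(self, pin: str):
        self.pin_salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.pin_salt)
        self.failed_attempts = 0
        self.locked = False


def issue_video_session() -> str:
    """Opaque token the robot would accept before streaming video."""
    return secrets.token_hex(16)


def trusting_start_video(account: RobotAccount, request: dict):
    """Weak pattern: the app reports whether it verified the PIN and the
    server takes its word. Nothing in the request proves the PIN was known,
    so the check only protects against an unmodified client."""
    if request.get("pin_verified") is True:
        return issue_video_session()
    return None


def hardened_start_video(account: RobotAccount, pin_attempt: str):
    """Hardened pattern: the server checks the PIN itself, in constant time,
    and locks the feature after too many wrong guesses."""
    if account.locked:
        return None
    candidate = hash_pin(pin_attempt, account.pin_salt)
    if hmac.compare_digest(candidate, account.pin_hash):
        account.failed_attempts = 0
        return issue_video_session()
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_PIN_ATTEMPTS:
        # Owner must unlock through a stronger factor; the PIN alone is
        # too small a space to leave open to unlimited guessing.
        account.locked = True
    return None


if __name__ == "__main__":
    acct = RobotAccount("4827")   # constructed PIN for the demo
    # The trusting handler grants a session on a bare claim, no PIN needed.
    print("trusting, claim only:", trusting_start_video(acct, {"pin_verified": True}) is not None)
    # The hardened handler needs the real PIN and counts failures.
    print("hardened, wrong PIN:", hardened_start_video(acct, "0000") is not None)
    print("hardened, right PIN:", hardened_start_video(acct, "4827") is not None)
```

The point for a reviewer of such a design is the second handler's shape: the decision is made with data the server holds (the stored hash and the attempt counter), not with a flag the client supplies, and the attempt cap matters because moving a four-digit PIN server-side without one only turns a bypass into a short brute-force.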
