Security researchers have discovered several alarming security vulnerabilities in Ecovacs smart vacuums and lawn mowers.
The smart home trend hasn’t let up as all kinds of internet-connected devices continue to make home life more efficient and convenient. But what happens when these smart gadgets are hacked?
In a presentation at the Defcon hacking conference, security researchers showed that it’s possible for malicious actors to exploit the smart vacuums and mowers by Ecovacs to secretly hack their microphones and cameras for spying, as TechCrunch reports.
Ecovacs smart robots are frighteningly easy to hack
After analyzing several Ecovacs products, security researchers Dennis Giese and Braelynn found a number of problems that could be abused to remotely hack the robots via Bluetooth and secretly switch on their microphones and cameras.
According to the researchers, the main vulnerability is that the Ecovacs robots accept a Bluetooth connection from any nearby smartphone. Hackers could theoretically take control of the robots from a distance of up to 425 feet (130 meters), and once that’s done, they could potentially reach the robots from even greater distances, as the robots are also connected to the internet via Wi-Fi.
“Their security was really, really, really, really bad,” Giese said in an interview with TechCrunch before the talk. According to the security researchers, it’s also possible to read Wi-Fi login data and stored room maps as well as access microphones and cameras with little effort, all done directly via the robot’s Linux operating system.
Robot mowers are more vulnerable than robot vacuums
The security researchers clarified that the robotic lawn mowers are more vulnerable because their Bluetooth connections are always on, whereas the robotic vacuums only activate Bluetooth when first switched on and during an automatic restart once a day, for 20 minutes.
These smart devices have no hardware light or indicator to show that their cameras and/or microphones are on, which makes it hard to know if they’re spying.
Some models technically play an audio file every five minutes to indicate an active camera, but this can easily be disabled by hackers who know what they’re doing. “You can basically just delete the file or overwrite it with an empty file. The warnings are therefore no longer played if you access the camera remotely,” said Giese.
More security issues with Ecovacs robots
In addition to the above risks, the security researchers also identified other vulnerabilities.
For example, data stored on Ecovacs’ cloud servers is retained even after a user deletes their account, and that includes the authentication token. This means someone could sell their robot vacuum after deleting their account and still be able to spy on the next owner.
Another example is the anti-theft mechanism, which forces the user to enter a PIN whenever the robot is lifted. This feature has been implemented half-heartedly at best, as the PIN is stored on the device in plain text, making it trivial for anyone with access to the filesystem to read.
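To make the plaintext-PIN problem concrete, here is an added illustration (not Ecovacs’ code, and not taken from the researchers’ talk) of what a defender would expect instead: the PIN kept only as a salted PBKDF2 hash, verified in constant time, and wrapped in an attempt limit because a short numeric PIN has too few possibilities for hashing alone to protect it. All function and record names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed example: an anti-theft PIN stored two ways.
# The plaintext variant mirrors the flaw described in the article;
# the hashed variant is the hardened form a reviewer would expect.

def store_pin_plaintext(pin: str) -> dict:
    """Insecure: anyone who can read the config file learns the PIN."""
    return {"pin": pin}

def verify_pin_plaintext(record: dict, pin: str) -> bool:
    return record["pin"] == pin

def store_pin_hashed(pin: str, iterations: int = 200_000) -> dict:
    """Hardened: keep only a per-device random salt and a PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_pin_hashed(record: dict, pin: str) -> bool:
    """Recompute the digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def leaked_pin(record: dict):
    """What a reader of the stored record learns directly (None if nothing)."""
    return record.get("pin")

class LockoutVerifier:
    """Attempt limit around the hashed record. A 4-digit PIN has only
    10,000 values, so hashing slows offline guessing but cannot stop
    someone who can simply try PINs against the device; lock after
    a few failures and require an out-of-band reset."""

    def __init__(self, record: dict, max_attempts: int = 5):
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0

    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def verify(self, pin: str) -> bool:
        if self.locked():
            return False
        if verify_pin_hashed(self.record, pin):
            self.failures = 0
            return True
        self.failures += 1
        return False

if __name__ == "__main__":
    bad = store_pin_plaintext("1234")
    good = store_pin_hashed("1234")
    print("plaintext record reveals:", leaked_pin(bad))
    print("hashed record reveals:", leaked_pin(good))
    guard = LockoutVerifier(good, max_attempts=3)
    for guess in ("0000", "0001", "0002", "1234"):
        print(guess, "->", guard.verify(guess), "locked:", guard.locked())
```

The point of the attempt limit is the caveat a practitioner would raise: moving from plaintext to a hash removes the trivial read-it-off-disk leak, but a short PIN still needs rate limiting or lockout on the device itself.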
Incidentally, once an Ecovacs robot is compromised, other Ecovacs robots can be subsequently hacked if they’re within range.
The following devices were analyzed by the security researchers:
- Ecovacs Deebot 900 series
- Ecovacs Deebot N8/T8
- Ecovacs Deebot N9/T9
- Ecovacs Deebot N10/T10
- Ecovacs Deebot X1
- Ecovacs Deebot T20
- Ecovacs Deebot X2
- Ecovacs Goat G1
- Ecovacs Spybot Airbot Z1
- Ecovacs Airbot AVA
- Ecovacs Airbot ANDY
The researchers said they contacted Ecovacs to report the vulnerabilities but never received a response. The company also didn’t respond to an enquiry sent to them by TechCrunch.