The surge in smart home technology shows no signs of slowing down, with a plethora of internet-connected devices designed to make life at home more efficient and convenient. However, this convenience comes with a downside: what happens if these smart gadgets are hacked?
During a presentation at the Defcon hacking conference, security researchers revealed the unsettling possibility of malicious actors exploiting Ecovacs smart vacuums and mowers to gain unauthorized access to their microphones and cameras, turning these devices into tools for spying.
Ecovacs Smart Robots: Alarmingly Vulnerable
After conducting a detailed analysis of several Ecovacs products, security experts Dennis Giese and Braelynn uncovered multiple vulnerabilities that could be exploited to remotely hack these robots via Bluetooth, enabling the clandestine activation of their microphones and cameras.
The core issue, according to the researchers, lies in the fact that Ecovacs robots allow any smartphone owner to connect to them. This flaw could enable hackers to take control of the devices from as far as 425 feet (130 meters) away. Once connected, the hackers could potentially maintain control from even greater distances, as the robots are connected to the internet via Wi-Fi.
“Their security was really, really, really, really bad,” Giese remarked, emphasizing the ease with which hackers could access sensitive data such as Wi-Fi credentials and stored room maps, and even control the microphones and cameras, all through the robot’s Linux-based operating system.
Robot Mowers: More Exposed than Robot Vacuums
The researchers pointed out that robotic lawn mowers are particularly vulnerable because their Bluetooth connections remain active at all times, unlike robotic vacuums, which only activate Bluetooth upon startup and once daily for a brief 20-minute period during automatic restarts.
These devices also lack any hardware indicator, such as a light or signal, to show when their cameras or microphones are active, making it difficult for users to detect if they’re being spied on.
Although some models are programmed to play an audio file every five minutes to signal an active camera, this feature can be easily disabled by knowledgeable hackers. “You can basically just delete the file or overwrite it with an empty file. The warnings are therefore no longer played if you access the camera remotely,” explained Giese.
Additional Security Flaws in Ecovacs Robots
Beyond the immediate risks, the researchers identified further vulnerabilities in Ecovacs robots.
For instance, data stored on Ecovacs’ cloud servers remains even after a user deletes their account, including the authentication token. This means someone could sell their robot vacuum after deleting their account and still have the ability to spy on the new owner.
Another flaw is found in the anti-theft mechanism, which requires the user to enter a PIN whenever the robot is lifted. Unfortunately, this feature is poorly implemented, as the PIN is stored in plain text, making it easily accessible to hackers.
Moreover, once an Ecovacs robot is compromised, other Ecovacs devices within range can also be hacked.
The following devices were analyzed by the security researchers:
- Ecovacs Deebot 900 series
- Ecovacs Deebot N8/T8
- Ecovacs Deebot N9/T9
- Ecovacs Deebot N10/T10
- Ecovacs Deebot X1
- Ecovacs Deebot T20
- Ecovacs Deebot X2
- Ecovacs Goat G1
- Ecovacs Spybot Airbot Z1
- Ecovacs Airbot AVA
- Ecovacs Airbot ANDY
The researchers reported these vulnerabilities to Ecovacs but have yet to receive a response from the company.