From thermostats and lighting to televisions, we’ve welcomed smart devices into our homes—but unfortunately, they can be surprisingly easy to hack. Robot vacuum cleaners are no exception, as Minnesota lawyer Daniel Swenson found out earlier this year when his own Ecovacs Deebot X2 robovacuum started spewing filth.
According to ABC News, the robovacuum hissed to life repeatedly to bellow racist obscenities even after Swenson changed his Ecovacs account password. The tirade was only silenced when Swenson switched off the device, and he’s kept it isolated in his family’s garage ever since.
This is just one of many incidents catalogued by ABC News; an El Paso resident was stunned when their Ecovacs sprang to life in the middle of the night to unload a torrent of racial slurs, while one LA homeowner’s dog was similarly terrorised by a hacked Ecovacs Deebot X2 Omni.
Many of these incidents took place in May earlier this year, but security researchers first warned Ecovacs about a slew of security vulnerabilities they found across a number of their robovacuum models as early as December 2023. Despite this, many end users reportedly received no communication about these issues from Ecovacs itself.
The device’s Bluetooth connector is one inroad for hackers, as ABC News found in its own investigation, connecting to an Ecovacs device from more than 100 metres away (and four floors up). However, needing to be physically close to the device suggests this was not the main exploit used in the widespread cyber attacks earlier this year. When Mr Swenson repeatedly reached out to Ecovacs via US-based support staff, he was eventually told his account was most likely subject to a “‘credential stuffing’ cyberattack.”
In a statement to TechCrunch, Ecovacs claimed: “Users can rest assured that they do not need to worry excessively about this,” as the highlighted security vulnerabilities are “extremely rare in typical user environments and require specialized [sic] hacking tools.”
Finally, Ecovacs responds to the researchers’ findings, saying it won’t fix the bugs. “Users can rest assured that they do not need to worry excessively about this,” Ecovacs said in a statement. (Including the whole statement here.) https://t.co/BvQLY00mQj (August 14, 2024)
ABC News’ own investigation begs to differ, claiming that it was able to access the camera and microphone of an Ecovacs X2 Omni via the Bluetooth exploit with nothing fancier than a smartphone (plus a little help from one of the security researchers who originally found the exploit, Dennis Giese).
Ecovacs has given assurances that a security update for the X2 model will be made available this November—but, as it stands, I’m still taking the robot vacuum cleaner off of my wishlist. Maybe while I’m at it I’ll get some duct tape and cover up my laptop’s integrated webcam too…