The popularity of smart home devices continues to rise, offering enhanced efficiency and convenience for everyday life. But what happens when these connected gadgets fall victim to hackers?
At the Defcon hacking conference, security experts demonstrated how hackers could exploit Ecovacs smart vacuums and mowers, turning them into surveillance tools by accessing their microphones and cameras.
The Insecurity of Ecovacs Smart Robots
In their research, Dennis Giese and Braelynn examined several Ecovacs products and discovered multiple vulnerabilities that could allow remote hacking via Bluetooth, enabling the unauthorized activation of the robots’ microphones and cameras.
The primary issue stems from the fact that Ecovacs robots are designed to let any smartphone connect to them over Bluetooth without authentication. This flaw could enable hackers to take control from up to 425 feet (130 meters) away. Once connected, the hackers could maintain access from even greater distances, as the robots also connect to the internet via Wi-Fi.
Giese bluntly described the security as “really, really, really, really bad,” noting that hackers could easily obtain Wi-Fi login information, room maps, and even access the microphones and cameras using the robot’s Linux operating system.
Vulnerabilities in Robot Mowers vs. Robot Vacuums
The researchers highlighted that robotic lawn mowers are more susceptible to hacking than their vacuum counterparts because their Bluetooth connections remain constantly active. In contrast, robotic vacuums only enable Bluetooth when they first power on and during a 20-minute period of automatic restart each day.
Moreover, these devices do not have any visual or audio indicators to show when their cameras or microphones are in use, making it difficult for users to detect unauthorized access.
While some models include a feature that plays an audio file every five minutes to indicate an active camera, hackers can easily disable this warning by deleting or replacing the audio file. “The warnings are therefore no longer played if you access the camera remotely,” said Giese.
Additional Security Concerns with Ecovacs Products
The researchers also found several other significant security concerns.
For instance, even after a user deletes their account, data stored on Ecovacs’ cloud servers, including the authentication token, remains. This means that if a user sells their robot vacuum, the previous owner could potentially spy on the new owner.
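The resale scenario above comes down to a cloud-side bookkeeping rule: a token must stop working the moment the account that earned it is deleted, and every token that can reach a robot must be revoked before the robot is enrolled by a new owner. The following Python sketch is an added illustration of that rule, not Ecovacs code; the TokenStore class, its method names and the in-memory dictionaries are assumptions made for the example.

```python
import hashlib
import secrets
import time


class TokenStore:
    """Hypothetical cloud-side token registry (constructed for this example).

    Only hashes of tokens are kept, and every token is indexed both by the
    account it was issued to and by the robot it is allowed to reach, so
    deleting an account or transferring a robot can revoke precisely the
    right set of tokens.
    """

    def __init__(self):
        self._tokens = {}      # token_hash -> (account, device, expires_at)
        self._by_account = {}  # account -> set of token hashes
        self._by_device = {}   # device  -> set of token hashes

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account, device, ttl_seconds=3600, now=None):
        # Short-lived token bound to one account and one robot.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        h = self._h(token)
        self._tokens[h] = (account, device, now + ttl_seconds)
        self._by_account.setdefault(account, set()).add(h)
        self._by_device.setdefault(device, set()).add(h)
        return token

    def verify(self, token, device, now=None):
        # Returns the owning account, or None if the token is unknown,
        # expired, revoked, or presented for a different robot.
        now = time.time() if now is None else now
        rec = self._tokens.get(self._h(token))
        if rec is None:
            return None
        account, bound_device, expires_at = rec
        if now >= expires_at or bound_device != device:
            return None
        return account

    def _revoke(self, hashes):
        for h in list(hashes):
            rec = self._tokens.pop(h, None)
            if rec is not None:
                account, device, _ = rec
                self._by_account.get(account, set()).discard(h)
                self._by_device.get(device, set()).discard(h)

    def delete_account(self, account):
        # Account deletion revokes every token the account ever received.
        self._revoke(self._by_account.get(account, set()))
        self._by_account.pop(account, None)

    def transfer_device(self, device, new_owner, now=None):
        # Change of ownership: kill every token that could reach this robot
        # before the new owner gets one, so the seller keeps nothing.
        self._revoke(self._by_device.get(device, set()))
        return self.issue(new_owner, device, now=now)


def demo():
    """Walk through deletion and resale with constructed accounts and a robot."""
    store = TokenStore()
    seller_token = store.issue("seller", "robot-1", now=0)
    before = store.verify(seller_token, "robot-1", now=10)
    buyer_token = store.transfer_device("robot-1", "buyer", now=20)
    after_sale = store.verify(seller_token, "robot-1", now=30)
    buyer_ok = store.verify(buyer_token, "robot-1", now=30)
    store.delete_account("buyer")
    after_delete = store.verify(buyer_token, "robot-1", now=40)
    return before, after_sale, buyer_ok, after_delete


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the seller's token working before the sale and failing afterwards, and the buyer's token dying with the buyer's account; the same design point applies to any credential the cloud hands out for a specific device.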
Additionally, the anti-theft feature, which requires a PIN when the robot is lifted, is flawed, as the PIN is stored in plain text, making it easily accessible to hackers.
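A plain-text PIN is readable by anyone who gets a shell on the robot, as the researchers describe. The snippet below, added here as an illustration rather than code from Ecovacs or the researchers, shows the usual alternative: keep only a salted, iterated hash of the PIN, compare in constant time, and lock out after repeated failures, because a four-digit space is small enough that throttling matters as much as hashing. The function names, the iteration count and the attempt limit are choices made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor chosen for the example
MAX_ATTEMPTS = 5       # lockout threshold chosen for the example


def enroll_pin(pin, salt=None):
    """Return the record that should be stored instead of the PIN itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "failures": 0}


def check_pin(record, candidate):
    """Verify a candidate PIN against the stored record.

    Refuses once the failure counter reaches MAX_ATTEMPTS, uses a
    constant-time comparison, and resets the counter on success.
    """
    if record["failures"] >= MAX_ATTEMPTS:
        return False  # locked out; an operator-level reset would be needed
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], ITERATIONS)
    if hmac.compare_digest(digest, record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


def stored_bytes(record):
    """What actually lands on disk: salt plus digest, never the PIN."""
    return record["salt"] + record["digest"]


if __name__ == "__main__":
    rec = enroll_pin("1234")  # constructed sample PIN
    print(check_pin(rec, "1234"), check_pin(rec, "0000"))
    print(stored_bytes(rec).hex())
```

Even with this scheme the PIN record still has to live in storage the robot's own Linux user space cannot simply read back, and the lockout counter has to survive reboots, otherwise a short PIN can be tried exhaustively.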
Furthermore, once one Ecovacs robot is compromised, other Ecovacs devices within range can also be hacked.
The security researchers analyzed the following devices:
- Ecovacs Deebot 900 series
- Ecovacs Deebot N8/T8
- Ecovacs Deebot N9/T9
- Ecovacs Deebot N10/T10
- Ecovacs Deebot X1
- Ecovacs Deebot T20
- Ecovacs Deebot X2
- Ecovacs Goat G1
- Ecovacs Spybot Airbot Z1
- Ecovacs Airbot AVA
- Ecovacs Airbot ANDY
Despite contacting Ecovacs about these vulnerabilities, the researchers have not received a response.