Ecovacs home robots can be hacked to spy on their owners, researchers say

Date:

Share post:


Malicious hackers can take over control of vacuum and lawn mower robots made by Ecovacs to spy on their owners using the devices’ cameras and microphones, new research has found.

Security researchers Dennis Giese and Braelynn are due to speak at the Def Con hacking conference on Saturday detailing their research into Ecovacs robots. When they analyzed several Ecovacs products, the two researchers found a number of issues that can be abused to hack the robots via Bluetooth and surreptitiously switch on microphones and cameras remotely. 

“Their security was really, really, really, really bad,” Giese told TechCrunch in an interview ahead of the talk.

The researchers said they reached out to Ecovacs to report the vulnerabilities but never heard back from the company, and believe the vulnerabilities are still not fixed and could be exploited by hackers. 

Ecovacs did not respond to requests for comment from TechCrunch. 

The main issue, according to the researchers, is that there is a vulnerability that allows anyone using a phone to connect to and take over an Ecovacs robot via Bluetooth from as far away as 450 feet (around 130 meters). And once the hackers take control of the device, they can connect to it remotely because the robots themselves are connected via Wi-Fi to the internet.

“You send a payload that takes a second, and then it connects back to our machine. So this can, for example, connect back to a server on the internet. And from there, we can control the robot remotely,” said Giese. “We can read out to Wi-Fi credentials, we can read out all the [saved room] maps. We can, because we’re sitting on the operation of the robot’s Linux operating system. We can access cameras, microphones, whatever.” 

A dog seen through a hacked Ecovacs device.
Image Credits: Dennis Giese and Braelynn

Giese said that the lawn mower robots have Bluetooth active at all times, while the vacuum robots have Bluetooth enabled for 20 minutes when they switch on, and once a day when they do their automatic reboot, which makes them a bit harder to hack.

Because most of the newer Ecovacs robots are equipped with at least one camera and a microphone, once the hackers have control of a compromised robot, the robots can be turned into spies. The robots have no hardware light or any other indicator that warns people nearby that their cameras and microphones are on, according to the researchers. 

On some models there is, in theory, an audio file that gets played every five minutes saying the camera is on but hackers could easily delete the file and stay stealthy, Giese said. 

“You can basically just delete or overwrite the file with the empty one. So the warnings are not playing anymore if you access the camera remotely,” said Giese.

Apart from the risk of hacking, Giese and Braelynn said they found other problems with Ecovacs devices.

Among the issues, they said: The data stored on the robots remains on Ecovacs’ cloud servers even after deleting the user’s account; the authentication token also remains on the cloud, allowing someone to access a robot vacuum after deleting their account and potentially allowing them to spy on the person who may have purchased the robot secondhand. Also, the lawn mower robots have an anti-theft mechanism that forces someone to enter a PIN if they pick up the robot, but the PIN is stored in plaintext inside the lawn mower so a hacker could easily find it and use it.  

The researchers said that once an Ecovacs robot is compromised, if the device is in range of other Ecovacs robots, those devices can be hacked, too. 

Giese and Braelynn said they analyzed the following devices: Ecovacs Deebot 900 Series, Ecovacs Deebot N8/T8, Ecovacs Deebot N9/T9, Ecovacs Deebot N10/T10, Ecovacs Deebot X1, Ecovacs Deebot T20, Ecovacs Deebot X2, Ecovacs Goat G1, Ecovacs Spybot Airbot Z1, Ecovacs Airbot AVA, and the Ecovacs Airbot ANDY.



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

OpenAI’s GPT-5 reportedly falling short of expectations

OpenAI’s efforts to develop its next major model, GPT-5, are running behind schedule, with results that don’t...

OpenAI announces new o3 model — but you can’t use it yet

Welcome back to Week in Review. This week, we’re looking at OpenAI’s last — and biggest —...

Google pushes back against DOJ’s ‘interventionist’ remedies in antitrust case

Google has offered up its own proposal in a recent antitrust case that saw the US Department...

If climate tech is dead, what comes next?

Humans have an innate desire to name things, but to be honest, we’re not always that good...

Hollywood angels: Here are the celebrities who are also star VCs

Becoming a venture capitalist has become the latest status symbol in Hollywood.  Everyone these days, from Olivia Wilde...

Meet Skyseed, a VC fund and incubator backing the Bluesky and AT Protocol ecosystem

On November 15, Peter Wang posted a message requesting ideas for a new incubator and fund to...

Sam Altman disputes Marc Andreessen’s description of AI meetings with Biden administration

Famed investor Marc Andreessen recently talked about meetings with Biden administration staff who gave him the impression...

EV startup Canoo places remaining employees on a ‘mandatory unpaid break’

Struggling electric van startup Canoo has placed its remaining employees on what it’s calling a “mandatory unpaid...