Pierluigi Paganini August 24, 2024

Recently, researchers warned vacuum and lawn mower robots made by Ecovacs could be hacked to spy on their owners, the company will fix it.

During the recent Def Con hacking conference, security researchers Dennis Giese and Braelynn explained that attackers can exploit flaws in vacuum and lawn mower robots made by Ecovacs to spy on their owners.

The researchers analyzed the following devices: Ecovacs Deebot 900 Series, Ecovacs Deebot N8/T8, Ecovacs Deebot N9/T9, Ecovacs Deebot N10/T10, Ecovacs Deebot X1, Ecovacs Deebot T20, Ecovacs Deebot X2, Ecovacs Goat G1, Ecovacs Spybot Airbot Z1, Ecovacs Airbot AVA, and the Ecovacs Airbot ANDY.

The experts discovered a set of flaws that could allow threat actors can take over devices’ cameras and microphones via Bluetooth. The experts pointed out that the robots have no light to indicate that their cameras and microphones are on. 

“Their security was really, really, really, really bad,” Giese told TechCrunch.

One of the issues discovered by the researchers in Ecovacs robots allows anyone within 450 feet to take control of the device via Bluetooth. Once the attackers have gained control over the device, they can remotely access the robot through its Wi-Fi connection. Then they can retrieve sensitive data like Wi-Fi credentials, saved room maps, and even access the cameras and microphones.

Giese explained that Ecovacs lawn mower robots have Bluetooth active constantly, while vacuum robots only have it enabled for 20 minutes after powering on and once a day during an automatic reboot, making them slightly harder to hack. Although some models theoretically play an audio alert every five minutes when the camera is on, hackers can easily delete this file, allowing them to operate undetected.

The two researchers also identified several other issues with Ecovacs devices. They discovered that data and authentication tokens remain on Ecovacs’ cloud servers even after a user deletes their account, which can allow unauthorized access to the robot vacuum and enable spying on individuals who purchase the device secondhand. Furthermore, the lawn mower robots feature an anti-theft PIN stored in plaintext within the device, an attacker can easily obtain and misuse it. Additionally, once an Ecovacs robot is compromised, it can potentially be used to hack other nearby Ecovacs robots.

Initially, an Ecovacs spokesperson told TechCrunch that the company would not address the vulnerabilities discovered by the researchers.

Weeks later, the vendor announced that it would fix the issues.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, vacuum robots)