Ecovacs Robots May Be Hacked for Surveillance, Researchers Raise Alarms

Recent research has revealed alarming security vulnerabilities in Ecovacs vacuum and lawn mower robots, highlighting significant risks associated with smart home technology. According to findings that will be presented by security researchers Dennis Giese and Braelynn at the Def Con hacking conference, malicious hackers could potentially take control of these devices, using them as surveillance tools to spy on their owners through the robots’ built-in cameras and microphones.

Giese and Braelynn conducted a detailed analysis of various Ecovacs products, uncovering multiple weaknesses that can be exploited via Bluetooth connections. They reported a particularly concerning vulnerability that allows unauthorized individuals to connect to Ecovacs robots from a distance of up to 450 feet (approximately 130 meters). Once hackers gain access to a device, they can exploit its Wi-Fi connection to remotely control it, turning the robot into a tool for espionage. Giese explained the ease with which an attacker can accomplish this: “You send a payload that takes a second, and then it connects back to our machine.” This capability enables hackers to access sensitive information, such as Wi-Fi credentials and stored room maps, and gain control over the robot’s microphone and camera.

The implications of such vulnerabilities are troubling. Many of the newer Ecovacs robots come equipped with cameras and microphones, allowing them to function as potential spying devices. Notably, there are no hardware indicators on these robots that signal when the cameras or microphones are activated. While some models are programmed to play an audio alert every five minutes when the camera is on, Giese pointed out that hackers could easily disable this feature by deleting or overwriting the audio file, effectively rendering the alerts useless.

Giese and Braelynn expressed their concerns about the lack of response from Ecovacs after they attempted to report these vulnerabilities. The researchers believe that the security flaws remain unaddressed and could be exploited by malicious actors, thereby endangering users’ privacy and safety.

In addition to the hacking risks, the researchers identified other significant security concerns related to Ecovacs devices. For instance, data stored on the robots continues to reside on Ecovacs’ cloud servers even after users delete their accounts. This retention of data poses a risk, particularly for individuals who may purchase the robots secondhand, as the authentication tokens remain accessible and could allow unauthorized access to the devices. Furthermore, although Ecovacs lawn mower robots have an anti-theft mechanism requiring a PIN for operation if the device is picked up, this PIN is stored in plaintext within the robot, making it vulnerable to discovery by hackers.

Another troubling aspect of the vulnerabilities is the potential for a domino effect; if one Ecovacs robot is compromised, it may enable attackers to hack other nearby Ecovacs devices. This interconnectedness raises concerns about the broader implications of smart home security, as a single compromised device could jeopardize the security of an entire network of connected devices.

The devices analyzed by the researchers include a range of models from the Ecovacs Deebot series, such as the Deebot 900 Series, N8/T8, N9/T9, N10/T10, X1, T20, and X2. Additionally, they examined the Ecovacs Goat G1, Spybot Airbot Z1, Airbot AVA, and Airbot ANDY. The findings from this research serve as a critical reminder of the vulnerabilities inherent in smart home technology and the urgent need for manufacturers like Ecovacs to prioritize robust security measures. As smart devices become increasingly integrated into everyday life, ensuring user privacy and safety must be a paramount concern for both developers and consumers. This incident highlights the broader challenge of maintaining security in a rapidly evolving technological landscape, where the benefits of innovation must be balanced against the risks posed by malicious actors.