In summary: your robot vacuum could be spying on you. Researchers have found Bluetooth security flaws in several Ecovacs autonomous cleaning devices that let an attacker take control of the camera-equipped robots and look into your home.
Security researchers Dennis Giese and Braelynn have identified a range of vulnerabilities in Ecovacs-branded robots that let an attacker hijack them over Bluetooth from up to 450 feet away. Once a robot is compromised, the attacker can make it open a connection over the internet, so physical proximity is needed only for the initial hijack; full remote access then works from anywhere. The researchers will present their findings at the upcoming DEF CON hacking conference.
“Their security measures were extremely inadequate,” Giese told DailyTech.
The core issue is a vulnerability that lets anyone within Bluetooth range connect to an Ecovacs robot. According to Giese, an attacker can quickly push a payload over that Bluetooth connection which makes the robot connect back to the attacker's computer. From there, the attacker instructs the robot to connect to a server on the internet, and that command-and-control server gives the attacker remote control of the hijacked robot without needing to stay nearby.
Once a robot is breached, the attacker can reach its cameras and microphones, its stored Wi-Fi credentials, the maps it has built of the home, and more. A compromised robot can also be used to attack other nearby Ecovacs devices. Worryingly, nothing visible indicates when the cameras and microphones are active; some models play an audio alert, but the attacker can simply disable it.
More than 10 vacuum and lawnmower models are impacted, including the Ecovacs Deebot 900 Series, Ecovacs Deebot N8/T8, and Ecovacs Deebot X1.
The researchers also found questionable data-handling practices: user data and authentication tokens remain on the company's cloud even after an account is deleted, so an attacker could potentially access a previously owned robot and spy on its new owner. Compounding the lapses, the lawnmower models store their anti-theft PIN in plain text on the device, so anyone who can read the device's storage can recover it directly.
Giese and Braelynn say they tried to disclose these issues to Ecovacs responsibly but received no response from the company. As of August 9, the vulnerabilities remain exploitable.
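The plain-text PIN finding is worth a closer look, because the obvious fix (hash it) only half solves the problem. The following is an added example, not code from the page or from Ecovacs firmware: it contrasts a plain-text PIN store with a hashed one, and then shows why a hashed 4-digit PIN is still recoverable by anyone who can dump the device's storage. The record layout, the PBKDF2 parameters, the lockout threshold and the sample PIN are all assumptions chosen for illustration; the real device's format is not described by the researchers' summary.

```python
import hashlib
import hmac
import os

# Added example, not Ecovacs code. Everything below (record layout, PBKDF2
# parameters, lockout threshold) is an assumption made for illustration.

PBKDF2_ITERATIONS = 50_000    # assumed; raise as far as the device CPU allows
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold for online guessing


def plaintext_store(pin: str) -> dict:
    """The weak pattern the researchers describe: whoever can read the
    device's storage recovers the PIN with no work at all."""
    return {"anti_theft_pin": pin}


def hashed_store(pin: str) -> dict:
    """Hardened store: keep only a salted PBKDF2-HMAC-SHA256 digest of the PIN,
    plus a counter used to lock out repeated wrong guesses via the device."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "salt": salt.hex(),
        "digest": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "failed_attempts": 0,
    }


def verify_pin(record: dict, candidate: str) -> bool:
    """Constant-time check of a PIN entered through the device's own interface.
    Once the lockout threshold is reached, even the correct PIN is refused;
    clearing that state must go through a separate recovery path."""
    if record["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
        return False
    expected = bytes.fromhex(record["digest"])
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    if hmac.compare_digest(expected, actual):
        record["failed_attempts"] = 0
        return True
    record["failed_attempts"] += 1
    return False


def brute_force_offline(record: dict, digits: int = 4):
    """The residual risk: an attacker holding a copy of the hashed record never
    talks to the device, so the lockout counter does not apply, and a PIN of a
    few digits has too little entropy for the hash to resist exhaustive search.
    Returns the recovered PIN, or None if no PIN of that length matches."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["digest"])
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        digest = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, record["iterations"])
        if hmac.compare_digest(digest, expected):
            return guess
    return None


if __name__ == "__main__":
    # Sample PIN chosen low so the offline search finishes in a few seconds.
    weak = plaintext_store("0042")
    print("plaintext record leaks:", weak["anti_theft_pin"])
    strong = hashed_store("0042")
    print("hashed record:", strong)
    print("online check, correct PIN:", verify_pin(strong, "0042"))
    print("online check, wrong PIN:", verify_pin(strong, "1234"))
    print("offline brute force of hashed record recovers:", brute_force_offline(strong))
```

The takeaway for a device like this: hashing removes the instant read-out from flash, and the lockout counter limits guessing through the device's own interface, but neither stops an attacker who copies the hashed record and searches all 10,000 (or 1,000,000) PINs offline. If the PIN must survive physical access, the verifier belongs in a secure element that enforces the attempt limit itself, or the PIN must be long enough that exhaustive search is impractical.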