A recent research study has revealed that malicious hackers could exploit vulnerabilities in Ecovacs vacuum and lawn mower robots to spy on users by gaining access to the devices’ cameras and microphones.
Security researchers Dennis Giese and Braelynn are scheduled to present their findings at the Def Con hacking conference, where they will discuss the flaws in Ecovacs robots. Upon analyzing various Ecovacs products, the researchers discovered multiple issues that could be leveraged to hack the robots through Bluetooth, enabling remote activation of microphones and cameras.
In an interview with TechCrunch, Giese emphasized the poor security measures implemented by Ecovacs, stating, “Their security was really, really, really, really bad.”
The researchers reached out to Ecovacs to report the vulnerabilities but received no response from the company, so the flaws remain unaddressed and open to exploitation. Ecovacs did not provide any comment when approached by TechCrunch.
The primary vulnerability identified by the researchers allows anyone with a phone to connect to an Ecovacs robot via Bluetooth from up to 450 feet away and take control of it. Because the robots are also connected to the internet via Wi-Fi, a compromised robot can then be reached and controlled remotely.
Giese explained, “You send a payload that takes a second, and then it connects back to our machine. So this can, for example, connect back to a server on the internet. And from there, we can control the robot remotely.” This control grants access to Wi-Fi credentials, room maps, cameras, microphones, and other functionalities.
The researchers noted that while Bluetooth is constantly active in lawn mower robots, vacuum robots have Bluetooth enabled for 20 minutes upon startup and once daily during automatic reboot, making them slightly harder to hack.
Due to the presence of cameras and microphones in most newer Ecovacs robots, compromised devices could be utilized as espionage tools by hackers. The absence of any hardware indicators warning individuals of active cameras and microphones poses a significant privacy risk.
Giese revealed that although some models play an audio file every five minutes to alert users of active cameras, hackers can easily delete the file to remain undetected. “You can basically just delete or overwrite the file with the empty one. So the warnings are not playing anymore if you access the camera remotely,” he explained.
In addition to the Bluetooth flaws, Giese and Braelynn identified other concerns with Ecovacs devices. They found that data stored on the robots remains on Ecovacs cloud servers even after the user deletes their account. The authentication token also persists in the cloud, potentially allowing continued access to a robot after the account has been deleted, and enabling spying on the next owner if the device is sold secondhand. Moreover, the lawn mower robots have an anti-theft mechanism that requires a PIN before the robot can be handled manually, but the PIN is stored in plaintext inside the robot, where it can easily be read out, rendering the protection ineffective.
The researchers warned that once one Ecovacs robot is compromised, nearby devices within range are also vulnerable to hacking.
During their analysis, Giese and Braelynn reviewed the following Ecovacs devices: Ecovacs Deebot 900 Series, Ecovacs Deebot N8/T8, Ecovacs Deebot N9/T9, Ecovacs Deebot N10/T10, Ecovacs Deebot X1, Ecovacs Deebot T20, Ecovacs Deebot X2, Ecovacs Goat G1, Ecovacs Spybot Airbot Z1, Ecovacs Airbot AVA, and the Ecovacs Airbot ANDY.