Ecovacs smart robots found vulnerable to hacking, researchers warn at DEF CON

Published 15 Aug 2024

While smart home appliances make life more convenient, security researchers have raised concerns after discovering that Ecovacs smart vacuums and mowers can be hacked.

During the 32nd DEF CON hacker conference, held from August 8 to 11, experts Dennis Giese and Braelynn revealed that their analysis of Ecovacs robots found several security risks that can be exploited by malicious actors.

The two added that the products could be secretly hacked via Bluetooth to access microphones and cameras remotely for spying. The following smart vacuums and lawnmowers were tested:

  • Ecovacs Deebot 900 series
  • Ecovacs Deebot N8/T8
  • Ecovacs Deebot N9/T9
  • Ecovacs Deebot N10/T10
  • Ecovacs Deebot X1
  • Ecovacs Deebot T20
  • Ecovacs Deebot X2
  • Ecovacs Goat G1
  • Ecovacs Spybot Airbot Z1
  • Ecovacs Airbot AVA
  • Ecovacs Airbot ANDY

“Their security was really, really, really, really bad,” Giese told TechCrunch ahead of their presentation.

Potential hacking alert

Based on the researchers’ analysis, the main issue is that anyone with a phone could connect to the Ecovacs robots over Bluetooth. Once connected, they could take control of the robots from a distance of up to 425 feet (around 130 meters).

Because the vacuums and mowers are connected to the Internet via Wi-Fi, it is also possible to hack them from much greater distances.

“You send a payload that takes a second, and then it connects back to our machine. So this can, for example, connect back to a server on the internet. And from there, we can control the robot remotely,” explained Giese.

In addition, the Wi-Fi credentials and saved room maps can be read from the robot’s Linux operating system. The same goes for the cameras, microphones, and other key built-in features of the product.

Of the two product types, the researchers highlighted that robotic lawnmowers are more susceptible to hacking because their Bluetooth is active at all times. Vacuum robots, by contrast, have Bluetooth enabled only for 20 minutes after startup and once a day when they automatically reboot.

Moreover, since there is no hardware light or indicator warning users that the cameras and microphones are on, it is harder to tell when the devices have been turned into surveillance tools.

Likewise, models that play an audio file to signal that the camera is active offer little protection, since the warning can be defeated by simply removing the file.

More security concerns

The analysis of the Ecovacs robots also turned up other vulnerabilities.

For one, the data and authentication tokens stored on the mowers and vacuums remain on Ecovacs’ cloud servers even after the account is deleted. This means a previous owner could spy on whoever buys the robot secondhand.

The anti-theft mechanism is also unreliable, since the PIN needed to pick up the robot is stored on the device in plain text, where hackers could easily read it. On top of that, once one Ecovacs robot is hacked, other Ecovacs robots nearby can be hacked too.

The security researchers have reported these findings to Ecovacs but have not received a response from the Chinese technology company yet.

However, according to TechCrunch, an Ecovacs spokesperson said the firm would not fix the flaws found by the researchers, reassuring its clients that “they do not need to worry excessively about this.”