TL;DR
- Multiple ECOVACS Deebot X2 robot vacuums were reportedly hacked in cities across the US.
- It’s claimed that the hacked robots did everything from yelling slurs at owners to chasing pets.
- Security researchers had notified the company that significant security flaws were found in its robots and the app that controls them.
Cybersecurity is not something to take lightly, and a new report about a smart home product perfectly highlights that point. Over the course of several days, multiple robot vacuums were hacked in cities across the US.
ABC News in Australia reports that hackers were able to take full control over robot vacs in multiple cities around the country. The hack allowed the attackers to yell racial slurs at owners, remotely control the device to chase after pets, and see through the vacuum’s camera. All of the affected robot vacuums were of the same make and model, the Chinese-made ECOVACS Deebot X2.
One report comes from a Minnesota lawyer named Daniel Swenson. In Swenson’s case, he was watching TV when he noticed his vacuum making weird noises, like a “broken-up radio signal or something.” Swenson told the outlet that he reset his password and rebooted the robot after seeing that a stranger was accessing the live camera feed and remote control feature. After he sat back down on the couch with his wife and 13-year-old son, the robot immediately started moving again and Swenson’s family could hear racist obscenities being spewed as clear as day.
“I got the impression it was a kid, maybe a teenager,” Swenson said. “Maybe they were just jumping from device to device messing with families.” The lawyer has since turned off the device and taken it to his garage where it remains powered down. Despite the creepiness of it all, Swenson says it could’ve been worse: the hacker could have quietly observed his family with no one the wiser. Swenson says he kept the robot on the same floor as the family’s master bathroom, adding that, “Our youngest kids take showers in there.”
The incident in Minnesota happened on May 24, the same day a Deebot X2 was hacked in Los Angeles and used to chase the owner’s dog. Another incident was reported in El Paso where, like in Minnesota, racial slurs were being hurled at the owner until it was unplugged.
It’s unclear how many Deebot X2s were hacked, but ECOVACS was reportedly warned by security researchers six months prior about serious security vulnerabilities in its robots and its app. The most severe flaw was in the Bluetooth connector, which could give someone complete access from over 300 feet away, although that is unlikely to be the cause of these incidents. In December 2023, security researchers Dennis Giese and Braelynn Luedtke also found an issue with the PIN code system protecting the camera feed. The PIN code was only checked by the app and not by a server or the robot, which means the check could be bypassed by anyone with the technical know-how.
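The difference between an app-only PIN prompt and a PIN verified by the robot or a server can be shown in a short sketch. This is an added example, not ECOVACS code or the researchers' work; the class names, the sample PIN and the lockout policy are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

class AppOnlyPinCamera:
    """Flawed design: the PIN prompt lives only in the app, so the
    device-side call never sees (or checks) a PIN."""
    def open_stream(self, pin=None):
        return "stream-session"  # granted to any caller that skips the prompt

class DeviceCheckedPinCamera:
    """Hardened design: the robot (or server) verifies the PIN itself."""
    MAX_FAILS, LOCK_SECONDS = 5, 300  # assumed lockout policy

    def __init__(self, pin):
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(pin)
        self._fails, self._locked_until = 0, 0.0
        self._sessions = set()

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def open_stream(self, pin, now=None):
        now = time.monotonic() if now is None else now
        if now < self._locked_until:
            raise PermissionError("locked out")
        ok = isinstance(pin, str) and hmac.compare_digest(
            self._derive(pin), self._hash)  # constant-time comparison
        if not ok:
            # A short PIN is guessable, so attempt limiting is the real control.
            self._fails += 1
            if self._fails >= self.MAX_FAILS:
                self._locked_until = now + self.LOCK_SECONDS
                self._fails = 0
            raise PermissionError("bad PIN")
        self._fails = 0
        token = secrets.token_urlsafe(32)
        self._sessions.add(token)
        return token

    def read_frame(self, token):
        # Video is released only against a session issued after a PIN check.
        if token not in self._sessions:
            raise PermissionError("no valid stream session")
        return b"<constructed frame>"
```

In the hardened version, the camera feed depends on a session token that only the device-side check can issue, so removing the prompt from the client gains nothing.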
ECOVACS was warned of this issue before the pair went public with the exploit. A spokesperson claims the vulnerability has been fixed, but Giese told ABC that the solution was insufficient.
According to the publication, ECOVACS plans on releasing a patch for the Deebot X2 in November. It’s also said the company has sent an email to customers prompting them to change their passwords.