In brief: Your robot vacuum might be a secret spy. Researchers have exposed some scary Bluetooth security vulnerabilities in some autonomous cleaners and mowers, allowing hackers to hijack the camera-toting robots. They can then grant themselves an intimate front-row view into your home.
Security researchers Dennis Giese and Braelynn discovered a laundry list of vulnerabilities in Ecovacs-branded auto-cleaning robots that would let bad actors hijack the robots via Bluetooth from up to 450 feet away. Once they've got control, they can connect over the internet for complete remote access. The researchers will present their findings during this year's Def Con hacking conference.
"Their security was really, really, really, really bad," Giese told TechCrunch.
According to the report, the crux of the problem lies in a vulnerability that essentially leaves the door open for hackers to connect to an Ecovacs robot via Bluetooth. Giese elaborates that hackers can send a quick payload that instantly connects back to their computer. From there, the bad actors can command the compromised robot to connect back to a server over the internet. This command-and-control server grants the attacker remote control capabilities over the hijacked robot.
From that entry point, it's open season on the robot's cameras, mics, stored Wi-Fi credentials, mapped rooms, and more. The hacked bots can even propagate the attack to other nearby Ecovacs devices. Even worse, there's no warning light or other indicator when the cameras and mics are on. Some models have an audio alert, but hackers can easily disable those.
Over 10 vacuum and lawnmower models are affected, including the Ecovacs Deebot 900 Series, Ecovacs Deebot N8/T8, and the Ecovacs Deebot X1.
The researchers also found other shady stuff like user data and authentication tokens sticking around on the company's cloud even after deleting an account. Therefore, a hacker could potentially access a used robot to spy on the new owner. To further highlight the security incompetence, lawnmower models have an anti-theft PIN stored in plaintext on the device!
Giese and Braelynn tried to disclose these issues responsibly to Ecovacs but say they never heard back from the company. As of August 9, the vulnerabilities were still open for exploitation.