Recently, a wave of cyberattacks has targeted robot vacuum cleaners, turning them into unexpected sources of surveillance and verbal harassment. Multiple users in the United States have reported that their Ecovacs Deebot X2 vacuums—widely regarded as a leading brand in service robotics—were hacked to shout insults and obscenities through their speakers.

One of the victims, Daniel Swenson, a lawyer from Minnesota, first noticed strange sounds coming from his vacuum cleaner. Checking the device through the Ecovacs app, he was shocked to see someone else accessing the live camera feed and remote control functions. Despite changing the device password, the unauthorized access continued, and the device began broadcasting loud, offensive language. Feeling threatened, Swenson ultimately powered down the vacuum and removed it from his home entirely.
This incident raised significant privacy and security concerns, especially as it’s not the first time smart home devices have been exploited for unintended surveillance. Similar cases were reported within days of Swenson’s experience, all involving unauthorized control of Ecovacs Deebot X2 models. When asked for clarification, Ecovacs suggested that hackers likely used Swenson’s credentials in a “credential stuffing” attack—where attackers leverage passwords stolen from other websites. However, this response didn’t fully explain the breach, as the app’s camera access should have been secured by a unique PIN code, separate from the device login.
Further investigation has revealed a possible explanation: in 2023, security researchers discovered a flaw in the Ecovacs PIN security feature. Rather than verifying the PIN through Ecovacs’ servers or the device itself, the PIN check occurred only within the app. This allowed anyone with control of the app and technical know-how to bypass the PIN check. Although Ecovacs claimed to have patched this vulnerability, one of the researchers noted that the fix may not have been entirely effective.
Following the attacks, Ecovacs stated that they sent emails advising customers to change their passwords. Yet, users like Swenson reported they hadn’t been notified of any specific security issues or given guidance on strengthening device security. Ecovacs has promised a security update for the X2 series, expected to be released in November 2024. Until then, users are advised to disable their devices or take extra precautions to secure their accounts.
What This Means for IoT Security
The vulnerabilities highlighted by these incidents underscore the need for rigorous security in all IoT devices, particularly those with cameras or microphones. Device manufacturers must prioritize strong, server-based authentication for critical features and provide prompt communication with users in the event of security issues.
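To make the flaw described earlier and the server-side design recommended here concrete, the following added example (not Ecovacs' code or the article's) models both in Python: a server that trusts a "PIN ok" flag sent by the app, beside one that verifies the PIN itself against a salted hash and locks out after repeated failures. The PIN value, lockout threshold and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import secrets


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a salted hash of the PIN so the server never stores it in clear (constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class DeviceAuthServer:
    """Server-side record for one device, modelling two camera-access designs (hypothetical)."""

    MAX_FAILURES = 5  # constructed lockout threshold

    def __init__(self, camera_pin: str):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(camera_pin, self.salt)
        self.failures = 0

    def flawed_camera_access(self, session_valid: bool, client_says_pin_ok: bool) -> bool:
        # Weak design: the PIN is checked only inside the app, so the server merely
        # trusts a flag. Anyone controlling the app can send "pin_ok" and get the stream.
        return session_valid and client_says_pin_ok

    def hardened_camera_access(self, session_valid: bool, pin_attempt: str) -> bool:
        # Server-side design: the login session alone is not enough; the server verifies
        # the PIN itself, in constant time, and stops answering after repeated failures.
        if not session_valid:
            return False
        if self.failures >= self.MAX_FAILURES:
            return False  # locked out until an out-of-band reset (not modelled here)
        ok = hmac.compare_digest(hash_pin(pin_attempt, self.salt), self.pin_hash)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
        return ok
```

With a stolen password alone (a valid session but no PIN), the hardened path denies the camera feed, which is exactly what the app-only check failed to guarantee.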
ComplianceRT remains committed to supporting businesses in strengthening their cybersecurity posture to prevent such breaches. Our team offers compliance and security assessments, tailored solutions for IoT manufacturers, and best practices for managing user credentials and access controls to protect privacy and uphold consumer trust.
Source: https://www.malwarebytes.com/blog/news/2024/10/robot-vacuum-cleaners-hacked-to-spy-on-insult-owners