Robot vacuum cleaners hacked to spy on, insult owners

Multiple robot vacuum cleaners in the US were hacked to yell obscenities and insults through the onboard speakers.

ABC news was able to confirm reports of this hack in robot vacuum cleaners of the type Ecovacs Deebot X2, which are manufactured in China. Ecovacs is considered the leading service robotics brand, and is a market leader in robot vacuums.

One of the victims, Minnesota lawyer Daniel Swenson, said he heard sound snippets that seemed similar to a voice coming from his vacuum cleaner. Through the Ecovacs app, he then saw someone not in his household accessing the live camera feed of the vacuum, as well as the remote control feature.

Thinking it was a glitch, he rebooted the vacuum cleaner and reset the password, just to be on the safe side. But that didn’t help for long. Almost instantly, the vacuum cleaner started to move again.

Only this time, the voice coming from the vacuum cleaner was loud and clear, and it was yelling racist obscenities at Swenson and his family. The voice sounded like a teenager according to Swenson.

Swenson said he turned off the vacuum and dumped it in the garage, never to be turned on again.

While this may seem bad enough as it is, it could have been much worse. What if the hackers had decided to keep quiet and just spy on the victim’s family? In 2020 we talked about such an occurrence in our Lock & Code podcast, where a photo taken by a Roomba vacuum cleaner of a woman sitting on a toilet was shared on Facebook.

Within a few days, various similar incidents involving the Ecovacs Deebot X2 were reported in the US. And, even though Swenson had several communications with a US representative of Ecovacs, the response didn’t explain what had happened.

The Ecovacs representative claimed the victim’s credentials must have been acquired by the hacker and used in a credential stuffing attack, where the attacker uses login information obtained in breaches on other sites to login to another one—in this case Ecovacs.

But that did not make sense, because even with a valid password the attacker shouldn’t have been able to access the video feed or to control the robot remotely. These features are supposed to be protected by a four-digit pin number.

In 2023, however, two security researchers showed a method to bypass that protection. The weakness of the pin protection is that the app is the only place where the PIN is checked, not on the server or by the robot itself. So, if you have control of the device with the app on it and the necessary technical knowledge, you can have the device send a signal to the server which claims that you have entered the correct pin.

And though Ecovacs claimed to have fixed this flaw, one of the hackers that disclosed the flaw said it had been fixed insufficiently.

The same Ecovacs spokesperson said the company “sent a prompt email” instructing customers to change their passwords following the incident. However, Swenson says he never received any communication about the issue with the pin codes, even though he specifically asked if it had happened to other people.

Ecovacs told ABC news it would issue a security upgrade for owners of its X2 series in November. Until that happens you might want to do the same as Swenson and turn the vacuum off.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.