Owners of Ecovacs robotic vacuum cleaners in US cities have reported a hack. The hackers gained access to the cameras and controls, cursed obscenely through the speaker, and chased animals.
All of the affected owners’ vacuum cleaners are Ecovacs Deebot X2 made in China, which cost about $900. The company confirmed the vulnerability in some of its products.
The hacker attack lasted several days in some US cities. Some users reported that their robots sounded like interrupted radio signals, and the Ecovacs app indicated that the attacker had gained access to the camera’s live feed and remote control functions. Despite resetting the password and rebooting the robot, the erratic behavior soon began again.
The owners were shocked to find out that the robot could be used to silently spy on them for days. The hackers managed to disable the warning sound that is supposed to play when the camera is in use.
Security researchers had previously reported significant security flaws in Ecovacs’ products. An impact on the Bluetooth connection gave full access to the X2 model at a distance of more than 100 meters. The remote control’s security PIN code was also vulnerable to hacking.
Ecovacs reported that it found no evidence that owner accounts had been compromised and no indication of any breach of Ecovacs systems. The company has released a patch for the PIN vulnerability, but it is reportedly not enough.
At the end of May 2024, Ecovacs detected abnormal credential inputs when multiple login attempts came from the same IP address, and this event was immediately blocked. The company plans to strengthen the security of the X2 series with a wireless update in November. Ecovacs notes that users should also take steps to improve online security — strong and unique passwords, stronger Wi-Fi security.