Vulnerability in Ecovacs vacuum robots allows remote control by hackers
In the USA, there are more and more cases of hacked vacuum robots apparently under external control and transmitting images via the internal camera.
Clean security risk: Vulnerabilities in Ecovacs vacuum robots have given hackers in the USA virtual access to private households via webcam.
Dystopian scenes recently played out in US living rooms: Within just a few days, cyber attackers repeatedly managed to remotely gain complete control over vacuum robots in several cities. The perpetrators then shouted obscenities and racist abuse, including the F-word and the N-word, at the residents via the built-in speakers. According to a report by US broadcaster ABC, the problem particularly affects the Deebot X2 model from Chinese manufacturer Ecovacs, whose devices have long been considered notoriously insecure.
In addition to the security vulnerabilities, the manufacturer has been criticized for allegedly using data collected by the robot vacuum to train the company's AI. Even recordings deleted by users are said to have been stored and used by the company. Cyber criminals have now apparently also discovered and exploited these possibilities for capturing audio and image data from the devices.
According to ABC, those affected include the family of lawyer Daniel Swenson from Minnesota. He was watching TV one day in May when his robot vacuum made strange noises. "It sounded like an intermittent radio signal or something," he told the station. "You could maybe hear snippets of voices." Through the Ecovacs app, he saw that a stranger had accessed the live camera feed and remote control function. Swenson thought it was a glitch, reset his password, restarted the bot and sat back down on the couch next to his wife and 13-year-old son. But the device immediately stirred again and this time the racial slurs were unmistakable.
Despite the loud abuse, Swenson was glad, according to the report, that the attackers at least clearly announced their "presence". It would have been much worse, he pointed out, if they had decided to secretly watch his family in their home. The vacuum robot then ended up switched off in the garage.
Haunting robots in LA and El Paso too
Around the same time, there were several reports of similar incidents across the US. According to ABC, one of these occurred in Los Angeles, where a vacuum cleaner chased a dog and spewed hate speech. Late at night, a Deebot in El Paso is also said to have insulted its owner with racist slurs until the owner disconnected it from the power supply.
The attacks are apparently comparatively easy to carry out, as Ecovacs vacuum robots have several known security vulnerabilities. These include a faulty Bluetooth connection, which is supposed to allow remote control from up to 100 meters away, and a defective PIN system. This precaution is actually intended to protect video feeds from remote access, but is apparently only of symbolic value.
PIN system only has symbolic value
IT security researchers Dennis Giese and Braelynn Luedtke revealed back in December at the Chaos Communication Congress in Hamburg that the four-digit PIN prompt can be easily bypassed. According to them, the security code is checked only by the app, not by a server or by the robot itself. This means, the experts say, that anyone with the necessary technical know-how could bypass the check. The duo said they had warned Ecovacs about the problem before making it public.
An Ecovacs spokesperson told ABC that the bug has since been fixed. Customers have been instructed by email to change their PINs. An additional security upgrade for the X2 series will also be released in November. According to Giese, the company's current solution is not sufficient to close the vulnerability. Swenson complains that he was not informed about the PIN code problem in any of his conversations with Ecovacs. Customer service initially refused to believe his story and repeatedly asked for video documentation.
(nie)