Ecovacs Robots Susceptible to Hacking

New research has discovered that malicious hackers can seize control of vacuum and lawn mower robots manufactured by Ecovacs to monitor their owners through the devices’ cameras and microphones

Dennis Giese and Braelynn, security researchers, are scheduled to present their research on Ecovacs robots at the Def Con hacking conference on Saturday. Upon analyzing numerous Ecovacs products, the two researchers identified several vulnerabilities that could be exploited to remotely activate microphones and cameras and hijack the robots via Bluetooth.

In an interview conducted before the presentation, Giese confided in TechCrunch, “Their security was appalling.”

The researchers stated that they attempted to notify Ecovacs of the vulnerabilities, but they did not receive a response. They think the vulnerabilities have not been resolved, and hackers could exploit them.

Ecovacs did not respond to inquiries from TechCrunch for comment.

The primary concern, as per the researchers, is a vulnerability that enables individuals to connect to and control an Ecovacs robot via Bluetooth from a distance of up to 450 feet (approximately 130 meters) using a smartphone. The hackers can remotely access the device once they have gained control, as the robots are connected to the internet via Wi-Fi.

“You transmit a payload that requires a second to complete, and it subsequently establishes a connection with our machine.” For instance, this may establish a connection to an internet server. Giese stated, “And from there, we can remotely operate the robot.” “We can read the Wi-Fi credentials and all the [saved room] maps.” Because we oversee the robot’s Linux operating system, we can do so. We can access cameras, microphones, and any other relevant equipment.

Giese stated that the vacuum robots are more difficult to compromise, as they have Bluetooth enabled for 20 minutes upon power-up and once a day during their automatic reboot. In contrast, the lawn mower robots maintain Bluetooth connectivity at all times.

Since most of the most recent Ecovacs robots have at least one camera and microphone, hackers can convert them into informants once they have control of a compromised robot. According to the researchers, the robots do not have any hardware lights or other indicators to alert individuals nearby that their microphones and cameras are operational.

In theory, certain models have an audio file playing every five minutes to indicate the camera is on. However, according to Giese, hackers could easily delete the file and remain undetected.

“You can essentially delete or replace the file with an empty one,” Giese stated that the warnings are no longer played when the camera is accessed remotely.

Giese and Braelynn reported that they encountered additional issues with Ecovacs devices, as well as the potential for infiltration.

The data stored on the robots remains on Ecovacs’ cloud servers even after the user’s account is deleted. Additionally, the authentication token remains on the cloud, allowing someone to access a robot vacuum after the user’s account is deleted.

This could allow them to spy on the person who may have purchased the robot secondhand. As one of the issues, they stated. Additionally, the lawn mower robots are equipped with an anti-theft mechanism that necessitates the input of a PIN upon its retrieval. However, the PIN is stored in plaintext within the lawn mower, making it readily accessible to hackers.

According to the researchers, if an Ecovacs robot is compromised and is near other Ecovacs robots, those devices may also be susceptible to hacking.

Giese and Braelynn conducted an analysis of the following devices: the Ecovacs Deebot 900 Series, the Ecovacs Deebot N8/T8, the Ecovacs Deebot N9/T9, the Ecovacs Deebot N10/T10, the Ecovacs Deebot X1, the Ecovacs Deebot T20, the Ecovacs Deebot X2, the Ecovacs Goat G1, the Ecovacs Spybot Airbot Z1, the Ecovacs Airbot AVA, and the Ecovacs Airbot ANDY.