A hacked Ecovacs robot vacuum cleaner screams racist insults: what happened?


A Deebot X2 vacuum robot from the Ecovacs brand shouted racist insults. The hacker had access to the robot and its cameras.

Coincidence: just as my own Ecovacs Deebot had screamed at me to unlock the laser it uses to measure distances, I came across an account published by the American outlet ABC that starts from the same situation and ends in a cybersecurity nightmare. Daniel Swenson, an American lawyer, was quietly watching TV with his family when his robot vacuum cleaner started moving and emitting confusing sounds, like white noise. Thinking it was a bug, he put it back on its charging station and returned to his couch. That is where everything went wrong.


The robot started moving again, and this time it began shouting racist insults. Panicked, Swenson unplugged everything, put the machine in his garage and rushed to contact the Chinese company Ecovacs to find out what had happened. After an expert asked for videos of the interaction, which Swenson did not have, Ecovacs eventually offered a plausible explanation: the same username and password pair was used across the web and had been disclosed in a breach of another company. Ecovacs said it had not suffered any data theft itself.

Reusing the same password everywhere exposes you to this type of attack, which is rather easy to carry out. The picture, then, is that someone in possession of Swenson's credentials was able to log in to the Ecovacs application and use the speakers, the camera and the remote control of the robot vacuum cleaner. Clearly, had the intruder not had the absurd idea of shouting racist insults through the speaker, he could have kept a spy inside an American family's home, watching what they did. Up to, let us imagine the worst, burgling the house in their absence.

The Deebot X2 and its astonishing square design // Source: Ecovacs

Between Ecovacs and the customer, the fault is shared

Swenson, however, had the impression that he was dealing less with a real criminal than with a "teenager" who was amusing himself "going from house to house scaring families". Relief? Not really, because one problem still needs clearing up: certainly, Swenson made a mistake by using his password on several online services. But the application is supposed to ask for a PIN code, as a second verification, precisely to stop anyone from taking remote control of a robot vacuum cleaner.

And this is where, ABC believes, Ecovacs fell short. The American outlet had previously managed to hack one of the brand's vacuum cleaners through a Bluetooth flaw, and ethical hackers had shown in December 2023 that the PIN check, enforced only by the application, was faulty: they could simply get around that protection. After those revelations, Ecovacs claimed to have rolled out a fix on its robots to block the attack. Unfortunately, the fix was not enough, and it is still possible to bypass the protection.
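To make the design flaw concrete, here is an added example (not Ecovacs' code; account data, PIN and request are all constructed for the demo) contrasting a relay that trusts the app's "PIN verified" claim with one that checks the PIN server-side and locks the account after repeated failures:

```python
import hashlib
import hmac

# Constructed demo values (not Ecovacs' real scheme or data): one account whose
# 4-digit PIN is stored as a salted PBKDF2 hash, plus a failed-attempt counter.
SALT = b"constructed-demo-salt"
MAX_PIN_FAILURES = 5


def _hash_pin(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 50_000)


ACCOUNTS = {"owner@example.com": {"pin_hash": _hash_pin("4821"), "failures": 0}}


def weak_relay(user: str, request: dict) -> str:
    """Weak design: the app checks the PIN and merely tells the server it did.
    Anyone holding the account password can send the flag without the PIN."""
    if user not in ACCOUNTS:
        return "denied"
    if request.get("pin_verified") is True:  # client-side claim, never verified here
        return "executed: " + request["command"]
    return "denied"


def hardened_relay(user: str, request: dict) -> str:
    """Hardened design: the server verifies the PIN itself on every remote-control
    command, ignores anything the client asserts, and locks the account after
    repeated failures so a 4-digit PIN cannot simply be guessed."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return "denied"
    if acct["failures"] >= MAX_PIN_FAILURES:
        return "locked"
    supplied = str(request.get("pin", ""))
    if not hmac.compare_digest(_hash_pin(supplied), acct["pin_hash"]):
        acct["failures"] += 1
        return "denied"
    acct["failures"] = 0
    return "executed: " + request["command"]


# Constructed request from someone who obtained the password through a breach
# elsewhere but never learned the PIN: they simply assert the PIN was checked.
FORGED = {"command": "start_camera", "pin_verified": True}

if __name__ == "__main__":
    print("weak:    ", weak_relay("owner@example.com", FORGED))      # executed
    print("hardened:", hardened_relay("owner@example.com", FORGED))  # denied
```

The lockout matters because moving the check server-side alone still leaves only 10,000 possible PINs; without a failure limit the second factor protects little.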

Following this affair, which fortunately caused no harm, Ecovacs stated that a new patch would be deployed in November 2024. In the meantime, if you own a Deebot X2, set it up with a password you have not used anywhere else on the web.

