Hackers Take Control of Robot Vacuums in Multiple US Cities, Shout Racial Slurs
Hackers took control of Ecovacs Deebot X2 robot vacuums in multiple US cities, shouting racial slurs through the devices' speakers. Security researchers had previously identified critical flaws in Ecovacs robot vacuums and their controlling app, raising concerns about device security. Ecovacs attributed the security breach to a 'credential stuffing' cyberattack, prompting the company to promise a security upgrade for affected users.
The targeted devices were all Ecovacs Deebot X2s, the same model previously hacked to demonstrate a critical security flaw.
One affected user, Daniel Swenson from Minnesota, recounted how his robot vacuum suddenly malfunctioned while he was watching TV. Upon investigation through the Ecovacs app, he discovered a stranger accessing the live camera feed and remote control feature. Despite resetting his password, the robot resumed moving and began blaring racist obscenities, alarming Swenson and his family.
The incidents extended beyond Swenson's home, with similar hacking reports emerging from different parts of the US within days. In one case, a Deebot X2 in Los Angeles chased a pet dog around the house while hurling abusive comments. Another robot in El Paso unleashed racial slurs until its owner unplugged it late at night.
Security researchers had previously highlighted significant vulnerabilities in Ecovacs robot vacuums and their controlling app, including a flaw in the Bluetooth connector that allowed remote access from over 100 meters away. The PIN code system safeguarding the video feed and remote control was also found to be faulty, enabling hackers to infiltrate multiple devices across various locations.
Following the unsettling experiences with his hacked robot vacuum, Swenson lodged a complaint with Ecovacs. Despite scepticism from a company representative during their interaction, an investigation was conducted, revealing that Swenson's account had been compromised by an unauthorised individual. The culprit's IP address was identified and disabled to prevent further breaches.
Ecovacs attributed the security breach to a 'credential stuffing' cyberattack, where reused login credentials from other platforms were exploited. Although the company claimed no evidence of system breaches, the known security flaw in the PIN code system raised concerns about the overall device security.
Cybersecurity researchers had previously exposed the vulnerability of the PIN code system, highlighting that it could be bypassed due to an oversight in the app's security checks. Despite Ecovacs' efforts to address the issue, concerns lingered about the effectiveness of the fix in preventing future breaches.
In response to the incidents, Ecovacs pledged to release a security upgrade for the X2 series owners in November. However, users like Swenson expressed dissatisfaction with the lack of prior awareness about the PIN code issue and questioned the company's response to the security concerns raised.
Hackers took control of Ecovacs Deebot X2 robot vacuums in multiple US cities, shouting racial slurs through the devices' speakers.
Security researchers had previously identified critical flaws in Ecovacs robot vacuums and their controlling app, raising concerns about device security.
Ecovacs attributed the security breach to a 'credential stuffing' cyberattack, prompting the company to promise a security upgrade for affected users.
Source: ABC NEWS