ABC News reports that robot vacuum cleaners across the United States have been hacked in the past few days. This allowed the attacker to not only control the robovac, but also use the speaker to yell racial slurs and abuse at anyone nearby.
The affected robots were all the same make and model, the Chinese-made Ecovacs Deebot X2. This particular robovac has a widespread reputation for being hackable thanks to serious security flaws. For example, ABC News was able to take full control of one of the robots, including the camera.
One of the victims of this week’s hack was a Minnesota lawyer named Daniel Swenson. He told the ABC he was watching TV when the robot started making strange noises, like “a broken radio signal or something.” Through the app, Swenson was able to learn that strangers were accessing live camera feeds and remote control capabilities.
He reset the password and restarted the vacuum, but that was when the strange behavior really started. The vacuum soon began to move on its own again, and human voices began to emanate from the speakers. The voice was shouting racist obscenities right in front of Swenson’s son.
“I got the impression it was a child, maybe a teenager,” Swenson said. “Maybe they were bouncing from device to device and bothering your family.” In the end, he said, the situation could have been worse if the vacuum cleaner had been silently monitoring the family for days on end.
Swenson’s device was hacked on May 24th. On the same day, another Deebot X2 in Los Angeles began chasing a dog. The vacuum’s speakers also screamed abuse. Five days later, a similar incident occurred in El Paso. It remains unclear how many of the company’s devices were hacked in total.
At the root of this issue is a security flaw that allows a malicious attacker to bypass the four-digit security PIN required to control the vacuum. This issue first came to light in December 2023. The Bluetooth connector also has a flaw that allows full access from up to 300 feet away. However, since the attacks occurred across the country, it is unlikely that a Bluetooth vulnerability was the culprit.
According to Gizmodo, the company has developed a patch to eliminate the security flaw, which will be released in November. We have reached out to Ecovacs for confirmation on this matter.
