At DEFCON, the world’s largest computer security conference and hacking competition, researchers revealed vulnerabilities in robotic vacuum cleaners and lawnmowers produced by Ecovacs, a Chinese electronics company.
According to a report from TechCrunch published yesterday, security researcher Dennis Giese and hacker Braelynn presented their findings at the DEFCON hacking conference in Las Vegas last week. They highlighted significant vulnerabilities in Ecovacs’ robotic products that make them susceptible to hacking.
They discovered that multiple Ecovacs products could be hacked from a distance of up to 130 meters by sending a malicious payload via Bluetooth. This payload would allow remote control of the robot’s microphone and camera, enabling hackers to drive the robot or download a map of the interior space.
Giese emphasized, “Their security was really, really, really, really bad.” He and Braelynn attempted to contact Ecovacs to report the vulnerabilities but received no response. They argued that since the vulnerabilities have not yet been fixed, hackers could exploit them.
Their research found that some Ecovacs models play an audio file every five minutes to indicate that the camera is on, but this warning function could easily be disabled through hacking.
Giese warned that even after users delete their accounts, data stored on the robots remains on Ecovacs’ cloud servers. This could allow people who later buy the robotic vacuums second-hand to be monitored. He also pointed out that other Ecovacs devices within range of the compromised robot might be vulnerable to hacking.
The Ecovacs devices involved in this research included the Ecovacs Deebot 900 series, Ecovacs Deebot N8/T8, Ecovacs Deebot N9/T9, and Ecovacs Deebot T20. Some of these models are also sold in South Korea.