The responsible company knew there was a security flaw in its devices, but did not patch it
Ecovacs Deebot robot vacuum cleaners have been shouting racist insults and obscenities through their loudspeakers. These incidents have occurred every few days and expose security flaws in the product line that cybersecurity researchers had warned about months earlier.
Daniel Swenson, a lawyer from Minnesota, told Australia's ABC News that his robot vacuum cleaner started behaving erratically while he was watching TV. When he checked the Ecovacs app on his phone, Swenson noticed that a stranger was accessing the device's camera and controlling it remotely.
After he reset the password and restarted the robot, the attacker regained control of the device and began shouting racist insults through the loudspeaker in front of Swenson's 13-year-old son.
Other similar cases have been reported in various US cities. In Los Angeles, on the same day as the Minnesota incident, a Deebot X2 robot vacuum cleaner chased its owner's dog while making offensive comments. Five days later, in El Paso, another device began blaring racist remarks throughout the night, until its owner turned it off.
Known security flaws
The security flaws that allowed the attacks had already been identified by cybersecurity researchers in December 2023. Dennis Giese and Braylin Luedtke demonstrated at a conference how the PIN system that protects remote access to the device and its camera can be easily bypassed.
The researchers found that the security PIN was verified only by the app, not by the server or the robot. This means that anyone with technical knowledge can skip the check and access the device and its camera remotely. They alerted Ecovacs to the issue before disclosing the flaw publicly, but the company has not patched the vulnerability to their satisfaction.
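To make the flaw concrete, here is an added illustration (constructed for this article, not Ecovacs's code and not the researchers' material): a request handler that trusts a "PIN already checked" flag set by the app, beside one that verifies a salted PIN hash on the server or robot and locks out repeated guesses. The function and field names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model of the two designs; hypothetical names, not Ecovacs code.
CAMERA_COMMANDS = {"start_camera", "start_remote_control"}


def handle_request_client_trusted(request: dict) -> str:
    """Vulnerable pattern: the server only looks at a flag the app sets
    after checking the PIN locally. Whoever controls the client controls
    the flag, so the server never actually verifies anything."""
    if request["command"] in CAMERA_COMMANDS and not request.get("pin_verified"):
        return "denied"
    return "ok: " + request["command"]


class BotAccount:
    """Server-side record for one robot: stores a salted PIN hash, never the PIN."""

    def __init__(self, pin: str):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)
        self.failed_attempts = 0

    def check_pin(self, pin: str) -> bool:
        # A short numeric PIN is guessable, so lock after a few failures.
        if self.failed_attempts >= 5:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)
        if hmac.compare_digest(candidate, self.pin_hash):  # constant-time compare
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False


def handle_request_server_verified(account: BotAccount, request: dict) -> str:
    """Hardened pattern: the PIN travels with each sensitive request and is
    verified by the server/robot itself; any client-side flag is ignored."""
    if request["command"] in CAMERA_COMMANDS:
        if not account.check_pin(request.get("pin", "")):
            return "denied"
    return "ok: " + request["command"]
```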
Ecovacs, the manufacturer of the robot vacuum cleaners, confirmed the attacks and said a security update would be released in November. However, the company denied that its systems had been directly compromised and attributed the incidents to “credential stuffing”, a technique in which attackers use login credentials leaked from other websites and services to try to access accounts on different platforms.
These incidents have raised concerns about user privacy, since robot vacuum cleaners contain cameras and microphones that can be accessed remotely. Security experts stress the importance of using strong, unique passwords for each online service, as well as protecting Wi-Fi networks with strong passwords and encryption.