Researchers Warn of Vulnerabilities in Ecovacs Devices
Security researchers Dennis Giese and Braelynn Luedtke have discovered several vulnerabilities in Ecovacs robots that malicious hackers can exploit to spy on their owners. The researchers will present their findings at the Def Con hacking conference on Saturday.
Analysis of Ecovacs Products
Giese and Luedtke analyzed several Ecovacs products, including the Deebot 900 Series, Deebot N8/T8, Deebot N9/T9, Deebot N10/T10, Deebot X1, Deebot T20, Deebot X2, Goat G1, Spybot Airbot Z1, Airbot AVA, and the Airbot ANDY. They found several security issues that can be abused to hack the devices via Bluetooth.
Bluetooth Vulnerability
One of the main vulnerabilities is related to Bluetooth connectivity. According to the researchers, anyone using a phone can connect to an Ecovacs robot via Bluetooth from as far away as 450 feet (around 130 meters). This means that hackers can take control of the device without being physically close to it.
Remote Control and Data Access
Once the hackers have taken control of the device, they can connect to it remotely because the robots themselves are connected via Wi-Fi to the internet. Giese explained: "You send a payload that takes a second, and then it connects back to our machine. So this can, for example, connect back to a server on the internet. And from there, we can control the robot remotely."
This allows hackers to access various features of the device, including cameras, microphones, Wi-Fi credentials, saved room maps, and more.
Microphone and Camera Access
The researchers highlighted that most Ecovacs robots come equipped with at least one camera and a microphone. Once the hackers have taken control of a compromised robot, they can turn it into a spy by accessing the camera and microphone remotely.
There is no hardware indicator to warn users when the cameras or microphones are on. Giese noted: "You can basically just delete or overwrite the file with the empty one. So, this means that if you don’t regularly check your device’s settings, you might not even notice that someone has taken control of it."
Remote Control and Data Access
As mentioned earlier, once hackers have gained access to an Ecovacs robot, they can connect to it remotely via Wi-Fi. This allows them to access various features of the device, including:
- Cameras: Hackers can use the cameras on the robot to spy on its owners.
- Microphones: Hackers can use the microphones on the robot to eavesdrop on conversations.
- Wi-Fi Credentials: Hackers can gain access to the device’s Wi-Fi credentials, allowing them to connect to other devices on the network.
- Saved Room Maps: Hackers can access the saved room maps on the device, potentially revealing sensitive information about the owner’s home.
Statement from Ecovacs
In response to these findings, an Ecovacs spokesperson stated: "We take the security of our products seriously and are committed to protecting our customers’ data. We will review the research presented by Giese and Luedtke and implement any necessary updates to ensure the security of our devices."
Conclusion
The vulnerabilities discovered in Ecovacs robots demonstrate the importance of robust security measures for IoT devices. As the number of connected devices continues to grow, it is essential that manufacturers prioritize security to prevent malicious hackers from exploiting these weaknesses.
By taking proactive steps to address these vulnerabilities, we can reduce the risk of data breaches and protect our personal information from unauthorized access.
About the Author
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy. You can contact Lorenzo securely on Signal at +1 917 257 1382, on Keybase/Telegram @lorenzofb, or via email at lorenzo@techcrunch.com.