Hacked robot vacuum cleaners insulted users and chased dogs around houses

marry 14.10.2024, 12:30 PM

Owners of robot vacuum cleaners from a Chinese manufacturer have reported that their vacuum cleaners were hacked and that unknown people insulted them through the device’s speaker. Some users have also reported crazed vacuum cleaners chasing their dogs around the house. Hackers managed to disable the warning sound that should be heard when the camera is used.

All the hacked vacuum cleaners are Ecovacs Deebot X2s from the Chinese company Ecovacs Robotics, which cost around $900. The company has confirmed a vulnerability affecting some of its products.

According to a report by Australian television ABC News, the hacking spree lasted several days in several American cities. Some users told the ABC their robots sounded like broken radios, and the Ecovacs app revealed to some victims that the attackers had access to the camera and remote control functionality.

Even after owners reset the password and restarted the robot, the behavior would soon start again. The owners were shocked to learn that a security vulnerability could allow the vacuum cleaners to be used for spying, and that an attacker could see their every move and hear everything they said.

The vulnerabilities were discovered last year by researcher Dennis Giese, who has been looking for bugs in robot vacuum cleaners for years. As a responsible researcher, he informed Ecovacs of the vulnerabilities he discovered. However, although he informed the company back in December 2023, the problem is still not fully resolved.

The security flaws affect the Bluetooth connection, allowing full access to the X2 from a distance of over 100 meters. Another flaw concerns the PIN code that protects the robot’s video feed and remote control function.

Giese said that Ecovacs did not respond to his initial warning in December 2023, and that after he released some details at a hacking conference in August this year, the company initially downplayed the problem, claiming that “specialized hacking tools were needed and physical access to the device”.

However, an ABC News test showed that physical access is not required and that the hack can be done with just a cheap smartphone.

Ecovacs told the ABC that it had found no evidence that any account had been hacked and that there was no sign of any hacking of Ecovacs’ systems. However, cybersecurity researchers showed how the four-digit PIN protecting the device could be bypassed, as it was only checked by the app, not by a server or the robot.

Eventually, Ecovacs did release a patch for this bug. However, ABC sources said that was insufficient.
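The PIN flaw described above comes down to where the check is enforced. The following is an added example, not Ecovacs code and not part of the original report, contrasting an app-only check with one enforced on the device; the class, command names and lockout policy are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

MAX_FAILURES = 5        # assumed policy: a 4-digit PIN has only 10,000 values
LOCKOUT_SECONDS = 300   # assumed lockout window after too many wrong guesses
PROTECTED = ("camera_stream", "remote_drive")  # hypothetical command names


def app_only_handle(command, client_says_pin_ok):
    """Flawed pattern: the robot trusts whatever the app reports."""
    return "ok" if client_says_pin_ok else "denied"


class RobotPinGate:
    """Hypothetical device-side gate for camera and remote-control commands."""

    def __init__(self, pin, clock=time.monotonic):
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(pin)   # only a salted hash is stored
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0
        self._sessions = set()

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def unlock(self, pin):
        """Return a session token if the PIN is correct, else None."""
        if self._clock() < self._locked_until:
            return None                  # locked out: guesses are not evaluated
        if hmac.compare_digest(self._hash(pin), self._digest):
            self._failures = 0
            token = secrets.token_hex(16)
            self._sessions.add(token)
            return token
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._locked_until = self._clock() + LOCKOUT_SECONDS
            self._failures = 0
        return None

    def handle(self, command, token=None, client_says_pin_ok=False):
        """Authorize on the device; the client's own claim is ignored."""
        if command in PROTECTED and token not in self._sessions:
            return "denied"
        return "ok"
```

Because the device issues the token itself and limits guesses, a modified app that skips its own PIN screen gains nothing.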

The company plans to further improve the security of the X2 series by releasing an OTA firmware update in November.


Source: www.informacija.rs