Texts about protection, 13.01.2025, 00:00 AM
Imagine getting up in the middle of the night to drink a glass of water, and someone starts yelling at you from the dark. That would be unpleasant to say the least, but that’s exactly what could happen to owners of robot vacuum cleaners, which hackers can command to turn from household helpers into something terrifying. And that’s not all – hackers could also remotely control the robot and access its camera, Kaspersky experts warn.
A modern robot vacuum cleaner is a real computer on wheels, usually running on Linux, with a powerful multi-core ARM processor, solid RAM, a large flash drive, Wi-Fi and Bluetooth. The robot vacuum cleaner has sensors everywhere: infrared, lidar, motion sensors, often several cameras, and some models also have microphones for voice control.
All modern robot vacuum cleaners are constantly online and connected to the manufacturer’s cloud infrastructure. In most cases, they communicate a lot with the cloud, sending the mass of data collected during operation.
In August 2024, the first report of vulnerabilities in Ecovacs robot vacuums and lawnmowers appeared when security researchers Dennis Giese, known for hacking Xiaomi robot vacuums, and Braelynn Luedtke gave a talk at DEF CON 32 on reverse engineering and hacking Ecovacs robots.
They described several methods for hacking Ecovacs robot vacuums and the mobile app owners use to control them. Specifically, they discovered that a hacker could access the video feed from the robot’s built-in camera and microphone.
This is possible for two reasons. First, if the app is used on an insecure network, attackers can intercept the authentication token and communicate with the robot on the owner’s behalf. Second, although in theory the PIN code set by the device owner protects the video feed, in practice it is verified on the app side rather than on the server, so it can be bypassed.
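The app-side PIN check described above is a textbook client-side authorization flaw. The following added illustration (not Ecovacs’ code, and the session model, PIN value and function names are constructed assumptions) contrasts a gate that trusts a flag set by the app with one that verifies the PIN on the backend, in constant time and with a lockout:

```python
"""Constructed illustration of client-side versus server-side PIN checks
for a camera feed. Nothing here is a real vendor's code or protocol."""
import hmac
from dataclasses import dataclass


@dataclass
class Session:
    token_valid: bool        # outcome of the token/authentication check
    pin_attempts: int = 0    # failed PIN attempts recorded for this session


MAX_PIN_ATTEMPTS = 5
STORED_PIN = "4821"  # constructed placeholder; real systems store a hash


def vulnerable_feed_gate(session: Session, request: dict) -> bool:
    """Vulnerable pattern: the PIN is checked inside the app and the backend
    only sees the result. Anyone holding a valid (e.g. intercepted) token
    can send pin_verified=True without knowing the PIN."""
    return session.token_valid and bool(request.get("pin_verified"))


def hardened_feed_gate(session: Session, request: dict) -> bool:
    """Hardened pattern: the backend verifies the PIN itself, compares in
    constant time, and refuses after repeated failures. Whatever the app
    claims about the PIN is ignored."""
    if not session.token_valid or session.pin_attempts >= MAX_PIN_ATTEMPTS:
        return False
    supplied = str(request.get("pin", "")).encode()
    if hmac.compare_digest(supplied, STORED_PIN.encode()):
        session.pin_attempts = 0
        return True
    session.pin_attempts += 1
    return False


def demo() -> dict:
    """Same forged request against both gates: the token was intercepted and
    the sender asserts the PIN was verified while guessing a wrong PIN."""
    forged = {"pin_verified": True, "pin": "0000"}
    return {
        "vulnerable_grants": vulnerable_feed_gate(Session(True), forged),
        "hardened_grants": hardened_feed_gate(Session(True), forged),
        "hardened_correct_pin": hardened_feed_gate(Session(True), {"pin": "4821"}),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the vulnerable gate releasing the feed on a forged flag while the hardened gate only opens for the real PIN.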
The researchers were also able to gain root access to the robot’s operating system. They discovered that it is possible to send malware to the robot via Bluetooth, which in some models of the Ecovacs robot turns on after a scheduled restart, while in others it is always on. In theory, encryption should protect against this, but Ecovacs uses a static key that is the same for all devices.
An intruder could use this to gain root privileges on the operating system of any vulnerable Ecovacs robot and hack it from up to 50 meters away, which is exactly what the researchers did. As for robotic lawnmowers, these models can be hacked at a distance of more than 100 meters, since they have more powerful Bluetooth capabilities.
Add to that the fact that today’s robot vacuum cleaners are real computers, and it’s easy to imagine attackers using an infected robot as a tool to hack other robots nearby. In theory, hackers could even create a network worm to automatically infect robots anywhere in the world.
The researchers notified Ecovacs about the vulnerabilities they found but received no response. The company later tried to fix some of the bugs, but according to the researchers it did so with little success and left the most serious vulnerabilities unaddressed.
What the researchers presented at DEF CON generated a lot of interest in the hacking community, so much so that someone seems to have taken it a step further and applied it to Ecovacs robot vacuum cleaners in the real world. According to recent reports, hackers have hacked robot vacuum cleaners in several US cities.
In one incident in Minnesota, the Ecovacs DEEBOT X2 started moving on its own and making strange noises. Alarmed, its owner logged into the Ecovacs app and saw that someone was accessing the video feed and the remote control function. Thinking it was a software bug, he changed the password, restarted the robot, and sat down on the couch to watch TV with his wife and child. But the robot almost immediately came back to life, this time emitting a series of racist slurs from its speakers. Not knowing what to do, the owner turned off the robot, took it to the garage and left it there. Although the experience was very unpleasant, he is grateful that the hackers made their presence so obvious. It would have been much worse, he says, if they had simply surreptitiously monitored his family via a robot without revealing themselves.
In a similar case, in California, an Ecovacs DEEBOT X2 chased the dog around the house and insulted the housemates. A third case was reported in Texas, where a robot vacuum cleaner also disturbed its owners.
The exact number of attacks on Ecovacs robot vacuum cleaners is not known. One of the reasons for this could be that owners may not be aware that hackers may be surreptitiously observing their daily life through a built-in camera.
How to protect yourself from hacking with a robot vacuum cleaner?
Kaspersky experts say you can’t. Unfortunately, there is no universal method of protection against hacking robot vacuum cleaners that covers all possibilities. For some models, in theory, there is an option to hack yourself, gain root access, and disconnect the machine from the manufacturer’s cloud. But this is a complex and time-consuming procedure that the average owner probably wouldn’t even attempt.
A serious problem with IoT devices is that many manufacturers, unfortunately, still do not pay enough attention to security, and often even refuse to respond to researchers who report such problems.
To reduce your risk, research the manufacturer’s security practices before purchasing. Some do a pretty good job of keeping their products safe. Always install firmware updates: new versions usually remove at least some of the vulnerabilities that hackers can exploit to gain control of your robot.
Keep in mind that a robot connected to a home Wi-Fi network, if hacked, can become a platform for attacking other devices connected to the same network – smartphones, computers, smart TVs, etc.
Photo: cottonbro studio
Source: www.informacija.rs