Security Flaw in Ecovacs Deebot X2 Robots Exposed: Hackers Control Devices and Broadcast Racial Slurs

Ecovacs vacuum cleaner robots, model Deebot X2, have been hacked in several cities in the United States, allowing attackers to control the machines remotely and gross and obscene racial slurs through their loudspeakers. The events happened within a few days and revealed security flaws in the model, which had already been warned by cybersecurity researchers months before.

Daniel Swenson, a lawyer from Minnesota, told the Australian website ABC News that his robot vacuum cleaner started working erratically while he was watching television. When he checked the Ecovacs app on his cell phone, Swenson noticed that a stranger was accessing the device’s camera and controlling it remotely.

After resetting the password and restarting the robot, the machine was again under the control of the attacker, who began to emit racial insults through the speakers, in front of Swenson’s 13-year-old son.

Other similar cases have been reported in various US cities. In Los Angeles, on the same day as the Minnesota incident, a Deebot X2 robot cleaner went after its owner’s dog while making abusive comments. Five days later, in El Paso, another machine started using racial slurs throughout the night, until it was turned off by its owner.

Known security issues

The security flaws that allowed the attacks are already there identified by cybersecurity researchers in December 2023. Dennis Giese and Braelynn Luedtke demonstrated at a conference how to easily bypass the PIN code system that protected remote access to the device and camera.

The researchers found that the security PIN code was only verified by the app, not the server or the robot. This means that anyone with technical knowledge could bypass the scan and access the device and its camera remotely. They informed Ecovacs about the issue before they disclosed the flaw publicly, but the company did not patch the vulnerability to their satisfaction.

Ecovacs, the manufacturer of robot vacuum cleaners, confirmed the attacks and said that a security update would be released in November. The company, however, denied any direct damage to its systems and he attributed the events to a “credible atmosphere”, in a way hackers They use login credentials from other websites and services to try to access accounts on different platforms.

The incidents have raised concerns about consumer privacy, as remotely accessed robot cleaners have cameras and microphones. Security experts warn about the importance of using strong and unique passwords for all online services, as well as protecting Wi-Fi networks with stronger passwords as well as encryption.