Researchers disclose vulnerability in ECOVACS robots that lets attackers hijack them to spy on owners

Security researchers Dennis Giese and Braelynn have disclosed that attackers could take control of ECOVACS vacuum and lawnmower robots and use their cameras and microphones to invade the owners' privacy.

Ecovacs home robots can be hacked to spy on their owners, researchers say | TechCrunch

https://techcrunch.com/2024/08/09/ecovacs-home-robots-can-be-hacked-to-spy-on-their-owners-researchers-say/

After analyzing the ECOVACS DEEBOT 900 series, DEEBOT N8/T8, DEEBOT N9/T9, DEEBOT N10/T10, DEEBOT X1, DEEBOT T20, DEEBOT X2, GOAT G1, AIRBOT Z1, AIRBOT AVA, and AIRBOT ANDY, Giese and Braelynn reported that the robots can be compromised over Bluetooth from up to 450 feet (about 130 m) away, after which an attacker can silently switch on the microphone and camera.

In an interview with TechCrunch, an IT news site, Giese said, 'Sending the payload takes one second, and then it reconnects the machine. For example, it will reconnect to a server on the Internet, and you can control the robot remotely from there. This lets you read the Wi-Fi credentials and all the saved room maps. It also gives you control of the robot's operating system, so you can access everything, including the camera and microphone.'

According to Giese and his colleagues, on the vacuum robots Bluetooth is enabled only for about 20 minutes after power-on and during the automatic restart once a day, which narrows the attack window; on the lawnmower robots, Bluetooth is always on. Most ECOVACS robots are equipped with cameras and microphones, so once a robot is compromised, the attacker can access both.

The robots also play an audio file every five minutes while the camera is on to warn people nearby, but an attacker who has compromised the robot can delete that file and keep the surveillance silent.

Data and authentication tokens from a robot also remain on ECOVACS's cloud servers even after the user deletes their account, so a previous owner's access could be used to spy on whoever buys the robot second-hand, the researchers report. The lawnmower robots also have an anti-theft PIN, but the PIN is stored in plaintext on the device, so an attacker with access to the robot can simply read it and use it.
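The plaintext PIN is the simplest of the reported issues to reason about, so here is an added example (not ECOVACS code, not taken from the researchers' talk) that puts the weak pattern beside a hardened one. All names (verify_pin_plaintext, PinRecord, enroll_pin, verify_pin, MAX_ATTEMPTS) are this example's own assumptions. The hardened version stores only a random salt and a memory-hard scrypt digest, compares in constant time, and locks after a few failures; the `__main__` block walks through enrolment, a wrong guess and a lockout.

```python
"""Constructed example: storing an anti-theft PIN at rest on a device.

Hypothetical names throughout; nothing here is ECOVACS firmware or API.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # online guesses allowed before the record locks


def verify_pin_plaintext(stored_pin: str, candidate: str) -> bool:
    """The weak pattern: the PIN is kept as a readable string and compared
    directly. Anyone who can read the device's storage learns the PIN."""
    return stored_pin == candidate


@dataclass
class PinRecord:
    salt: bytes      # 16 random bytes, unique per device/enrolment
    digest: bytes    # scrypt(pin, salt); the PIN itself is never stored
    failures: int = 0


def _kdf(pin: str, salt: bytes) -> bytes:
    # Memory-hard KDF: each guess against a copied record costs ~16 MiB and
    # tens of milliseconds, instead of a free string compare.
    return hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def enroll_pin(pin: str) -> PinRecord:
    """Create the at-rest record for a new PIN (4 to 8 digits assumed)."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("PIN must be 4-8 digits")
    salt = secrets.token_bytes(16)
    return PinRecord(salt=salt, digest=_kdf(pin, salt))


def verify_pin(record: PinRecord, candidate: str) -> bool:
    """Check a candidate PIN; counts failures and refuses once locked."""
    if record.failures >= MAX_ATTEMPTS:
        return False  # locked: stops online enumeration of the small keyspace
    ok = hmac.compare_digest(_kdf(candidate, record.salt), record.digest)
    if ok:
        record.failures = 0
    else:
        record.failures += 1
    return ok


def is_locked(record: PinRecord) -> bool:
    return record.failures >= MAX_ATTEMPTS


if __name__ == "__main__":
    rec = enroll_pin("4821")                 # constructed sample PIN
    print("correct PIN accepted:", verify_pin(rec, "4821"))
    print("wrong PIN accepted:  ", verify_pin(rec, "0000"))
    for _ in range(MAX_ATTEMPTS):
        verify_pin(rec, "1111")              # attacker guessing online
    print("locked after guesses:", is_locked(rec))
    print("correct PIN while locked:", verify_pin(rec, "4821"))
```

A 4-digit PIN has only 10,000 values, so the salt and slow KDF only raise the price of an offline attack against a copied record; they do not make it infeasible. The lockout is what defeats online guessing, and for a device that can be physically stolen the record should additionally be bound to a hardware-held key so that copying the filesystem alone yields nothing to attack.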

Giese and Braelynn reported the vulnerabilities to ECOVACS, but at the time of writing they had not been fixed, and the researchers warn that they could be exploited.

Giese and Braelynn plan to present the vulnerabilities in detail at DEF CON 32, the security conference held in Las Vegas on August 8-11, 2024.

in Hardware, Security. Posted by log1i_yk