The vulnerability that allows ECOVACS robots to be hacked and used to monitor your home in real time is still unpatched



ABC News, the Australian public broadcaster, reports that the vulnerability in ECOVACS robots disclosed in August 2024 has still not been fixed in some models, leaving them open to remote takeover.

We hacked a robot vacuum — and could watch live through its camera - ABC News

https://www.abc.net.au/news/2024-10-04/robot-vacuum-hacked-photos-camera-audio/104414020



At the DEF CON security event held in Las Vegas in August 2024, security researchers Dennis Giese and Braelyn Gillan presented a report about a vulnerability in ECOVACS robots.

Researchers announce vulnerability in ECOVACS robots that could be hacked to spy on owners - GIGAZINE



Prior to the announcement, Giese had told ECOVACS in December 2023 that he had 'discovered a serious security flaw that could be executed remotely.' However, there was no response from ECOVACS, and the vulnerability was not fixed. 'It appears that ECOVACS only began to respond after we disclosed the existence of the vulnerability in August 2024,' Giese said.

When the vulnerabilities were first disclosed, ECOVACS's response was that since the hack requires physical access, 'users should rest assured that there is no need to be overly concerned about this' and that 'the flaws discovered by the researchers will not be fixed.'

'This is a particularly delicate issue because, as opposed to physically connecting to a robot or disassembling it to access its internals, hackers can do it simply by sending data over Bluetooth from nearby,' Giese said.

Giese has not publicly disclosed the specific method of attack, but ABC News carried out a demonstration with his help. The target robot vacuum was placed on the fourth floor of a building and compromised over Bluetooth from a park in front of it, with no physical contact with the device.



Once that initial Bluetooth compromise is complete, the attacker no longer needs to be nearby: from then on, the robot's data, including its camera feed, can be accessed over the internet from anywhere in the world.



ECOVACS robot vacuums have an indicator light that shows when the camera is in use. It comes on when the camera is accessed through the official app, but not when the robot has been hacked, so an attacker can watch the camera feed without the owner noticing. In other words, the indicator cannot be relied on as evidence that the camera is off.

ECOVACS ultimately decided to fix the vulnerability, stating, 'ECOVACS has always placed the highest priority on product and data security, as well as consumer privacy protection,' and 'Our existing products provide a high level of safety in everyday life, and we assure our customers that consumers can use ECOVACS products with confidence.'

The fixes are being rolled out gradually; the patch for the Deebot X2 used in the demonstration is scheduled for release in November 2024, and until then that model remains exploitable.

in Security, Posted by log1d_ts