Hackers can take over Ecovacs home robots to spy on their owners

Summary: Security researchers revealed significant vulnerabilities in Ecovacs vacuum and lawn mower robots that could allow attackers to spy on users by exploiting flaws in their cameras and microphones. The findings highlight serious security concerns, including unauthorized access and data retention issues, prompting Ecovacs to announce plans for fixes.

Threat Actor: Unknown | unknown
Victim: Ecovacs users | Ecovacs

Key Points:

  • Attackers can exploit Bluetooth vulnerabilities to take control of Ecovacs robots’ cameras and microphones from up to 450 feet away.
  • Data and authentication tokens remain on Ecovacs’ cloud servers even after account deletion, risking unauthorized access for secondhand device users.
  • Security flaws include an anti-theft PIN stored in plaintext, making it easy for attackers to misuse it.
  • Compromised robots can potentially be used to hack other nearby Ecovacs devices.
  • Ecovacs initially declined to address the vulnerabilities but later announced plans to fix the issues.

During the recent Def Con hacking conference, security researchers Dennis Giese and Braelynn explained that attackers can exploit flaws in vacuum and lawn mower robots made by Ecovacs to spy on their owners.

The researchers analyzed the following devices: Ecovacs Deebot 900 Series, Ecovacs Deebot N8/T8, Ecovacs Deebot N9/T9, Ecovacs Deebot N10/T10, Ecovacs Deebot X1, Ecovacs Deebot T20, Ecovacs Deebot X2, Ecovacs Goat G1, Ecovacs Spybot Airbot Z1, Ecovacs Airbot AVA, and the Ecovacs Airbot ANDY.

The experts discovered a set of flaws that could allow threat actors to take over the devices’ cameras and microphones via Bluetooth. The experts pointed out that the robots have no light to indicate that their cameras and microphones are on.

“Their security was really, really, really, really bad,” Giese told TechCrunch.

One of the issues discovered by the researchers in Ecovacs robots allows anyone within 450 feet to take control of the device via Bluetooth. Once the attackers have gained control over the device, they can remotely access the robot through its Wi-Fi connection. Then they can retrieve sensitive data like Wi-Fi credentials, saved room maps, and even access the cameras and microphones.

Giese explained that Ecovacs lawn mower robots have Bluetooth active constantly, while vacuum robots only have it enabled for 20 minutes after powering on and once a day during an automatic reboot, making them slightly harder to hack. Although some models theoretically play an audio alert every five minutes when the camera is on, hackers can easily delete this file, allowing them to operate undetected.

The two researchers also identified several other issues with Ecovacs devices. They discovered that data and authentication tokens remain on Ecovacs’ cloud servers even after a user deletes their account, which can allow unauthorized access to the robot vacuum and enable spying on individuals who purchase the device secondhand. Furthermore, the lawn mower robots feature an anti-theft PIN stored in plaintext within the device, which an attacker can easily obtain and misuse. Additionally, once an Ecovacs robot is compromised, it can potentially be used to hack other nearby Ecovacs robots.

Initially, an Ecovacs spokesperson told TechCrunch that the company would not address the vulnerabilities discovered by the researchers.

Weeks later, the vendor announced that it would fix the issues.

Pierluigi Paganini

(SecurityAffairs – hacking, vacuum robots)

Source: https://securityaffairs.com/167508/hacking/researchers-hacked-ecovacs-devices.html