Robot vacuums across the country were hacked in the space of several days, according to reporting by ABC News. This allowed the attackers to not only control the robovacs, but use their speakers to hurl racial slurs and abusive comments at anyone nearby.
All of the affected robots were of the same make and model, the Chinese-made Ecovacs Deebot X2s. This particular robovac has developed a reputation for being easy to hack, thanks to a critical security flaw. ABC News, for instance, was able to get full control over one of the robots, including the camera.
One victim of this week’s hacks was a Minnesota lawyer named Daniel Swenson. He told ABC that he was watching TV when the robot started making weird noises, like “a broken-up radio signal or something.” Through the app, Swenson could tell that a stranger was accessing the live camera feed and the remote control feature.
He reset the password and rebooted the vacuum, but that’s when the weirdness really started. It immediately started moving again of its own accord and the speakers began emitting a human voice. This voice was yelling racist obscenities right in front of Swenson’s son.
“I got the impression it was a kid, maybe a teenager,” said Swenson. “Maybe they were just jumping from device to device messing with families.” Ultimately, he said it could have been worse, such as if the vacuum silently spied on his family for days on end.
Swenson’s device was hacked on May 24. That same day another Deebot X2s in Los Angeles began chasing around a dog. This vacuum’s speakers also shouted abusive comments. Five days later, a similar incident happened in El Paso. It remains unclear how many of the company’s devices have been hacked in total.
At the root of this issue is a security flaw that allows bad faith actors to bypass the required four-digit security PIN in order to gain control of the vacuum. This issue originally came to light in December 2023. The Bluetooth connector also has a flaw that allows for complete access from up to 300 feet away. However, the attacks occurred throughout the country, so the Bluetooth vulnerability is an unlikely culprit.
According to Gizmodo, the company has developed a patch to eliminate the aforementioned security flaw that’ll roll out sometime in November. We reached out to Ecovacs to get a confirmation on this.
