It’s a tale as old as… the Internet of Things era. Robot vacuums made by Ecovacs have been reported roving around people’s homes, yelling profanities at them through the onboard speakers after the company’s software was found to be vulnerable to intrusion.
ABC News in Australia reports that there were recently multiple instances across the U.S. when owners of Ecovacs vacuums noticed their devices acting unusually.
“It sounded like a broken-up radio signal or something,” Daniel Swenson told the outlet. “You could hear snippets of maybe a voice.” He opened the vacuum’s app to find a stranger was accessing its live camera feed and remote control feature, but assumed it might be an error. After resetting the password and rebooting the robot, the vacuum quickly started moving again:
This time, there was no ambiguity about what was coming out of the speaker. A voice was yelling racist obscenities, loud and clear, right in front of Mr Swenson’s son.
“F*** n******s,” screamed the voice, over and over again.
Perhaps the best part of this anecdote was Swenson’s incredulous conclusion that the situation “could have been worse.” But he’s right that it was nice of the hacker to let him know his vacuum was hacked instead of spying on him indefinitely.
The most common issue people have with so-called “smart” home devices is that they often require a software subscription to access most functionality, and if the manufacturer goes under or stops supporting the device, it simply becomes a paperweight.
The more disturbing issue arises when smart devices are remotely accessed and the manufacturer never considered (or cared about) the possibility that tricksters might take advantage of this to torment people in their own homes. Remote access is convenient, but every couple of years we hear about something egregious, like intruders accessing a baby monitor and whispering through it at night, or gaining access to your garage door to mess with its owner. A lot of the time the intent of these intruders is just to be punks. But you have to wonder how many times it happens and no one knows about it.
The problem is that most of these smart home companies are selling consumer hardware and don’t want or care to invest much in security. You can buy one of dozens of robovacs on Amazon; most people want the cheapest one. So this is what we get, a company that doesn’t put basic security measures in place.
And ‘basic’ seems to be fair here. ABC found that although Ecovacs accounts are password-protected, and a further four-digit PIN code is required to access the video feed, that PIN code is not validated server-side—meaning anyone with the basic know-how of a tool like Chrome web inspector could bypass it. It’s likely that Swenson was reusing credentials from other services, but the code should have been an extra factor that prevented access. At a bare minimum all Ecovacs really needs to do is some basic “if-true” validation on its servers before opening the video feed.
Ecovacs reportedly was informed about the vulnerability back in 2023 and didn’t take action until recently. It says a more substantial security update will be released in November.
If you are paying rock-bottom prices for a robot vacuum, you may get what you’re paying for.
Read the full article here