These smart vacuums and mowers can be hacked to spy

Image: Christoph Hoffmann

The smart home trend hasn’t let up as all kinds of internet-connected devices continue to make home life more efficient and convenient. But what happens when these smart gadgets are hacked?

In a presentation at the Defcon hacking conference, security researchers showed that malicious actors can exploit Ecovacs smart vacuums and mowers to secretly take over their microphones and cameras for spying, as TechCrunch reports.

Ecovacs smart robots are frighteningly easy to hack

After analyzing several Ecovacs products, security researchers Dennis Giese and Braelynn found a number of problems that could be abused to remotely hack the robots via Bluetooth and secretly switch on their microphones and cameras.

According to the researchers, the main vulnerability is that the Ecovacs robots allow anyone with a smartphone to connect to them. Hackers could theoretically take control of the robots from a distance of up to 425 feet (130 meters), and once that’s done, they could potentially connect to the robots from even greater distances, as the robots are also connected to the internet via Wi-Fi.

“Their security was really, really, really, really bad,” Giese said in an interview with TechCrunch before the talk. According to the security researchers, it’s also possible to read Wi-Fi login data and stored room maps as well as access microphones and cameras with little effort, all done directly via the robot’s Linux operating system.

Robot mowers are more vulnerable than robot vacuums

The security researchers clarified that the robotic lawn mowers are more vulnerable because their Bluetooth connections are always on, whereas the robotic vacuums are only Bluetooth-active when first switching on and when automatically restarting once per day for 20 minutes.

These smart devices have no hardware light or indicator to show that their cameras and/or microphones are on, which makes it hard to know if they’re spying.

Some models technically play an audio file every five minutes to indicate an active camera, but this can easily be disabled by hackers who know what they’re doing. “You can basically just delete the file or overwrite it with an empty file. The warnings are therefore no longer played if you access the camera remotely,” said Giese.

More security issues with Ecovacs robots

In addition to the above risks, the security researchers also identified other vulnerabilities.

For example, data stored on Ecovacs’ cloud servers is retained even after a user deletes their account — and that includes the authentication token, meaning someone could sell their robot vacuum after deleting their account and possibly spy on the next owner.

Another example is the anti-theft mechanism, which forces the user to enter a PIN whenever the robot is lifted. This feature has been programmed half-heartedly at best, as the PIN is stored in the device in plain text, making it extremely easy for hackers to read.

Incidentally, once an Ecovacs robot is compromised, other Ecovacs robots can be subsequently hacked if they’re within range.

The following devices were analyzed by the security researchers:

Ecovacs Deebot 900 series

Ecovacs Deebot N8/T8

Ecovacs Deebot N9/T9

Ecovacs Deebot N10/T10

Ecovacs Deebot X1

Ecovacs Deebot T20

Ecovacs Deebot X2

Ecovacs Goat G1

Ecovacs Spybot Airbot Z1

Ecovacs Airbot AVA

Ecovacs Airbot ANDY

The researchers said they contacted Ecovacs to report the vulnerabilities but never received a response. The company also didn’t respond to an enquiry sent to them by TechCrunch.

This article originally appeared on our sister publication PC-WELT and was translated and localized from German.

Author: René Resch, Contributor

René has been part of the Foundry team in Germany since 2013. He initially began his career in the development team. He then worked as a trainee and freelancer in the area of portal management. He has been working as a freelance author since 2017. He is particularly interested in topics such as tech trends, games and PCs.
