1. Forum
  2. Usenet
  3. MISC.NEWS.INTERNET.DISCUS

  • Ecovacs robot vacuums are being hacked - accessing video and microphone

    From MummyChunk@21:1/5 to All on Fri Oct 11 13:25:04 2024
    Robot vacuums in multiple US cities were hacked in the space of a few
    days, with the attacker physically controlling them and yelling
    obscenities through their onboard speakers.

    The affected robots were all Chinese-made Ecovacs Deebot .

    Minnesota lawyer Daniel Swenson was watching TV when his robot started
    to malfunction.

    "It sounded like a broken-up radio signal or something," he
    told the ABC. "You could hear snippets of maybe a voice."

    Through the Ecovacs app, he saw that a stranger was accessing its live
    camera feed and remote control feature.

    Dismissing it as some kind of glitch, Mr Swenson reset his password,
    rebooted the robot and sat back down on the couch beside his wife and 13-year-old son.

    Almost straight away, it started to move again.

    This time, there was no ambiguity about what was coming out of the
    speaker. A voice was yelling racist obscenities, loud and clear, right
    in front of Mr Swenson's son.

    "F*** n******s," screamed the voice, over and over again.

    "I got the impression it was a kid, maybe a teenager
    [speaking]," said Swenson. "Maybe they were just jumping
    from device to device messing with families."

    The second time around, he turned it off.

    It could have been worse

    Mr Swenson kept his robot vacuum on the same floor as the family's
    master bathroom.

    "Our youngest kids take showers in there," he said. "I
    just thought of it catching my kids or even me, you know, not
    dressed."

    Despite the slurs, Mr Swenson was glad that the hackers had announced
    their presence so loudly.

    It would have been much worse, he said, if they had decided to quietly
    observe his family inside their home.

    They could've peered through his robot's camera, and listened through
    the microphone, without him having the slightest clue.

    "It was shock," he said. "And then it was like almost
    fear, disgust."

    While his son didn't quite grasp the "creepiness" of the
    encounter, Mr Swenson was taking no chances.

    He took the device to the garage, and never switched it on again.

    Robots hacked in multiple cities

    Multiple people, all based in the US, have reported similar hacking
    incidents within days of each other.

    On May 24, the same day that Mr Swenson's device was hacked, a Deebot
    X2 went rogue, and chased its owner's dog around their Los Angeles
    home.

    The robot was being steered from afar, with abusive comments coming
    through the speakers.

    Five days later, another device was infiltrated.

    Late at night, an Ecovacs robot in El Paso started spewing racial
    slurs at its owner until he unplugged it.

    It is unclear how many of the company's devices were hacked in total.

    Six months earlier, security researchers had attempted to notify
    Ecovacs of significant security flaws in its robot vacuums and the app
    that controls them.

    The most severe was a flaw in the Bluetooth connector, which allowed
    complete access to the Ecovacs Deebot from over 100 metres away.

    Given the distributed nature of the attacks, this vulnerability is
    unlikely to have been exploited in this case.

    The PIN code system protecting the robot's video feed and remote
    control feature was also known to be faulty, and the warning sound
    that is meant to play when the camera is being watched was able to be
    disabled from afar.

    These security issues could explain how attackers took control of
    multiple robots in separate locations, and how they could've silently surveilled their victims once they'd gotten in.

    In the days following the incidents with his Ecovacs robot vacuum,
    Daniel Swenson made a complaint to the company.

    After some back and forwards with support staff, he received a call
    from a senior Ecovacs employee based in the US.

    "He must've said three or four times that I should have a video
    of what happened.

    "Each time I told him: 'yeah, that would be great, but I was more
    focused on the fact that a hacked robot was in the middle of my living
    room watching us and possibly recording us'."

    The employee seemed to disbelieve what he was saying, Mr Swenson says,
    despite multiple other owners having reported similar attacks around
    the same time.

    "Was this an effort to discourage me from pursuing my
    complaints?" he asks.

    Following this call, he was informed that a "security
    investigation" had been conducted.

    "Your Ecovacs account and its password have been acquired by an
    unauthorised person," a company representative told him via
    email.

    They also said the company's technical team had identified the
    culprit's IP address, and disabled it to prevent further access.

    In a later email, they told him there was "a high possibility
    that your Ecovacs account was affected by a 'credential stuffing'
    cyberattack."

    This is when someone re-uses the same username and password on
    multiple websites, and the combination is stolen in a separate cyber
    attack.

    The company told the ABC it "found no evidence" that the
    accounts were hacked through "any breach of Ecovacs'
    systems".

    Even if Mr Swenson had used the same username and password on other
    sites, and if those credentials had been leaked online, that still
    should not have been enough to access the video feed or to control the
    robot remotely.

    These features are supposed to be protected by a four-digit PIN.

    However, a pair of cybersecurity researchers had revealed that it
    could be bypassed at a hacking conference back in December 2023.

    Dennis Giese and Braelynn Luedtke said on stage that it was based on
    an "honour system".

    The PIN code was only checked by the app, rather than by the server or
    robot. Which means that anyone with the technical know-how could
    bypass the check completely.

    They had warned Ecovacs about the problem ahead of going public with
    the exploit.

    An Ecovacs spokesperson said this flaw has now been fixed, however Mr
    Giese told the ABC that the company's fix was insufficient to plug the
    security hole.

    The spokesperson also said the company "sent a prompt email"
    instructing customers to change their passwords following the
    incident.

    Ecovacs said it would issue a security upgrade for owners of its
    Deebot vacuum in November.

    Mr Swenson said that he was not informed of the PIN code issue in any
    of his communications with Ecovacs.

    "I asked them if this was a known thing," he said. "If
    it had happened to other people."

    "They just act shocked like it hadn't happened."

    Ecovacs statement to ABC News
    11 October 2024

    Ecovacs does not provide public comment on individual consumer
    situations out of respect to the privacy of our consumers.

    Ecovacs conducted a thorough internal investigation at the end of May
    2024 and found no evidence to suggest that any usernames and passwords
    were obtained by unauthorised third parties as a result of any breach
    of Ecovacs systems. This investigation also identified a credential
    stuffing event, in which a third party attempted to use email
    addresses and passwords to try to gain access to Ecovacs customer
    accounts. There were significantly more attempts to log-in than the
    average daily amount, by a factor of 90:1. These all from the same IP
    address, which was identified as coming from both an unusual device,
    and an unusual location. This IP address was immediately blocked.

    To keep consumers fully updated and stress the importance of changing
    their security protocols, Ecovacs sent a prompt email to customers on
    May 31-June 1 to change their account passwords.
    Ecovacs takes its responsibility around security and data extremely
    seriously, it is a process undertaken with both internal and external
    industry experts, and we have implemented significant measures in this
    area, including in recent months, and will continue to do so on an
    ongoing basis. This includes improving the Remote Live Video PIN
    bypass issue, which is now resolved. To further enhance security, an Over-the-air (OTA) firmware update will be made available in the
    second week of November 2024 specifically for the X2 series. No other
    models in Australia are affected.

    ECOVACS has always prioritised product and data security, as well as
    the protection of consumer privacy. We assure customers that our
    existing products offer a high level of security in daily life, and
    that consumers can confidently use ECOVACS products.

    It is also important for consumers to implement their own steps to
    improve their level of personal online security, including strong
    passwords, unique passwords not used for multiple purposes, and to
    strengthen their Wi-Fi security.

    More guidance can be found here: https://www.ecovacs.com/au/blog/robot-vacuum-privacy-concerns
    Strengthen Wi-Fi Security

    Set Strong Passwords
    Regular Software Updates Suspicious Activity Notifications Factory
    Reset

    Below is a PDF that show exactly detailed information how the Ecovacs
    Deebot robot vacuums are being accessed

    View the attachments for this post at: http://www.jlaforums.com/viewtopic.php?p=675840953#675840953

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)