Hackers have taken control of robot vacuum cleaners. The devices chased pets and insulted their owners with racist remarks.
Hackers have taken control of Ecovacs robot vacuum cleaners in several US cities. As ABC News reports, the attackers exploited a known security vulnerability to gain access to Deebot X2 devices. The robots’ speakers blared racist insults and obscene statements as the devices moved through the apartments.
According to the report, the incidents occurred in various US cities between January and May 2024. Households affected included Minnesota, Los Angeles and El Paso. It is said that the hackers controlled the vacuum robots remotely and used their built-in cameras and microphones.
Daniel Swenson, a lawyer from Minnesota, told ABC News about his experience. He was sitting on the couch with his wife and 13-year-old son when his Deebot X2 suddenly started making strange noises. At first it sounded like a disturbed radio signal, but then clearly racist insults could be heard.
Swenson attempted to resolve the issue by resetting the password and restarting the device. But the robot immediately moved again and the insults continued. The lawyer finally turned off the device and took it to the garage.
Other sufferers reported similar experiences. In Los Angeles, a hacked robot vacuum chased a dog while spewing hate speech. In El Paso, a Deebot insulted its owner with racist slurs in the middle of the night until the owner unplugged it.
The cause of the attacks appears to be a critical security vulnerability in the Deebot X2. This allows unauthorized persons to bypass the four-digit security PIN and thus gain full control of the device. According to “ABC News”, IT security researchers Dennis Giese and Braelynn Luedtke had already made this error public in December 2023 at the Chaos Communication Congress in Hamburg.
According to the experts, the PIN is only checked by the app, but not by the server or the robot itself. This means that anyone with the appropriate technical know-how can override the check. The researchers said they warned Ecovacs about the problem before making it public.
Ecovacs, the manufacturer of the Deebot X2, has now confirmed the incidents. A company spokesman told ABC News that the error has now been fixed. Customers were instructed by email to change their PIN. An additional security update for the X2 series is also scheduled to be released in November 2024.
IT security experts advise users of networked household devices to be careful. They recommend changing passwords regularly and using two-factor authentication if possible. Users should also critically examine which devices actually need a camera or microphone.