If you think your robot vacuum cleaner is watching you, you might not be wrong
Sometimes I look at my robot vacuum cleaner and wonder if it knows how much I like it. I don’t think about whether it’s staring at me and thinking… well… who knows what? However, if I had an Ecovacs robot vacuum cleaner, that might be the only thing on my mind, and I would quickly throw a blanket over the potentially predatory camera.
According to a new report and the work of experienced robot vacuum hackers, some Ecovacs vacuum cleaners can, with some skill but without physical access, be hacked, giving a potential attacker access to all of the built-in systems and sensors, including the camera.
It’s a simple and slightly unnerving story: an ABC Australia news reporter, Julian Fell, followed up on reports that some Ecovacs vacuum cleaners could be hacked and was soon, with the permission of an Ecovacs owner, safely hacking a robot vacuum cleaner from the outlet’s news offices.
Not a hacker himself, Fell worked with Northeastern University cybersecurity researcher Dennis Giese, who (along with collaborators Braelynn Luedtke and Chris Anderson) discovered the hack and has spent years researching the vulnerabilities of robot vacuums. Over email, Giese told me that he has researched most of the major robot vacuum cleaner manufacturers, including Neato and iRobot. “Ecovacs is a bit unlucky this year, because I normally change suppliers every year. Next year it may well be a different supplier.”
Giese developed a payload, and all Fell had to do was stand outside his office, connect to the robot vacuum via Bluetooth and deliver Giese’s encrypted payload to it. That triggered a function in the Ecovacs vacuum that caused it to download a script from Giese’s server and run it. Within moments, both Fell and Giese had access to the robot vacuum’s camera feed. They could see what it saw and, even more chilling, they could, according to the report, use the loudspeaker to send a message to the Ecovacs’ owner: “Hi Sean, I’m curious.”
At no point during this process did the robot vacuum indicate that it was under outside control.
Ecovacs’ POV
When I contacted the company about the hack, Ecovacs sent me this response:
“ECOVACS places the highest priority on data security and customer privacy. To address a number of security concerns in recent months, the ECOVACS Security Committee has initiated an internal review process of network connections and data storage. As a result, we have improved product security across multiple dimensions, and will continue to strengthen system security in upcoming updates.”
This differed slightly from what the company told TechCrunch in August. At the time, it mentioned the internal review process but also said consumers had little to worry about, claiming in its statement to TechCrunch: “Security issues pointed out by Giese and Braelynn are extremely rare in typical user environments and require specialized hacking tools and physical access. Users can So we can make sure that they don’t have to worry too much about this.”
While Ecovacs was probably right about the specialized tools, I asked Giese about the “physical access” claim, since Fell’s report details how he used only a Bluetooth connection from outside his office and the payload on his phone to hack the vacuum cleaner.
Giese told me that there are many different vulnerabilities, but for the one used in Fell’s hack: “All you need is a phone and the magic payload. No physical access, you don’t even need to know where the robot is, who it belongs to, or what kind of model it is, if you’re within range, you can do it.”
Giese first told Ecovacs about the vulnerability in December 2023, and he told Fell that the company initially didn’t even respond to the message. However, Giese is not a black hat hacker and has no plans to make the details of the hack public. In fact, he has no particular problem with Ecovacs.
“It seems like I’m biting into that company and wanting to damage them, but that’s not true. I’m not super focused on Ecovacs and would have moved on by now if the problems had been resolved,” said Giese.
He added that he doesn’t necessarily blame Ecovacs for this and other vulnerabilities in robot vacuum cleaners. He claims the company paid to obtain the proper certifications. “Ecovacs is also a victim of this. They paid money to someone who was expected to certify them to a standard (ETSI xxxx). There were a lot of things that should have been found (e.g. the SSL issues), but they weren’t found.”
What to do if you own an Ecovacs robot vacuum cleaner: Start by making sure all your software is up to date. Ecovacs may not agree that this is a dangerous vulnerability, but it did tell us, “We have improved product security across multiple dimensions,” which sounds to me like software updates.
In the meantime, you could do as the original Ecovacs consumer did and put a blanket over the robot vacuum cleaner camera when it’s not in use.