When Sean Kelly bought a top-of-the-line vacuum cleaner, he imagined he was making a sensible purchase.
Not only would his Ecovacs Deebot X2 help him keep clean the house he shares with his wife, twin toddlers and a five-month-old baby, but he also felt confident that spending AU $2,500 (approximately US $1,600) would ensure it was well secured against hackers.
Little did he know that the cleaning machine scuttling about his family's feet contained a security flaw that could let anyone see and hear their every move.
And the flaw was not just theoretical: it was actually exploited by a security researcher called Dennis Giese, who has spent years hunting for flaws in robot vacuums.
Giese discovered a method to remotely exploit Ecovacs robots - including lawnmowers and Deebot vacuums - via Bluetooth, gaining access to sensitive information and functionalities including the onboard camera and microphone.
Like any responsible security researcher, Giese informed Ecovacs about the vulnerability. However, despite being informed in December 2023, the security hole still hasn't been addressed.
Australian TV's ABC News reached out to Giese about his discovery, and - with Kelly's permission - hacked the robot vacuum.
Not only could news reporters view Kelly making a cup of coffee in his fourth-floor office kitchen (his wife banned the experiment at home due to understandable privacy concerns), but they were also able to speak to him.
“Hello Sean,” says a robotic voice. “I’m waaaatching you.”
Remember, this was happening remotely via Bluetooth. And the reporter who had hacked the robot vacuum cleaner was not in the same room, or even the same office - but instead located at ground level in a park across the street.
Even that close proximity was only required for the initial Bluetooth hack of the device. Once compromised, it could be controlled from anywhere in the world. Images and audio were being streamed to a server in the United States, and then relayed to Giese's apartment in Berlin.
Giese said Ecovacs didn't respond to his original responsible disclosure of the security vulnerabilities in December 2023, and after he made some details public at a hacking conference in August, they initially downplayed the issue, claiming it required "specialised hacking tools and physical access to the device."
The ABC News demonstration, however, did not require physical access or even sight of the vacuum - and could be done with a cheap smartphone.
Ecovacs appears to now be taking the problem more seriously and says security updates have started rolling out for some models and will be available for its Deebot X2 in November 2024.
That won't come soon enough for some of its customers. In the aftermath of the experiment, a suitably-spooked Sean Kelly has taken matters into his own hands when maintaining his family's privacy from his expensive robot vacuum:
"I’ve started just tossing a little dishcloth on it when it’s not in use."
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.