Sometimes I look at my robot vacuum and wonder if it knows how much I like it. I do not ponder if it’s staring back at me, thinking…well…who know what? If I owned an Ecovac robot vacuum, though, that might be all I was thinking about and, soon, throwing a blanket over its potentially rapacious camera.
According to a new report and the work of long-time robot vacuum hackers, some Ecovac vacuums can, with some skill but no physical, access be hacked, giving would-be attackers access to all onboard systems and sensors, including the camera.
It’s a simple and somewhat unnerving tale: An ABC Australia news reporter, Julian Fell, followed up on reports that some Ecovac vacuums could be hacked and was soon, with the permission of an Ecovac owner, hacking a robot vacuum in the safety of his news site’s offices.
Not a hacker himself, Fell worked with Northeastern University Cybersecurity researcher Dennis Giese who (along with collaborators Braelynn Luedtke and Chris Anderson) discovered the hack and has spent years researching robot vacuum vulnerabilities. Via email, Giese told me he’s researched most of the major robot vacuum manufacturers, including Neato and iRobot. “Ecovacs is a bit unlucky this year, as I usually swap the vendor every year. Next year, it might hit a different vendor.”
Giese developed a payload and all Fell had to do was stand outside his offices, connect to the robot vacuum via Bluetooth, and download Giese’s encrypted payload to it. That triggered a function in Ecovac’s vacuum, which led to it downloading a script from Giese’s server and then executing it. Within moments, both Fell and Giese had access to the robot vacuum’s camera feed. They could see what it saw and, more chillingly, were able to, according to the report, use the speaker to send a message to the Ecovac’s owner: “Hello Sean, I’m waaaatching you.”
At no point during this process did the robot vacuum indicate that it was under outside control.
Ecovac’s POV
When contacted about the Hack story, Ecovacs sent me this response:
“ECOVACS places the highest priority on data security and customer privacy. To address some security issues raised over the last several months, the ECOVACS Security Committee initiated an internal review process of network connections and data storage. As a result, we have enhanced product security across multiple dimensions, and will continue to strengthen system security in upcoming updates..”
This differed slightly from what the company told TechCrunch in August. Back then, it mentioned the internal review process but also said consumers had little to worry about, claiming in the statement to TechCrunch, “Security issues pointed out by Giese and Braelynn are extremely rare in typical user environments and require specialized hacking tools and physical access to the device. Therefore, users can rest assured that they do not need to worry excessively about this.”
While Ecovac was likely right about the programming tools, I asked Giese about the “physical access” claim since Fell’s report detailed how he used only a Bluetooth connection from outside his office and the payload on his phone to hack the vacuum.
Giese told me that there are many different vulnerabilities, but for the one that Fell hacked, “You only need a phone and the magic payload. No physical access, you do not even need to know where the robot is, who it belongs to, or what kind of model it is. If you are in range, you can do it.”
Giese first told Ecovacs about the vulnerability in December 2023 and told Fell that the company initially didn’t even respond to the message. Giese, though, is not a Black Hat hacker and has no plans to release the details of the hack to the public. In fact, he has no particular beef with Ecovacs.
“Ecovacs was just unlucky this year…I am not super focused on Ecovacs and would have moved on by now if the problems were fixed.”
“It appears that I ‘bite’ into that company and want to damage them, but that’s not true. I am not super focused on Ecovacs and would have moved on by now if the problems were fixed,” said Giese.
He added that he doesn’t necessarily blame Ecovacs for these and other robot vacuum vulnerabilities. He claims that the company paid to get the proper certifications. ” Ecovacs is also a victim here. They paid money to someone that was expected to certify them according to a standard (ETSI xxxx). There were a lot of things that should have been found (e.g. the SSL issues), but they were not.”
As for what you should do if you own an Ecovacs robot vacuum: Start with making sure all your software is up-to-date. Ecovacs may not agree this is a dangerous vulnerability, but Ecovacs did tell us, “We have enhanced product security across multiple dimensions,” which sounds like software updates to me.
In the meantime, you could do as the original Ecovacs consumer did and put a blanket over the robot vacuum camera when it’s not in use.