One of the most useful features of smart home devices is the ability to check on them remotely while the owner is away. Remote access, however, can create serious security vulnerabilities, as was the case with the recent spate of hacks against popular robotic vacuum cleaners.
According to ABC News Australia, at least three Ecovacs Deebot X2 vacuum cleaners were hacked during one week in May, with reports of robots being compromised in Minnesota, Texas, and California. In each case, hackers exploited the onboard speakers, remote controls, and cameras.
One victim, Minnesota attorney Daniel Swenson, said he was watching television when his vacuum cleaner started working. “It sounded like a broken radio signal or something,” he said. “I could probably hear bits and pieces of voices.”
After logging into the app, Swenson observed that a stranger was using the live camera feed and remote control features. He changed his password and rebooted the robot, but the problem was not solved for long. The robot started up again, and a voice could be heard shouting racist slurs over the speakers in front of the family gathered on the couch.
Swenson speculated that teenagers had tampered with the device remotely. He said, “Maybe they were just jumping from device to device and messing with the family.”
In any case, he turned off the robot and moved it into the garage. The robot had previously lived on the same floor as the master bedroom, so he was wary of what the intruders could have done with it had they not noisily announced their presence.
“Our youngest children shower there. I figured it could catch the kids and even me without clothes on.”
The same day Swenson moved the Ecovacs robot into the garage, ABC reported that another Deebot X2 was also acting up: in this case, a hacker used it to chase a dog around a Los Angeles house while shouting abuse through the built-in speaker. Five days later, another Ecovacs robot in El Paso began spouting racial abuse at its owner until he unplugged it.
ABC said it is “unclear” how many Ecovacs devices in total were hacked. The outlet had previously experimented with hacking the company's robots via Bluetooth and successfully took control of nearby devices, but given the large geographic gap between the reported attacks, this appears to be a different vulnerability.
One of the known problems, exposed at a 2023 hacking conference, was that the four-digit PIN protecting remote control and video was only checked by the app, not by the robot itself or the server.
Ecovacs said in a statement [PDF] to ABC News that this particular issue has been “resolved” and that another OTA firmware update will be provided “in the second week of November 2024” to “further enhance security.”
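The PIN flaw described above comes down to where the check runs. As an added illustration (not Ecovacs code; the class, handler names, request shape and sample PIN are all constructed for this example), the Python below contrasts a handler that trusts the app to have checked the PIN with one where the side that owns the camera verifies it and caps failed guesses.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # a 4-digit PIN has only 10,000 values, so guesses must be capped


class Device:
    """Hypothetical robot-side (or server-side) PIN state; not a vendor API."""

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        self.pin_hash = self._derive(pin)  # store a salted hash, never the PIN
        self.failures = 0

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def check_pin(self, pin: str) -> bool:
        if self.failures >= MAX_FAILURES:
            return False  # locked: owner must reset through another channel
        ok = hmac.compare_digest(self._derive(pin), self.pin_hash)
        self.failures = 0 if ok else self.failures + 1
        return ok


def open_video_app_checked(device: Device, request: dict) -> str:
    """Flawed pattern: assumes the app already prompted for the PIN."""
    return "stream-opened"  # the PIN is never inspected on this side


def open_video_enforced(device: Device, request: dict) -> str:
    """Hardened pattern: the PIN travels with the request and is verified here."""
    pin = request.get("pin")
    if not isinstance(pin, str) or not device.check_pin(pin):
        return "denied"
    return "stream-opened"
```
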
The company said it had “no evidence to suggest that usernames and passwords were obtained by unauthorized third parties as a result of the intrusion into Ecovacs' system,” but noticed “significantly more login attempts than the average daily volume, at a rate of one in 90.” It added that because they all came from the same “unusual” device and location, the connected IP addresses were “immediately blocked.”
“Ecovacs has always prioritized the security of its products and data and the protection of consumer privacy. Ecovacs' existing products provide a high level of security in everyday life, ensuring that consumers can use Ecovacs products with confidence.”